18 Mar, 2019

1 commit


04 Nov, 2018

1 commit

  • [ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]

    In case unpair_device() was called through mgmt interface at the same time
    when pairing was in progress, Bluetooth kernel module crash was seen.

    [ 600.351225] general protection fault: 0000 [#1] SMP PTI
    [ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1
    [ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
    [ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
    [ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
    [ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
    [ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
    [ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
    [ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
    [ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
    [ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
    [ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
    [ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
    [ 600.351302] Call Trace:
    [ 600.351325] smp_failure+0x4f/0x70 [bluetooth]
    [ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth]
    [ 600.351370] unpair_device+0x1c1/0x330 [bluetooth]
    [ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
    [ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20
    [ 600.351417] sock_sendmsg+0x3e/0x50
    [ 600.351422] sock_write_iter+0x85/0xf0
    [ 600.351429] do_iter_readv_writev+0x12b/0x1b0
    [ 600.351434] do_iter_write+0x87/0x1a0
    [ 600.351439] vfs_writev+0x98/0x110
    [ 600.351443] ? ep_poll+0x16d/0x3d0
    [ 600.351447] ? ep_modify+0x73/0x170
    [ 600.351451] do_writev+0x61/0xf0
    [ 600.351455] ? do_writev+0x61/0xf0
    [ 600.351460] __x64_sys_writev+0x1c/0x20
    [ 600.351465] do_syscall_64+0x5a/0x110
    [ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [ 600.351474] RIP: 0033:0x7fb2bdb62fe0
    [ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
    [ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
    [ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
    [ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
    [ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
    [ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
    [ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
    [ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
    [ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
    [ 600.351637] ---[ end trace e49e9f1df09c94fb ]---
    [ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
    [ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
    [ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
    [ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
    [ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
    [ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
    [ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
    [ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
    [ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
    [ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0

    Crash happened because list_del_rcu() was called twice for smp->ltk. This
    was possible if unpair_device was called right after ltk was generated
    but before keys were distributed.

    In this commit smp_cancel_pairing was refactored to cancel pairing if it
    is in progress and otherwise just removes keys. Once keys are removed from
    rcu list, pointers to smp context's keys are set to NULL to make sure
    removed list items are not accessed later.

    This commit also adjusts the functionality of mgmt unpair_device() little
    bit. Previously pairing was canceled only if pairing was in state that
    keys were already generated. With this commit unpair_device() cancels
    pairing already in earlier states.

    Bug was found by fuzzing kernel SMP implementation using Synopsys
    Defensics.

    Reported-by: Pekka Oikarainen
    Signed-off-by: Matias Karhumaa
    Signed-off-by: Johan Hedberg
    Signed-off-by: Sasha Levin

    Matias Karhumaa
     

26 Sep, 2018

1 commit

  • [ Upstream commit b71c69c26b4916d11b8d403d8e667bbd191f1b8f ]

    Fixes this warning that was provoked by a pairing:

    [60258.016221] WARNING: possible recursive locking detected
    [60258.021558] 4.15.0-RD1812-BSP #1 Tainted: G O
    [60258.027146] --------------------------------------------
    [60258.032464] kworker/u5:0/70 is trying to acquire lock:
    [60258.037609] (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}, at: [] bt_accept_enqueue+0x3c/0x74
    [60258.046863]
    [60258.046863] but task is already holding lock:
    [60258.052704] (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}, at: [] l2cap_sock_new_connection_cb+0x1c/0x88
    [60258.062905]
    [60258.062905] other info that might help us debug this:
    [60258.069441] Possible unsafe locking scenario:
    [60258.069441]
    [60258.075368] CPU0
    [60258.077821] ----
    [60258.080272] lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
    [60258.085510] lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
    [60258.090748]
    [60258.090748] *** DEADLOCK ***
    [60258.090748]
    [60258.096676] May be due to missing lock nesting notation
    [60258.096676]
    [60258.103472] 5 locks held by kworker/u5:0/70:
    [60258.107747] #0: ((wq_completion)%shdev->name#2){+.+.}, at: [] process_one_work+0x130/0x4fc
    [60258.117263] #1: ((work_completion)(&hdev->rx_work)){+.+.}, at: [] process_one_work+0x130/0x4fc
    [60258.126942] #2: (&conn->chan_lock){+.+.}, at: [] l2cap_connect+0x80/0x4f8
    [60258.134806] #3: (&chan->lock/2){+.+.}, at: [] l2cap_connect+0x8c/0x4f8
    [60258.142410] #4: (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}, at: [] l2cap_sock_new_connection_cb+0x1c/0x88
    [60258.153043]
    [60258.153043] stack backtrace:
    [60258.157413] CPU: 1 PID: 70 Comm: kworker/u5:0 Tainted: G O 4.15.0-RD1812-BSP #1
    [60258.165945] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
    [60258.172485] Workqueue: hci0 hci_rx_work
    [60258.176331] Backtrace:
    [60258.178797] [] (dump_backtrace) from [] (show_stack+0x18/0x1c)
    [60258.186379] r7:80e55fe4 r6:80e55fe4 r5:20050093 r4:00000000
    [60258.192058] [] (show_stack) from [] (dump_stack+0xb0/0xdc)
    [60258.199301] [] (dump_stack) from [] (__lock_acquire+0xffc/0x11d4)
    [60258.207144] r9:5e2bb019 r8:630f974c r7:ba8a5940 r6:ba8a5ed8 r5:815b5220 r4:80fa081c
    [60258.214901] [] (__lock_acquire) from [] (lock_acquire+0x78/0x98)
    [60258.222655] r10:00000040 r9:00000040 r8:808729f0 r7:00000001 r6:00000000 r5:60050013
    [60258.230491] r4:00000000
    [60258.233045] [] (lock_acquire) from [] (lock_sock_nested+0x64/0x88)
    [60258.240970] r7:00000000 r6:b796e870 r5:00000001 r4:b796e800
    [60258.246643] [] (lock_sock_nested) from [] (bt_accept_enqueue+0x3c/0x74)
    [60258.255004] r8:00000001 r7:ba7d3c00 r6:ba7d3ea4 r5:ba7d2000 r4:b796e800
    [60258.261717] [] (bt_accept_enqueue) from [] (l2cap_sock_new_connection_cb+0x68/0x88)
    [60258.271117] r5:b796e800 r4:ba7d2000
    [60258.274708] [] (l2cap_sock_new_connection_cb) from [] (l2cap_connect+0x190/0x4f8)
    [60258.283933] r5:00000001 r4:ba6dce00
    [60258.287524] [] (l2cap_connect) from [] (l2cap_recv_frame+0x744/0x2cf8)
    [60258.295800] r10:ba6dcf24 r9:00000004 r8:b78d8014 r7:00000004 r6:bb05d000 r5:00000004
    [60258.303635] r4:bb05d008
    [60258.306183] [] (l2cap_recv_frame) from [] (l2cap_recv_acldata+0x210/0x214)
    [60258.314805] r10:b78e7800 r9:bb05d960 r8:00000001 r7:bb05d000 r6:0000000c r5:b7957a80
    [60258.322641] r4:ba6dce00
    [60258.325188] [] (l2cap_recv_acldata) from [] (hci_rx_work+0x35c/0x4e8)
    [60258.333374] r6:80e5743c r5:bb05d7c8 r4:b7957a80
    [60258.338004] [] (hci_rx_work) from [] (process_one_work+0x1a4/0x4fc)
    [60258.346018] r10:00000001 r9:00000000 r8:baabfef8 r7:ba997500 r6:baaba800 r5:baaa5d00
    [60258.353853] r4:bb05d7c8
    [60258.356401] [] (process_one_work) from [] (worker_thread+0x54/0x5cc)
    [60258.364503] r10:baabe038 r9:baaba834 r8:80e05900 r7:00000088 r6:baaa5d18 r5:baaba800
    [60258.372338] r4:baaa5d00
    [60258.374888] [] (worker_thread) from [] (kthread+0x134/0x160)
    [60258.382295] r10:ba8310b8 r9:bb07dbfc r8:8013dfd4 r7:baaa5d00 r6:00000000 r5:baaa8ac0
    [60258.390130] r4:ba831080
    [60258.392682] [] (kthread) from [] (ret_from_fork+0x14/0x20)
    [60258.399915] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:801447c4
    [60258.407751] r4:baaa8ac0 r3:baabe000

    Signed-off-by: Philipp Puschmann
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Philipp Puschmann
     

20 Sep, 2018

1 commit

  • [ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ]

    This fixes two issues with setting hid->name information.

    CC net/bluetooth/hidp/core.o
    In function ‘hidp_setup_hid’,
    inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9,
    inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8,
    inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8:
    net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation]
    strncpy(hid->name, req->name, sizeof(req->name) - 1);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    CC net/bluetooth/hidp/core.o
    net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’:
    net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess]
    strncpy(hid->name, req->name, sizeof(req->name));
    ^

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Johan Hedberg
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Marcel Holtmann
     

22 Aug, 2018

1 commit

  • commit 4e1a720d0312fd510699032c7694a362a010170f upstream.

    slub debug reported:

    [ 440.648642] =============================================================================
    [ 440.648649] BUG kmalloc-1024 (Tainted: G BU O ): Poison overwritten
    [ 440.648651] -----------------------------------------------------------------------------

    [ 440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
    [ 440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
    [ 440.648671] ___slab_alloc.constprop.24+0x1fc/0x292
    [ 440.648675] __slab_alloc.isra.18.constprop.23+0x1c/0x25
    [ 440.648677] __kmalloc+0xb6/0x17f
    [ 440.648680] sk_prot_alloc+0x6b/0xc6
    [ 440.648683] sk_alloc+0x1e/0xa1
    [ 440.648700] sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
    [ 440.648716] sco_connect_cfm+0x166/0x281 [bluetooth]
    [ 440.648731] hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
    [ 440.648746] hci_event_packet+0x28b/0x2326 [bluetooth]
    [ 440.648759] hci_rx_work+0x161/0x291 [bluetooth]
    [ 440.648764] process_one_work+0x163/0x2b2
    [ 440.648767] worker_thread+0x1a9/0x25c
    [ 440.648770] kthread+0xf8/0xfd
    [ 440.648774] ret_from_fork+0x2e/0x38
    [ 440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
    [ 440.648782] __slab_free+0x4b/0x27a
    [ 440.648784] kfree+0x12e/0x155
    [ 440.648787] __sk_destruct+0xd3/0xdf
    [ 440.648790] sk_destruct+0x27/0x29
    [ 440.648793] __sk_free+0x75/0x91
    [ 440.648795] sk_free+0x1c/0x1e
    [ 440.648810] sco_sock_kill+0x5a/0x5f [bluetooth]
    [ 440.648825] sco_conn_del+0x8e/0xba [bluetooth]
    [ 440.648840] sco_disconn_cfm+0x3a/0x41 [bluetooth]
    [ 440.648855] hci_event_packet+0x45e/0x2326 [bluetooth]
    [ 440.648868] hci_rx_work+0x161/0x291 [bluetooth]
    [ 440.648872] process_one_work+0x163/0x2b2
    [ 440.648875] worker_thread+0x1a9/0x25c
    [ 440.648877] kthread+0xf8/0xfd
    [ 440.648880] ret_from_fork+0x2e/0x38
    [ 440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x (null) flags=0x40008100
    [ 440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8

    When KASAN was enabled, it reported:

    [ 210.096613] ==================================================================
    [ 210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
    [ 210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040

    [ 210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G U O 4.14.47-20180606+ #2
    [ 210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
    [ 210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
    [ 210.096698] Call Trace:
    [ 210.096711] dump_stack+0x46/0x59
    [ 210.096722] print_address_description+0x6b/0x23b
    [ 210.096729] ? ex_handler_refcount+0x5b/0x127
    [ 210.096736] kasan_report+0x220/0x246
    [ 210.096744] ex_handler_refcount+0x5b/0x127
    [ 210.096751] ? ex_handler_clear_fs+0x85/0x85
    [ 210.096757] fixup_exception+0x8c/0x96
    [ 210.096766] do_trap+0x66/0x2c1
    [ 210.096773] do_error_trap+0x152/0x180
    [ 210.096781] ? fixup_bug+0x78/0x78
    [ 210.096817] ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
    [ 210.096824] ? __schedule+0x113b/0x1453
    [ 210.096830] ? sysctl_net_exit+0xe/0xe
    [ 210.096837] ? __wake_up_common+0x343/0x343
    [ 210.096843] ? insert_work+0x107/0x163
    [ 210.096850] invalid_op+0x1b/0x40
    [ 210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
    [ 210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
    [ 210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
    [ 210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
    [ 210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
    [ 210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
    [ 210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
    [ 210.096920] ? __sk_destruct+0x2c6/0x2d4
    [ 210.096959] hci_event_packet+0xff5/0x7de2 [bluetooth]
    [ 210.096969] ? __local_bh_enable_ip+0x43/0x5b
    [ 210.097004] ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
    [ 210.097039] ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
    [ 210.097075] ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
    [ 210.097093] ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
    [ 210.097102] ? __accumulate_pelt_segments+0x24/0x33
    [ 210.097109] ? __accumulate_pelt_segments+0x24/0x33
    [ 210.097115] ? __update_load_avg_se.isra.2+0x217/0x3a4
    [ 210.097122] ? set_next_entity+0x7c3/0x12cd
    [ 210.097128] ? pick_next_entity+0x25e/0x26c
    [ 210.097135] ? pick_next_task_fair+0x2ca/0xc1a
    [ 210.097141] ? switch_mm_irqs_off+0x346/0xb4f
    [ 210.097147] ? __switch_to+0x769/0xbc4
    [ 210.097153] ? compat_start_thread+0x66/0x66
    [ 210.097188] ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
    [ 210.097195] ? finish_task_switch+0x392/0x431
    [ 210.097228] ? hci_rx_work+0x154/0x487 [bluetooth]
    [ 210.097260] hci_rx_work+0x154/0x487 [bluetooth]
    [ 210.097269] process_one_work+0x579/0x9e9
    [ 210.097277] worker_thread+0x68f/0x804
    [ 210.097285] kthread+0x31c/0x32b
    [ 210.097292] ? rescuer_thread+0x70c/0x70c
    [ 210.097299] ? kthread_create_on_node+0xa3/0xa3
    [ 210.097306] ret_from_fork+0x35/0x40

    [ 210.097314] Allocated by task 2040:
    [ 210.097323] kasan_kmalloc.part.1+0x51/0xc7
    [ 210.097328] __kmalloc+0x17f/0x1b6
    [ 210.097335] sk_prot_alloc+0xf2/0x1a3
    [ 210.097340] sk_alloc+0x22/0x297
    [ 210.097375] sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
    [ 210.097410] sco_connect_cfm+0x2d0/0x566 [bluetooth]
    [ 210.097443] hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
    [ 210.097476] hci_event_packet+0x85e/0x7de2 [bluetooth]
    [ 210.097507] hci_rx_work+0x154/0x487 [bluetooth]
    [ 210.097512] process_one_work+0x579/0x9e9
    [ 210.097517] worker_thread+0x68f/0x804
    [ 210.097523] kthread+0x31c/0x32b
    [ 210.097529] ret_from_fork+0x35/0x40

    [ 210.097533] Freed by task 2040:
    [ 210.097539] kasan_slab_free+0xb3/0x15e
    [ 210.097544] kfree+0x103/0x1a9
    [ 210.097549] __sk_destruct+0x2c6/0x2d4
    [ 210.097584] sco_conn_del.isra.1+0xba/0x10e [bluetooth]
    [ 210.097617] hci_event_packet+0xff5/0x7de2 [bluetooth]
    [ 210.097648] hci_rx_work+0x154/0x487 [bluetooth]
    [ 210.097653] process_one_work+0x579/0x9e9
    [ 210.097658] worker_thread+0x68f/0x804
    [ 210.097663] kthread+0x31c/0x32b
    [ 210.097670] ret_from_fork+0x35/0x40

    [ 210.097676] The buggy address belongs to the object at ffff880107e170e8
    which belongs to the cache kmalloc-1024 of size 1024
    [ 210.097681] The buggy address is located 120 bytes inside of
    1024-byte region [ffff880107e170e8, ffff880107e174e8)
    [ 210.097683] The buggy address belongs to the page:
    [ 210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping: (null) index:0xffff880107e15b68 compound_mapcount: 0
    [ 210.110194] flags: 0x8000000000008100(slab|head)
    [ 210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
    [ 210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
    [ 210.115451] page dumped because: kasan: bad access detected

    [ 210.115454] Memory state around the buggy address:
    [ 210.115460] ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [ 210.115465] ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
    [ 210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 210.115472] ^
    [ 210.115477] ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 210.115481] ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 210.115483] ==================================================================

    And finally when BT_DBG() and ftrace was enabled it showed:

    -14979 [001] .... 186.104191: sco_sock_kill -14979 [001] .... 186.104191: sco_sock_kill -14979 [001] .... 186.104192: sco_sock_kill: sk ef0497a0 state 9
    -14979 [001] .... 186.104193: bt_sock_unlink
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

    Sudip Mukherjee
     

18 Aug, 2018

1 commit

  • commit 7992c18810e568b95c869b227137a2215702a805 upstream.

    CVE-2018-9363

    The buffer length is unsigned at all layers, but gets cast to int and
    checked in hidp_process_report and can lead to a buffer overflow.
    Switch len parameter to unsigned int to resolve issue.

    This affects 3.18 and newer kernels.

    Signed-off-by: Mark Salyzyn
    Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
    Cc: Marcel Holtmann
    Cc: Johan Hedberg
    Cc: "David S. Miller"
    Cc: Kees Cook
    Cc: Benjamin Tissoires
    Cc: linux-bluetooth@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Cc: security@kernel.org
    Cc: kernel-team@android.com
    Acked-by: Kees Cook
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

    Mark Salyzyn
     

19 Apr, 2018

1 commit

  • commit 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 upstream.

    Local random address needs to be updated before creating connection if
    RPA from LE Direct Advertising Report was resolved in host. Otherwise
    remote device might ignore connection request due to address mismatch.

    This was affecting following qualification test cases:
    GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C

    Before patch:
    < HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #11350 [hci0] 84680.231216
    Address: 56:BC:E8:24:11:68 (Resolvable)
    Identity type: Random (0x01)
    Identity: F2:F1:06:3D:9C:42 (Static)
    > HCI Event: Command Complete (0x0e) plen 4 #11351 [hci0] 84680.246022
    LE Set Random Address (0x08|0x0005) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #11352 [hci0] 84680.246417
    Type: Passive (0x00)
    Interval: 60.000 msec (0x0060)
    Window: 30.000 msec (0x0030)
    Own address type: Random (0x01)
    Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
    > HCI Event: Command Complete (0x0e) plen 4 #11353 [hci0] 84680.248854
    LE Set Scan Parameters (0x08|0x000b) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11354 [hci0] 84680.249466
    Scanning: Enabled (0x01)
    Filter duplicates: Enabled (0x01)
    > HCI Event: Command Complete (0x0e) plen 4 #11355 [hci0] 84680.253222
    LE Set Scan Enable (0x08|0x000c) ncmd 1
    Status: Success (0x00)
    > HCI Event: LE Meta Event (0x3e) plen 18 #11356 [hci0] 84680.458387
    LE Direct Advertising Report (0x0b)
    Num reports: 1
    Event type: Connectable directed - ADV_DIRECT_IND (0x01)
    Address type: Random (0x01)
    Address: 53:38:DA:46:8C:45 (Resolvable)
    Identity type: Public (0x00)
    Identity: 11:22:33:44:55:66 (OUI 11-22-33)
    Direct address type: Random (0x01)
    Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
    Identity type: Random (0x01)
    Identity: F2:F1:06:3D:9C:42 (Static)
    RSSI: -74 dBm (0xb6)
    < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11357 [hci0] 84680.458737
    Scanning: Disabled (0x00)
    Filter duplicates: Disabled (0x00)
    > HCI Event: Command Complete (0x0e) plen 4 #11358 [hci0] 84680.469982
    LE Set Scan Enable (0x08|0x000c) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Create Connection (0x08|0x000d) plen 25 #11359 [hci0] 84680.470444
    Scan interval: 60.000 msec (0x0060)
    Scan window: 60.000 msec (0x0060)
    Filter policy: White list is not used (0x00)
    Peer address type: Random (0x01)
    Peer address: 53:38:DA:46:8C:45 (Resolvable)
    Identity type: Public (0x00)
    Identity: 11:22:33:44:55:66 (OUI 11-22-33)
    Own address type: Random (0x01)
    Min connection interval: 30.00 msec (0x0018)
    Max connection interval: 50.00 msec (0x0028)
    Connection latency: 0 (0x0000)
    Supervision timeout: 420 msec (0x002a)
    Min connection length: 0.000 msec (0x0000)
    Max connection length: 0.000 msec (0x0000)
    > HCI Event: Command Status (0x0f) plen 4 #11360 [hci0] 84680.474971
    LE Create Connection (0x08|0x000d) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0 #11361 [hci0] 84682.545385
    > HCI Event: Command Complete (0x0e) plen 4 #11362 [hci0] 84682.551014
    LE Create Connection Cancel (0x08|0x000e) ncmd 1
    Status: Success (0x00)
    > HCI Event: LE Meta Event (0x3e) plen 19 #11363 [hci0] 84682.551074
    LE Connection Complete (0x01)
    Status: Unknown Connection Identifier (0x02)
    Handle: 0
    Role: Master (0x00)
    Peer address type: Public (0x00)
    Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
    Connection interval: 0.00 msec (0x0000)
    Connection latency: 0 (0x0000)
    Supervision timeout: 0 msec (0x0000)
    Master clock accuracy: 0x00

    After patch:
    < HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #210 [hci0] 667.152459
    Type: Passive (0x00)
    Interval: 60.000 msec (0x0060)
    Window: 30.000 msec (0x0030)
    Own address type: Random (0x01)
    Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
    > HCI Event: Command Complete (0x0e) plen 4 #211 [hci0] 667.153613
    LE Set Scan Parameters (0x08|0x000b) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #212 [hci0] 667.153704
    Scanning: Enabled (0x01)
    Filter duplicates: Enabled (0x01)
    > HCI Event: Command Complete (0x0e) plen 4 #213 [hci0] 667.154584
    LE Set Scan Enable (0x08|0x000c) ncmd 1
    Status: Success (0x00)
    > HCI Event: LE Meta Event (0x3e) plen 18 #214 [hci0] 667.182619
    LE Direct Advertising Report (0x0b)
    Num reports: 1
    Event type: Connectable directed - ADV_DIRECT_IND (0x01)
    Address type: Random (0x01)
    Address: 50:52:D9:A6:48:A0 (Resolvable)
    Identity type: Public (0x00)
    Identity: 11:22:33:44:55:66 (OUI 11-22-33)
    Direct address type: Random (0x01)
    Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
    Identity type: Random (0x01)
    Identity: F4:28:73:5D:38:B0 (Static)
    RSSI: -70 dBm (0xba)
    < HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #215 [hci0] 667.182704
    Scanning: Disabled (0x00)
    Filter duplicates: Disabled (0x00)
    > HCI Event: Command Complete (0x0e) plen 4 #216 [hci0] 667.183599
    LE Set Scan Enable (0x08|0x000c) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #217 [hci0] 667.183645
    Address: 7C:C1:57:A5:B7:A8 (Resolvable)
    Identity type: Random (0x01)
    Identity: F4:28:73:5D:38:B0 (Static)
    > HCI Event: Command Complete (0x0e) plen 4 #218 [hci0] 667.184590
    LE Set Random Address (0x08|0x0005) ncmd 1
    Status: Success (0x00)
    < HCI Command: LE Create Connection (0x08|0x000d) plen 25 #219 [hci0] 667.184613
    Scan interval: 60.000 msec (0x0060)
    Scan window: 60.000 msec (0x0060)
    Filter policy: White list is not used (0x00)
    Peer address type: Random (0x01)
    Peer address: 50:52:D9:A6:48:A0 (Resolvable)
    Identity type: Public (0x00)
    Identity: 11:22:33:44:55:66 (OUI 11-22-33)
    Own address type: Random (0x01)
    Min connection interval: 30.00 msec (0x0018)
    Max connection interval: 50.00 msec (0x0028)
    Connection latency: 0 (0x0000)
    Supervision timeout: 420 msec (0x002a)
    Min connection length: 0.000 msec (0x0000)
    Max connection length: 0.000 msec (0x0000)
    > HCI Event: Command Status (0x0f) plen 4 #220 [hci0] 667.186558
    LE Create Connection (0x08|0x000d) ncmd 1
    Status: Success (0x00)
    > HCI Event: LE Meta Event (0x3e) plen 19 #221 [hci0] 667.485824
    LE Connection Complete (0x01)
    Status: Success (0x00)
    Handle: 0
    Role: Master (0x00)
    Peer address type: Random (0x01)
    Peer address: 50:52:D9:A6:48:A0 (Resolvable)
    Identity type: Public (0x00)
    Identity: 11:22:33:44:55:66 (OUI 11-22-33)
    Connection interval: 50.00 msec (0x0028)
    Connection latency: 0 (0x0000)
    Supervision timeout: 420 msec (0x002a)
    Master clock accuracy: 0x07
    @ MGMT Event: Device Connected (0x000b) plen 13 {0x0002} [hci0] 667.485996
    LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
    Flags: 0x00000000
    Data length: 0

    Signed-off-by: Szymon Janc
    Signed-off-by: Marcel Holtmann
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman

    Szymon Janc
     

08 Apr, 2018

1 commit

  • commit 64e759f58f128730b97a3c3a26d283c075ad7c86 upstream.

    If Security Request is received on connection that is already encrypted
    with sufficient security master should perform encryption key refresh
    procedure instead of just ignoring Slave Security Request
    (Core Spec 5.0 Vol 3 Part H 2.4.6).

    > ACL Data RX: Handle 3585 flags 0x02 dlen 6
    SMP: Security Request (0x0b) len 1
    Authentication requirement: Bonding, No MITM, SC, No Keypresses (0x09)
    < HCI Command: LE Start Encryption (0x08|0x0019) plen 28
    Handle: 3585
    Random number: 0x0000000000000000
    Encrypted diversifier: 0x0000
    Long term key: 44264272a5c426a9e868f034cf0e69f3
    > HCI Event: Command Status (0x0f) plen 4
    LE Start Encryption (0x08|0x0019) ncmd 1
    Status: Success (0x00)
    > HCI Event: Encryption Key Refresh Complete (0x30) plen 3
    Status: Success (0x00)
    Handle: 3585

    Signed-off-by: Szymon Janc
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

    Szymon Janc
     

17 Jan, 2018

1 commit

  • commit 06e7e776ca4d36547e503279aeff996cbb292c16 upstream.

    In the function l2cap_parse_conf_rsp and in the function
    l2cap_parse_conf_req the following variable is declared without
    initialization:

    struct l2cap_conf_efs efs;

    In addition, when parsing input configuration parameters in both of
    these functions, the switch case for handling EFS elements may skip the
    memcpy call that will write to the efs variable:

    ...
    case L2CAP_CONF_EFS:
    if (olen == sizeof(efs))
    memcpy(&efs, (void *)val, olen);
    ...

    The olen in the above if is attacker controlled, and regardless of that
    if, in both of these functions the efs variable would eventually be
    added to the outgoing configuration request that is being built:

    l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);

    So by sending a configuration request, or response, that contains an
    L2CAP_CONF_EFS element, but with an element length that is not
    sizeof(efs) - the memcpy to the uninitialized efs variable can be
    avoided, and the uninitialized variable would be returned to the
    attacker (16 bytes).

    This issue has been assigned CVE-2017-1000410

    Cc: Marcel Holtmann
    Cc: Gustavo Padovan
    Cc: Johan Hedberg
    Signed-off-by: Ben Seri
    Signed-off-by: Greg Kroah-Hartman

    Ben Seri
     

02 Nov, 2017

1 commit

  • Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boiler plate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information it it.
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from of the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

29 Sep, 2017

1 commit

  • This reverts commit dbbccdc4ced015cdd4051299bd87fbe0254ad351.

    It turns out that the "legacy" users aren't so legacy at all, and that
    turning off the legacy ioctl will break the current Qt bluetooth stack
    for bluetooth LE devices that were released just a couple of months ago.

    So it's simply not true that this was a legacy interface that hasn't
    been needed and is only limited to old legacy BT devices. Because I
    actually read Kconfig help messages, and actively try to turn off
    features that I don't need, I turned the option off.

    Then I spent _way_ too much time debugging BLE issues until I realized
    that it wasn't the Qt and subsurface development that had broken one of
    my dive computer BLE downloads, but simply my broken kernel config.

    Maybe in a decade it will be true that this is a legacy interface. And
    maybe with a better help-text and correct dependencies, this kind of
    legacy removal might be acceptable. But as things are right now both
    the commit message and the Kconfig help text were misleading, and the
    Kconfig option had the wrong dependenencies.

    There's no reason to keep that broken Kconfig option in the tree.

    Cc: Marcel Holtmann
    Cc: Johan Hedberg
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

10 Sep, 2017

1 commit


07 Sep, 2017

1 commit

  • Pull networking updates from David Miller:

    1) Support ipv6 checksum offload in sunvnet driver, from Shannon
    Nelson.

    2) Move to RB-tree instead of custom AVL code in inetpeer, from Eric
    Dumazet.

    3) Allow generic XDP to work on virtual devices, from John Fastabend.

    4) Add bpf device maps and XDP_REDIRECT, which can be used to build
    arbitrary switching frameworks using XDP. From John Fastabend.

    5) Remove UFO offloads from the tree, gave us little other than bugs.

    6) Remove the IPSEC flow cache, from Florian Westphal.

    7) Support ipv6 route offload in mlxsw driver.

    8) Support VF representors in bnxt_en, from Sathya Perla.

    9) Add support for forward error correction modes to ethtool, from
    Vidya Sagar Ravipati.

    10) Add time filter for packet scheduler action dumping, from Jamal Hadi
    Salim.

    11) Extend the zerocopy sendmsg() used by virtio and tap to regular
    sockets via MSG_ZEROCOPY. From Willem de Bruijn.

    12) Significantly rework value tracking in the BPF verifier, from Edward
    Cree.

    13) Add new jump instructions to eBPF, from Daniel Borkmann.

    14) Rework rtnetlink plumbing so that operations can be run without
    taking the RTNL semaphore. From Florian Westphal.

    15) Support XDP in tap driver, from Jason Wang.

    16) Add 32-bit eBPF JIT for ARM, from Shubham Bansal.

    17) Add Huawei hinic ethernet driver.

    18) Allow to report MD5 keys in TCP inet_diag dumps, from Ivan
    Delalande.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1780 commits)
    i40e: point wb_desc at the nvm_wb_desc during i40e_read_nvm_aq
    i40e: avoid NVM acquire deadlock during NVM update
    drivers: net: xgene: Remove return statement from void function
    drivers: net: xgene: Configure tx/rx delay for ACPI
    drivers: net: xgene: Read tx/rx delay for ACPI
    rocker: fix kcalloc parameter order
    rds: Fix non-atomic operation on shared flag variable
    net: sched: don't use GFP_KERNEL under spin lock
    vhost_net: correctly check tx avail during rx busy polling
    net: mdio-mux: add mdio_mux parameter to mdio_mux_init()
    rxrpc: Make service connection lookup always check for retry
    net: stmmac: Delete dead code for MDIO registration
    gianfar: Fix Tx flow control deactivation
    cxgb4: Ignore MPS_TX_INT_CAUSE[Bubble] for T6
    cxgb4: Fix pause frame count in t4_get_port_stats
    cxgb4: fix memory leak
    tun: rename generic_xdp to skb_xdp
    tun: reserve extra headroom only when XDP is set
    net: dsa: bcm_sf2: Configure IMP port TC2QOS mapping
    net: dsa: bcm_sf2: Advertise number of egress queues
    ...

    Linus Torvalds
     

02 Sep, 2017

1 commit


31 Aug, 2017

1 commit


19 Aug, 2017

1 commit


12 Aug, 2017

1 commit


08 Aug, 2017

1 commit


27 Jul, 2017

1 commit

  • Although HID itself is transport-agnostic, occasionally a driver may
    want to interact with the low-level transport that a device is connected
    through. To do this, we need to know what kind of bus is in use. The
    first guess may be to look at the 'bus' field of the 'struct hid_device',
    but this field may be emulated in some cases (e.g. uhid).

    More ideally, we can check which ll_driver a device is using. This
    function introduces a 'hid_is_using_ll_driver' function and makes the
    'struct hid_ll_driver' of the four most common transports accessible
    through hid.h.

    Signed-off-by: Jason Gerecke
    Acked-By: Benjamin Tissoires
    Signed-off-by: Jiri Kosina

    Jason Gerecke
     

26 Jul, 2017

1 commit


20 Jul, 2017

1 commit


06 Jul, 2017

1 commit

  • Pull networking updates from David Miller:
    "Reasonably busy this cycle, but perhaps not as busy as in the 4.12
    merge window:

    1) Several optimizations for UDP processing under high load from
    Paolo Abeni.

    2) Support pacing internally in TCP when using the sch_fq packet
    scheduler for this is not practical. From Eric Dumazet.

    3) Support mutliple filter chains per qdisc, from Jiri Pirko.

    4) Move to 1ms TCP timestamp clock, from Eric Dumazet.

    5) Add batch dequeueing to vhost_net, from Jason Wang.

    6) Flesh out more completely SCTP checksum offload support, from
    Davide Caratti.

    7) More plumbing of extended netlink ACKs, from David Ahern, Pablo
    Neira Ayuso, and Matthias Schiffer.

    8) Add devlink support to nfp driver, from Simon Horman.

    9) Add RTM_F_FIB_MATCH flag to RTM_GETROUTE queries, from Roopa
    Prabhu.

    10) Add stack depth tracking to BPF verifier and use this information
    in the various eBPF JITs. From Alexei Starovoitov.

    11) Support XDP on qed device VFs, from Yuval Mintz.

    12) Introduce BPF PROG ID for better introspection of installed BPF
    programs. From Martin KaFai Lau.

    13) Add bpf_set_hash helper for TC bpf programs, from Daniel Borkmann.

    14) For loads, allow narrower accesses in bpf verifier checking, from
    Yonghong Song.

    15) Support MIPS in the BPF selftests and samples infrastructure, the
    MIPS eBPF JIT will be merged in via the MIPS GIT tree. From David
    Daney.

    16) Support kernel based TLS, from Dave Watson and others.

    17) Remove completely DST garbage collection, from Wei Wang.

    18) Allow installing TCP MD5 rules using prefixes, from Ivan
    Delalande.

    19) Add XDP support to Intel i40e driver, from Björn Töpel

    20) Add support for TC flower offload in nfp driver, from Simon
    Horman, Pieter Jansen van Vuuren, Benjamin LaHaise, Jakub
    Kicinski, and Bert van Leeuwen.

    21) IPSEC offloading support in mlx5, from Ilan Tayari.

    22) Add HW PTP support to macb driver, from Rafal Ozieblo.

    23) Networking refcount_t conversions, From Elena Reshetova.

    24) Add sock_ops support to BPF, from Lawrence Brako. This is useful
    for tuning the TCP sockopt settings of a group of applications,
    currently via CGROUPs"

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1899 commits)
    net: phy: dp83867: add workaround for incorrect RX_CTRL pin strap
    dt-bindings: phy: dp83867: provide a workaround for incorrect RX_CTRL pin strap
    cxgb4: Support for get_ts_info ethtool method
    cxgb4: Add PTP Hardware Clock (PHC) support
    cxgb4: time stamping interface for PTP
    nfp: default to chained metadata prepend format
    nfp: remove legacy MAC address lookup
    nfp: improve order of interfaces in breakout mode
    net: macb: remove extraneous return when MACB_EXT_DESC is defined
    bpf: add missing break in for the TCP_BPF_SNDCWND_CLAMP case
    bpf: fix return in load_bpf_file
    mpls: fix rtm policy in mpls_getroute
    net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
    net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
    net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
    net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t
    net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
    net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
    net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t
    net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t
    ...

    Linus Torvalds
     

02 Jul, 2017

1 commit

  • …etooth/bluetooth-next

    Johan Hedberg says:

    ====================
    pull request: bluetooth-next 2017-07-01

    Here are some more Bluetooth patches for the 4.13 kernel:

    - Added support for Broadcom BCM43430 controllers
    - Added sockaddr length checks before accessing sa_family
    - Fixed possible "might sleep" errors in bnep, cmtp and hidp modules
    - A few other minor fixes

    Please let me know if there are any issues pulling. Thanks.
    ====================

    Signed-off-by: David S. Miller <davem@davemloft.net>

    David S. Miller
     

01 Jul, 2017

1 commit

  • refcount_t type and corresponding API should be
    used instead of atomic_t when the variable is used as
    a reference counter. This allows to avoid accidental
    refcounter overflows that might lead to use-after-free
    situations.

    This patch uses refcount_inc_not_zero() instead of
    atomic_inc_not_zero_hint() due to absense of a _hint()
    version of refcount API. If the hint() version must
    be used, we might need to revisit API.

    Signed-off-by: Elena Reshetova
    Signed-off-by: Hans Liljestrand
    Signed-off-by: Kees Cook
    Signed-off-by: David Windsor
    Signed-off-by: David S. Miller

    Reshetova, Elena
     

29 Jun, 2017

2 commits

  • Verify that the caller-provided sockaddr structure is large enough to
    contain the sa_family field, before accessing it in bind() and connect()
    handlers of the Bluetooth sockets. Since neither syscall enforces a minimum
    size of the corresponding memory region, very short sockaddrs (zero or one
    byte long) result in operating on uninitialized memory while referencing
    sa_family.

    Signed-off-by: Mateusz Jurczyk
    Signed-off-by: Marcel Holtmann

    Mateusz Jurczyk
     
  • Bluetooth hci uses ordered HIGHPRI, MEM_RECLAIM workqueues. It's
    likely that the flags came from mechanical conversion from
    create_singlethread_workqueue(). Bluetooth shouldn't be depended upon
    for memory reclaim and the spurious MEM_RECLAIM flag can trigger the
    following warning. Remove WQ_MEM_RECLAIM and convert to
    alloc_ordered_workqueue() while at it.

    workqueue: WQ_MEM_RECLAIM hci0:hci_power_off is flushing !WQ_MEM_RECLAIM events:btusb_work
    ------------[ cut here ]------------
    WARNING: CPU: 2 PID: 14231 at /home/brodo/local/kernel/git/linux/kernel/workqueue.c:2423 check_flush_dependency+0xb3/0x100
    Modules linked in:
    CPU: 2 PID: 14231 Comm: kworker/u9:4 Not tainted 4.12.0-rc6+ #3
    Hardware name: Dell Inc. XPS 13 9343/0TM99H, BIOS A11 12/08/2016
    Workqueue: hci0 hci_power_off
    task: ffff9432dad58000 task.stack: ffff986d43790000
    RIP: 0010:check_flush_dependency+0xb3/0x100
    RSP: 0018:ffff986d43793c90 EFLAGS: 00010086
    RAX: 000000000000005a RBX: ffff943316810820 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000096 RDI: 0000000000000001
    RBP: ffff986d43793cb0 R08: 0000000000000775 R09: ffffffff85bdd5c0
    R10: 0000000000000040 R11: 0000000000000000 R12: ffffffff84d596e0
    R13: ffff9432dad58000 R14: ffff94321c640320 R15: ffff9432dad58000
    FS: 0000000000000000(0000) GS:ffff94331f500000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007b8bca242000 CR3: 000000014f60a000 CR4: 00000000003406e0
    Call Trace:
    flush_work+0x8a/0x1c0
    ? flush_work+0x184/0x1c0
    ? skb_free_head+0x21/0x30
    __cancel_work_timer+0x124/0x1b0
    ? hci_dev_do_close+0x2a4/0x4d0
    cancel_work_sync+0x10/0x20
    btusb_close+0x23/0x100
    hci_dev_do_close+0x2ca/0x4d0
    hci_power_off+0x1e/0x50
    process_one_work+0x184/0x3e0
    worker_thread+0x4a/0x3a0
    ? preempt_count_sub+0x9b/0x100
    ? preempt_count_sub+0x9b/0x100
    kthread+0x125/0x140
    ? process_one_work+0x3e0/0x3e0
    ? __kthread_create_on_node+0x1a0/0x1a0
    ? do_syscall_64+0x58/0xd0
    ret_from_fork+0x27/0x40
    Code: 00 75 bf 49 8b 56 18 48 8d 8b b0 00 00 00 48 81 c6 b0 00 00 00 4d 89 e0 48 c7 c7 20 23 6b 85 c6 05 83 cd 31 01 01 e8 bf c4 0c 00 ff eb 93 80 3d 74 cd 31 01 00 75 a5 65 48 8b 04 25 00 c5 00
    ---[ end trace b88fd2f77754bfec ]---

    Signed-off-by: Tejun Heo
    Reported-by: Dominik Brodowski
    Signed-off-by: Marcel Holtmann

    Tejun Heo
     

28 Jun, 2017

3 commits

  • It looks like hidp_session_thread has same pattern as the issue reported in
    old rfcomm:

    while (1) {
    set_current_state(TASK_INTERRUPTIBLE);
    if (condition)
    break;
    // may call might_sleep here
    schedule();
    }
    __set_current_state(TASK_RUNNING);

    Which fixed at:
    dfb2fae Bluetooth: Fix nested sleeps

    So let's fix it at the same way, also follow the suggestion of:
    https://lwn.net/Articles/628628/

    Signed-off-by: Jeffy Chen
    Tested-by: AL Yu-Chen Cho
    Tested-by: Rohit Vaswani
    Signed-off-by: Marcel Holtmann

    Jeffy Chen
     
  • It looks like cmtp_session has same pattern as the issue reported in
    old rfcomm:

    while (1) {
    set_current_state(TASK_INTERRUPTIBLE);
    if (condition)
    break;
    // may call might_sleep here
    schedule();
    }
    __set_current_state(TASK_RUNNING);

    Which fixed at:
    dfb2fae Bluetooth: Fix nested sleeps

    So let's fix it at the same way, also follow the suggestion of:
    https://lwn.net/Articles/628628/

    Signed-off-by: Jeffy Chen
    Reviewed-by: Brian Norris
    Reviewed-by: AL Yu-Chen Cho
    Signed-off-by: Marcel Holtmann

    Jeffy Chen
     
  • It looks like bnep_session has same pattern as the issue reported in
    old rfcomm:

    while (1) {
    set_current_state(TASK_INTERRUPTIBLE);
    if (condition)
    break;
    // may call might_sleep here
    schedule();
    }
    __set_current_state(TASK_RUNNING);

    Which fixed at:
    dfb2fae Bluetooth: Fix nested sleeps

    So let's fix it at the same way, also follow the suggestion of:
    https://lwn.net/Articles/628628/

    Signed-off-by: Jeffy Chen
    Reviewed-by: Brian Norris
    Reviewed-by: AL Yu-Chen Cho
    Signed-off-by: Marcel Holtmann

    Jeffy Chen
     

21 Jun, 2017

1 commit

  • follow Johannes Berg, semantic patch file as below,
    @@
    identifier p, p2;
    expression len;
    expression skb;
    type t, t2;
    @@
    (
    -p = __skb_put(skb, len);
    +p = __skb_put_zero(skb, len);
    |
    -p = (t)__skb_put(skb, len);
    +p = __skb_put_zero(skb, len);
    )
    ... when != p
    (
    p2 = (t2)p;
    -memset(p2, 0, len);
    |
    -memset(p, 0, len);
    )

    @@
    identifier p;
    expression len;
    expression skb;
    type t;
    @@
    (
    -t p = __skb_put(skb, len);
    +t p = __skb_put_zero(skb, len);
    )
    ... when != p
    (
    -memset(p, 0, len);
    )

    @@
    type t, t2;
    identifier p, p2;
    expression skb;
    @@
    t *p;
    ...
    (
    -p = __skb_put(skb, sizeof(t));
    +p = __skb_put_zero(skb, sizeof(t));
    |
    -p = (t *)__skb_put(skb, sizeof(t));
    +p = __skb_put_zero(skb, sizeof(t));
    )
    ... when != p
    (
    p2 = (t2)p;
    -memset(p2, 0, sizeof(*p));
    |
    -memset(p, 0, sizeof(*p));
    )

    @@
    expression skb, len;
    @@
    -memset(__skb_put(skb, len), 0, len);
    +__skb_put_zero(skb, len);

    @@
    expression skb, len, data;
    @@
    -memcpy(__skb_put(skb, len), data, len);
    +__skb_put_data(skb, data, len);

    @@
    expression SKB, C, S;
    typedef u8;
    identifier fn = {__skb_put};
    fresh identifier fn2 = fn ## "_u8";
    @@
    - *(u8 *)fn(SKB, S) = C;
    + fn2(SKB, C);

    Signed-off-by: yuan linyu
    Signed-off-by: David S. Miller

    yuan linyu
     

20 Jun, 2017

1 commit

  • Rename:

    wait_queue_t => wait_queue_entry_t

    'wait_queue_t' was always a slight misnomer: its name implies that it's a "queue",
    but in reality it's a queue *entry*. The 'real' queue is the wait queue head,
    which had to carry the name.

    Start sorting this out by renaming it to 'wait_queue_entry_t'.

    This also allows the real structure name 'struct __wait_queue' to
    lose its double underscore and become 'struct wait_queue_entry',
    which is the more canonical nomenclature for such data types.

    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Ingo Molnar

    Ingo Molnar
     

16 Jun, 2017

5 commits

  • Joe and Bjørn suggested that it'd be nicer to not have the
    cast in the fairly common case of doing
    *(u8 *)skb_put(skb, 1) = c;

    Add skb_put_u8() for this case, and use it across the code,
    using the following spatch:

    @@
    expression SKB, C, S;
    typedef u8;
    identifier fn = {skb_put};
    fresh identifier fn2 = fn ## "_u8";
    @@
    - *(u8 *)fn(SKB, S) = C;
    + fn2(SKB, C);

    Note that due to the "S", the spatch isn't perfect, it should
    have checked that S is 1, but there's also places that use a
    sizeof expression like sizeof(var) or sizeof(u8) etc. Turns
    out that nobody ever did something like
    *(u8 *)skb_put(skb, 2) = c;

    which would be wrong anyway since the second byte wouldn't be
    initialized.

    Suggested-by: Joe Perches
    Suggested-by: Bjørn Mork
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • It seems like a historic accident that these return unsigned char *,
    and in many places that means casts are required, more often than not.

    Make these functions return void * and remove all the casts across
    the tree, adding a (u8 *) cast only where the unsigned char pointer
    was used directly, all done with the following spatch:

    @@
    expression SKB, LEN;
    typedef u8;
    identifier fn = { skb_push, __skb_push, skb_push_rcsum };
    @@
    - *(fn(SKB, LEN))
    + *(u8 *)fn(SKB, LEN)

    @@
    expression E, SKB, LEN;
    identifier fn = { skb_push, __skb_push, skb_push_rcsum };
    type T;
    @@
    - E = ((T *)(fn(SKB, LEN)))
    + E = fn(SKB, LEN)

    @@
    expression SKB, LEN;
    identifier fn = { skb_push, __skb_push, skb_push_rcsum };
    @@
    - fn(SKB, LEN)[0]
    + *(u8 *)fn(SKB, LEN)

    Note that the last part there converts from push(...)[0] to the
    more idiomatic *(u8 *)push(...).

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • It seems like a historic accident that these return unsigned char *,
    and in many places that means casts are required, more often than not.

    Make these functions return void * and remove all the casts across
    the tree, adding a (u8 *) cast only where the unsigned char pointer
    was used directly, all done with the following spatch:

    @@
    expression SKB, LEN;
    typedef u8;
    identifier fn = {
    skb_pull,
    __skb_pull,
    skb_pull_inline,
    __pskb_pull_tail,
    __pskb_pull,
    pskb_pull
    };
    @@
    - *(fn(SKB, LEN))
    + *(u8 *)fn(SKB, LEN)

    @@
    expression E, SKB, LEN;
    identifier fn = {
    skb_pull,
    __skb_pull,
    skb_pull_inline,
    __pskb_pull_tail,
    __pskb_pull,
    pskb_pull
    };
    type T;
    @@
    - E = ((T *)(fn(SKB, LEN)))
    + E = fn(SKB, LEN)

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • It seems like a historic accident that these return unsigned char *,
    and in many places that means casts are required, more often than not.

    Make these functions (skb_put, __skb_put and pskb_put) return void *
    and remove all the casts across the tree, adding a (u8 *) cast only
    where the unsigned char pointer was used directly, all done with the
    following spatch:

    @@
    expression SKB, LEN;
    typedef u8;
    identifier fn = { skb_put, __skb_put };
    @@
    - *(fn(SKB, LEN))
    + *(u8 *)fn(SKB, LEN)

    @@
    expression E, SKB, LEN;
    identifier fn = { skb_put, __skb_put };
    type T;
    @@
    - E = ((T *)(fn(SKB, LEN)))
    + E = fn(SKB, LEN)

    which actually doesn't cover pskb_put since there are only three
    users overall.

    A handful of stragglers were converted manually, notably a macro in
    drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
    instances in net/bluetooth/hci_sock.c. In the former file, I also
    had to fix one whitespace problem spatch introduced.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • A common pattern with skb_put() is to just want to memcpy()
    some data into the new space, introduce skb_put_data() for
    this.

    An spatch similar to the one for skb_put_zero() converts many
    of the places using it:

    @@
    identifier p, p2;
    expression len, skb, data;
    type t, t2;
    @@
    (
    -p = skb_put(skb, len);
    +p = skb_put_data(skb, data, len);
    |
    -p = (t)skb_put(skb, len);
    +p = skb_put_data(skb, data, len);
    )
    (
    p2 = (t2)p;
    -memcpy(p2, data, len);
    |
    -memcpy(p, data, len);
    )

    @@
    type t, t2;
    identifier p, p2;
    expression skb, data;
    @@
    t *p;
    ...
    (
    -p = skb_put(skb, sizeof(t));
    +p = skb_put_data(skb, data, sizeof(t));
    |
    -p = (t *)skb_put(skb, sizeof(t));
    +p = skb_put_data(skb, data, sizeof(t));
    )
    (
    p2 = (t2)p;
    -memcpy(p2, data, sizeof(*p));
    |
    -memcpy(p, data, sizeof(*p));
    )

    @@
    expression skb, len, data;
    @@
    -memcpy(skb_put(skb, len), data, len);
    +skb_put_data(skb, data, len);

    (again, manually post-processed to retain some comments)

    Reviewed-by: Stephen Hemminger
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

15 Jun, 2017

1 commit


12 Jun, 2017

1 commit

  • The Broadcom BCM20702 Bluetooth controller in ThinkPad-T530 devices
    report support for the Set Event Mask Page 2 command, but actually do
    return an error when trying to use it.

    < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0
    > HCI Event: Command Complete (0x0e) plen 68
    Read Local Supported Commands (0x04|0x0002) ncmd 1
    Status: Success (0x00)
    Commands: 162 entries
    ...
    Set Event Mask Page 2 (Octet 22 - Bit 2)
    ...

    < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8
    Mask: 0x0000000000000000
    > HCI Event: Command Complete (0x0e) plen 4
    Set Event Mask Page 2 (0x03|0x0063) ncmd 1
    Status: Unknown HCI Command (0x01)

    Since these controllers do not support any feature that would require
    the event mask page 2 to be modified, it is safe to not send this
    command at all. The default value is all bits set to zero.

    T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=03 Dev#= 9 Spd=12 MxCh= 0
    D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
    P: Vendor=0a5c ProdID=21e6 Rev= 1.12
    S: Manufacturer=Broadcom Corp
    S: Product=BCM20702A0
    S: SerialNumber=F82FA8E8CFC0
    C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
    E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
    E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
    E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
    I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
    E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
    I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
    E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
    I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
    E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
    I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
    E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
    I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
    E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
    E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
    I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
    E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
    E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)

    Signed-off-by: Marcel Holtmann
    Reported-by: Sedat Dilek
    Tested-by: Sedat Dilek
    Signed-off-by: Szymon Janc

    Marcel Holtmann
     

10 Jun, 2017

1 commit


08 Jun, 2017

1 commit

  • Network devices can allocate reasources and private memory using
    netdev_ops->ndo_init(). However, the release of these resources
    can occur in one of two different places.

    Either netdev_ops->ndo_uninit() or netdev->destructor().

    The decision of which operation frees the resources depends upon
    whether it is necessary for all netdev refs to be released before it
    is safe to perform the freeing.

    netdev_ops->ndo_uninit() presumably can occur right after the
    NETDEV_UNREGISTER notifier completes and the unicast and multicast
    address lists are flushed.

    netdev->destructor(), on the other hand, does not run until the
    netdev references all go away.

    Further complicating the situation is that netdev->destructor()
    almost universally does also a free_netdev().

    This creates a problem for the logic in register_netdevice().
    Because all callers of register_netdevice() manage the freeing
    of the netdev, and invoke free_netdev(dev) if register_netdevice()
    fails.

    If netdev_ops->ndo_init() succeeds, but something else fails inside
    of register_netdevice(), it does call ndo_ops->ndo_uninit(). But
    it is not able to invoke netdev->destructor().

    This is because netdev->destructor() will do a free_netdev() and
    then the caller of register_netdevice() will do the same.

    However, this means that the resources that would normally be released
    by netdev->destructor() will not be.

    Over the years drivers have added local hacks to deal with this, by
    invoking their destructor parts by hand when register_netdevice()
    fails.

    Many drivers do not try to deal with this, and instead we have leaks.

    Let's close this hole by formalizing the distinction between what
    private things need to be freed up by netdev->destructor() and whether
    the driver needs unregister_netdevice() to perform the free_netdev().

    netdev->priv_destructor() performs all actions to free up the private
    resources that used to be freed by netdev->destructor(), except for
    free_netdev().

    netdev->needs_free_netdev is a boolean that indicates whether
    free_netdev() should be done at the end of unregister_netdevice().

    Now, register_netdevice() can sanely release all resources after
    ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit()
    and netdev->priv_destructor().

    And at the end of unregister_netdevice(), we invoke
    netdev->priv_destructor() and optionally call free_netdev().

    Signed-off-by: David S. Miller

    David S. Miller