From: Greg Kroah-Hartman Date: Mon, 3 Jul 2017 11:52:07 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.60~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2cf7273c44fab6a301263495f4cfc49d4aad12f9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: be2net-fix-status-check-in-be_cmd_pmac_add.patch coredump-ensure-proper-size-of-sparse-core-files.patch jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch mac80211-initialize-smps-field-in-ht-capabilities.patch net-mlx4_core-eliminate-warning-messages-for-srq_limit-under-sriov.patch perf-probe-fix-to-show-correct-locations-for-events-on-modules.patch ravb-fix-use-after-free-on-ifconfig-eth0-down.patch s390-ctl_reg-make-__ctl_load-a-full-memory-barrier.patch sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch swiotlb-ensure-that-page-sized-mappings-are-page-aligned.patch x86-mpx-use-compatible-types-in-comparison-to-fix-sparse-error.patch xfrm-fix-stack-access-out-of-bounds-with-config_xfrm_sub_policy.patch xfrm-null-dereference-on-allocation-failure.patch xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
---
diff --git a/queue-4.4/be2net-fix-status-check-in-be_cmd_pmac_add.patch b/queue-4.4/be2net-fix-status-check-in-be_cmd_pmac_add.patch
new file mode 100644
index 00000000000..232e0694154
--- /dev/null
+++ b/queue-4.4/be2net-fix-status-check-in-be_cmd_pmac_add.patch
@@ -0,0 +1,38 @@
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Ivan Vecera
+Date: Fri, 13 Jan 2017 22:38:27 +0100
+Subject: be2net: fix status check in be_cmd_pmac_add()
+
+From: Ivan Vecera
+
+
+[ Upstream commit fe68d8bfe59c561664aa87d827aa4b320eb08895 ]
+
+Return value from be_mcc_notify_wait() contains a base completion status
+together with an additional status. The base_status() macro need to be
+used to access base status.
+
+Fixes: e3a7ae2 be2net: Changing MAC Address of a VF was broken
+Cc: Sathya Perla
+Cc: Ajit Khaparde
+Cc: Sriharsha Basavapatna
+Cc: Somnath Kotur
+Signed-off-by: Ivan Vecera
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -1052,7 +1052,7 @@ int be_cmd_pmac_add(struct be_adapter *a
+ err:
+ spin_unlock_bh(&adapter->mcc_lock);
+
+- if (status == MCC_STATUS_UNAUTHORIZED_REQUEST)
++ if (base_status(status) == MCC_STATUS_UNAUTHORIZED_REQUEST)
+ status = -EPERM;
+
+ return status;
diff --git a/queue-4.4/coredump-ensure-proper-size-of-sparse-core-files.patch b/queue-4.4/coredump-ensure-proper-size-of-sparse-core-files.patch
new file mode 100644
index 00000000000..6e42e664d91
--- /dev/null
+++ b/queue-4.4/coredump-ensure-proper-size-of-sparse-core-files.patch
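Review bot: After the fix `status` still carries the additional-status bits whenever the base status is something other than MCC_STATUS_UNAUTHORIZED_REQUEST, so the combined value is what `return status;` hands back on the `err:` path; the hunk does not show whether callers decode it. A one-line comment above the compare would make the encoding visible where it matters: `/* status packs base and additional status; only the base is compared */`. be_cmd_pmac_add starts before the hunk.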
@@ -0,0 +1,77 @@
+From foo@baz Mon Jul 3 13:34:03 CEST 2017
+From: Dave Kleikamp
+Date: Wed, 11 Jan 2017 13:25:00 -0600
+Subject: coredump: Ensure proper size of sparse core files
+
+From: Dave Kleikamp
+
+
+[ Upstream commit 4d22c75d4c7b5c5f4bd31054f09103ee490878fd ]
+
+If the last section of a core file ends with an unmapped or zero page,
+the size of the file does not correspond with the last dump_skip() call.
+gdb complains that the file is truncated and can be confusing to users.
+
+After all of the vma sections are written, make sure that the file size
+is no smaller than the current file position.
+
+This problem can be demonstrated with gdb's bigcore testcase on the
+sparc architecture.
+
+Signed-off-by: Dave Kleikamp
+Cc: Alexander Viro
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/binfmt_elf.c | 1 +
+ fs/coredump.c | 18 ++++++++++++++++++
+ include/linux/coredump.h | 1 +
+ 3 files changed, 20 insertions(+)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -2295,6 +2295,7 @@ static int elf_core_dump(struct coredump
+ goto end_coredump;
+ }
+ }
++ dump_truncate(cprm);
+
+ if (!elf_core_write_extra_data(cprm))
+ goto end_coredump;
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -810,3 +810,21 @@ int dump_align(struct coredump_params *c
+ return mod ? dump_skip(cprm, align - mod) : 1;
+ }
+ EXPORT_SYMBOL(dump_align);
++
++/*
++ * Ensures that file size is big enough to contain the current file
++ * postion. This prevents gdb from complaining about a truncated file
++ * if the last "write" to the file was dump_skip.
++ */
++void dump_truncate(struct coredump_params *cprm)
++{
++ struct file *file = cprm->file;
++ loff_t offset;
++
++ if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
++ offset = file->f_op->llseek(file, 0, SEEK_CUR);
++ if (i_size_read(file->f_mapping->host) < offset)
++ do_truncate(file->f_path.dentry, offset, 0, file);
++ }
++}
++EXPORT_SYMBOL(dump_truncate);
+--- a/include/linux/coredump.h
++++ b/include/linux/coredump.h
+@@ -14,6 +14,7 @@ struct coredump_params;
+ extern int dump_skip(struct coredump_params *cprm, size_t nr);
+ extern int dump_emit(struct coredump_params *cprm, const void *addr, int nr);
+ extern int dump_align(struct coredump_params *cprm, int align);
++extern void dump_truncate(struct coredump_params *cprm);
+ #ifdef CONFIG_COREDUMP
+ extern void do_coredump(const siginfo_t *siginfo);
+ #else
diff --git a/queue-4.4/jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch b/queue-4.4/jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch
new file mode 100644
index 00000000000..592eec62b89
--- /dev/null
+++ b/queue-4.4/jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch
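Review bot: `dump_truncate` discards both results it depends on: a negative error value from `file->f_op->llseek` makes the `i_size_read(file->f_mapping->host) < offset` test false so the function silently does nothing, and whatever `do_truncate` returns is dropped because the function is void, so the `elf_core_dump` caller in the first hunk cannot learn that the core file is still short even though it already has a `goto end_coredump` error path. Consider checking `offset < 0` before the size compare and returning the `do_truncate` result as an int (the declaration added to coredump.h would change accordingly), or at least stating in the new header comment that the truncate is best-effort and errors are ignored. The comment also misspells "position" as "postion".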
@@ -0,0 +1,72 @@ +From 7292ae3d5a18fb922be496e6bb687647193569b4 Mon Sep 17 00:00:00 2001 +From: Gleb Fotengauer-Malinovskiy +Date: Mon, 20 Mar 2017 20:15:53 +0300 +Subject: jump label: fix passing kbuild_cflags when checking for asm goto support + +From: Gleb Fotengauer-Malinovskiy + +commit 7292ae3d5a18fb922be496e6bb687647193569b4 upstream. + +The latest change of asm goto support check added passing of KBUILD_CFLAGS +to compiler. When these flags reference gcc plugins that are not built yet, +the check fails. + +When one runs "make bzImage" followed by "make modules", the kernel is always +built with HAVE_JUMP_LABEL disabled, while the modules are built depending on +CONFIG_JUMP_LABEL. If HAVE_JUMP_LABEL macro happens to be different, modules +are built with undefined references, e.g.: + +ERROR: "static_key_slow_inc" [net/netfilter/xt_TEE.ko] undefined! +ERROR: "static_key_slow_dec" [net/netfilter/xt_TEE.ko] undefined! +ERROR: "static_key_slow_dec" [net/netfilter/nft_meta.ko] undefined! +ERROR: "static_key_slow_inc" [net/netfilter/nft_meta.ko] undefined! +ERROR: "nf_hooks_needed" [net/netfilter/ipvs/ip_vs.ko] undefined! +ERROR: "nf_hooks_needed" [net/ipv6/ipv6.ko] undefined! +ERROR: "static_key_count" [net/ipv6/ipv6.ko] undefined! +ERROR: "static_key_slow_inc" [net/ipv6/ipv6.ko] undefined! + +This change moves the check before all these references are added +to KBUILD_CFLAGS. This is correct because subsequent KBUILD_CFLAGS +modifications are not relevant to this check. + +Reported-by: Anton V. Boyarshinov +Fixes: 35f860f9ba6a ("jump label: pass kbuild_cflags when checking for asm goto support") +Signed-off-by: Gleb Fotengauer-Malinovskiy +Signed-off-by: Dmitry V. 
Levin +Acked-by: Steven Rostedt (VMware) +Acked-by: David Lin +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + Makefile | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -633,6 +633,12 @@ endif + # Tell gcc to never replace conditional load with a non-conditional one + KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) + ++# check for 'asm goto' ++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) ++ KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO ++ KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO ++endif ++ + ifdef CONFIG_READABLE_ASM + # Disable optimizations that make assembler listings hard to read. + # reorder blocks reorders the control in the function +@@ -788,12 +794,6 @@ KBUILD_CFLAGS += $(call cc-option,-Wer + # use the deterministic mode of AR if available + KBUILD_ARFLAGS := $(call ar-option,D) + +-# check for 'asm goto' +-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) +- KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO +- KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO +-endif +- + include scripts/Makefile.kasan + include scripts/Makefile.extrawarn + diff --git a/queue-4.4/mac80211-initialize-smps-field-in-ht-capabilities.patch b/queue-4.4/mac80211-initialize-smps-field-in-ht-capabilities.patch new file mode 100644 index 00000000000..a0f035177fe --- /dev/null +++ b/queue-4.4/mac80211-initialize-smps-field-in-ht-capabilities.patch 
@@ -0,0 +1,55 @@
+From foo@baz Mon Jul 3 13:34:03 CEST 2017
+From: Felix Fietkau
+Date: Fri, 13 Jan 2017 11:28:25 +0100
+Subject: mac80211: initialize SMPS field in HT capabilities
+
+From: Felix Fietkau
+
+
+[ Upstream commit 43071d8fb3b7f589d72663c496a6880fb097533c ]
+
+ibss and mesh modes copy the ht capabilites from the band without
+overriding the SMPS state. Unfortunately the default value 0 for the
+SMPS field means static SMPS instead of disabled.
+
+This results in HT ibss and mesh setups using only single-stream rates,
+even though SMPS is not supposed to be active.
+
+Initialize SMPS to disabled for all bands on ieee80211_hw_register to
+ensure that the value is sane where it is not overriden with the real
+SMPS state.
+
+Reported-by: Elektra Wagenrad
+Signed-off-by: Felix Fietkau
+[move VHT TODO comment to a better place]
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/main.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -891,12 +891,17 @@ int ieee80211_register_hw(struct ieee802
+ supp_ht = supp_ht || sband->ht_cap.ht_supported;
+ supp_vht = supp_vht || sband->vht_cap.vht_supported;
+
+- if (sband->ht_cap.ht_supported)
+- local->rx_chains =
+- max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs),
+- local->rx_chains);
++ if (!sband->ht_cap.ht_supported)
++ continue;
+
+ /* TODO: consider VHT for RX chains, hopefully it's the same */
++ local->rx_chains =
++ max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs),
++ local->rx_chains);
++
++ /* no need to mask, SM_PS_DISABLED has all bits set */
++ sband->ht_cap.cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
++ IEEE80211_HT_CAP_SM_PS_SHIFT;
+ }
+
+ /* if low-level driver supports AP, we also support VLAN */
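Review bot: The `|=` on the new `sband->ht_cap.cap` line forces the SM PS field to disabled no matter what the driver left there; because WLAN_HT_CAP_SM_PS_DISABLED has all bits of the field set (as the comment notes), any other SMPS value a driver had put in `cap` is overwritten rather than merged. The comment should say so, e.g. `/* no need to mask, SM_PS_DISABLED has all bits set; this overrides any SMPS value the driver set in cap */`. The commit message says the real SMPS state is applied elsewhere, which cannot be confirmed from this hunk. ieee80211_register_hw continues outside the hunk.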
diff --git a/queue-4.4/net-mlx4_core-eliminate-warning-messages-for-srq_limit-under-sriov.patch b/queue-4.4/net-mlx4_core-eliminate-warning-messages-for-srq_limit-under-sriov.patch
new file mode 100644
index 00000000000..e7a702a1f1a
--- /dev/null
+++ b/queue-4.4/net-mlx4_core-eliminate-warning-messages-for-srq_limit-under-sriov.patch
@@ -0,0 +1,69 @@ +From foo@baz Mon Jul 3 13:41:44 CEST 2017 +From: Jack Morgenstein +Date: Mon, 16 Jan 2017 18:31:39 +0200 +Subject: net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV + +From: Jack Morgenstein + + +[ Upstream commit 9577b174cd0323d287c994ef0891db71666d0765 ] + +When running SRIOV, warnings for SRQ LIMIT events flood the Hypervisor's +message log when (correct, normally operating) apps use SRQ LIMIT events +as a trigger to post WQEs to SRQs. + +Add more information to the existing debug printout for SRQ_LIMIT, and +output the warning messages only for the SRQ CATAS ERROR event. + +Fixes: acba2420f9d2 ("mlx4_core: Add wrapper functions and comm channel and slave event support to EQs") +Fixes: e0debf9cb50d ("mlx4_core: Reduce warning message for SRQ_LIMIT event to debug level") +Signed-off-by: Jack Morgenstein +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/eq.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -542,8 +542,9 @@ static int mlx4_eq_int(struct mlx4_dev * + break; + + case MLX4_EVENT_TYPE_SRQ_LIMIT: +- mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT\n", +- __func__); ++ mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT. 
srq_no=0x%x, eq 0x%x\n", ++ __func__, be32_to_cpu(eqe->event.srq.srqn), ++ eq->eqn); + case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR: + if (mlx4_is_master(dev)) { + /* forward only to slave owning the SRQ */ +@@ -558,15 +559,19 @@ static int mlx4_eq_int(struct mlx4_dev * + eq->eqn, eq->cons_index, ret); + break; + } +- mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n", +- __func__, slave, +- be32_to_cpu(eqe->event.srq.srqn), +- eqe->type, eqe->subtype); ++ if (eqe->type == ++ MLX4_EVENT_TYPE_SRQ_CATAS_ERROR) ++ mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n", ++ __func__, slave, ++ be32_to_cpu(eqe->event.srq.srqn), ++ eqe->type, eqe->subtype); + + if (!ret && slave != dev->caps.function) { +- mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n", +- __func__, eqe->type, +- eqe->subtype, slave); ++ if (eqe->type == ++ MLX4_EVENT_TYPE_SRQ_CATAS_ERROR) ++ mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n", ++ __func__, eqe->type, ++ eqe->subtype, slave); + mlx4_slave_event(dev, slave, eqe); + break; + } diff --git a/queue-4.4/perf-probe-fix-to-show-correct-locations-for-events-on-modules.patch b/queue-4.4/perf-probe-fix-to-show-correct-locations-for-events-on-modules.patch new file mode 100644 index 00000000000..3ab01c11e78 --- /dev/null +++ b/queue-4.4/perf-probe-fix-to-show-correct-locations-for-events-on-modules.patch 
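Review bot: The SRQ_LIMIT case still falls through into `case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR:` (there is no `break` after the `mlx4_dbg` call), and now that the call spans three lines the fall-through is easy to misread as an accident; add `/* fall through */` after the `eq->eqn);` line so readers and -Wimplicit-fallthrough see it is intended. In the second hunk the test `eqe->type == MLX4_EVENT_TYPE_SRQ_CATAS_ERROR` is written out twice in front of the two `mlx4_warn` calls; computing it once into a local such as `bool catas = eqe->type == MLX4_EVENT_TYPE_SRQ_CATAS_ERROR;` keeps the two conditions from drifting apart. mlx4_eq_int begins and ends outside the hunks.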
@@ -0,0 +1,136 @@ +From foo@baz Mon Jul 3 13:41:44 CEST 2017 +From: Masami Hiramatsu +Date: Wed, 11 Jan 2017 14:59:38 +0900 +Subject: perf probe: Fix to show correct locations for events on modules + +From: Masami Hiramatsu + + +[ Upstream commit d2d4edbebe07ddb77980656abe7b9bc7a9e0cdf7 ] + +Fix to show correct locations for events on modules by relocating given +address instead of retrying after failure. + +This happens when the module text size is big enough, bigger than +sh_addr, because the original code retries with given address + sh_addr +if it failed to find CU DIE at the given address. + +Any address smaller than sh_addr always fails and it retries with the +correct address, but addresses bigger than sh_addr will get a CU DIE +which is on the given address (not adjusted by sh_addr). + +In my environment(x86-64), the sh_addr of ".text" section is 0x10030. +Since i915 is a huge kernel module, we can see this issue as below. + + $ grep "[Tt] .*\[i915\]" /proc/kallsyms | sort | head -n1 + ffffffffc0270000 t i915_switcheroo_can_switch [i915] + +ffffffffc0270000 + 0x10030 = ffffffffc0280030, so we'll check +symbols cross this boundary. + + $ grep "[Tt] .*\[i915\]" /proc/kallsyms | grep -B1 ^ffffffffc028\ + | head -n 2 + ffffffffc027ff80 t haswell_init_clock_gating [i915] + ffffffffc0280110 t valleyview_init_clock_gating [i915] + +So setup probes on both function and see what happen. 
+ + $ sudo ./perf probe -m i915 -a haswell_init_clock_gating \ + -a valleyview_init_clock_gating + Added new events: + probe:haswell_init_clock_gating (on haswell_init_clock_gating in i915) + probe:valleyview_init_clock_gating (on valleyview_init_clock_gating in i915) + + You can now use it in all perf tools, such as: + + perf record -e probe:valleyview_init_clock_gating -aR sleep 1 + + $ sudo ./perf probe -l + probe:haswell_init_clock_gating (on haswell_init_clock_gating@gpu/drm/i915/intel_pm.c in i915) + probe:valleyview_init_clock_gating (on i915_vga_set_decode:4@gpu/drm/i915/i915_drv.c in i915) + +As you can see, haswell_init_clock_gating is correctly shown, +but valleyview_init_clock_gating is not. + +With this patch, both events are shown correctly. + + $ sudo ./perf probe -l + probe:haswell_init_clock_gating (on haswell_init_clock_gating@gpu/drm/i915/intel_pm.c in i915) + probe:valleyview_init_clock_gating (on valleyview_init_clock_gating@gpu/drm/i915/intel_pm.c in i915) + +Committer notes: + +In my case: + + # perf probe -m i915 -a haswell_init_clock_gating -a valleyview_init_clock_gating + Added new events: + probe:haswell_init_clock_gating (on haswell_init_clock_gating in i915) + probe:valleyview_init_clock_gating (on valleyview_init_clock_gating in i915) + + You can now use it in all perf tools, such as: + + perf record -e probe:valleyview_init_clock_gating -aR sleep 1 + + # perf probe -l + probe:haswell_init_clock_gating (on i915_getparam+432@gpu/drm/i915/i915_drv.c in i915) + probe:valleyview_init_clock_gating (on __i915_printk+240@gpu/drm/i915/i915_drv.c in i915) + # + + # readelf -SW /lib/modules/4.9.0+/build/vmlinux | egrep -w '.text|Name' + [Nr] Name Type Address Off Size ES Flg Lk Inf Al + [ 1] .text PROGBITS ffffffff81000000 200000 822fd3 00 AX 0 0 4096 + # + + So both are b0rked, now with the fix: + + # perf probe -m i915 -a haswell_init_clock_gating -a valleyview_init_clock_gating + Added new events: + probe:haswell_init_clock_gating (on 
haswell_init_clock_gating in i915) + probe:valleyview_init_clock_gating (on valleyview_init_clock_gating in i915) + + You can now use it in all perf tools, such as: + + perf record -e probe:valleyview_init_clock_gating -aR sleep 1 + + # perf probe -l + probe:haswell_init_clock_gating (on haswell_init_clock_gating@gpu/drm/i915/intel_pm.c in i915) + probe:valleyview_init_clock_gating (on valleyview_init_clock_gating@gpu/drm/i915/intel_pm.c in i915) + # + +Both looks correct. + +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/148411436777.9978.1440275861947194930.stgit@devbox +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/probe-finder.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1460,16 +1460,12 @@ int debuginfo__find_probe_point(struct d + Dwarf_Addr _addr = 0, baseaddr = 0; + const char *fname = NULL, *func = NULL, *basefunc = NULL, *tmp; + int baseline = 0, lineno = 0, ret = 0; +- bool reloc = false; + +-retry: ++ /* We always need to relocate the address for aranges */ ++ if (debuginfo__get_text_offset(dbg, &baseaddr) == 0) ++ addr += baseaddr; + /* Find cu die */ + if (!dwarf_addrdie(dbg->dbg, (Dwarf_Addr)addr, &cudie)) { +- if (!reloc && debuginfo__get_text_offset(dbg, &baseaddr) == 0) { +- addr += baseaddr; +- reloc = true; +- goto retry; +- } + pr_warning("Failed to find debug information for address %lx\n", + addr); + ret = -EINVAL; diff --git a/queue-4.4/ravb-fix-use-after-free-on-ifconfig-eth0-down.patch b/queue-4.4/ravb-fix-use-after-free-on-ifconfig-eth0-down.patch new file mode 100644 index 00000000000..703ca59d559 --- /dev/null +++ b/queue-4.4/ravb-fix-use-after-free-on-ifconfig-eth0-down.patch 
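Review bot: `addr` is now relocated by `addr += baseaddr;` before the `dwarf_addrdie` call, so the `pr_warning("Failed to find debug information for address %lx\n", addr)` on the failure path prints the adjusted address rather than the one the caller passed, and when `debuginfo__get_text_offset` fails the lookup silently proceeds with the unrelocated value. Saving the incoming value in a local before the adjustment and printing that, or wording the warning to say the address is relocated, would keep the diagnostic truthful. debuginfo__find_probe_point starts before the hunk and continues after it.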
@@ -0,0 +1,131 @@ +From foo@baz Mon Jul 3 13:41:44 CEST 2017 +From: Eugeniu Rosca +Date: Tue, 6 Jun 2017 00:08:10 +0200 +Subject: ravb: Fix use-after-free on `ifconfig eth0 down` + +From: Eugeniu Rosca + + +[ Upstream commit 79514ef670e9e575a1fe36922268c439d0f0ca8a ] + +Commit a47b70ea86bd ("ravb: unmap descriptors when freeing rings") has +introduced the issue seen in [1] reproduced on H3ULCB board. + +Fix this by relocating the RX skb ringbuffer free operation, so that +swiotlb page unmapping can be done first. Freeing of aligned TX buffers +is not relevant to the issue seen in [1]. Still, reposition TX free +calls as well, to have all kfree() operations performed consistently +_after_ dma_unmap_*()/dma_free_*(). + +[1] Console screenshot with the problem reproduced: + +salvator-x login: root +root@salvator-x:~# ifconfig eth0 up +Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \ + attached PHY driver [Micrel KSZ9031 Gigabit PHY] \ + (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235) +IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready +root@salvator-x:~# +root@salvator-x:~# ifconfig eth0 down + +================================================================== +BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c +Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649 + +CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32 +Hardware name: Renesas H3ULCB board based on r8a7795 (DT) +Call trace: +[] dump_backtrace+0x0/0x3a4 +[] show_stack+0x14/0x1c +[] dump_stack+0xf8/0x150 +[] print_address_description+0x7c/0x330 +[] kasan_report+0x2e0/0x2f4 +[] check_memory_region+0x20/0x14c +[] memcpy+0x48/0x68 +[] swiotlb_tbl_unmap_single+0xc4/0x35c +[] unmap_single+0x90/0xa4 +[] swiotlb_unmap_page+0xc/0x14 +[] __swiotlb_unmap_page+0xcc/0xe4 +[] ravb_ring_free+0x514/0x870 +[] ravb_close+0x288/0x36c +[] __dev_close_many+0x14c/0x174 +[] __dev_close+0xc8/0x144 +[] __dev_change_flags+0xd8/0x194 +[] 
dev_change_flags+0x60/0xb0 +[] devinet_ioctl+0x484/0x9d4 +[] inet_ioctl+0x190/0x194 +[] sock_do_ioctl+0x78/0xa8 +[] sock_ioctl+0x110/0x3c4 +[] vfs_ioctl+0x90/0xa0 +[] do_vfs_ioctl+0x148/0xc38 +[] SyS_ioctl+0x44/0x74 +[] el0_svc_naked+0x24/0x28 + +The buggy address belongs to the page: +page:ffff7e001b6213c0 count:0 mapcount:0 mapping: (null) index:0x0 +flags: 0x4000000000000000() +raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff +raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +>ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +================================================================== +Disabling lock debugging due to kernel taint +root@salvator-x:~# + +Fixes: a47b70ea86bd ("ravb: unmap descriptors when freeing rings") +Signed-off-by: Eugeniu Rosca +Acked-by: Sergei Shtylyov +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -221,18 +221,6 @@ static void ravb_ring_free(struct net_de + int ring_size; + int i; + +- /* Free RX skb ringbuffer */ +- if (priv->rx_skb[q]) { +- for (i = 0; i < priv->num_rx_ring[q]; i++) +- dev_kfree_skb(priv->rx_skb[q][i]); +- } +- kfree(priv->rx_skb[q]); +- priv->rx_skb[q] = NULL; +- +- /* Free aligned TX buffers */ +- kfree(priv->tx_align[q]); +- priv->tx_align[q] = NULL; +- + if (priv->rx_ring[q]) { + for (i = 0; i < priv->num_rx_ring[q]; i++) { + struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i]; +@@ -261,6 +249,18 @@ static void ravb_ring_free(struct net_de + priv->tx_ring[q] = NULL; + } + ++ /* Free RX skb ringbuffer */ ++ if (priv->rx_skb[q]) { ++ for (i = 0; i < priv->num_rx_ring[q]; i++) ++ dev_kfree_skb(priv->rx_skb[q][i]); ++ } ++ kfree(priv->rx_skb[q]); ++ priv->rx_skb[q] = NULL; ++ ++ /* Free aligned TX buffers */ ++ kfree(priv->tx_align[q]); ++ priv->tx_align[q] = NULL; ++ + /* Free TX skb ringbuffer. + * SKBs are freed by ravb_tx_free() call above. + */ diff --git a/queue-4.4/s390-ctl_reg-make-__ctl_load-a-full-memory-barrier.patch b/queue-4.4/s390-ctl_reg-make-__ctl_load-a-full-memory-barrier.patch new file mode 100644 index 00000000000..eb0bad5d613 --- /dev/null +++ b/queue-4.4/s390-ctl_reg-make-__ctl_load-a-full-memory-barrier.patch 
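Review bot: The ordering the fix depends on is not recorded in the code: the moved `dev_kfree_skb` loop and `kfree(priv->tx_align[q])` must stay after the descriptor unmap loops because, per the KASAN trace in the message, `swiotlb_tbl_unmap_single` writes back into the skb data; with the comments unchanged, a later cleanup can move them back and reintroduce the use-after-free. Suggest extending the moved comment to `/* Free RX skb ringbuffer. Must follow the descriptor unmap loop above, which may still copy (swiotlb bounce) into the skb data. */` and a similar note on the tx_align block. ravb_ring_free starts before the first hunk and ends after the second.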
@@ -0,0 +1,43 @@
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Heiko Carstens
+Date: Wed, 28 Dec 2016 11:33:48 +0100
+Subject: s390/ctl_reg: make __ctl_load a full memory barrier
+
+From: Heiko Carstens
+
+
+[ Upstream commit e991c24d68b8c0ba297eeb7af80b1e398e98c33f ]
+
+We have quite a lot of code that depends on the order of the
+__ctl_load inline assemby and subsequent memory accesses, like
+e.g. disabling lowcore protection and the writing to lowcore.
+
+Since the __ctl_load macro does not have memory barrier semantics, nor
+any other dependencies the compiler is, theoretically, free to shuffle
+code around. Or in other words: storing to lowcore could happen before
+lowcore protection is disabled.
+
+In order to avoid this class of potential bugs simply add a full
+memory barrier to the __ctl_load macro.
+
+Signed-off-by: Heiko Carstens
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/ctl_reg.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/ctl_reg.h
++++ b/arch/s390/include/asm/ctl_reg.h
+@@ -15,7 +15,9 @@
+ BUILD_BUG_ON(sizeof(addrtype) != (high - low + 1) * sizeof(long));\
+ asm volatile( \
+ " lctlg %1,%2,%0\n" \
+- : : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high));\
++ : \
++ : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high) \
++ : "memory"); \
+ }
+
+ #define __ctl_store(array, low, high) { \
diff --git a/queue-4.4/sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch b/queue-4.4/sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch
new file mode 100644
index 00000000000..d5dec406748
--- /dev/null
+++ b/queue-4.4/sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch
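Review bot: The added `"memory"` clobber is the entire point of the change, yet nothing in the header says why it is there, so a later tidy-up could drop it as "unused"; a one-line comment above the `asm volatile(` in `__ctl_load`, e.g. `/* "memory" clobber: callers rely on later stores (e.g. to lowcore) not being reordered before the control register load */`, records the contract. The neighbouring `__ctl_store` macro begins on the hunk's last line and its body is outside the hunk, so whether it needs the same treatment cannot be judged here.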
@@ -0,0 +1,41 @@
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Xin Long
+Date: Tue, 7 Feb 2017 20:56:08 +0800
+Subject: sctp: check af before verify address in sctp_addr_id2transport
+
+From: Xin Long
+
+
+[ Upstream commit 912964eacb111551db73429719eb5fadcab0ff8a ]
+
+Commit 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the
+addr before looking up assoc") invoked sctp_verify_addr to verify the
+addr.
+
+But it didn't check af variable beforehand, once users pass an address
+with family = 0 through sockopt, sctp_get_af_specific will return NULL
+and NULL pointer dereference will be caused by af->sockaddr_len.
+
+This patch is to fix it by returning NULL if af variable is NULL.
+
+Fixes: 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the addr before looking up assoc")
+Signed-off-by: Xin Long
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -239,7 +239,7 @@ static struct sctp_transport *sctp_addr_
+ union sctp_addr *laddr = (union sctp_addr *)addr;
+ struct sctp_transport *transport;
+
+- if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
++ if (!af || sctp_verify_addr(sk, laddr, af->sockaddr_len))
+ return NULL;
+
+ addr_asoc = sctp_endpoint_lookup_assoc(sctp_sk(sk)->ep,
diff --git a/queue-4.4/series b/queue-4.4/series
index e0449520354..7549dbe7729 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
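Review bot: The `!af` guard removes the NULL dereference, but the reason `af` can be NULL lives only in the commit message: it is the result of looking up the address family the sockopt caller supplied, which happens before the hunk. A comment on the changed line, `/* af is NULL when userspace supplied an unsupported sa_family */`, records that this is a trust-boundary check rather than a defensive afterthought. `laddr` is cast from `addr` on the first context line before the family is validated, which is fine as long as nothing uses it before the guard, which the hunk does not show. sctp_addr_id2transport starts before the hunk and continues after it.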
@@ -70,3 +70,17 @@ hid-i2c-hid-add-sleep-between-power-on-and-reset.patch
 scsi-lpfc-avoid-double-free-of-resource-identifiers.patch
 spi-davinci-use-dma_mapping_error.patch
 arm64-assembler-make-adr_l-work-in-modules-under-kaslr.patch
+mac80211-initialize-smps-field-in-ht-capabilities.patch
+x86-mpx-use-compatible-types-in-comparison-to-fix-sparse-error.patch
+coredump-ensure-proper-size-of-sparse-core-files.patch
+swiotlb-ensure-that-page-sized-mappings-are-page-aligned.patch
+s390-ctl_reg-make-__ctl_load-a-full-memory-barrier.patch
+be2net-fix-status-check-in-be_cmd_pmac_add.patch
+perf-probe-fix-to-show-correct-locations-for-events-on-modules.patch
+net-mlx4_core-eliminate-warning-messages-for-srq_limit-under-sriov.patch
+sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch
+ravb-fix-use-after-free-on-ifconfig-eth0-down.patch
+jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch
+xfrm-fix-stack-access-out-of-bounds-with-config_xfrm_sub_policy.patch
+xfrm-null-dereference-on-allocation-failure.patch
+xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
diff --git a/queue-4.4/swiotlb-ensure-that-page-sized-mappings-are-page-aligned.patch b/queue-4.4/swiotlb-ensure-that-page-sized-mappings-are-page-aligned.patch
new file mode 100644
index 00000000000..0584f652d74
--- /dev/null
+++ b/queue-4.4/swiotlb-ensure-that-page-sized-mappings-are-page-aligned.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Nikita Yushchenko
+Date: Wed, 11 Jan 2017 21:56:31 +0300
+Subject: swiotlb: ensure that page-sized mappings are page-aligned
+
+From: Nikita Yushchenko
+
+
+[ Upstream commit 602d9858f07c72eab64f5f00e2fae55f9902cfbe ]
+
+Some drivers do depend on page mappings to be page aligned.
+
+Swiotlb already enforces such alignment for mappings greater than page,
+extend that to page-sized mappings as well.
+
+Without this fix, nvme hits BUG() in nvme_setup_prps(), because that routine
+assumes page-aligned mappings.
+
+Signed-off-by: Nikita Yushchenko
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/swiotlb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/swiotlb.c
++++ b/lib/swiotlb.c
+@@ -452,11 +452,11 @@ phys_addr_t swiotlb_tbl_map_single(struc
+ : 1UL << (BITS_PER_LONG - IO_TLB_SHIFT);
+
+ /*
+- * For mappings greater than a page, we limit the stride (and
+- * hence alignment) to a page size.
++ * For mappings greater than or equal to a page, we limit the stride
++ * (and hence alignment) to a page size.
+ */
+ nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT;
+- if (size > PAGE_SIZE)
++ if (size >= PAGE_SIZE)
+ stride = (1 << (PAGE_SHIFT - IO_TLB_SHIFT));
+ else
+ stride = 1;
diff --git a/queue-4.4/x86-mpx-use-compatible-types-in-comparison-to-fix-sparse-error.patch b/queue-4.4/x86-mpx-use-compatible-types-in-comparison-to-fix-sparse-error.patch
new file mode 100644
index 00000000000..84e2bf28853
--- /dev/null
+++ b/queue-4.4/x86-mpx-use-compatible-types-in-comparison-to-fix-sparse-error.patch
@@ -0,0 +1,41 @@
+From foo@baz Mon Jul 3 13:34:03 CEST 2017
+From: Tobias Klauser
+Date: Thu, 12 Jan 2017 16:53:11 +0100
+Subject: x86/mpx: Use compatible types in comparison to fix sparse error
+
+From: Tobias Klauser
+
+
+[ Upstream commit 453828625731d0ba7218242ef6ec88f59408f368 ]
+
+info->si_addr is of type void __user *, so it should be compared against
+something from the same address space.
+
+This fixes the following sparse error:
+
+ arch/x86/mm/mpx.c:296:27: error: incompatible types in comparison expression (different address spaces)
+
+Signed-off-by: Tobias Klauser
+Cc: Dave Hansen
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/mpx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -293,7 +293,7 @@ siginfo_t *mpx_generate_siginfo(struct p
+ * We were not able to extract an address from the instruction,
+ * probably because there was something invalid in it.
+ */
+- if (info->si_addr == (void *)-1) {
++ if (info->si_addr == (void __user *)-1) {
+ err = -EINVAL;
+ goto err_out;
+ }
diff --git a/queue-4.4/xfrm-fix-stack-access-out-of-bounds-with-config_xfrm_sub_policy.patch b/queue-4.4/xfrm-fix-stack-access-out-of-bounds-with-config_xfrm_sub_policy.patch
new file mode 100644
index 00000000000..56dd5d90a93
--- /dev/null
+++ b/queue-4.4/xfrm-fix-stack-access-out-of-bounds-with-config_xfrm_sub_policy.patch
@@ -0,0 +1,121 @@
+From 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca
+Date: Wed, 3 May 2017 16:43:19 +0200
+Subject: xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
+
+From: Sabrina Dubroca
+
+commit 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 upstream.
+
+When CONFIG_XFRM_SUB_POLICY=y, xfrm_dst stores a copy of the flowi for
+that dst. Unfortunately, the code that allocates and fills this copy
+doesn't care about what type of flowi (flowi, flowi4, flowi6) gets
+passed. In multiple code paths (from raw_sendmsg, from TCP when
+replying to a FIN, in vxlan, geneve, and gre), the flowi that gets
+passed to xfrm is actually an on-stack flowi4, so we end up reading
+stuff from the stack past the end of the flowi4 struct.
+
+Since xfrm_dst->origin isn't used anywhere following commit
+ca116922afa8 ("xfrm: Eliminate "fl" and "pol" args to
+xfrm_bundle_ok()."), just get rid of it. xfrm_dst->partner isn't used
+either, so get rid of that too.
+
+Fixes: 9d6ec938019c ("ipv4: Use flowi4 in public route lookup interfaces.")
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/xfrm.h | 10 ----------
+ net/xfrm/xfrm_policy.c | 47 -----------------------------------------------
+ 2 files changed, 57 deletions(-)
+
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -948,10 +948,6 @@ struct xfrm_dst {
+ struct flow_cache_object flo;
+ struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
+ int num_pols, num_xfrms;
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- struct flowi *origin;
+- struct xfrm_selector *partner;
+-#endif
+ u32 xfrm_genid;
+ u32 policy_genid;
+ u32 route_mtu_cached;
+@@ -967,12 +963,6 @@ static inline void xfrm_dst_destroy(stru
+ dst_release(xdst->route);
+ if (likely(xdst->u.dst.xfrm))
+ xfrm_state_put(xdst->u.dst.xfrm);
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- kfree(xdst->origin);
+- xdst->origin = NULL;
+- kfree(xdst->partner);
+- xdst->partner = NULL;
+-#endif
+ }
+ #endif
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1776,43 +1776,6 @@ free_dst:
+ goto out;
+ }
+
+-#ifdef CONFIG_XFRM_SUB_POLICY
+-static int xfrm_dst_alloc_copy(void **target, const void *src, int size)
+-{
+- if (!*target) {
+- *target = kmalloc(size, GFP_ATOMIC);
+- if (!*target)
+- return -ENOMEM;
+- }
+-
+- memcpy(*target, src, size);
+- return 0;
+-}
+-#endif
+-
+-static int xfrm_dst_update_parent(struct dst_entry *dst,
+- const struct xfrm_selector *sel)
+-{
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+- return xfrm_dst_alloc_copy((void **)&(xdst->partner),
+- sel, sizeof(*sel));
+-#else
+- return 0;
+-#endif
+-}
+-
+-static int xfrm_dst_update_origin(struct dst_entry *dst,
+- const struct flowi *fl)
+-{
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+- return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
+-#else
+- return 0;
+-#endif
+-}
+-
+ static int
xfrm_expand_policies(const struct flowi *fl, u16 family,
+ struct xfrm_policy **pols,
+ int *num_pols, int *num_xfrms)
+@@ -1884,16 +1847,6 @@ xfrm_resolve_and_create_bundle(struct xf
+
+ xdst = (struct xfrm_dst *)dst;
+ xdst->num_xfrms = err;
+- if (num_pols > 1)
+- err = xfrm_dst_update_parent(dst, &pols[1]->selector);
+- else
+- err = xfrm_dst_update_origin(dst, fl);
+- if (unlikely(err)) {
+- dst_free(dst);
+- XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
+- return ERR_PTR(err);
+- }
+-
+ xdst->num_pols = num_pols;
+ memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
+ xdst->policy_genid = atomic_read(&pols[0]->genid);
diff --git a/queue-4.4/xfrm-null-dereference-on-allocation-failure.patch b/queue-4.4/xfrm-null-dereference-on-allocation-failure.patch
new file mode 100644
index 00000000000..2a9fbda4b05
--- /dev/null
+++ b/queue-4.4/xfrm-null-dereference-on-allocation-failure.patch
@@ -0,0 +1,34 @@
+From e747f64336fc15e1c823344942923195b800aa1e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 14 Jun 2017 13:35:37 +0300
+Subject: xfrm: NULL dereference on allocation failure
+
+From: Dan Carpenter
+
+commit e747f64336fc15e1c823344942923195b800aa1e upstream.
+
+The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We
+added a new call to security_xfrm_state_alloc() which sets "err" to zero
+so there several places where we can return ERR_PTR(0) if kmalloc()
+fails. The caller is expecting error pointers so it leads to a NULL
+dereference.
+
+Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/key/af_key.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfr
+ goto out;
+ }
+
++ err = -ENOBUFS;
+ key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
+ if (sa->sadb_sa_auth) {
+ int keysize = 0;
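Review bot: The added `err = -ENOBUFS;` in the xfrm-null-dereference hunk carries no explanation of why err needs re-arming at this point; the reason (an earlier security_xfrm_state_alloc() call leaves err at zero) lives only in the commit message, so a reader of the backport will see an unmotivated assignment that the next cleanup is likely to drop again. A one-line comment, `/* security_xfrm_state_alloc() above left err == 0; restore the fallback */`, would tie the line to the hazard it guards. Note that the following xfrm-oops patch in this series sets -ENOMEM explicitly at each kmalloc() failure in the same function, so this -ENOBUFS is the fallback for the remaining goto out paths rather than the primary fix. pfkey_msg2xfrm_state() and its out: label are outside the hunk.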
diff --git a/queue-4.4/xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch b/queue-4.4/xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
new file mode 100644
index 00000000000..aa10f5af18b
--- /dev/null
+++ b/queue-4.4/xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
@@ -0,0 +1,71 @@
+From 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 14 Jun 2017 13:34:05 +0300
+Subject: xfrm: Oops on error in pfkey_msg2xfrm_state()
+
+From: Dan Carpenter
+
+commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 upstream.
+
+There are some missing error codes here so we accidentally return NULL
+instead of an error pointer. It results in a NULL pointer dereference.
+
+Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/key/af_key.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1147,8 +1147,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ if (key)
+ keysize = (key->sadb_key_bits + 7) / 8;
+ x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL);
+- if (!x->aalg)
++ if (!x->aalg) {
++ err = -ENOMEM;
+ goto out;
++ }
+ strcpy(x->aalg->alg_name, a->name);
+ x->aalg->alg_key_len = 0;
+ if (key) {
+@@ -1167,8 +1169,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ goto out;
+ }
+ x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL);
+- if (!x->calg)
++ if (!x->calg) {
++ err = -ENOMEM;
+ goto out;
++ }
+ strcpy(x->calg->alg_name, a->name);
+ x->props.calgo = sa->sadb_sa_encrypt;
+ } else {
+@@ -1182,8 +1186,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ if (key)
+ keysize = (key->sadb_key_bits + 7) / 8;
+ x->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL);
+- if (!x->ealg)
++ if (!x->ealg) {
++ err = -ENOMEM;
+ goto out;
++ }
+ strcpy(x->ealg->alg_name, a->name);
+ x->ealg->alg_key_len = 0;
+ if (key) {
+@@ -1228,8 +1234,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ struct xfrm_encap_tmpl *natt;
+
+ x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL);
+- if (!x->encap)
++ if (!x->encap) {
++ err = -ENOMEM;
+ goto out;
++ }
+
+ natt = x->encap;
+ n_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1];
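Review bot: The same three-line failure branch `{ err = -ENOMEM; goto out; }` is now repeated verbatim at the aalg, calg, ealg and encap allocations across the four hunks of this patch, and the bug being fixed is exactly the case of one such site forgetting to set err. A single label placed before the existing cleanup, `nomem: err = -ENOMEM;` falling through into `out:`, would let every allocation stay a one-liner such as `if (!x->ealg) goto nomem;` and make a future omission impossible rather than merely unlikely. The `out:` cleanup and the rest of pfkey_msg2xfrm_state() lie outside the hunks, so the fall-through placement and any err-dependent logic at `out:` would need to be checked there before restructuring. Since these messages arrive from user space over a PF_KEY socket, every allocation-failure path in this function returning a genuine error pointer is what keeps a memory-pressure condition from becoming a user-triggerable NULL dereference, which is worth stating in a comment at the cleanup label.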