1. 18 Sep, 2018 1 commit
    • Dominique Martinet's avatar
      kcm: remove any offset before parsing messages · 072222b4
      Dominique Martinet authored
      The current code assumes kcm users know they need to look for the
      strparser offset within their bpf program, which is not documented
      anywhere and examples laying around do not do.
      
      The actual recv function does handle the offset well, so we can create a
      temporary clone of the skb and pull that one up as required for parsing.
      
      The pull itself has a cost if we are pulling beyond the head data,
      measured to 2-3% latency in a noisy VM with a local client stressing
      that path. The clone's impact seemed too small to measure.
      
      This bug can be exhibited easily by implementing a "trivial" kcm parser
      taking the first bytes as size, and on the client sending at least two
      such packets in a single write().
      
      Note that bpf sockmap has the same problem, both for parse and for recv,
      so it would pulling twice or a real pull within the strparser logic if
      anyone cares about that.
      Signed-off-by: default avatarDominique Martinet <asmadeus@codewreck.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      072222b4
  2. 17 Sep, 2018 15 commits
    • zhong jiang's avatar
      net: ethernet: Fix a unused function warning. · c7348091
      zhong jiang authored
      Fix the following compile warning:
      
      drivers/net/ethernet/microchip/lan743x_main.c:2964:12: warning: ‘lan743x_pm_suspend’ defined but not used [-Wunused-function]
       static int lan743x_pm_suspend(struct device *dev)
      drivers/net/ethernet/microchip/lan743x_main.c:2987:12: warning: ‘lan743x_pm_resume’ defined but not used [-Wunused-function]
       static int lan743x_pm_resume(struct device *dev)
      Signed-off-by: default avatarzhong jiang <zhongjiang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7348091
    • Andrew Lunn's avatar
      net: dsa: mv88e6xxx: Fix ATU Miss Violation · ddca24df
      Andrew Lunn authored
      Fix a cut/paste error and a typo which results in ATU miss violations
      not being reported.
      
      Fixes: 0977644c ("net: dsa: mv88e6xxx: Decode ATU problem interrupt")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ddca24df
    • Daniel Borkmann's avatar
      tls: fix currently broken MSG_PEEK behavior · 50c6b58a
      Daniel Borkmann authored
      In kTLS MSG_PEEK behavior is currently failing, strace example:
      
        [pid  2430] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
        [pid  2430] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
        [pid  2430] bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2430] listen(4, 10)               = 0
        [pid  2430] getsockname(4, {sa_family=AF_INET, sin_port=htons(38855), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
        [pid  2430] connect(3, {sa_family=AF_INET, sin_port=htons(38855), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2430] setsockopt(3, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2430] setsockopt(3, 0x11a /* SOL_?? */, 1, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2430] accept(4, {sa_family=AF_INET, sin_port=htons(49636), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
        [pid  2430] setsockopt(5, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2430] setsockopt(5, 0x11a /* SOL_?? */, 2, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2430] close(4)                    = 0
        [pid  2430] sendto(3, "test_read_peek", 14, 0, NULL, 0) = 14
        [pid  2430] sendto(3, "_mult_recs\0", 11, 0, NULL, 0) = 11
        [pid  2430] recvfrom(5, "test_read_peektest_read_peektest"..., 64, MSG_PEEK, NULL, NULL) = 64
      
      As can be seen from strace, there are two TLS records sent,
      i) 'test_read_peek' and ii) '_mult_recs\0' where we end up
      peeking 'test_read_peektest_read_peektest'. This is clearly
      wrong, and what happens is that given peek cannot call into
      tls_sw_advance_skb() to unpause strparser and proceed with
      the next skb, we end up looping over the current one, copying
      the 'test_read_peek' over and over into the user provided
      buffer.
      
      Here, we can only peek into the currently held skb (current,
      full TLS record) as otherwise we would end up having to hold
      all the original skb(s) (depending on the peek depth) in a
      separate queue when unpausing strparser to process next
      records, minimally intrusive is to return only up to the
      current record's size (which likely was what c46234eb
      ("tls: RX path for ktls") originally intended as well). Thus,
      after patch we properly peek the first record:
      
        [pid  2046] wait4(2075,  <unfinished ...>
        [pid  2075] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
        [pid  2075] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
        [pid  2075] bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2075] listen(4, 10)               = 0
        [pid  2075] getsockname(4, {sa_family=AF_INET, sin_port=htons(55115), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
        [pid  2075] connect(3, {sa_family=AF_INET, sin_port=htons(55115), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2075] setsockopt(3, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2075] setsockopt(3, 0x11a /* SOL_?? */, 1, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2075] accept(4, {sa_family=AF_INET, sin_port=htons(45732), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
        [pid  2075] setsockopt(5, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2075] setsockopt(5, 0x11a /* SOL_?? */, 2, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2075] close(4)                    = 0
        [pid  2075] sendto(3, "test_read_peek", 14, 0, NULL, 0) = 14
        [pid  2075] sendto(3, "_mult_recs\0", 11, 0, NULL, 0) = 11
        [pid  2075] recvfrom(5, "test_read_peek", 64, MSG_PEEK, NULL, NULL) = 14
      
      Fixes: c46234eb ("tls: RX path for ktls")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50c6b58a
    • David S. Miller's avatar
      Merge branch 'hv_netvsc-associate-VF-and-PV-device-by-serial-number' · aa079bd0
      David S. Miller authored
      Stephen Hemminger says:
      
      ====================
      hv_netvsc: associate VF and PV device by serial number
      
      The Hyper-V implementation of PCI controller has concept of 32 bit serial number
      (not to be confused with PCI-E serial number).  This value is sent in the protocol
      from the host to indicate SR-IOV VF device is attached to a synthetic NIC.
      
      Using the serial number (instead of MAC address) to associate the two devices
      avoids lots of potential problems when there are duplicate MAC addresses from
      tunnels or layered devices.
      
      The patch set is broken into two parts, one is for the PCI controller
      and the other is for the netvsc device. Normally, these go through different
      trees but sending them together here for better review. The PCI changes
      were submitted previously, but the main review comment was "why do you
      need this?". This is why.
      
      v2 - slot name can be shorter.
           remove locking when creating pci_slots; see comment for explaination
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa079bd0
    • Stephen Hemminger's avatar
      hv_netvsc: pair VF based on serial number · 00d7ddba
      Stephen Hemminger authored
      Matching network device based on MAC address is problematic
      since a non VF network device can be creted with a duplicate MAC
      address causing confusion and problems.  The VMBus API does provide
      a serial number that is a better matching method.
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      00d7ddba
    • Stephen Hemminger's avatar
      PCI: hv: support reporting serial number as slot information · a15f2c08
      Stephen Hemminger authored
      The Hyper-V host API for PCI provides a unique "serial number" which
      can be used as basis for sysfs PCI slot table. This can be useful
      for cases where userspace wants to find the PCI device based on
      serial number.
      
      When an SR-IOV NIC is added, the host sends an attach message
      with serial number. The kernel doesn't use the serial number, but
      it is useful when doing the same thing in a userspace driver such
      as the DPDK. By having /sys/bus/pci/slots/N it provides a direct
      way to find the matching PCI device.
      
      There maybe some cases where serial number is not unique such
      as when using GPU's. But the PCI slot infrastructure will handle
      that.
      
      This has a side effect which may also be useful. The common udev
      network device naming policy uses the slot information (rather
      than PCI address).
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a15f2c08
    • Michael Chan's avatar
      bnxt_en: Fix VF mac address regression. · 28ea334b
      Michael Chan authored
      The recent commit to always forward the VF MAC address to the PF for
      approval may not work if the PF driver or the firmware is older.  This
      will cause the VF driver to fail during probe:
      
        bnxt_en 0000:00:03.0 (unnamed net_device) (uninitialized): hwrm req_type 0xf seq id 0x5 error 0xffff
        bnxt_en 0000:00:03.0 (unnamed net_device) (uninitialized): VF MAC address 00:00:17:02:05:d0 not approved by the PF
        bnxt_en 0000:00:03.0: Unable to initialize mac address.
        bnxt_en: probe of 0000:00:03.0 failed with error -99
      
      We fix it by treating the error as fatal only if the VF MAC address is
      locally generated by the VF.
      
      Fixes: 707e7e96 ("bnxt_en: Always forward VF MAC address to the PF.")
      Reported-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Reported-by: default avatarSiwei Liu <loseweigh@gmail.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28ea334b
    • Eric Dumazet's avatar
      ipv6: fix possible use-after-free in ip6_xmit() · bbd6528d
      Eric Dumazet authored
      In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
      we need to call skb_set_owner_w() before consuming original skb,
      otherwise we risk a use-after-free.
      
      Bring IPv6 in line with what we do in IPv4 to fix this.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbd6528d
    • Colin Ian King's avatar
      net: hp100: fix always-true check for link up state · a7f38002
      Colin Ian King authored
      The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value
      that is always non-zero and hence the wait for the link to drop always
      terminates prematurely.  Fix this by using a logical not operator instead
      of a bitwise complement.  This issue has been in the driver since
      pre-2.6.12-rc2.
      
      Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7f38002
    • Nicolas Ferre's avatar
      ARM: dts: at91: add new compatibility string for macb on sama5d3 · 321cc359
      Nicolas Ferre authored
      We need this new compatibility string as we experienced different behavior
      for this 10/100Mbits/s macb interface on this particular SoC.
      Backward compatibility is preserved as we keep the alternative strings.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      321cc359
    • Nicolas Ferre's avatar
      net: macb: disable scatter-gather for macb on sama5d3 · eb4ed8e2
      Nicolas Ferre authored
      Create a new configuration for the sama5d3-macb new compatibility string.
      This configuration disables scatter-gather because we experienced lock down
      of the macb interface of this particular SoC under very high load.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb4ed8e2
    • Antoine Tenart's avatar
      net: mvpp2: let phylink manage the carrier state · 41948ccb
      Antoine Tenart authored
      Net drivers using phylink shouldn't mess with the link carrier
      themselves and should let phylink manage it. The mvpp2 driver wasn't
      following this best practice as the mac_config() function made calls to
      change the link carrier state. This led to wrongly reported carrier link
      state which then triggered other issues. This patch fixes this
      behaviour.
      
      But the PPv2 driver relied on this misbehaviour in two cases: for fixed
      links and when not using phylink (ACPI mode). The later was fixed by
      adding an explicit call to link_up(), which when the ACPI mode will use
      phylink should be removed.
      
      The fixed link case was relying on the mac_config() function to set the
      link up, as we found an issue in phylink_start() which assumes the
      carrier is off. If not, the link_up() function is never called. To fix
      this, a call to netif_carrier_off() is added just before phylink_start()
      so that we do not introduce a regression in the driver.
      
      Fixes: 4bb04326 ("net: mvpp2: phylink support")
      Reported-by: default avatarRussell King <linux@armlinux.org.uk>
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41948ccb
    • Guillaume Nault's avatar
      pppoe: fix reception of frames with no mac header · 8540827e
      Guillaume Nault authored
      pppoe_rcv() needs to look back at the Ethernet header in order to
      lookup the PPPoE session. Therefore we need to ensure that the mac
      header is big enough to contain an Ethernet header. Otherwise
      eth_hdr(skb)->h_source might access invalid data.
      
      ==================================================================
      BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
      BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
      BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
      CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
      01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       __get_item drivers/net/ppp/pppoe.c:172 [inline]
       get_item drivers/net/ppp/pppoe.c:236 [inline]
       pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
       __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
       netif_receive_skb+0x230/0x240 net/core/dev.c:4725
       tun_rx_batched drivers/net/tun.c:1555 [inline]
       tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
       tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
       vfs_write+0x463/0x8d0 fs/read_write.c:544
       SYSC_write+0x172/0x360 fs/read_write.c:589
       SyS_write+0x55/0x80 fs/read_write.c:581
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x4447c9
      RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
      RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
      RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
      R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
      R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
       slab_post_alloc_hook mm/slab.h:445 [inline]
       slab_alloc_node mm/slub.c:2737 [inline]
       __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:984 [inline]
       alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
       sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
       tun_alloc_skb drivers/net/tun.c:1532 [inline]
       tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
       tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
       vfs_write+0x463/0x8d0 fs/read_write.c:544
       SYSC_write+0x172/0x360 fs/read_write.c:589
       SyS_write+0x55/0x80 fs/read_write.c:581
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      ==================================================================
      
      Fixes: 224cf5ad ("ppp: Move the PPP drivers")
      Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8540827e
    • Corentin Labbe's avatar
      net: ethernet: ti: add missing GENERIC_ALLOCATOR dependency · f025571e
      Corentin Labbe authored
      This patch mades TI_DAVINCI_CPDMA select GENERIC_ALLOCATOR.
      without that, the following sparc64 build failure happen
      
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_check_free_tx_desc':
      (.text+0x278): undefined reference to `gen_pool_avail'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_chan_submit':
      (.text+0x340): undefined reference to `gen_pool_alloc'
      (.text+0x5c4): undefined reference to `gen_pool_free'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `__cpdma_chan_free':
      davinci_cpdma.c:(.text+0x64c): undefined reference to `gen_pool_free'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_desc_pool_destroy.isra.6':
      davinci_cpdma.c:(.text+0x17ac): undefined reference to `gen_pool_size'
      davinci_cpdma.c:(.text+0x17b8): undefined reference to `gen_pool_avail'
      davinci_cpdma.c:(.text+0x1824): undefined reference to `gen_pool_size'
      davinci_cpdma.c:(.text+0x1830): undefined reference to `gen_pool_avail'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_ctlr_create':
      (.text+0x19f8): undefined reference to `devm_gen_pool_create'
      (.text+0x1a90): undefined reference to `gen_pool_add_virt'
      Makefile:1011: recipe for target 'vmlinux' failed
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f025571e
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 0376d5dc
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-09-16
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix end boundary calculation in BTF for the type section, from Martin.
      
      2) Fix and revert subtraction of pointers that was accidentally allowed
         for unprivileged programs, from Alexei.
      
      3) Fix bpf_msg_pull_data() helper by using __GFP_COMP in order to avoid
         a warning in linearizing sg pages into a single one for large allocs,
         from Tushar.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0376d5dc
  3. 16 Sep, 2018 5 commits
    • Toshiaki Makita's avatar
      veth: Orphan skb before GRO · 4bf9ffa0
      Toshiaki Makita authored
      GRO expects skbs not to be owned by sockets, but when XDP is enabled veth
      passed skbs owned by sockets. It caused corrupted sk_wmem_alloc.
      
      Paolo Abeni reported the following splat:
      
      [  362.098904] refcount_t overflow at skb_set_owner_w+0x5e/0xa0 in iperf3[1644], uid/euid: 0/0
      [  362.108239] WARNING: CPU: 0 PID: 1644 at kernel/panic.c:648 refcount_error_report+0xa0/0xa4
      [  362.117547] Modules linked in: tcp_diag inet_diag veth intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate intel_uncore intel_rapl_perf ipmi_ssif iTCO_wdt sg ipmi_si iTCO_vendor_support ipmi_devintf mxm_wmi ipmi_msghandler pcspkr dcdbas mei_me wmi mei lpc_ich acpi_power_meter pcc_cpufreq xfs libcrc32c sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ixgbe igb ttm ahci mdio libahci ptp crc32c_intel drm pps_core libata i2c_algo_bit dca dm_mirror dm_region_hash dm_log dm_mod
      [  362.176622] CPU: 0 PID: 1644 Comm: iperf3 Not tainted 4.19.0-rc2.vanilla+ #2025
      [  362.184777] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
      [  362.193124] RIP: 0010:refcount_error_report+0xa0/0xa4
      [  362.198758] Code: 08 00 00 48 8b 95 80 00 00 00 49 8d 8c 24 80 0a 00 00 41 89 c1 44 89 2c 24 48 89 de 48 c7 c7 18 4d e7 9d 31 c0 e8 30 fa ff ff <0f> 0b eb 88 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 54 49 89 fc
      [  362.219711] RSP: 0018:ffff9ee6ff603c20 EFLAGS: 00010282
      [  362.225538] RAX: 0000000000000000 RBX: ffffffff9de83e10 RCX: 0000000000000000
      [  362.233497] RDX: 0000000000000001 RSI: ffff9ee6ff6167d8 RDI: ffff9ee6ff6167d8
      [  362.241457] RBP: ffff9ee6ff603d78 R08: 0000000000000490 R09: 0000000000000004
      [  362.249416] R10: 0000000000000000 R11: ffff9ee6ff603990 R12: ffff9ee664b94500
      [  362.257377] R13: 0000000000000000 R14: 0000000000000004 R15: ffffffff9de615f9
      [  362.265337] FS:  00007f1d22d28740(0000) GS:ffff9ee6ff600000(0000) knlGS:0000000000000000
      [  362.274363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  362.280773] CR2: 00007f1d222f35d0 CR3: 0000001fddfec003 CR4: 00000000001606f0
      [  362.288733] Call Trace:
      [  362.291459]  <IRQ>
      [  362.293702]  ex_handler_refcount+0x4e/0x80
      [  362.298269]  fixup_exception+0x35/0x40
      [  362.302451]  do_trap+0x109/0x150
      [  362.306048]  do_error_trap+0xd5/0x130
      [  362.315766]  invalid_op+0x14/0x20
      [  362.319460] RIP: 0010:skb_set_owner_w+0x5e/0xa0
      [  362.324512] Code: ef ff ff 74 49 48 c7 43 60 20 7b 4a 9d 8b 85 f4 01 00 00 85 c0 75 16 8b 83 e0 00 00 00 f0 01 85 44 01 00 00 0f 88 d8 23 16 00 <5b> 5d c3 80 8b 91 00 00 00 01 8b 85 f4 01 00 00 89 83 a4 00 00 00
      [  362.345465] RSP: 0018:ffff9ee6ff603e20 EFLAGS: 00010a86
      [  362.351291] RAX: 0000000000001100 RBX: ffff9ee65deec700 RCX: ffff9ee65e829244
      [  362.359250] RDX: 0000000000000100 RSI: ffff9ee65e829100 RDI: ffff9ee65deec700
      [  362.367210] RBP: ffff9ee65e829100 R08: 000000000002a380 R09: 0000000000000000
      [  362.375169] R10: 0000000000000002 R11: fffff1a4bf77bb00 R12: ffffc0754661d000
      [  362.383130] R13: ffff9ee65deec200 R14: ffff9ee65f597000 R15: 00000000000000aa
      [  362.391092]  veth_xdp_rcv+0x4e4/0x890 [veth]
      [  362.399357]  veth_poll+0x4d/0x17a [veth]
      [  362.403731]  net_rx_action+0x2af/0x3f0
      [  362.407912]  __do_softirq+0xdd/0x29e
      [  362.411897]  do_softirq_own_stack+0x2a/0x40
      [  362.416561]  </IRQ>
      [  362.418899]  do_softirq+0x4b/0x70
      [  362.422594]  __local_bh_enable_ip+0x50/0x60
      [  362.427258]  ip_finish_output2+0x16a/0x390
      [  362.431824]  ip_output+0x71/0xe0
      [  362.440670]  __tcp_transmit_skb+0x583/0xab0
      [  362.445333]  tcp_write_xmit+0x247/0xfb0
      [  362.449609]  __tcp_push_pending_frames+0x2d/0xd0
      [  362.454760]  tcp_sendmsg_locked+0x857/0xd30
      [  362.459424]  tcp_sendmsg+0x27/0x40
      [  362.463216]  sock_sendmsg+0x36/0x50
      [  362.467104]  sock_write_iter+0x87/0x100
      [  362.471382]  __vfs_write+0x112/0x1a0
      [  362.475369]  vfs_write+0xad/0x1a0
      [  362.479062]  ksys_write+0x52/0xc0
      [  362.482759]  do_syscall_64+0x5b/0x180
      [  362.486841]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  362.492473] RIP: 0033:0x7f1d22293238
      [  362.496458] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 c5 54 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
      [  362.517409] RSP: 002b:00007ffebaef8008 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [  362.525855] RAX: ffffffffffffffda RBX: 0000000000002800 RCX: 00007f1d22293238
      [  362.533816] RDX: 0000000000002800 RSI: 00007f1d22d36000 RDI: 0000000000000005
      [  362.541775] RBP: 00007f1d22d36000 R08: 00000002db777a30 R09: 0000562b70712b20
      [  362.549734] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
      [  362.557693] R13: 0000000000002800 R14: 00007ffebaef8060 R15: 0000562b70712260
      
      In order to avoid this, orphan the skb before entering GRO.
      
      Fixes: 948d4f21 ("veth: Add driver XDP")
      Reported-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Tested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4bf9ffa0
    • David S. Miller's avatar
      Merge branch 'udp-add-missing-check-on-edumx-rx-path' · 97829888
      David S. Miller authored
      Paolo Abeni says:
      
      ====================
      udp: add missing check on edumx rx path
      
      The early demux RX path for the UDP protocol is currently missing
      some checks. Both ipv4 and ipv6 implementations lack checksum conversion
      and the ipv6 implementation additionally lack the zero checksum
      validation.
      
      The first patch takes care of UDPv4 and the second one of UDPv6
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      97829888
    • Paolo Abeni's avatar
      udp6: add missing checks on edumux packet processing · eb63f296
      Paolo Abeni authored
      Currently the UDPv6 early demux rx code path lacks some mandatory
      checks, already implemented into the normal RX code path - namely
      the checksum conversion and no_check6_rx check.
      
      Similar to the previous commit, we move the common processing to
      an UDPv6 specific helper and call it from both edemux code path
      and normal code path. In respect to the UDPv4, we need to add an
      explicit check for non zero csum according to no_check6_rx value.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Suggested-by: default avatarXin Long <lucien.xin@gmail.com>
      Fixes: c9f2c1ae ("udp6: fix socket leak on early demux")
      Fixes: 2abb7cdc ("udp: Add support for doing checksum unnecessary conversion")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb63f296
    • Paolo Abeni's avatar
      udp4: fix IP_CMSG_CHECKSUM for connected sockets · 2b5a9217
      Paolo Abeni authored
      commit 2abb7cdc ("udp: Add support for doing checksum
      unnecessary conversion") left out the early demux path for
      connected sockets. As a result IP_CMSG_CHECKSUM gives wrong
      values for such socket when GRO is not enabled/available.
      
      This change addresses the issue by moving the csum conversion to a
      common helper and using such helper in both the default and the
      early demux rx path.
      
      Fixes: 2abb7cdc ("udp: Add support for doing checksum unnecessary conversion")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2b5a9217
    • Jongsung Kim's avatar
      stmmac: fix valid numbers of unicast filter entries · edf2ef72
      Jongsung Kim authored
      Synopsys DWC Ethernet MAC can be configured to have 1..32, 64, or
      128 unicast filter entries. (Table 7-8 MAC Address Registers from
      databook) Fix dwmac1000_validate_ucast_entries() to accept values
      between 1 and 32 in addition.
      Signed-off-by: default avatarJongsung Kim <neidhard.kim@lge.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      edf2ef72
  4. 14 Sep, 2018 1 commit
    • Davide Caratti's avatar
      net/sched: act_sample: fix NULL dereference in the data path · 34043d25
      Davide Caratti authored
      Matteo reported the following splat, testing the datapath of TC 'sample':
      
       BUG: KASAN: null-ptr-deref in tcf_sample_act+0xc4/0x310
       Read of size 8 at addr 0000000000000000 by task nc/433
      
       CPU: 0 PID: 433 Comm: nc Not tainted 4.19.0-rc3-kvm #17
       Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS ?-20180531_142017-buildhw-08.phx2.fedoraproject.org-1.fc28 04/01/2014
       Call Trace:
        kasan_report.cold.6+0x6c/0x2fa
        tcf_sample_act+0xc4/0x310
        ? dev_hard_start_xmit+0x117/0x180
        tcf_action_exec+0xa3/0x160
        tcf_classify+0xdd/0x1d0
        htb_enqueue+0x18e/0x6b0
        ? deref_stack_reg+0x7a/0xb0
        ? htb_delete+0x4b0/0x4b0
        ? unwind_next_frame+0x819/0x8f0
        ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
        __dev_queue_xmit+0x722/0xca0
        ? unwind_get_return_address_ptr+0x50/0x50
        ? netdev_pick_tx+0xe0/0xe0
        ? save_stack+0x8c/0xb0
        ? kasan_kmalloc+0xbe/0xd0
        ? __kmalloc_track_caller+0xe4/0x1c0
        ? __kmalloc_reserve.isra.45+0x24/0x70
        ? __alloc_skb+0xdd/0x2e0
        ? sk_stream_alloc_skb+0x91/0x3b0
        ? tcp_sendmsg_locked+0x71b/0x15a0
        ? tcp_sendmsg+0x22/0x40
        ? __sys_sendto+0x1b0/0x250
        ? __x64_sys_sendto+0x6f/0x80
        ? do_syscall_64+0x5d/0x150
        ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
        ? __sys_sendto+0x1b0/0x250
        ? __x64_sys_sendto+0x6f/0x80
        ? do_syscall_64+0x5d/0x150
        ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
        ip_finish_output2+0x495/0x590
        ? ip_copy_metadata+0x2e0/0x2e0
        ? skb_gso_validate_network_len+0x6f/0x110
        ? ip_finish_output+0x174/0x280
        __tcp_transmit_skb+0xb17/0x12b0
        ? __tcp_select_window+0x380/0x380
        tcp_write_xmit+0x913/0x1de0
        ? __sk_mem_schedule+0x50/0x80
        tcp_sendmsg_locked+0x49d/0x15a0
        ? tcp_rcv_established+0x8da/0xa30
        ? tcp_set_state+0x220/0x220
        ? clear_user+0x1f/0x50
        ? iov_iter_zero+0x1ae/0x590
        ? __fget_light+0xa0/0xe0
        tcp_sendmsg+0x22/0x40
        __sys_sendto+0x1b0/0x250
        ? __ia32_sys_getpeername+0x40/0x40
        ? _copy_to_user+0x58/0x70
        ? poll_select_copy_remaining+0x176/0x200
        ? __pollwait+0x1c0/0x1c0
        ? ktime_get_ts64+0x11f/0x140
        ? kern_select+0x108/0x150
        ? core_sys_select+0x360/0x360
        ? vfs_read+0x127/0x150
        ? kernel_write+0x90/0x90
        __x64_sys_sendto+0x6f/0x80
        do_syscall_64+0x5d/0x150
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7fefef2b129d
       Code: ff ff ff ff eb b6 0f 1f 80 00 00 00 00 48 8d 05 51 37 0c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41
       RSP: 002b:00007fff2f5350c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
       RAX: ffffffffffffffda RBX: 000056118d60c120 RCX: 00007fefef2b129d
       RDX: 0000000000002000 RSI: 000056118d629320 RDI: 0000000000000003
       RBP: 000056118d530370 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000002000
       R13: 000056118d5c2a10 R14: 000056118d5c2a10 R15: 000056118d5303b8
      
      tcf_sample_act() tried to update its per-cpu stats, but tcf_sample_init()
      forgot to allocate them, because tcf_idr_create() was called with a wrong
      value of 'cpustats'. Setting it to true proved to fix the reported crash.
      Reported-by: default avatarMatteo Croce <mcroce@redhat.com>
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Fixes: 5c5670fa ("net/sched: Introduce sample tc action")
      Tested-by: default avatarMatteo Croce <mcroce@redhat.com>
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34043d25
  5. 13 Sep, 2018 16 commits
    • Johannes Berg's avatar
      socket: fix struct ifreq size in compat ioctl · 1cebf8f1
      Johannes Berg authored
      As reported by Reobert O'Callahan, since Viro's commit to kill
      dev_ifsioc() we attempt to copy too much data in compat mode,
      which may lead to EFAULT when the 32-bit version of struct ifreq
      sits at/near the end of a page boundary, and the next page isn't
      mapped.
      
      Fix this by passing the approprate compat/non-compat size to copy
      and using that, as before the dev_ifsioc() removal. This works
      because only the embedded "struct ifmap" has different size, and
      this is only used in SIOCGIFMAP/SIOCSIFMAP which has a different
      handler. All other parts of the union are naturally compatible.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199469.
      
      Fixes: bf440573 ("kill dev_ifsioc()")
      Reported-by: default avatarRobert O'Callahan <robert@ocallahan.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1cebf8f1
    • Toke Høiland-Jørgensen's avatar
      gso_segment: Reset skb->mac_len after modifying network header · c56cae23
      Toke Høiland-Jørgensen authored
      When splitting a GSO segment that consists of encapsulated packets, the
      skb->mac_len of the segments can end up being set wrong, causing packet
      drops in particular when using act_mirred and ifb interfaces in
      combination with a qdisc that splits GSO packets.
      
      This happens because at the time skb_segment() is called, network_header
      will point to the inner header, throwing off the calculation in
      skb_reset_mac_len(). The network_header is subsequently adjust by the
      outer IP gso_segment handlers, but they don't set the mac_len.
      
      Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
      gso_segment handlers, after they modify the network_header.
      
      Many thanks to Eric Dumazet for his help in identifying the cause of
      the bug.
      Acked-by: default avatarDave Taht <dave.taht@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c56cae23
    • David S. Miller's avatar
      Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · bffb9b51
      David S. Miller authored
      Johan Hedberg says:
      
      ====================
      pull request: bluetooth 2018-09-13
      
      A few Bluetooth fixes for the 4.19-rc series:
      
       - Fixed rw_semaphore leak in hci_ldisc
       - Fixed local Out-of-Band pairing data handling
      
      Let me know if there are any issues pulling. Thanks.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bffb9b51
    • David S. Miller's avatar
      Merge branch 'tls-don-t-leave-keys-in-kernel-memory' · 79140335
      David S. Miller authored
      Sabrina Dubroca says:
      
      ====================
      tls: don't leave keys in kernel memory
      
      There are a few places where the RX/TX key for a TLS socket is copied
      to kernel memory. This series clears those memory areas when they're no
      longer needed.
      
      v2: add union tls_crypto_context, following Vakul Garg's comment
          swap patch 2 and 3, using new union in patch 3
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79140335
    • Sabrina Dubroca's avatar
      c844eb46
    • Sabrina Dubroca's avatar
      tls: zero the crypto information from tls_context before freeing · 86029d10
      Sabrina Dubroca authored
      This contains key material in crypto_send_aes_gcm_128 and
      crypto_recv_aes_gcm_128.
      
      Introduce union tls_crypto_context, and replace the two identical
      unions directly embedded in struct tls_context with it. We can then
      use this union to clean up the memory in the new tls_ctx_free()
      function.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86029d10
    • Sabrina Dubroca's avatar
      tls: don't copy the key out of tls12_crypto_info_aes_gcm_128 · 7cba09c6
      Sabrina Dubroca authored
      There's no need to copy the key to an on-stack buffer before calling
      crypto_aead_setkey().
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7cba09c6
    • Vasily Khoruzhick's avatar
      neighbour: confirm neigh entries when ARP packet is received · f0e0d044
      Vasily Khoruzhick authored
      Update 'confirmed' timestamp when ARP packet is received. It shouldn't
      affect locktime logic and anyway entry can be confirmed by any higher-layer
      protocol. Thus it makes sense to confirm it when ARP packet is received.
      
      Fixes: 77d71233 ("neighbour: update neigh timestamps iff update is effective")
      Signed-off-by: default avatarVasily Khoruzhick <vasilykh@arista.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0e0d044
    • Roopa Prabhu's avatar
      net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags · 56a49d70
      Roopa Prabhu authored
      This fix addresses https://bugzilla.kernel.org/show_bug.cgi?id=201071
      
      Commit 5025f7f7 wrongly relied on __dev_change_flags to notify users of
      dev flag changes in the case when dev->rtnl_link_state = RTNL_LINK_INITIALIZED.
      Fix it by indicating flag changes explicitly to __dev_notify_flags.
      
      Fixes: 5025f7f7 ("rtnetlink: add rtnl_link_state check in rtnl_configure_link")
      Reported-By: default avatarLiam mcbirnie <liam.mcbirnie@boeing.com>
      Signed-off-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      56a49d70
    • Willy Tarreau's avatar
      net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT · 9824dfae
      Willy Tarreau authored
      Fields ->dev and ->next of struct ipddp_route may be copied to
      userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
      to CAP_NET_ADMIN though. Let's manually copy the relevant fields
      instead of using memcpy().
      
      BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
      Cc: Jann Horn <jannh@google.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9824dfae
    • Stephen Hemminger's avatar
      hv_netvsc: fix schedule in RCU context · 018349d7
      Stephen Hemminger authored
      When netvsc device is removed it can call reschedule in RCU context.
      This happens because canceling the subchannel setup work could (in theory)
      cause a reschedule when manipulating the timer.
      
      To reproduce, run with lockdep enabled kernel and unbind
      a network device from hv_netvsc (via sysfs).
      
      [  160.682011] WARNING: suspicious RCU usage
      [  160.707466] 4.19.0-rc3-uio+ #2 Not tainted
      [  160.709937] -----------------------------
      [  160.712352] ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!
      [  160.723691]
      [  160.723691] other info that might help us debug this:
      [  160.723691]
      [  160.730955]
      [  160.730955] rcu_scheduler_active = 2, debug_locks = 1
      [  160.762813] 5 locks held by rebind-eth.sh/1812:
      [  160.766851]  #0: 000000008befa37a (sb_writers#6){.+.+}, at: vfs_write+0x184/0x1b0
      [  160.773416]  #1: 00000000b097f236 (&of->mutex){+.+.}, at: kernfs_fop_write+0xe2/0x1a0
      [  160.783766]  #2: 0000000041ee6889 (kn->count#3){++++}, at: kernfs_fop_write+0xeb/0x1a0
      [  160.787465]  #3: 0000000056d92a74 (&dev->mutex){....}, at: device_release_driver_internal+0x39/0x250
      [  160.816987]  #4: 0000000030f6031e (rcu_read_lock){....}, at: netvsc_remove+0x1e/0x250 [hv_netvsc]
      [  160.828629]
      [  160.828629] stack backtrace:
      [  160.831966] CPU: 1 PID: 1812 Comm: rebind-eth.sh Not tainted 4.19.0-rc3-uio+ #2
      [  160.832952] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v1.0 11/26/2012
      [  160.832952] Call Trace:
      [  160.832952]  dump_stack+0x85/0xcb
      [  160.832952]  ___might_sleep+0x1a3/0x240
      [  160.832952]  __flush_work+0x57/0x2e0
      [  160.832952]  ? __mutex_lock+0x83/0x990
      [  160.832952]  ? __kernfs_remove+0x24f/0x2e0
      [  160.832952]  ? __kernfs_remove+0x1b2/0x2e0
      [  160.832952]  ? mark_held_locks+0x50/0x80
      [  160.832952]  ? get_work_pool+0x90/0x90
      [  160.832952]  __cancel_work_timer+0x13c/0x1e0
      [  160.832952]  ? netvsc_remove+0x1e/0x250 [hv_netvsc]
      [  160.832952]  ? __lock_is_held+0x55/0x90
      [  160.832952]  netvsc_remove+0x9a/0x250 [hv_netvsc]
      [  160.832952]  vmbus_remove+0x26/0x30
      [  160.832952]  device_release_driver_internal+0x18a/0x250
      [  160.832952]  unbind_store+0xb4/0x180
      [  160.832952]  kernfs_fop_write+0x113/0x1a0
      [  160.832952]  __vfs_write+0x36/0x1a0
      [  160.832952]  ? rcu_read_lock_sched_held+0x6b/0x80
      [  160.832952]  ? rcu_sync_lockdep_assert+0x2e/0x60
      [  160.832952]  ? __sb_start_write+0x141/0x1a0
      [  160.832952]  ? vfs_write+0x184/0x1b0
      [  160.832952]  vfs_write+0xbe/0x1b0
      [  160.832952]  ksys_write+0x55/0xc0
      [  160.832952]  do_syscall_64+0x60/0x1b0
      [  160.832952]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  160.832952] RIP: 0033:0x7fe48f4c8154
      
      Resolve this by getting RTNL earlier. This is safe because the subchannel
      work queue does trylock on RTNL and will detect the race.
      
      Fixes: 7b2ee50c ("hv_netvsc: common detach logic")
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      018349d7
    • Cong Wang's avatar
      net_sched: notify filter deletion when deleting a chain · f5b9bac7
      Cong Wang authored
      When we delete a chain of filters, we need to notify
      user-space we are deleting each filters in this chain
      too.
      
      Fixes: 32a4f5ec ("net: sched: introduce chain object to uapi")
      Cc: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5b9bac7
    • Juergen Gross's avatar
      xen/netfront: don't bug in case of too many frags · ad4f15dc
      Juergen Gross authored
      Commit 57f230ab ("xen/netfront: raise max number of slots in
      xennet_get_responses()") raised the max number of allowed slots by one.
      This seems to be problematic in some configurations with netback using
      a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS
      defined as 18 instead of nowadays 17).
      
      Instead of BUG_ON() in this case just fall back to retransmission.
      
      Fixes: 57f230ab ("xen/netfront: raise max number of slots in xennet_get_responses()")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad4f15dc
    • Xin Long's avatar
      ipv6: use rt6_info members when dst is set in rt6_fill_node · 22d0bd82
      Xin Long authored
      In inet6_rtm_getroute, since Commit 93531c67 ("net/ipv6: separate
      handling of FIB entries from dst based routes"), it has used rt->from
      to dump route info instead of rt.
      
      However for some route like cache, some of its information like flags
      or gateway is not the same as that of the 'from' one. It caused 'ip
      route get' to dump the wrong route information.
      
      In Jianlin's testing, the output information even lost the expiration
      time for a pmtu route cache due to the wrong fib6_flags.
      
      So change to use rt6_info members for dst addr, src addr, flags and
      gateway when it tries to dump a route entry without fibmatch set.
      
      v1->v2:
        - not use rt6i_prefsrc.
        - also fix the gw dump issue.
      
      Fixes: 93531c67 ("net/ipv6: separate handling of FIB entries from dst based routes")
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22d0bd82
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm · 7428b2e5
      Linus Torvalds authored
      Pull drm nouveau fixes from Dave Airlie:
       "I'm sending this separately as it's a bit larger than I generally like
        for one driver, but it does contain a bunch of make my nvidia laptop
        not die (runpm) and a bunch to make my docking station and monitor
        display stuff (mst) fixes.
      
        Lyude has spent a lot of time on these, and we are putting the fixes
        into distro kernels as well asap, as it helps a bunch of standard
        Lenovo laptops, so I'm fairly happy things are better than they were
        before these patches, but I decided to split them out just for
        clarification"
      
      * tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm:
        drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels
        drm/nouveau/disp: fix DP disable race
        drm/nouveau/disp: move eDP panel power handling
        drm/nouveau/disp: remove unused struct member
        drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
        drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer
        drm/nouveau: fix oops in client init failure path
        drm/nouveau: Fix nouveau_connector_ddc_detect()
        drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
        drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
        drm/nouveau: Reset MST branching unit before enabling
        drm/nouveau: Only write DP_MSTM_CTRL when needed
        drm/nouveau: Remove useless poll_enable() call in drm_load()
        drm/nouveau: Remove useless poll_disable() call in switcheroo_set_state()
        drm/nouveau: Remove useless poll_enable() call in switcheroo_set_state()
        drm/nouveau: Fix deadlocks in nouveau_connector_detect()
        drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
        drm/nouveau/drm/nouveau: Fix deadlock with fb_helper with async RPM requests
        drm/nouveau: Remove duplicate poll_enable() in pmops_runtime_suspend()
        drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement
      7428b2e5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 67b07609
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix up several Kconfig dependencies in netfilter, from Martin Willi
          and Florian Westphal.
      
       2) Memory leak in be2net driver, from Petr Oros.
      
       3) Memory leak in E-Switch handling of mlx5 driver, from Raed Salem.
      
       4) mlx5_attach_interface needs to check for errors, from Huy Nguyen.
      
       5) tipc_release() needs to orphan the sock, from Cong Wang.
      
       6) Need to program TxConfig register after TX/RX is enabled in r8169
          driver, not beforehand, from Maciej S. Szmigiero.
      
       7) Handle 64K PAGE_SIZE properly in ena driver, from Netanel Belgazal.
      
       8) Fix crash regression in ip_do_fragment(), from Taehee Yoo.
      
       9) syzbot can create conditions where kernel log is flooded with
          synflood warnings due to creation of many listening sockets, fix
          that. From Willem de Bruijn.
      
      10) Fix RCU issues in rds socket layer, from Cong Wang.
      
      11) Fix vlan matching in nfp driver, from Pieter Jansen van Vuuren.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
        nfp: flower: reject tunnel encap with ipv6 outer headers for offloading
        nfp: flower: fix vlan match by checking both vlan id and vlan pcp
        tipc: check return value of __tipc_dump_start()
        s390/qeth: don't dump past end of unknown HW header
        s390/qeth: use vzalloc for QUERY OAT buffer
        s390/qeth: switch on SG by default for IQD devices
        s390/qeth: indicate error when netdev allocation fails
        rds: fix two RCU related problems
        r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
        erspan: fix error handling for erspan tunnel
        erspan: return PACKET_REJECT when the appropriate tunnel is not found
        tcp: rate limit synflood warnings further
        MIPS: lantiq: dma: add dev pointer
        netfilter: xt_hashlimit: use s->file instead of s->private
        netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
        netfilter: cttimeout: ctnl_timeout_find_get() returns incorrect pointer to type
        netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT
        netfilter: conntrack: reset tcp maxwin on re-register
        qmi_wwan: Support dynamic config on Quectel EP06
        ethernet: renesas: convert to SPDX identifiers
        ...
      67b07609
  6. 12 Sep, 2018 2 commits