1. 21 Apr, 2019 5 commits
  2. 19 Apr, 2019 7 commits
  3. 18 Apr, 2019 11 commits
  4. 17 Apr, 2019 16 commits
    • ZhangXiaoxu's avatar
      ipv4: set the tcp_min_rtt_wlen range from 0 to one day · 19fad20d
      ZhangXiaoxu authored
      There is a UBSAN report as below:
      UBSAN: Undefined behaviour in net/ipv4/tcp_input.c:2877:56
      signed integer overflow:
      2147483647 * 1000 cannot be represented in type 'int'
      CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.1.0-rc4-00058-g582549e3 #1
      Call Trace:
       <IRQ>
       dump_stack+0x8c/0xba
       ubsan_epilogue+0x11/0x60
       handle_overflow+0x12d/0x170
       ? ttwu_do_wakeup+0x21/0x320
       __ubsan_handle_mul_overflow+0x12/0x20
       tcp_ack_update_rtt+0x76c/0x780
       tcp_clean_rtx_queue+0x499/0x14d0
       tcp_ack+0x69e/0x1240
       ? __wake_up_sync_key+0x2c/0x50
       ? update_group_capacity+0x50/0x680
       tcp_rcv_established+0x4e2/0xe10
       tcp_v4_do_rcv+0x22b/0x420
       tcp_v4_rcv+0xfe8/0x1190
       ip_protocol_deliver_rcu+0x36/0x180
       ip_local_deliver+0x15b/0x1a0
       ip_rcv+0xac/0xd0
       __netif_receive_skb_one_core+0x7f/0xb0
       __netif_receive_skb+0x33/0xc0
       netif_receive_skb_internal+0x84/0x1c0
       napi_gro_receive+0x2a0/0x300
       receive_buf+0x3d4/0x2350
       ? detach_buf_split+0x159/0x390
       virtnet_poll+0x198/0x840
       ? reweight_entity+0x243/0x4b0
       net_rx_action+0x25c/0x770
       __do_softirq+0x19b/0x66d
       irq_exit+0x1eb/0x230
       do_IRQ+0x7a/0x150
       common_interrupt+0xf/0xf
       </IRQ>
      
      It can be reproduced by:
        echo 2147483647 > /proc/sys/net/ipv4/tcp_min_rtt_wlen
      
      Fixes: f6722583 ("tcp: track min RTT using windowed min-filter")
      Signed-off-by: default avatarZhangXiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19fad20d
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.1-2' of git://github.com/cminyard/linux-ipmi · fe5cdef2
      Linus Torvalds authored
      Pull IPMI fixes from Corey Minyard:
       "Fixes for some bugs cause by recent changes. One crash if you feed bad
        data to the module parameters, one BUG that sometimes occurs when a
        user closes the connection, and one bug that cause the driver to not
        work if the configuration information only comes in from SMBIOS"
      
      * tag 'for-linus-5.1-2' of git://github.com/cminyard/linux-ipmi:
        ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier
        ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash
        ipmi: Fix failure on SMBIOS specified devices
      fe5cdef2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 2a3a028f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Handle init flow failures properly in iwlwifi driver, from Shahar S
          Matityahu.
      
       2) mac80211 TXQs need to be unscheduled on powersave start, from Felix
          Fietkau.
      
       3) SKB memory accounting fix in A-MDSU aggregation, from Felix Fietkau.
      
       4) Increase RCU lock hold time in mlx5 FPGA code, from Saeed Mahameed.
      
       5) Avoid checksum complete with XDP in mlx5, also from Saeed.
      
       6) Fix netdev feature clobbering in ibmvnic driver, from Thomas Falcon.
      
       7) Partial sent TLS record leak fix from Jakub Kicinski.
      
       8) Reject zero size iova range in vhost, from Jason Wang.
      
       9) Allow pending work to complete before clcsock release from Karsten
          Graul.
      
      10) Fix XDP handling max MTU in thunderx, from Matteo Croce.
      
      11) A lot of protocols look at the sa_family field of a sockaddr before
          validating it's length is large enough, from Tetsuo Handa.
      
      12) Don't write to free'd pointer in qede ptp error path, from Colin Ian
          King.
      
      13) Have to recompile IP options in ipv4_link_failure because it can be
          invoked from ARP, from Stephen Suryaputra.
      
      14) Doorbell handling fixes in qed from Denis Bolotin.
      
      15) Revert net-sysfs kobject register leak fix, it causes new problems.
          From Wang Hai.
      
      16) Spectre v1 fix in ATM code, from Gustavo A. R. Silva.
      
      17) Fix put of BROPT_VLAN_STATS_PER_PORT in bridging code, from Nikolay
          Aleksandrov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (111 commits)
        socket: fix compat SO_RCVTIMEO_NEW/SO_SNDTIMEO_NEW
        tcp: tcp_grow_window() needs to respect tcp_space()
        ocelot: Clean up stats update deferred work
        ocelot: Don't sleep in atomic context (irqs_disabled())
        net: bridge: fix netlink export of vlan_stats_per_port option
        qed: fix spelling mistake "faspath" -> "fastpath"
        tipc: set sysctl_tipc_rmem and named_timeout right range
        tipc: fix link established but not in session
        net: Fix missing meta data in skb with vlan packet
        net: atm: Fix potential Spectre v1 vulnerabilities
        net/core: work around section mismatch warning for ptp_classifier
        net: bridge: fix per-port af_packet sockets
        bnx2x: fix spelling mistake "dicline" -> "decline"
        route: Avoid crash from dereferencing NULL rt->from
        MAINTAINERS: normalize Woojung Huh's email address
        bonding: fix event handling for stacked bonds
        Revert "net-sysfs: Fix memory leak in netdev_register_kobject"
        rtnetlink: fix rtnl_valid_stats_req() nlmsg_len check
        qed: Fix the DORQ's attentions handling
        qed: Fix missing DORQ attentions
        ...
      2a3a028f
    • Corey Minyard's avatar
      ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier · 3b9a9072
      Corey Minyard authored
      free_user() could be called in atomic context.
      
      This patch pushed the free operation off into a workqueue.
      
      Example:
      
       BUG: sleeping function called from invalid context at kernel/workqueue.c:2856
       in_atomic(): 1, irqs_disabled(): 0, pid: 177, name: ksoftirqd/27
       CPU: 27 PID: 177 Comm: ksoftirqd/27 Not tainted 4.19.25-3 #1
       Hardware name: AIC 1S-HV26-08/MB-DPSB04-06, BIOS IVYBV060 10/21/2015
       Call Trace:
        dump_stack+0x5c/0x7b
        ___might_sleep+0xec/0x110
        __flush_work+0x48/0x1f0
        ? try_to_del_timer_sync+0x4d/0x80
        _cleanup_srcu_struct+0x104/0x140
        free_user+0x18/0x30 [ipmi_msghandler]
        ipmi_free_recv_msg+0x3a/0x50 [ipmi_msghandler]
        deliver_response+0xbd/0xd0 [ipmi_msghandler]
        deliver_local_response+0xe/0x30 [ipmi_msghandler]
        handle_one_recv_msg+0x163/0xc80 [ipmi_msghandler]
        ? dequeue_entity+0xa0/0x960
        handle_new_recv_msgs+0x15c/0x1f0 [ipmi_msghandler]
        tasklet_action_common.isra.22+0x103/0x120
        __do_softirq+0xf8/0x2d7
        run_ksoftirqd+0x26/0x50
        smpboot_thread_fn+0x11d/0x1e0
        kthread+0x103/0x140
        ? sort_range+0x20/0x20
        ? kthread_destroy_worker+0x40/0x40
        ret_from_fork+0x1f/0x40
      
      Fixes: 77f82696 ("ipmi: fix use-after-free of user->release_barrier.rda")
      Reported-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 5.0
      Cc: Yang Yingliang <yangyingliang@huawei.com>
      3b9a9072
    • Arnd Bergmann's avatar
      socket: fix compat SO_RCVTIMEO_NEW/SO_SNDTIMEO_NEW · e6986423
      Arnd Bergmann authored
      It looks like the new socket options only work correctly
      for native execution, but in case of compat mode fall back
      to the old behavior as we ignore the 'old_timeval' flag.
      
      Rework so we treat SO_RCVTIMEO_NEW/SO_SNDTIMEO_NEW the
      same way in compat and native 32-bit mode.
      
      Cc: Deepa Dinamani <deepa.kernel@gmail.com>
      Fixes: a9beb86a ("sock: Add SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarDeepa Dinamani <deepa.kernel@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e6986423
    • Eric Dumazet's avatar
      tcp: tcp_grow_window() needs to respect tcp_space() · 50ce163a
      Eric Dumazet authored
      For some reason, tcp_grow_window() correctly tests if enough room
      is present before attempting to increase tp->rcv_ssthresh,
      but does not prevent it to grow past tcp_space()
      
      This is causing hard to debug issues, like failing
      the (__tcp_select_window(sk) >= tp->rcv_wnd) test
      in __tcp_ack_snd_check(), causing ACK delays and possibly
      slow flows.
      
      Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
      we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
      after about 60 round trips, when the active side no longer sends
      immediate acks.
      
      This bug predates git history.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50ce163a
    • Claudiu Manoil's avatar
      ocelot: Clean up stats update deferred work · 1e1caa97
      Claudiu Manoil authored
      This is preventive cleanup that may save troubles later.
      No need to cancel repeateadly queued work if code is properly
      refactored.
      Don't let the ethtool -s process interfere with the stat workqueue
      scheduling.
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e1caa97
    • Claudiu Manoil's avatar
      ocelot: Don't sleep in atomic context (irqs_disabled()) · a8fd48b5
      Claudiu Manoil authored
      Preemption disabled at:
       [<ffff000008cabd54>] dev_set_rx_mode+0x1c/0x38
       Call trace:
       [<ffff00000808a5c0>] dump_backtrace+0x0/0x3d0
       [<ffff00000808a9a4>] show_stack+0x14/0x20
       [<ffff000008e6c0c0>] dump_stack+0xac/0xe4
       [<ffff0000080fe76c>] ___might_sleep+0x164/0x238
       [<ffff0000080fe890>] __might_sleep+0x50/0x88
       [<ffff0000082261e4>] kmem_cache_alloc+0x17c/0x1d0
       [<ffff000000ea0ae8>] ocelot_set_rx_mode+0x108/0x188 [mscc_ocelot_common]
       [<ffff000008cabcf0>] __dev_set_rx_mode+0x58/0xa0
       [<ffff000008cabd5c>] dev_set_rx_mode+0x24/0x38
      
      Fixes: a556c76a ("net: mscc: Add initial Ocelot switch support")
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8fd48b5
    • Nikolay Aleksandrov's avatar
      net: bridge: fix netlink export of vlan_stats_per_port option · 600bea7d
      Nikolay Aleksandrov authored
      Since the introduction of the vlan_stats_per_port option the netlink
      export of it has been broken since I made a typo and used the ifla
      attribute instead of the bridge option to retrieve its state.
      Sysfs export is fine, only netlink export has been affected.
      
      Fixes: 9163a0fc ("net: bridge: add support for per-port vlan stats")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      600bea7d
    • Colin Ian King's avatar
      qed: fix spelling mistake "faspath" -> "fastpath" · 3321b6c2
      Colin Ian King authored
      There is a spelling mistake in a DP_INFO message, fix it.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3321b6c2
    • Jie Liu's avatar
      tipc: set sysctl_tipc_rmem and named_timeout right range · 4bcd4ec1
      Jie Liu authored
      We find that sysctl_tipc_rmem and named_timeout do not have the right minimum
      setting. sysctl_tipc_rmem should be larger than zero, like sysctl_tcp_rmem.
      And named_timeout as a timeout setting should be not less than zero.
      
      Fixes: cc79dd1b ("tipc: change socket buffer overflow control to respect sk_rcvbuf")
      Fixes: a5325ae5 ("tipc: add name distributor resiliency queue")
      Signed-off-by: default avatarJie Liu <liujie165@huawei.com>
      Reported-by: default avatarQiang Ning <ningqiang1@huawei.com>
      Reviewed-by: default avatarZhiqiang Liu <liuzhiqiang26@huawei.com>
      Reviewed-by: default avatarMiaohe Lin <linmiaohe@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4bcd4ec1
    • Tuong Lien's avatar
      tipc: fix link established but not in session · f7a93780
      Tuong Lien authored
      According to the link FSM, when a link endpoint got RESET_MSG (- a
      traditional one without the stopping bit) from its peer, it moves to
      PEER_RESET state and raises a LINK_DOWN event which then resets the
      link itself. Its state will become ESTABLISHING after the reset event
      and the link will be re-established soon after this endpoint starts to
      send ACTIVATE_MSG to the peer.
      
      There is no problem with this mechanism, however the link resetting has
      cleared the link 'in_session' flag (along with the other important link
      data such as: the link 'mtu') that was correctly set up at the 1st step
      (i.e. when this endpoint received the peer RESET_MSG). As a result, the
      link will become ESTABLISHED, but the 'in_session' flag is not set, and
      all STATE_MSG from its peer will be dropped at the link_validate_msg().
      It means the link not synced and will sooner or later face a failure.
      
      Since the link reset action is obviously needed for a new link session
      (this is also true in the other situations), the problem here is that
      the link is re-established a bit too early when the link endpoints are
      not really in-sync yet. The commit forces a resync as already done in
      the previous commit 91986ee1 ("tipc: fix link session and
      re-establish issues") by simply varying the link 'peer_session' value
      at the link_reset().
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f7a93780
    • Yuya Kusakabe's avatar
      net: Fix missing meta data in skb with vlan packet · d85e8be2
      Yuya Kusakabe authored
      skb_reorder_vlan_header() should move XDP meta data with ethernet header
      if XDP meta data exists.
      
      Fixes: de8f3a83 ("bpf: add meta pointer for direct access")
      Signed-off-by: default avatarYuya Kusakabe <yuya.kusakabe@gmail.com>
      Signed-off-by: default avatarTakeru Hayasaka <taketarou2@gmail.com>
      Co-developed-by: default avatarTakeru Hayasaka <taketarou2@gmail.com>
      Reviewed-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85e8be2
    • Gustavo A. R. Silva's avatar
      net: atm: Fix potential Spectre v1 vulnerabilities · 899537b7
      Gustavo A. R. Silva authored
      arg is controlled by user-space, hence leading to a potential
      exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)
      
      Fix this by sanitizing arg before using it to index dev_lec.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      899537b7
    • Ard Biesheuvel's avatar
      net/core: work around section mismatch warning for ptp_classifier · ad910c7c
      Ard Biesheuvel authored
      The routine ptp_classifier_init() uses an initializer for an
      automatic struct type variable which refers to an __initdata
      symbol. This is perfectly legal, but may trigger a section
      mismatch warning when running the compiler in -fpic mode, due
      to the fact that the initializer may be emitted into an anonymous
      .data section thats lack the __init annotation. So work around it
      by using assignments instead.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad910c7c
    • Nikolay Aleksandrov's avatar
      net: bridge: fix per-port af_packet sockets · 3b2e2904
      Nikolay Aleksandrov authored
      When the commit below was introduced it changed two visible things:
       - the skb was no longer passed through the protocol handlers with the
         original device
       - the skb was passed up the stack with skb->dev = bridge
      
      The first change broke af_packet sockets on bridge ports. For example we
      use them for hostapd which listens for ETH_P_PAE packets on the ports.
      We discussed two possible fixes:
       - create a clone and pass it through NF_HOOK(), act on the original skb
         based on the result
       - somehow signal to the caller from the okfn() that it was called,
         meaning the skb is ok to be passed, which this patch is trying to
         implement via returning 1 from the bridge link-local okfn()
      
      Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and
      drop/error would return < 0 thus the okfn() is called only when the
      return was 1, so we signal to the caller that it was called by preserving
      the return value from nf_hook().
      
      Fixes: 8626c56c ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b2e2904
  5. 16 Apr, 2019 1 commit
    • Tony Camuso's avatar
      ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash · a885bcfd
      Tony Camuso authored
      The intended behavior of function ipmi_hardcode_init_one() is to default
      to kcs interface when no type argument is presented when initializing
      ipmi with hard coded addresses.
      
      However, the array of char pointers allocated on the stack by function
      ipmi_hardcode_init() was not inited to zeroes, so it contained stack
      debris.
      
      Consequently, passing the cruft stored in this array to function
      ipmi_hardcode_init_one() caused a crash when it was unable to detect
      that the char * being passed was nonsense and tried to access the
      address specified by the bogus pointer.
      
      The fix is simply to initialize the si_type array to zeroes, so if
      there were no type argument given to at the command line, function
      ipmi_hardcode_init_one() could properly default to the kcs interface.
      Signed-off-by: default avatarTony Camuso <tcamuso@redhat.com>
      Message-Id: <1554837603-40299-1-git-send-email-tcamuso@redhat.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      a885bcfd