1. 07 Mar, 2018 7 commits
    • Alexey Kodanev's avatar
      sch_netem: fix skb leak in netem_enqueue() · 35d889d1
      Alexey Kodanev authored
      When we exceed current packets limit and we have more than one
      segment in the list returned by skb_gso_segment(), netem drops
      only the first one, skipping the rest, hence kmemleak reports:
      
      unreferenced object 0xffff880b5d23b600 (size 1024):
        comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s)
        hex dump (first 32 bytes):
          00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00  ..#]............
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000d8a19b9d>] __alloc_skb+0xc9/0x520
          [<000000001709b32f>] skb_segment+0x8c8/0x3710
          [<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830
          [<00000000c921cba1>] inet_gso_segment+0x476/0x1370
          [<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510
          [<000000002182660a>] __skb_gso_segment+0x1dd/0x620
          [<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem]
          [<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120
          [<00000000fc5f7327>] ip_finish_output2+0x998/0xf00
          [<00000000d309e9d3>] ip_output+0x1aa/0x2c0
          [<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670
          [<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0
          [<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540
          [<0000000013d06d02>] tasklet_action+0x1ca/0x250
          [<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3
          [<00000000e7ed027c>] irq_exit+0x1e2/0x210
      
      Fix it by adding the rest of the segments, if any, to skb 'to_free'
      list. Add new __qdisc_drop_all() and qdisc_drop_all() functions
      because they can be useful in the future if we need to drop segmented
      GSO packets in other places.
      
      Fixes: 6071bd1a ("netem: Segment GSO packets on enqueue")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      35d889d1
    • David S. Miller's avatar
      Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 89036a2a
      David S. Miller authored
      Johan Hedberg says:
      
      ====================
      pull request: bluetooth 2018-03-05
      
      Here are a few more Bluetooth fixes for the 4.16 kernel:
      
       - btusb: reset/resume fixes for Yoga 920 and Dell OptiPlex 3060
       - Fix for missing encryption refresh with the Security Manager protocol
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89036a2a
    • Denis Kirjanov's avatar
      fsl/fman: avoid sleeping in atomic context while adding an address · 803fafbe
      Denis Kirjanov authored
      __dev_mc_add grabs an adress spinlock so use
      atomic context in kmalloc.
      
      / # ifconfig eth0 inet 192.168.0.111
      [   89.331622] BUG: sleeping function called from invalid context at mm/slab.h:420
      [   89.339002] in_atomic(): 1, irqs_disabled(): 0, pid: 1035, name: ifconfig
      [   89.345799] 2 locks held by ifconfig/1035:
      [   89.349908]  #0:  (rtnl_mutex){+.+.}, at: [<(ptrval)>] devinet_ioctl+0xc0/0x8a0
      [   89.357258]  #1:  (_xmit_ETHER){+...}, at: [<(ptrval)>] __dev_mc_add+0x28/0x80
      [   89.364520] CPU: 1 PID: 1035 Comm: ifconfig Not tainted 4.16.0-rc3-dirty #8
      [   89.371464] Call Trace:
      [   89.373908] [e959db60] [c066f948] dump_stack+0xa4/0xfc (unreliable)
      [   89.380177] [e959db80] [c00671d8] ___might_sleep+0x248/0x280
      [   89.385833] [e959dba0] [c01aec34] kmem_cache_alloc_trace+0x174/0x320
      [   89.392179] [e959dbd0] [c04ab920] dtsec_add_hash_mac_address+0x130/0x240
      [   89.398874] [e959dc00] [c04a9d74] set_multi+0x174/0x1b0
      [   89.404093] [e959dc30] [c04afb68] dpaa_set_rx_mode+0x68/0xe0
      [   89.409745] [e959dc40] [c057baf8] __dev_mc_add+0x58/0x80
      [   89.415052] [e959dc60] [c060fd64] igmp_group_added+0x164/0x190
      [   89.420878] [e959dca0] [c060ffa8] ip_mc_inc_group+0x218/0x460
      [   89.426617] [e959dce0] [c06120fc] ip_mc_up+0x3c/0x190
      [   89.431662] [e959dd10] [c0607270] inetdev_event+0x250/0x620
      [   89.437227] [e959dd50] [c005f190] notifier_call_chain+0x80/0xf0
      [   89.443138] [e959dd80] [c0573a74] __dev_notify_flags+0x54/0xf0
      [   89.448964] [e959dda0] [c05743f8] dev_change_flags+0x48/0x60
      [   89.454615] [e959ddc0] [c0606744] devinet_ioctl+0x544/0x8a0
      [   89.460180] [e959de10] [c060987c] inet_ioctl+0x9c/0x1f0
      [   89.465400] [e959de80] [c05479a8] sock_ioctl+0x168/0x460
      [   89.470708] [e959ded0] [c01cf3ec] do_vfs_ioctl+0xac/0x8c0
      [   89.476099] [e959df20] [c01cfc40] SyS_ioctl+0x40/0xc0
      [   89.481147] [e959df40] [c0011318] ret_from_syscall+0x0/0x3c
      [   89.486715] --- interrupt: c01 at 0x1006943c
      [   89.486715]     LR = 0x100c45ec
      Signed-off-by: default avatarDenis Kirjanov <kda@linux-powerpc.org>
      Acked-by: default avatarMadalin Bucur <madalin.bucur@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      803fafbe
    • David S. Miller's avatar
      Merge branch 'rhltable-dups' · 6f22c07f
      David S. Miller authored
      Paul Blakey says:
      
      ====================
      rhashtable: Fix rhltable duplicates insertion
      
      On our mlx5 driver fs_core.c, we use the rhltable interface to store
      flow groups. We noticed that sometimes we get a warning that flow group isn't
      found at removal. This rare case was caused when a specific scenario happened,
      insertion of a flow group with a similar match criteria (a duplicate),
      but only where the flow group rhash_head was second (or not first)
      on the relevant rhashtable bucket list.
      
      The first patch fixes it, and the second one adds a test that show
      it is now working.
      
      Paul.
      
      v3 --> v2 changes:
          * added missing fix in rhashtable_lookup_one code path as well.
      
      v1 --> v2 changes:
          * Changed commit messages to better reflect the change
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f22c07f
    • Paul Blakey's avatar
      test_rhashtable: add test case for rhltable with duplicate objects · 499ac3b6
      Paul Blakey authored
      Tries to insert duplicates in the middle of bucket's chain:
      bucket 1:  [[val 21 (tid=1)]] -> [[ val 1 (tid=2),  val 1 (tid=0) ]]
      
      Reuses tid to distinguish the elements insertion order.
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      499ac3b6
    • Paul Blakey's avatar
      rhashtable: Fix rhlist duplicates insertion · d3dcf8eb
      Paul Blakey authored
      When inserting duplicate objects (those with the same key),
      current rhlist implementation messes up the chain pointers by
      updating the bucket pointer instead of prev next pointer to the
      newly inserted node. This causes missing elements on removal and
      travesal.
      
      Fix that by properly updating pprev pointer to point to
      the correct rhash_head next pointer.
      
      Issue: 1241076
      Change-Id: I86b2c140bcb4aeb10b70a72a267ff590bb2b17e7
      Fixes: ca26893f ('rhashtable: Add rhlist interface')
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d3dcf8eb
    • Geert Uytterhoeven's avatar
      dt-bindings: net: renesas-ravb: Make stream buffer optional · 25b5cdfc
      Geert Uytterhoeven authored
      The Stream Buffer for EtherAVB-IF (STBE) is an optional component, and
      is not present on all SoCs.
      
      Document this in the DT bindings, including a list of SoCs that do have
      it.
      
      Fixes: 785ec874 ("ravb: document R8A77970 bindings")
      Fixes: f231c417 ("dt-bindings: net: renesas-ravb: Add support for R8A77995 RAVB")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Acked-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25b5cdfc
  2. 06 Mar, 2018 8 commits
  3. 05 Mar, 2018 18 commits
  4. 04 Mar, 2018 7 commits
    • Guillaume Nault's avatar
      ppp: prevent unregistered channels from connecting to PPP units · 77f840e3
      Guillaume Nault authored
      PPP units don't hold any reference on the channels connected to it.
      It is the channel's responsibility to ensure that it disconnects from
      its unit before being destroyed.
      In practice, this is ensured by ppp_unregister_channel() disconnecting
      the channel from the unit before dropping a reference on the channel.
      
      However, it is possible for an unregistered channel to connect to a PPP
      unit: register a channel with ppp_register_net_channel(), attach a
      /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel
      with ppp_unregister_channel() and finally connect the /dev/ppp file to
      a PPP unit with ioctl(PPPIOCCONNECT).
      
      Once in this situation, the channel is only held by the /dev/ppp file,
      which can be released at anytime and free the channel without letting
      the parent PPP unit know. Then the ppp structure ends up with dangling
      pointers in its ->channels list.
      
      Prevent this scenario by forbidding unregistered channels from
      connecting to PPP units. This maintains the code logic by keeping
      ppp_unregister_channel() responsible from disconnecting the channel if
      necessary and avoids modification on the reference counting mechanism.
      
      This issue seems to predate git history (successfully reproduced on
      Linux 2.6.26 and earlier PPP commits are unrelated).
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      77f840e3
    • Davide Caratti's avatar
      tc-testing: skbmod: fix match value of ethertype · 79f3a8e6
      Davide Caratti authored
      iproute2 print_skbmod() prints the configured ethertype using format 0x%X:
      therefore, test 9aa8 systematically fails, because it configures action #4
      using ethertype 0x0031, and expects 0x0031 when it reads it back. Changing
      the expected value to 0x31 lets the test result 'not ok' become 'ok'.
      
      tested with:
       # ./tdc.py -e 9aa8
       Test 9aa8: Get a single skbmod action from a list
       All test results:
      
       1..1
       ok 1 9aa8 Get a single skbmod action from a list
      
      Fixes: cf797ac4 ("tc-testing: Add test cases for police and skbmod")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79f3a8e6
    • Shalom Toledo's avatar
      mlxsw: spectrum_switchdev: Check success of FDB add operation · 0a8a1bf1
      Shalom Toledo authored
      Until now, we assumed that in case of error when adding FDB entries, the
      write operation will fail, but this is not the case. Instead, we need to
      check that the number of entries reported in the response is equal to
      the number of entries specified in the request.
      
      Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC")
      Reported-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarShalom Toledo <shalomt@mellanox.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0a8a1bf1
    • Linus Torvalds's avatar
      Linux 4.16-rc4 · 661e50bc
      Linus Torvalds authored
      661e50bc
    • David S. Miller's avatar
      Merge branch 'GSO_BY_FRAGS-correctness-improvements' · 19f6484f
      David S. Miller authored
      Daniel Axtens says:
      
      ====================
      GSO_BY_FRAGS correctness improvements
      
      As requested [1], I went through and had a look at users of gso_size to
      see if there were things that need to be fixed to consider
      GSO_BY_FRAGS, and I have tried to improve our helper functions to deal
      with this case.
      
      I found a few. This fixes bugs relating to the use of
      skb_gso_*_seglen() where GSO_BY_FRAGS is not considered.
      
      Patch 1 renames skb_gso_validate_mtu to skb_gso_validate_network_len.
      This is follow-up to my earlier patch 2b16f048 ("net: create
      skb_gso_validate_mac_len()"), and just makes everything a bit clearer.
      
      Patches 2 and 3 replace the final users of skb_gso_network_seglen() -
      which doesn't consider GSO_BY_FRAGS - with
      skb_gso_validate_network_len(), which does. This allows me to make the
      skb_gso_*_seglen functions private in patch 4 - now future users won't
      accidentally do the wrong comparison.
      
      Two things remain. One is qdisc_pkt_len_init, which is discussed at
      [2] - it's caught up in the GSO_DODGY mess. I don't have any expertise
      in GSO_DODGY, and it looks like a good clean fix will involve
      unpicking the whole validation mess, so I have left it for now.
      
      Secondly, there are 3 eBPF opcodes that change the gso_size of an SKB
      and don't consider GSO_BY_FRAGS. This is going through the bpf tree.
      
      Regards,
      Daniel
      
      [1] https://patchwork.ozlabs.org/comment/1852414/
      [2] https://www.spinics.net/lists/netdev/msg482397.html
      
      PS: This is all in the core networking stack. For a driver to be
      affected by this it would need to support NETIF_F_GSO_SCTP /
      NETIF_F_GSO_SOFTWARE and then either use gso_size or not be a purely
      virtual device. (Many drivers look at gso_size, but do not support
      SCTP segmentation, so the core network will segment an SCTP gso before
      it hits them.) Based on that, the only driver that may be affected is
      sunvnet, but I have no way of testing it, so I haven't looked at it.
      
      v2: split out bpf stuff
          fix review comments from Dave Miller
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19f6484f
    • Daniel Axtens's avatar
      net: make skb_gso_*_seglen functions private · a4a77718
      Daniel Axtens authored
      They're very hard to use properly as they do not consider the
      GSO_BY_FRAGS case. Code should use skb_gso_validate_network_len
      and skb_gso_validate_mac_len as they do consider this case.
      
      Make the seglen functions static, which stops people using them
      outside of skbuff.c
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4a77718
    • Daniel Axtens's avatar
      net: xfrm: use skb_gso_validate_network_len() to check gso sizes · 80f5974d
      Daniel Axtens authored
      Replace skb_gso_network_seglen() with
      skb_gso_validate_network_len(), as it considers the GSO_BY_FRAGS
      case.
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      80f5974d