1. 10 Apr, 2020 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 40fc7ad2
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2020-04-10
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 13 non-merge commits during the last 7 day(s) which contain
      a total of 13 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) JIT code emission fixes for riscv and arm32, from Luke Nelson and Xi Wang.
      
      2) Disable vmlinux BTF info if GCC_PLUGIN_RANDSTRUCT is used, from Slava Bacherikov.
      
      3) Fix oob write in AF_XDP when meta data is used, from Li RongQing.
      
      4) Fix bpf_get_link_xdp_id() handling on single prog when flags are specified,
         from Andrey Ignatov.
      
      5) Fix sk_assign() BPF helper for request sockets that can have sk_reuseport
         field uninitialized, from Joe Stringer.
      
      6) Fix mprotect() test case for the BPF LSM, from KP Singh.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40fc7ad2
  2. 09 Apr, 2020 8 commits
    • Taras Chornyi's avatar
      net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin · 690cc863
      Taras Chornyi authored
      When CONFIG_IP_MULTICAST is not set and multicast ip is added to the device
      with autojoin flag or when multicast ip is deleted kernel will crash.
      
      steps to reproduce:
      
      ip addr add 224.0.0.0/32 dev eth0
      ip addr del 224.0.0.0/32 dev eth0
      
      or
      
      ip addr add 224.0.0.0/32 dev eth0 autojoin
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
       pc : _raw_write_lock_irqsave+0x1e0/0x2ac
       lr : lock_sock_nested+0x1c/0x60
       Call trace:
        _raw_write_lock_irqsave+0x1e0/0x2ac
        lock_sock_nested+0x1c/0x60
        ip_mc_config.isra.28+0x50/0xe0
        inet_rtm_deladdr+0x1a8/0x1f0
        rtnetlink_rcv_msg+0x120/0x350
        netlink_rcv_skb+0x58/0x120
        rtnetlink_rcv+0x14/0x20
        netlink_unicast+0x1b8/0x270
        netlink_sendmsg+0x1a0/0x3b0
        ____sys_sendmsg+0x248/0x290
        ___sys_sendmsg+0x80/0xc0
        __sys_sendmsg+0x68/0xc0
        __arm64_sys_sendmsg+0x20/0x30
        el0_svc_common.constprop.2+0x88/0x150
        do_el0_svc+0x20/0x80
       el0_sync_handler+0x118/0x190
        el0_sync+0x140/0x180
      
      Fixes: 93a714d6 ("multicast: Extend ip address command to enable multicast group join/leave on")
      Signed-off-by: default avatarTaras Chornyi <taras.chornyi@plvision.eu>
      Signed-off-by: default avatarVadym Kochan <vadym.kochan@plvision.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      690cc863
    • Ka-Cheong Poon's avatar
      net/rds: Fix MR reference counting problem · 2fabef4f
      Ka-Cheong Poon authored
      In rds_free_mr(), it calls rds_destroy_mr(mr) directly.  But this
      defeats the purpose of reference counting and makes MR free handling
      impossible.  It means that holding a reference does not guarantee that
      it is safe to access some fields.  For example, In
      rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
      calls mr->r_trans->sync_mr().  But if rds_free_mr() (and
      rds_destroy_mr()) is called in between (there is no lock preventing
      this to happen), r_trans_private is set to NULL, causing a panic.
      Similar issue is in rds_rdma_unuse().
      Reported-by: default avatarzerons <sironhide0null@gmail.com>
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fabef4f
    • Ka-Cheong Poon's avatar
    • Taehee Yoo's avatar
      net: macsec: fix using wrong structure in macsec_changelink() · 022e9d60
      Taehee Yoo authored
      In the macsec_changelink(), "struct macsec_tx_sa tx_sc" is used to
      store "macsec_secy.tx_sc".
      But, the struct type of tx_sc is macsec_tx_sc, not macsec_tx_sa.
      So, the macsec_tx_sc should be used instead.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add macsec0 link dummy0 type macsec
          ip link set macsec0 type macsec encrypt off
      
      Splat looks like:
      [61119.963483][ T9335] ==================================================================
      [61119.964709][ T9335] BUG: KASAN: slab-out-of-bounds in macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.965787][ T9335] Read of size 160 at addr ffff888020d69c68 by task ip/9335
      [61119.966699][ T9335]
      [61119.966979][ T9335] CPU: 0 PID: 9335 Comm: ip Not tainted 5.6.0+ #503
      [61119.967791][ T9335] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [61119.968914][ T9335] Call Trace:
      [61119.969324][ T9335]  dump_stack+0x96/0xdb
      [61119.969809][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.970554][ T9335]  print_address_description.constprop.5+0x1be/0x360
      [61119.971294][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.971973][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.972703][ T9335]  __kasan_report+0x12a/0x170
      [61119.973323][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.973942][ T9335]  kasan_report+0xe/0x20
      [61119.974397][ T9335]  check_memory_region+0x149/0x1a0
      [61119.974866][ T9335]  memcpy+0x1f/0x50
      [61119.975209][ T9335]  macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.975825][ T9335]  ? macsec_get_stats64+0x3e0/0x3e0 [macsec]
      [61119.976451][ T9335]  ? kernel_text_address+0x111/0x120
      [61119.976990][ T9335]  ? pskb_expand_head+0x25f/0xe10
      [61119.977503][ T9335]  ? stack_trace_save+0x82/0xb0
      [61119.977986][ T9335]  ? memset+0x1f/0x40
      [61119.978397][ T9335]  ? __nla_validate_parse+0x98/0x1ab0
      [61119.978936][ T9335]  ? macsec_alloc_tfm+0x90/0x90 [macsec]
      [61119.979511][ T9335]  ? __kasan_slab_free+0x111/0x150
      [61119.980021][ T9335]  ? kfree+0xce/0x2f0
      [61119.980700][ T9335]  ? netlink_trim+0x196/0x1f0
      [61119.981420][ T9335]  ? nla_memcpy+0x90/0x90
      [61119.982036][ T9335]  ? register_lock_class+0x19e0/0x19e0
      [61119.982776][ T9335]  ? memcpy+0x34/0x50
      [61119.983327][ T9335]  __rtnl_newlink+0x922/0x1270
      [ ... ]
      
      Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      022e9d60
    • Colin Ian King's avatar
      net-sysfs: remove redundant assignment to variable ret · 5f0224a6
      Colin Ian King authored
      The variable ret is being initialized with a value that is never read
      and it is being updated later with a new value.  The initialization is
      redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f0224a6
    • Wang Wenhu's avatar
      net: qrtr: send msgs from local of same id as broadcast · 6dbf02ac
      Wang Wenhu authored
      If the local node id(qrtr_local_nid) is not modified after its
      initialization, it equals to the broadcast node id(QRTR_NODE_BCAST).
      So the messages from local node should not be taken as broadcast
      and keep the process going to send them out anyway.
      
      The definitions are as follow:
      static unsigned int qrtr_local_nid = NUMA_NO_NODE;
      
      Fixes: fdf5fd39 ("net: qrtr: Broadcast messages only from control port")
      Signed-off-by: default avatarWang Wenhu <wenhu.wang@vivo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dbf02ac
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 3d61a39d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2020-04-08
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v5.3
       ('net/mlx5: Fix frequent ioread PCI access during recovery')
       ('net/mlx5e: Add missing release firmware call')
      
      For -stable v5.4
       ('net/mlx5e: Fix nest_level for vlan pop action')
       ('net/mlx5e: Fix pfnum in devlink port attribute')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d61a39d
    • Lothar Rubusch's avatar
      Documentation: devlink: fix broken link warning · e750b84d
      Lothar Rubusch authored
      At 'make htmldocs' the following warning is thrown:
      
      Documentation/networking/devlink/devlink-trap.rst:302:
      WARNING: undefined label: generic-packet-trap-groups
      
      Fixes the warning by setting the label to the specified header,
      within the same document.
      Signed-off-by: default avatarLothar Rubusch <l.rubusch@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e750b84d
  3. 08 Apr, 2020 31 commits