1. 25 Jan, 2019 20 commits
    • Merge tag 'mac80211-for-davem-2019-01-25' of... · 51795275
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2019-01-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Just a few small fixes:
       * avoid trying to operate TDLS when not connected,
         this is not valid and led to issues
       * count TTL-dropped frames in mesh better
       * deal with new WiGig channels in regulatory code
       * remove a WARN_ON() that can trigger due to benign
         races during device/driver registration
       * fix nested netlink policy maxattrs (syzkaller)
       * fix hwsim n_limits (syzkaller)
       * propagate __aligned(2) to a surrounding struct
       * return proper error in virt_wifi error path
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cfg80211: extend range deviation for DMG · 93183bdb
      Chaitanya Tata authored
      Recently, DMG frequency bands have been extended till 71GHz, so extend
      the range check till 20GHz (45-71GHZ), else some channels will be marked
      as disabled.
      Signed-off-by: Chaitanya Tata <Chaitanya.Tata@bluwireless.co.uk>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • cfg80211: reg: remove warn_on for a normal case · faae54ad
      Chaitanya Tata authored
      If there are simultaneous queries of regdb, then there might be a case
      where multiple queries can trigger request_firmware_no_wait and can have
      parallel callbacks being executed asynchronously. In this scenario we
      might hit the WARN_ON.
      
      So remove the warn_on, as the code already handles multiple callbacks
      gracefully.
      Signed-off-by: Chaitanya Tata <chaitanya.tata@bluwireless.co.uk>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • mac80211: Add attribute aligned(2) to struct 'action' · 7c53eb5d
      Mathieu Malaterre authored
      During refactor in commit 9e478066 ("mac80211: fix MU-MIMO
      follow-MAC mode") a new struct 'action' was declared with packed
      attribute as:
      
        struct {
                struct ieee80211_hdr_3addr hdr;
                u8 category;
                u8 action_code;
        } __packed action;
      
      But since struct 'ieee80211_hdr_3addr' is declared with an aligned
      keyword as:
      
        struct ieee80211_hdr {
        	__le16 frame_control;
        	__le16 duration_id;
        	u8 addr1[ETH_ALEN];
        	u8 addr2[ETH_ALEN];
        	u8 addr3[ETH_ALEN];
        	__le16 seq_ctrl;
        	u8 addr4[ETH_ALEN];
        } __packed __aligned(2);
      
      Solve the ambiguity of placing aligned structure in a packed one by
      adding the aligned(2) attribute to struct 'action'.
      
      This removes the following warning (W=1):
      
        net/mac80211/rx.c:234:2: warning: alignment 1 of 'struct <anonymous>' is less than 2 [-Wpacked-not-aligned]
      
      Cc: Johannes Berg <johannes.berg@intel.com>
      Suggested-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: Mathieu Malaterre <malat@debian.org>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • mac80211: don't initiate TDLS connection if station is not associated to AP · 7ed52853
      Balaji Pothunoori authored
      Following call trace is observed while adding TDLS peer entry in driver
      during TDLS setup.
      
      Call Trace:
      [<c1301476>] dump_stack+0x47/0x61
      [<c10537d2>] __warn+0xe2/0x100
      [<fa22415f>] ? sta_apply_parameters+0x49f/0x550 [mac80211]
      [<c1053895>] warn_slowpath_null+0x25/0x30
      [<fa22415f>] sta_apply_parameters+0x49f/0x550 [mac80211]
      [<fa20ad42>] ? sta_info_alloc+0x1c2/0x450 [mac80211]
      [<fa224623>] ieee80211_add_station+0xe3/0x160 [mac80211]
      [<c1876fe3>] nl80211_new_station+0x273/0x420
      [<c170f6d9>] genl_rcv_msg+0x219/0x3c0
      [<c170f4c0>] ? genl_rcv+0x30/0x30
      [<c170ee7e>] netlink_rcv_skb+0x8e/0xb0
      [<c170f4ac>] genl_rcv+0x1c/0x30
      [<c170e8aa>] netlink_unicast+0x13a/0x1d0
      [<c170ec18>] netlink_sendmsg+0x2d8/0x390
      [<c16c5acd>] sock_sendmsg+0x2d/0x40
      [<c16c6369>] ___sys_sendmsg+0x1d9/0x1e0
      
      Fixing this by allowing TDLS setup request only when we have completed
      association.
      Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • nl80211: fix NLA_POLICY_NESTED() arguments · a8b5c6d6
      Johannes Berg authored
      syzbot reported an out-of-bounds read when passing certain
      malformed messages into nl80211. The specific place where
      this happened isn't interesting, the problem is that nested
      policy parsing was referring to the wrong maximum attribute
      and thus the policy wasn't long enough.
      
      Fix this by referring to the correct attribute. Since this
      is really not necessary, I'll come up with a separate patch
      to just pass the policy instead of both, in the common case
      we can infer the maxattr from the size of the policy array.
      
      Reported-by: syzbot+4157b036c5f4713b1f2f@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Fixes: 9bb7e0f2 ("cfg80211: add peer measurement with FTM initiator API")
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • ibmveth: Do not process frames after calling napi_reschedule · e95d22c6
      Thomas Falcon authored
      The IBM virtual ethernet driver's polling function continues
      to process frames after rescheduling NAPI, resulting in a warning
      if it exhausted its budget. Do not restart polling after calling
      napi_reschedule. Instead let frames be processed in the following
      instance.
      Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dev_is_mac_header_xmit() true for ARPHRD_RAWIP · 3b707c30
      Maciej Żenczykowski authored
      __bpf_redirect() and act_mirred check this boolean
      to determine whether to prefix an ethernet header.
      Signed-off-by: Maciej Żenczykowski <maze@google.com>
      Acked-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: usb: asix: ax88772_bind return error when hw_reset fail · 6eea3527
      Zhang Run authored
      The ax88772_bind() should return error code immediately when the PHY
      was not reset properly through ax88772a_hw_reset().
      Otherwise, the asix_get_phyid() will block when getting the PHY
      Identifier from the PHYSID1 MII registers through asix_mdio_read()
      because the PHY isn't ready. Furthermore, it will produce a lot of
      error messages and cause a system crash, as follows:
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write
       reg index 0x0000: -71
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to send
       software reset: ffffffb9
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write
       reg index 0x0000: -71
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to enable
       software MII access
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read
       reg index 0x0000: -71
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write
       reg index 0x0000: -71
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to enable
       software MII access
      asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read
       reg index 0x0000: -71
      ...
      Signed-off-by: Zhang Run <zhang.run@zte.com.cn>
      Reviewed-by: Yang Wei <yang.wei9@zte.com.cn>
      Tested-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: Update cavium networking drivers · d524e641
      Sudarsana Reddy Kalluru authored
      Following Marvell's acquisition of Cavium, we need to update all the
      Cavium drivers maintainer's entries to point to our new e-mail addresses.
      Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: Ameen Rahman <Ameen.Rahman@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux · b8812920
      David S. Miller authored
      Sasha Levin says:
      
      ====================
      Hyper-V hv_netvsc commits for 5.0
      
      Three patches from Haiyang Zhang to fix settings hash key using ethtool,
      and Adrian Vladu's first patch fixing a few spelling mistakes.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'linux-can-fixes-for-5.0-20190122' of... · 9620d6f6
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.0-20190122' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-01-22
      
      this is a pull request of 4 patches for net/master.
      
      The first patch is by Manfred Schlaegl and reverts a patch that caused wrong
      warning messages in certain use cases. The next patch is by Oliver Hartkopp for
      the bcm that adds sanity checks for the timer value before using it to detect
      potential integer overflows. The last two patches are for the flexcan driver,
      YueHaibing's patch fixes the return value in the error path of the
      flexcan_setup_stop_mode() function. The second patch is by Uwe Kleine-König and
      fixes a NULL pointer deref on older flexcan cores in flexcan_chip_start().
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'mlx4_core-fixes' · 21507dc4
      David S. Miller authored
      Tariq Toukan says:
      
      ====================
      mlx4_core fixes for 5.0-rc
      
      This patchset includes two fixes for the mlx4_core driver.
      
      First patch by Aya fixes inaccurate parsing of some FW fields, mistakenly
      including additional (mostly reserved) bits.
      
      Second patch by Jack fixes a wrong (yet harmless) error handling of
      calls to copy_to_user() during the CQs init stage.
      
      Series generated against net commit:
      49a57857 Linux 5.0-rc3
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx4_core: Fix error handling when initializing CQ bufs in the driver · ffe4cfc3
      Jack Morgenstein authored
      Procedure mlx4_init_user_cqes() handles returns by copy_to_user
      incorrectly. copy_to_user() returns the number of bytes not copied.
      Thus, a non-zero return should be treated as a -EFAULT error
      (as is done elsewhere in the kernel). However, mlx4_init_user_cqes()
      error handling simply returns the number of bytes not copied
      (instead of -EFAULT).
      
      Note, though, that this is a harmless bug: procedure mlx4_alloc_cq()
      (which is the only caller of mlx4_init_user_cqes()) treats any
      non-zero return as an error, but that returned error value is processed
      internally, and not passed further up the call stack.
      
      In addition, fixes the following sparse warning:
      warning: incorrect type in argument 1 (different address spaces)
         expected void [noderef] <asn:1>*to
         got void *buf
      
      Fixes: e4567897 ("{net, IB}/mlx4: Initialize CQ buffers in the driver when possible")
      Reported by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx4_core: Add masking for a few queries on HCA caps · a40ded60
      Aya Levin authored
      Driver reads the query HCA capabilities without the corresponding masks.
      Without the correct masks, the base addresses of the queues are
      unaligned.  In addition some reserved bits were wrongly read.  Using the
      correct masks, ensures alignment of the base addresses and allows future
      firmware versions safe use of the reserved bits.
      
      Fixes: ab9c17a0 ("mlx4_core: Modify driver initialization flow to accommodate SRIOV for Ethernet")
      Fixes: 0ff1fb65 ("{NET, IB}/mlx4: Add device managed flow steering firmware API")
      Signed-off-by: Aya Levin <ayal@mellanox.com>
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: set flow sport from saddr only when it's 0 · ecf938fe
      Xin Long authored
      Now sctp_transport_pmtu() passes transport->saddr into .get_dst() to set
      flow sport from 'saddr'. However, transport->saddr is set only when
      transport->dst exists in sctp_transport_route().
      
      If sctp_transport_pmtu() is called without transport->saddr set, like
      when transport->dst doesn't exist, the flow sport will be set to 0
      from transport->saddr, which will cause a wrong route to be got.
      
      Commit 6e91b578 ("sctp: re-use sctp_transport_pmtu in
      sctp_transport_route") made the issue be triggered more easily
      since sctp_transport_pmtu() would be called in sctp_transport_route()
      after that.
      
      In general, fl4->fl4_sport should always be set to
      htons(asoc->base.bind_addr.port), unless transport->asoc doesn't exist
      in sctp_v4/6_get_dst(), which is the case:
      
        sctp_ootb_pkt_new() ->
          sctp_transport_route()
      
      For that, we can simply handle it by setting flow sport from saddr only
      when it's 0 in sctp_v4/6_get_dst().
      
      Fixes: 6e91b578 ("sctp: re-use sctp_transport_pmtu in sctp_transport_route")
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: set chunk transport correctly when it's a new asoc · 4ff40b86
      Xin Long authored
      In the paths:
      
        sctp_sf_do_unexpected_init() ->
          sctp_make_init_ack()
        sctp_sf_do_dupcook_a/b()() ->
          sctp_sf_do_5_1D_ce()
      
      The new chunk 'retval' transport is set from the incoming chunk 'chunk'
      transport. However, 'retval' transport belongs to the new asoc, which
      is a different one from 'chunk' transport's asoc.
      
      It will cause that the 'retval' chunk gets set with a wrong transport.
      Later when sending it and because of Commit b9fd6839 ("sctp: add
      sctp_packet_singleton"), sctp_packet_singleton() will set some fields,
      like vtag to 'retval' chunk from that wrong transport's asoc.
      
      This patch is to fix it by setting 'retval' transport correctly which
      belongs to the right asoc in sctp_make_init_ack() and
      sctp_sf_do_5_1D_ce().
      
      Fixes: b9fd6839 ("sctp: add sctp_packet_singleton")
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: improve the events for sctp stream adding · 8220c870
      Xin Long authored
      This patch is to improve sctp stream adding events in 2 places:
      
        1. In sctp_process_strreset_addstrm_out(), move up SCTP_MAX_STREAM
           and in stream allocation failure checks, as the adding has to
           succeed after reconf_timer stops for the in stream adding
           request retransmission.
      
        2. In sctp_process_strreset_addstrm_in(), no event should be sent,
           as no in or out stream is added here.
      
      Fixes: 50a41591 ("sctp: implement receiver-side procedures for the Add Outgoing Streams Request Parameter")
      Fixes: c5c4ebb3 ("sctp: implement receiver-side procedures for the Add Incoming Streams Request Parameter")
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: improve the events for sctp stream reset · 2e6dc4d9
      Xin Long authored
      This patch is to improve sctp stream reset events in 4 places:
      
        1. In sctp_process_strreset_outreq(), the flag should always be set with
           SCTP_STREAM_RESET_INCOMING_SSN instead of OUTGOING, as receiver's in
           stream is reset here.
        2. In sctp_process_strreset_outreq(), move up SCTP_STRRESET_ERR_WRONG_SSN
           check, as the reset has to succeed after reconf_timer stops for the
           in stream reset request retransmission.
        3. In sctp_process_strreset_inreq(), no event should be sent, as no in
           or out stream is reset here.
        4. In sctp_process_strreset_resp(), SCTP_STREAM_RESET_INCOMING_SSN or
           OUTGOING event should always be sent for stream reset requests, no
           matter it fails or succeeds to process the request.
      
      Fixes: 81054476 ("sctp: implement receiver-side procedures for the Outgoing SSN Reset Request Parameter")
      Fixes: 16e1a919 ("sctp: implement receiver-side procedures for the Incoming SSN Reset Request Parameter")
      Fixes: 11ae76e6 ("sctp: implement receiver-side procedures for the Reconf Response Parameter")
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel · d71b5753
      wenxu authored
      ip l add dev tun type gretap key 1000
      ip a a dev tun 10.0.0.1/24
      
      Packets with tun-id 1000 can be received by tun dev. But packet can't
      be sent through dev tun for non-tunnel-dst
      
      With this patch: tunnel-dst can be get through lwtunnel like below:
      ip r a 10.0.0.7 encap ip dst 172.168.0.11 dev tun
      Signed-off-by: wenxu <wenxu@ucloud.cn>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 23 Jan, 2019 17 commits
    • ax25: fix possible use-after-free · 63530aba
      Eric Dumazet authored
      syzbot found that ax25 routes were not properly protected
      against concurrent use [1].
      
      In this particular report the bug happened while
      copying ax25->digipeat.
      
      Fix this problem by making sure we call ax25_get_route()
      while ax25_route_lock is held, so that no modification
      could happen while using the route.
      
      The current two ax25_get_route() callers do not sleep,
      so this change should be fine.
      
      Once we do that, ax25_get_route() no longer needs to
      grab a reference on the found route.
      
      [1]
      ax25_connect(): syz-executor0 uses autobind, please contact jreuter@yaina.de
      BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline]
      BUG: KASAN: use-after-free in kmemdup+0x42/0x60 mm/util.c:113
      Read of size 66 at addr ffff888066641a80 by task syz-executor2/531
      
      ax25_connect(): syz-executor0 uses autobind, please contact jreuter@yaina.de
      CPU: 1 PID: 531 Comm: syz-executor2 Not tainted 5.0.0-rc2+ #10
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
       kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       check_memory_region_inline mm/kasan/generic.c:185 [inline]
       check_memory_region+0x123/0x190 mm/kasan/generic.c:191
       memcpy+0x24/0x50 mm/kasan/common.c:130
       memcpy include/linux/string.h:352 [inline]
       kmemdup+0x42/0x60 mm/util.c:113
       kmemdup include/linux/string.h:425 [inline]
       ax25_rt_autobind+0x25d/0x750 net/ax25/ax25_route.c:424
       ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1224
       __sys_connect+0x357/0x490 net/socket.c:1664
       __do_sys_connect net/socket.c:1675 [inline]
       __se_sys_connect net/socket.c:1672 [inline]
       __x64_sys_connect+0x73/0xb0 net/socket.c:1672
       do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Allocated by task 526:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_kmalloc mm/kasan/common.c:496 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
      ax25_connect(): syz-executor5 uses autobind, please contact jreuter@yaina.de
       kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
       kmalloc include/linux/slab.h:545 [inline]
       ax25_rt_add net/ax25/ax25_route.c:95 [inline]
       ax25_rt_ioctl+0x3b9/0x1270 net/ax25/ax25_route.c:233
       ax25_ioctl+0x322/0x10b0 net/ax25/af_ax25.c:1763
       sock_do_ioctl+0xe2/0x400 net/socket.c:950
       sock_ioctl+0x32f/0x6c0 net/socket.c:1074
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:509 [inline]
       do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
       ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
       __do_sys_ioctl fs/ioctl.c:720 [inline]
       __se_sys_ioctl fs/ioctl.c:718 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
       do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      ax25_connect(): syz-executor5 uses autobind, please contact jreuter@yaina.de
      Freed by task 550:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
       __cache_free mm/slab.c:3487 [inline]
       kfree+0xcf/0x230 mm/slab.c:3806
       ax25_rt_add net/ax25/ax25_route.c:92 [inline]
       ax25_rt_ioctl+0x304/0x1270 net/ax25/ax25_route.c:233
       ax25_ioctl+0x322/0x10b0 net/ax25/af_ax25.c:1763
       sock_do_ioctl+0xe2/0x400 net/socket.c:950
       sock_ioctl+0x32f/0x6c0 net/socket.c:1074
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:509 [inline]
       do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
       ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
       __do_sys_ioctl fs/ioctl.c:720 [inline]
       __se_sys_ioctl fs/ioctl.c:718 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
       do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff888066641a80
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 0 bytes inside of
       96-byte region [ffff888066641a80, ffff888066641ae0)
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe · 33664635
      Edward Cree authored
      Use a bitmap to keep track of which partition types we've already seen;
       for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and
       thus skip adding that partition.
      Duplicate partitions occur because of the A/B backup scheme used by newer
       sfc NICs.  Prior to this patch they cause sysfs_warn_dup errors because
       they have the same name, causing us not to expose any MTDs at all.
      Signed-off-by: Edward Cree <ecree@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • hv_netvsc: fix typos in code comments · 52d3b494
      Adrian Vladu authored
      Fix all typos from hyperv netvsc code comments.
      Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
      
      Cc: "K. Y. Srinivasan" <kys@microsoft.com>
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: Sasha Levin <sashal@kernel.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: "Alessandro Pilotti" <apilotti@cloudbasesolutions.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • hv_netvsc: Fix hash key value reset after other ops · 17d91256
      Haiyang Zhang authored
      Changing mtu, channels, or buffer sizes ops call to netvsc_attach(),
      rndis_set_subchannel(), which always reset the hash key to default
      value. That will override hash key changed previously. This patch
      fixes the problem by saving the hash key, then restoring it when we
      re-add the netvsc device.
      
      Fixes: ff4a4419 ("netvsc: allow get/set of RSS indirection table")
      Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: Michael Kelley <mikelley@microsoft.com>
      [sl: fix up subject line]
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • hv_netvsc: Refactor assignments of struct netvsc_device_info · 7c9f335a
      Haiyang Zhang authored
      These assignments occur in multiple places. The patch refactors them
      to a function for simplicity. It also puts the struct to heap area
      for future expansion.
      Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: Michael Kelley <mikelley@microsoft.com>
      [sl: fix up subject line]
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • hv_netvsc: Fix ethtool change hash key error · b4a10c75
      Haiyang Zhang authored
      Hyper-V hosts require us to disable RSS before changing RSS key,
      otherwise the changing request will fail. This patch fixes the
      coding error.
      
      Fixes: ff4a4419 ("netvsc: allow get/set of RSS indirection table")
      Reported-by: Wei Hu <weh@microsoft.com>
      Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: Michael Kelley <mikelley@microsoft.com>
      [sl: fix up subject line]
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • ravb: expand rx descriptor data to accommodate hw checksum · 12da6430
      Simon Horman authored
      EtherAVB may provide a checksum of packet data appended to packet data. In
      order to allow this checksum to be received by the host descriptor data
      needs to be enlarged by 2 bytes to accommodate the checksum.
      
      In the case of MTU-sized packets without a VLAN tag the
      checksum was already accommodated by virtue of the space reserved for the
      VLAN tag. However, a packet of MTU-size with a VLAN tag consumed all
      packet data space provided by a descriptor leaving no space for the
      trailing checksum.
      
      This was not detected by the driver which incorrectly used the last two
      bytes of packet data as the checksum and truncated the packet by two bytes.
      This resulted in all such packets being dropped.
      
      A work around is to disable RX checksum offload
       # ethtool -K eth0 rx off
      
      This patch resolves this problem by increasing the size available for
      packet data in RX descriptors by two bytes.
      
      Tested on R-Car E3 (r8a77990) ES1.0 based Ebisu-4D board
      
      v2
      * Use sizeof(__sum16) directly rather than adding a driver-local
        #define for the size of the checksum provided by the hw (2 bytes).
      
      Fixes: 4d86d381 ("ravb: RX checksum offload")
      Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: Fixup GPLv2+ SPDX tags based on license text · ab06418b
      Andrew Lunn authored
      A few PHY drivers have the GPLv2+ license text. They then either have
      a MODULE_LICENSE() of GPLv2 only, or an SPDX tag of GPLv2 only.
      
      Since the license text is much easier to understand than either the
      SPDX tag or the MODULE_LICENSE, use it as the definitive source of the
      licence, and fixup the others when there are contradictions.
      
      Cc: David Wu <david.wu@rock-chips.com>
      Cc: Dongpo Li <lidongpo@hisilicon.com>
      Cc: Michael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Acked-by: Michael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ab06418b
    • net: fec: get regulator optional · 25974d8a
      Stefan Agner authored
      According to the device tree binding the phy-supply property is
      optional. Use the regulator_get_optional API accordingly. The
      code already handles NULL just fine.
      
      This gets rid of the following warning:
        fec 2188000.ethernet: 2188000.ethernet supply phy not found, using dummy regulator
      Signed-off-by: Stefan Agner <stefan@agner.ch>
      Reviewed-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
      Acked-by: Fugang Duan <fugang.duan@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      25974d8a
    • net/ipv6: lower the level of "link is not ready" messages · 7c62b8dd
      Lubomir Rintel authored
      This message gets logged far too often for how interesting it is.
      
      Most distributions nowadays configure NetworkManager to use randomly
      generated MAC addresses for Wi-Fi network scans. The interfaces end up
      being periodically brought down for the address change. When they're
      subsequently brought back up, the message is logged, eventually flooding
      the log.
      
      Perhaps the message is not all that helpful: it seems to be more
      interesting to hear when the addrconf actually starts, not when it does
      not. Let's lower its level.
      Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
      Acked-By: Thomas Haller <thaller@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      7c62b8dd
    • net: altera_tse: fix connect_local_phy error path · 17b42a20
      Atsushi Nemoto authored
      The connect_local_phy should return NULL (not negative errno) on
      error, since its caller expects it.
      Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
      Acked-by: Thor Thayer <thor.thayer@linux.intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      17b42a20
    • net: dpaa2: improve PTP Kconfig option · 5d9bf433
      Yangbo Lu authored
      Converted to use "imply" instead of "select" for PTP_1588_CLOCK
      driver selecting. This could break the hard dependency between
      the PTP clock subsystem and ethernet drivers.
      This patch also sets "default y" for dpaa2 ptp driver building to
      provide the user with an available ptp clock by default.
      Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
      Acked-by: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      5d9bf433
    • Merge branch 'qed-Error-recovery-process' · 8fb18be9
      David S. Miller authored
      Michal Kalderon says:
      
      ====================
      qed*: Error recovery process
      
      Parity errors might happen in the device's memories due to momentary bit
      flips which are caused by radiation.
      Errors that are not correctable initiate a process kill event, which blocks
      the device access towards the host and the network, and a recovery process
      is started in the management FW and in the driver.
      
      This series adds the support of this process in the qed core module and in
      the qede driver (patches 2 & 3).
      Patch 1 in the series revises the load sequence, to avoid PCI errors that
      might be observed during a recovery process.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      8fb18be9
    • qede: Error recovery process · 278396de
      Tomer Tayar authored
      This patch adds the error recovery process in the qede driver.
      The process includes a partial/customized driver unload and load, which
      allows it to look like a short suspend period to the kernel while
      preserving the net devices' state.
      Signed-off-by: Tomer Tayar <tomer.tayar@cavium.com>
      Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
      Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      278396de
    • qed: Add infrastructure for error detection and recovery · c75860e4
      Tomer Tayar authored
      This patch adds the detection and handling of a parity error ("process kill
      event"), including the update of the protocol drivers, and the prevention
      of any HW access that will lead to device access towards the host while
      recovery is in progress.
      It also provides the means for the protocol drivers to trigger a recovery
      process on their decision.
      Signed-off-by: Tomer Tayar <tomer.tayar@cavium.com>
      Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
      Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c75860e4
    • qed: Revise load sequence to avoid PCI errors · cfdb1b63
      Tomer Tayar authored
      Initiating final cleanup after an ungraceful driver unload can lead to bad
      PCI accesses towards the host.
      This patch revises the load sequence so final cleanup is sent while the
      internal master enable is cleared, to prevent the host accesses, and clears
      the internal error indications just before enabling the internal master
      enable.
      Signed-off-by: Tomer Tayar <tomer.tayar@cavium.com>
      Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
      Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cfdb1b63
    • net/ipv6: don't return positive numbers when nothing was dumped · 1518039f
      Jakub Kicinski authored
      in6_dump_addrs() returns a positive 1 if there was nothing to dump.
      This return value can not be passed as return from inet6_dump_addr()
      as is, because it will confuse rtnetlink, resulting in NLMSG_DONE
      never getting set:
      
      $ ip addr list dev lo
      EOF on netlink
      Dump terminated
      
      v2: flip condition to avoid a new goto (DaveA)
      
      Fixes: 7c1e8a38 ("netlink: fixup regression in RTM_GETADDR")
      Reported-by: Brendan Galloway <brendan.galloway@netronome.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: David Ahern <dsahern@gmail.com>
      Tested-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      1518039f
  3. 22 Jan, 2019 3 commits
    • net: ip_gre: use erspan key field for tunnel lookup · cb73ee40
      Lorenzo Bianconi authored
      Use ERSPAN key header field as tunnel key in gre_parse_header routine
      since ERSPAN protocol sets the key field of the external GRE header to
      0 resulting in a tunnel lookup failure in ip6gre_err.
      In addition remove key field parsing and pskb_may_pull check in
      erspan_rcv and ip6erspan_rcv.
      
      Fixes: 5a963eb6 ("ip6_gre: Add ERSPAN native tunnel support")
      Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cb73ee40
    • net: sun: cassini: Cleanup license conflict · 56cb4e50
      Thomas Gleixner authored
      The recent addition of SPDX license identifiers to the files in
      drivers/net/ethernet/sun created a licensing conflict.
      
      The cassini driver files contain a proper license notice:
      
        * This program is free software; you can redistribute it and/or
        * modify it under the terms of the GNU General Public License as
        * published by the Free Software Foundation; either version 2 of the
        * License, or (at your option) any later version.
      
      but the SPDX change added:
      
         SPDX-License-Identifier: GPL-2.0
      
      So the file got tagged GPL v2 only while in fact it is licensed under GPL
      v2 or later.
      
      It's nice that people care about the SPDX tags, but they need to be more
      careful about it. Not everything under (the) sun belongs to ...
      
      Fix up the SPDX identifier and remove the boiler plate text as it is
      redundant.
      
      Fixes: c861ef83 ("sun: Add SPDX license tags to Sun network drivers")
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Shannon Nelson <shannon.nelson@oracle.com>
      Cc: Zhu Yanjun <yanjun.zhu@oracle.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Acked-by: Shannon Nelson <shannon.lee.nelson@gmail.com>
      Reviewed-by: Zhu Yanjun <yanjun.zhu@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      56cb4e50
    • can: flexcan: fix NULL pointer exception during bringup · a55234da
      Uwe Kleine-König authored
      Commit cbffaf7a ("can: flexcan: Always use last mailbox for TX")
      introduced a loop letting i run up to (including) ARRAY_SIZE(regs->mb)
      and in the body accessed regs->mb[i] which is an out-of-bounds array
      access that then resulted in an access to a reserved register area.
      
      Later this was changed by commit 0517961c ("can: flexcan: Add
      provision for variable payload size") to iterate a bit differently but
      still runs one iteration too many, resulting in a call to
      
      	flexcan_get_mb(priv, priv->mb_count)
      
      which results in a WARN_ON and then a NULL pointer exception. This
      only affects devices compatible with "fsl,p1010-flexcan",
      "fsl,imx53-flexcan", "fsl,imx35-flexcan", "fsl,imx25-flexcan",
      "fsl,imx28-flexcan", so newer i.MX SoCs are not affected.
      
      Fixes: cbffaf7a ("can: flexcan: Always use last mailbox for TX")
      Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Cc: linux-stable <stable@vger.kernel.org> # >= 4.20
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      a55234da