1. 26 Aug, 2017 7 commits
  2. 25 Aug, 2017 10 commits
  3. 24 Aug, 2017 21 commits
    • Bob Peterson's avatar
      tipc: Fix tipc_sk_reinit handling of -EAGAIN · 6c7e983b
      Bob Peterson authored
      In 9dbbfb0a function tipc_sk_reinit
      had additional logic added to loop in the event that function
      rhashtable_walk_next() returned -EAGAIN. No worries.
      
      However, if rhashtable_walk_start returns -EAGAIN, it does "continue",
      and therefore skips the call to rhashtable_walk_stop(). That has
      the effect of calling rcu_read_lock() without its paired call to
      rcu_read_unlock(). Since rcu_read_lock() may be nested, the problem
      may not be apparent for a while, especially since resize events may
      be rare. But the comments to rhashtable_walk_start() state:
      
       * ...Note that we take the RCU lock in all
       * cases including when we return an error.  So you must always call
       * rhashtable_walk_stop to clean up.
      
      This patch replaces the continue with a goto and label to ensure a
      matching call to rhashtable_walk_stop().
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c7e983b
    • Arnd Bergmann's avatar
      qlge: avoid memcpy buffer overflow · e58f9583
      Arnd Bergmann authored
      gcc-8.0.0 (snapshot) points out that we copy a variable-length string
      into a fixed length field using memcpy() with the destination length,
      and that ends up copying whatever follows the string:
      
          inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
      drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
        memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
      
      Changing it to use strncpy() will instead zero-pad the destination,
      which seems to be the right thing to do here.
      
      The bug is probably harmless, but it seems like a good idea to address
      it in stable kernels as well, if only for the purpose of building with
      gcc-8 without warnings.
      
      Fixes: a61f8026 ("qlge: Add ethtool register dump function.")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e58f9583
    • Eric Dumazet's avatar
      virtio_net: be drop monitor friendly · dadc0736
      Eric Dumazet authored
      This change is needed to not fool drop monitor.
      (perf record ... -e skb:kfree_skb )
      
      Packets were properly sent and are consumed after TX completion.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dadc0736
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · af57d2b7
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Fix use after free of struct proc_dir_entry in ipt_CLUSTERIP, patch
         from Sabrina Dubroca.
      
      2) Fix spurious EINVAL errors from iptables over nft compatibility layer.
      
      3) Reload pointer to ip header only if there is non-terminal verdict,
         ie. XT_CONTINUE, otherwise invalid memory access may happen, patch
         from Taehee Yoo.
      
      4) Fix interaction between SYNPROXY and NAT, SYNPROXY adds sequence
         adjustment already, however from nf_nat_setup() assumes there's not.
         Patch from Xin Long.
      
      5) Fix burst arithmetics in nft_limit as Joe Stringer mentioned during
         NFWS in Faro. Patch from Andy Zhou.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af57d2b7
    • andy zhou's avatar
      netfilter: nf_tables: Fix nft limit burst handling · c26844ed
      andy zhou authored
      Current implementation treats the burst configuration the same as
      rate configuration. This can cause the per packet cost to be lower
      than configured. In effect, this bug causes the token bucket to be
      refilled at a higher rate than what user has specified.
      
      This patch changes the implementation so that the token bucket size
      is controlled by "rate + burst", while maintain the token bucket
      refill rate the same as user specified.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Signed-off-by: default avatarAndy Zhou <azhou@ovn.org>
      Acked-by: default avatarJoe Stringer <joe@ovn.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c26844ed
    • Xin Long's avatar
      netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info · ab6dd1be
      Xin Long authored
      Commit 4440a2ab ("netfilter: synproxy: Check oom when adding synproxy
      and seqadj ct extensions") wanted to drop the packet when it fails to add
      seqadj ext due to no memory by checking if nfct_seqadj_ext_add returns
      NULL.
      
      But that nfct_seqadj_ext_add returns NULL can also happen when seqadj ext
      already exists in a nf_conn. It will cause that userspace protocol doesn't
      work when both dnat and snat are configured.
      
      Li Shuang found this issue in the case:
      
      Topo:
         ftp client                   router                  ftp server
        10.167.131.2  <-> 10.167.131.254  10.167.141.254 <-> 10.167.141.1
      
      Rules:
        # iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j \
          DNAT --to-destination 10.167.141.1
        # iptables -t nat -A POSTROUTING -o eth2 -p tcp -m tcp --dport 21 -j \
          SNAT --to-source 10.167.141.254
      
      In router, when both dnat and snat are added, nf_nat_setup_info will be
      called twice. The packet can be dropped at the 2nd time for DNAT due to
      seqadj ext is already added at the 1st time for SNAT.
      
      This patch is to fix it by checking for seqadj ext existence before adding
      it, so that the packet will not be dropped if seqadj ext already exists.
      
      Note that as Florian mentioned, as a long term, we should review ext_add()
      behaviour, it's better to return a pointer to the existing ext instead.
      
      Fixes: 4440a2ab ("netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ab6dd1be
    • David S. Miller's avatar
      Merge branch 'bnxt_en-bug-fixes' · d0273ef3
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: bug fixes.
      
      3 bug fixes related to XDP ring accounting in bnxt_setup_tc(), freeing
      MSIX vectors when bnxt_re unregisters, and preserving the user-administered
      PF MAC address when disabling SRIOV.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0273ef3
    • Michael Chan's avatar
      bnxt_en: Do not setup MAC address in bnxt_hwrm_func_qcaps(). · a22a6ac2
      Michael Chan authored
      bnxt_hwrm_func_qcaps() is called during probe to get all device
      resources and it also sets up the factory MAC address.  The same function
      is called when SRIOV is disabled to reclaim all resources.  If
      the MAC address has been overridden by a user administered MAC
      address, calling this function will overwrite it.
      
      Separate the logic that sets up the default MAC address into a new
      function bnxt_init_mac_addr() that is only called during probe time.
      
      Fixes: 4a21b49b ("bnxt_en: Improve VF resource accounting.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a22a6ac2
    • Michael Chan's avatar
      bnxt_en: Free MSIX vectors when unregistering the device from bnxt_re. · 146ed3c5
      Michael Chan authored
      Take back ownership of the MSIX vectors when unregistering the device
      from bnxt_re.
      
      Fixes: a588e458 ("bnxt_en: Add interface to support RDMA driver.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      146ed3c5
    • Michael Chan's avatar
      bnxt_en: Fix .ndo_setup_tc() to include XDP rings. · 87e9b377
      Michael Chan authored
      When the number of TX rings is changed in bnxt_setup_tc(), we need to
      include the XDP rings in the total TX ring count.
      
      Fixes: 38413406 ("bnxt_en: Add support for XDP_TX action.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87e9b377
    • Jakub Kicinski's avatar
      nfp: TX time stamp packets before HW doorbell is rung · 46f1c52e
      Jakub Kicinski authored
      TX completion may happen any time after HW queue was kicked.
      We can't access the skb afterwards.  Move the time stamping
      before ringing the doorbell.
      
      Fixes: 4c352362 ("net: add driver for Netronome NFP4000/NFP6000 NIC VFs")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46f1c52e
    • Stefano Brivio's avatar
      sctp: Avoid out-of-bounds reads from address storage · ee6c88bb
      Stefano Brivio authored
      inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
      sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
      to export diagnostic information to userspace.
      
      However, the memory allocated to store sockaddr information is
      smaller than that and depends on the address family, so we leak
      up to 100 uninitialized bytes to userspace. Just use the size of
      the source structs instead, in all the three cases this is what
      userspace expects. Zero out the remaining memory.
      
      Unused bytes (i.e. when IPv4 addresses are used) in source
      structs sctp_sockaddr_entry and sctp_transport are already
      cleared by sctp_add_bind_addr() and sctp_transport_new(),
      respectively.
      
      Noticed while testing KASAN-enabled kernel with 'ss':
      
      [ 2326.885243] BUG: KASAN: slab-out-of-bounds in inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag] at addr ffff881be8779800
      [ 2326.896800] Read of size 128 by task ss/9527
      [ 2326.901564] CPU: 0 PID: 9527 Comm: ss Not tainted 4.11.0-22.el7a.x86_64 #1
      [ 2326.909236] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
      [ 2326.917585] Call Trace:
      [ 2326.920312]  dump_stack+0x63/0x8d
      [ 2326.924014]  kasan_object_err+0x21/0x70
      [ 2326.928295]  kasan_report+0x288/0x540
      [ 2326.932380]  ? inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
      [ 2326.938500]  ? skb_put+0x8b/0xd0
      [ 2326.942098]  ? memset+0x31/0x40
      [ 2326.945599]  check_memory_region+0x13c/0x1a0
      [ 2326.950362]  memcpy+0x23/0x50
      [ 2326.953669]  inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
      [ 2326.959596]  ? inet_diag_msg_sctpasoc_fill+0x460/0x460 [sctp_diag]
      [ 2326.966495]  ? __lock_sock+0x102/0x150
      [ 2326.970671]  ? sock_def_wakeup+0x60/0x60
      [ 2326.975048]  ? remove_wait_queue+0xc0/0xc0
      [ 2326.979619]  sctp_diag_dump+0x44a/0x760 [sctp_diag]
      [ 2326.985063]  ? sctp_ep_dump+0x280/0x280 [sctp_diag]
      [ 2326.990504]  ? memset+0x31/0x40
      [ 2326.994007]  ? mutex_lock+0x12/0x40
      [ 2326.997900]  __inet_diag_dump+0x57/0xb0 [inet_diag]
      [ 2327.003340]  ? __sys_sendmsg+0x150/0x150
      [ 2327.007715]  inet_diag_dump+0x4d/0x80 [inet_diag]
      [ 2327.012979]  netlink_dump+0x1e6/0x490
      [ 2327.017064]  __netlink_dump_start+0x28e/0x2c0
      [ 2327.021924]  inet_diag_handler_cmd+0x189/0x1a0 [inet_diag]
      [ 2327.028045]  ? inet_diag_rcv_msg_compat+0x1b0/0x1b0 [inet_diag]
      [ 2327.034651]  ? inet_diag_dump_compat+0x190/0x190 [inet_diag]
      [ 2327.040965]  ? __netlink_lookup+0x1b9/0x260
      [ 2327.045631]  sock_diag_rcv_msg+0x18b/0x1e0
      [ 2327.050199]  netlink_rcv_skb+0x14b/0x180
      [ 2327.054574]  ? sock_diag_bind+0x60/0x60
      [ 2327.058850]  sock_diag_rcv+0x28/0x40
      [ 2327.062837]  netlink_unicast+0x2e7/0x3b0
      [ 2327.067212]  ? netlink_attachskb+0x330/0x330
      [ 2327.071975]  ? kasan_check_write+0x14/0x20
      [ 2327.076544]  netlink_sendmsg+0x5be/0x730
      [ 2327.080918]  ? netlink_unicast+0x3b0/0x3b0
      [ 2327.085486]  ? kasan_check_write+0x14/0x20
      [ 2327.090057]  ? selinux_socket_sendmsg+0x24/0x30
      [ 2327.095109]  ? netlink_unicast+0x3b0/0x3b0
      [ 2327.099678]  sock_sendmsg+0x74/0x80
      [ 2327.103567]  ___sys_sendmsg+0x520/0x530
      [ 2327.107844]  ? __get_locked_pte+0x178/0x200
      [ 2327.112510]  ? copy_msghdr_from_user+0x270/0x270
      [ 2327.117660]  ? vm_insert_page+0x360/0x360
      [ 2327.122133]  ? vm_insert_pfn_prot+0xb4/0x150
      [ 2327.126895]  ? vm_insert_pfn+0x32/0x40
      [ 2327.131077]  ? vvar_fault+0x71/0xd0
      [ 2327.134968]  ? special_mapping_fault+0x69/0x110
      [ 2327.140022]  ? __do_fault+0x42/0x120
      [ 2327.144008]  ? __handle_mm_fault+0x1062/0x17a0
      [ 2327.148965]  ? __fget_light+0xa7/0xc0
      [ 2327.153049]  __sys_sendmsg+0xcb/0x150
      [ 2327.157133]  ? __sys_sendmsg+0xcb/0x150
      [ 2327.161409]  ? SyS_shutdown+0x140/0x140
      [ 2327.165688]  ? exit_to_usermode_loop+0xd0/0xd0
      [ 2327.170646]  ? __do_page_fault+0x55d/0x620
      [ 2327.175216]  ? __sys_sendmsg+0x150/0x150
      [ 2327.179591]  SyS_sendmsg+0x12/0x20
      [ 2327.183384]  do_syscall_64+0xe3/0x230
      [ 2327.187471]  entry_SYSCALL64_slow_path+0x25/0x25
      [ 2327.192622] RIP: 0033:0x7f41d18fa3b0
      [ 2327.196608] RSP: 002b:00007ffc3b731218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [ 2327.205055] RAX: ffffffffffffffda RBX: 00007ffc3b731380 RCX: 00007f41d18fa3b0
      [ 2327.213017] RDX: 0000000000000000 RSI: 00007ffc3b731340 RDI: 0000000000000003
      [ 2327.220978] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000040
      [ 2327.228939] R10: 00007ffc3b730f30 R11: 0000000000000246 R12: 0000000000000003
      [ 2327.236901] R13: 00007ffc3b731340 R14: 00007ffc3b7313d0 R15: 0000000000000084
      [ 2327.244865] Object at ffff881be87797e0, in cache kmalloc-64 size: 64
      [ 2327.251953] Allocated:
      [ 2327.254581] PID = 9484
      [ 2327.257215]  save_stack_trace+0x1b/0x20
      [ 2327.261485]  save_stack+0x46/0xd0
      [ 2327.265179]  kasan_kmalloc+0xad/0xe0
      [ 2327.269165]  kmem_cache_alloc_trace+0xe6/0x1d0
      [ 2327.274138]  sctp_add_bind_addr+0x58/0x180 [sctp]
      [ 2327.279400]  sctp_do_bind+0x208/0x310 [sctp]
      [ 2327.284176]  sctp_bind+0x61/0xa0 [sctp]
      [ 2327.288455]  inet_bind+0x5f/0x3a0
      [ 2327.292151]  SYSC_bind+0x1a4/0x1e0
      [ 2327.295944]  SyS_bind+0xe/0x10
      [ 2327.299349]  do_syscall_64+0xe3/0x230
      [ 2327.303433]  return_from_SYSCALL_64+0x0/0x6a
      [ 2327.308194] Freed:
      [ 2327.310434] PID = 4131
      [ 2327.313065]  save_stack_trace+0x1b/0x20
      [ 2327.317344]  save_stack+0x46/0xd0
      [ 2327.321040]  kasan_slab_free+0x73/0xc0
      [ 2327.325220]  kfree+0x96/0x1a0
      [ 2327.328530]  dynamic_kobj_release+0x15/0x40
      [ 2327.333195]  kobject_release+0x99/0x1e0
      [ 2327.337472]  kobject_put+0x38/0x70
      [ 2327.341266]  free_notes_attrs+0x66/0x80
      [ 2327.345545]  mod_sysfs_teardown+0x1a5/0x270
      [ 2327.350211]  free_module+0x20/0x2a0
      [ 2327.354099]  SyS_delete_module+0x2cb/0x2f0
      [ 2327.358667]  do_syscall_64+0xe3/0x230
      [ 2327.362750]  return_from_SYSCALL_64+0x0/0x6a
      [ 2327.367510] Memory state around the buggy address:
      [ 2327.372855]  ffff881be8779700: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
      [ 2327.380914]  ffff881be8779780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
      [ 2327.388972] >ffff881be8779800: 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb fb
      [ 2327.397031]                                ^
      [ 2327.401792]  ffff881be8779880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
      [ 2327.409850]  ffff881be8779900: 00 00 00 00 00 04 fc fc fc fc fc fc 00 00 00 00
      [ 2327.417907] ==================================================================
      
      This fixes CVE-2017-7558.
      
      References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
      Cc: Xin Long <lucien.xin@gmail.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee6c88bb
    • Eric Dumazet's avatar
      net: dsa: use consume_skb() · 2b33bc8a
      Eric Dumazet authored
      Two kfree_skb() should be consume_skb(), to be friend with drop monitor
      (perf record ... -e skb:kfree_skb)
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2b33bc8a
    • David S. Miller's avatar
      Merge branch 'nfp-fixes' · 40e607cb
      David S. Miller authored
      Jakub Kicinski says:
      
      ====================
      nfp: fix SR-IOV deadlock and representor bugs
      
      This series tackles the bug I've already tried to fix in commit
      6d48ceb2 ("nfp: allocate a private workqueue for driver work").
      I created a separate workqueue to avoid possible deadlock, and
      the lockdep error disappeared, coincidentally.  The way workqueues
      are operating, separate workqueue doesn't necessarily mean separate
      thread of execution.  Luckily we can safely forego the lock.
      
      Second fix changes the order in which vNIC netdevs and representors
      are created/destroyed.  The fix is kept small and should be sufficient
      for net because of how flower uses representors, a more thorough fix
      will be targeted at net-next.
      
      Third fix avoids leaking mapped frame buffers if FW sent a frame with
      unknown portid.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40e607cb
    • Jakub Kicinski's avatar
      nfp: avoid buffer leak when representor is missing · 1691a4c0
      Jakub Kicinski authored
      When driver receives a muxed frame, but it can't find the representor
      netdev it is destined to it will try to "drop" that frame, i.e. reuse
      the buffer.  The issue is that the replacement buffer has already been
      allocated at this point, and reusing the buffer from received frame
      will leak it.  Change the code to put the new buffer on the ring
      earlier and not reuse the old buffer (make the buffer parameter
      to nfp_net_rx_drop() a NULL).
      
      Fixes: 91bf82ca ("nfp: add support for tx/rx with metadata portid")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1691a4c0
    • Jakub Kicinski's avatar
      nfp: make sure representors are destroyed before their lower netdev · 326ce603
      Jakub Kicinski authored
      App start/stop callbacks can perform application initialization.
      Unfortunately, flower app started using them for creating and
      destroying representors.  This can lead to a situation where
      lower vNIC netdev is destroyed while representors still try
      to pass traffic.  This will most likely lead to a NULL-dereference
      on the lower netdev TX path.
      
      Move the start/stop callbacks, so that representors are created/
      destroyed when vNICs are fully initialized.
      
      Fixes: 5de73ee4 ("nfp: general representor implementation")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      326ce603
    • Jakub Kicinski's avatar
      nfp: don't hold PF lock while enabling SR-IOV · d6e1ab9e
      Jakub Kicinski authored
      Enabling SR-IOV VFs will cause the PCI subsystem to schedule a
      work and flush its workqueue.  Since the nfp driver schedules its
      own work we can't enable VFs while holding driver load.  Commit
      6d48ceb2 ("nfp: allocate a private workqueue for driver work")
      tried to avoid this deadlock by creating a separate workqueue.
      Unfortunately, due to the architecture of workqueue subsystem this
      does not guarantee a separate thread of execution.  Luckily
      we can simply take pci_enable_sriov() from under the driver lock.
      
      Take pci_disable_sriov() from under the lock too for symmetry.
      
      Fixes: 6d48ceb2 ("nfp: allocate a private workqueue for driver work")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d6e1ab9e
    • David S. Miller's avatar
      Merge branch 'dst-tag-ksz-fix' · 2f19f50e
      David S. Miller authored
      Florian Fainelli says:
      
      ====================
      net: dsa: Fix tag_ksz.c
      
      This implements David's suggestion of providing low-level functions
      to control whether skb_pad() and skb_put_padto() should be freeing
      the passed skb.
      
      We make use of it to fix a double free in net/dsa/tag_ksz.c that would
      occur if we kept using skb_put_padto() in both places.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f19f50e
    • Florian Fainelli's avatar
      net: dsa: skb_put_padto() already frees nskb · 49716679
      Florian Fainelli authored
      The first call of skb_put_padto() will free up the SKB on error, but we
      return NULL which tells dsa_slave_xmit() that the original SKB should be
      freed so this would lead to a double free here.
      
      The second skb_put_padto() already frees the passed sk_buff reference
      upon error, so calling kfree_skb() on it again is not necessary.
      
      Detected by CoverityScan, CID#1416687 ("USE_AFTER_FREE")
      
      Fixes: e71cb9e0 ("net: dsa: ksz: fix skb freeing")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarWoojung Huh <Woojung.Huh@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49716679
    • Florian Fainelli's avatar
      net: core: Specify skb_pad()/skb_put_padto() SKB freeing · cd0a137a
      Florian Fainelli authored
      Rename skb_pad() into __skb_pad() and make it take a third argument:
      free_on_error which controls whether kfree_skb() should be called or
      not, skb_pad() directly makes use of it and passes true to preserve its
      existing behavior. Do exactly the same thing with __skb_put_padto() and
      skb_put_padto().
      Suggested-by: default avatarDavid Miller <davem@davemloft.net>
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarWoojung Huh <Woojung.Huh@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cd0a137a
    • Stephan Gatzka's avatar
      net: stmmac: socfgpa: Ensure emac bit set in sys manager for MII/GMII/SGMII. · 013dae5d
      Stephan Gatzka authored
      When using MII/GMII/SGMII in the Altera SoC, the phy needs to be
      wired through the FPGA. To ensure correct behavior, the appropriate
      bit in the System Manager FPGA Interface Group register needs to be
      set.
      Signed-off-by: default avatarStephan Gatzka <stephan.gatzka@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      013dae5d
  4. 22 Aug, 2017 2 commits
    • Florian Fainelli's avatar
      fsl/man: Inherit parent device and of_node · a1a50c8e
      Florian Fainelli authored
      Junote Cai reported that he was not able to get a DSA setup involving the
      Freescale DPAA/FMAN driver to work and narrowed it down to
      of_find_net_device_by_node(). This function requires the network device's
      device reference to be correctly set which is the case here, though we have
      lost any device_node association there.
      
      The problem is that dpaa_eth_add_device() allocates a "dpaa-ethernet" platform
      device, and later on dpaa_eth_probe() is called but SET_NETDEV_DEV() won't be
      propagating &pdev->dev.of_node properly. Fix this by inherenting both the parent
      device and the of_node when dpaa_eth_add_device() creates the platform device.
      
      Fixes: 39339616 ("fsl/fman: Add FMan MAC driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1a50c8e
    • Daniel Borkmann's avatar
      bpf: fix map value attribute for hash of maps · 33ba43ed
      Daniel Borkmann authored
      Currently, iproute2's BPF ELF loader works fine with array of maps
      when retrieving the fd from a pinned node and doing a selfcheck
      against the provided map attributes from the object file, but we
      fail to do the same for hash of maps and thus refuse to get the
      map from pinned node.
      
      Reason is that when allocating hash of maps, fd_htab_map_alloc() will
      set the value size to sizeof(void *), and any user space map creation
      requests are forced to set 4 bytes as value size. Thus, selfcheck
      will complain about exposed 8 bytes on 64 bit archs vs. 4 bytes from
      object file as value size. Contract is that fdinfo or BPF_MAP_GET_FD_BY_ID
      returns the value size used to create the map.
      
      Fix it by handling it the same way as we do for array of maps, which
      means that we leave value size at 4 bytes and in the allocation phase
      round up value size to 8 bytes. alloc_htab_elem() needs an adjustment
      in order to copy rounded up 8 bytes due to bpf_fd_htab_map_update_elem()
      calling into htab_map_update_elem() with the pointer of the map
      pointer as value. Unlike array of maps where we just xchg(), we're
      using the generic htab_map_update_elem() callback also used from helper
      calls, which published the key/value already on return, so we need
      to ensure to memcpy() the right size.
      
      Fixes: bcc6b1b7 ("bpf: Add hash of maps support")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      33ba43ed