1. 16 Aug, 2019 4 commits
  2. 15 Aug, 2019 11 commits
    • Merge tag 'rxrpc-fixes-20190814' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 480fd998
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fix local endpoint handling
      
      Here's a pair of patches that fix two issues in the handling of local
      endpoints (rxrpc_local structs):
      
       (1) Use list_replace_init() rather than list_replace() if we're going to
           unconditionally delete the replaced item later, lest the list get
           corrupted.
      
       (2) Don't access the rxrpc_local object after passing our ref to the
           workqueue, not even to illuminate tracepoints, as the work function
           may cause the object to be freed.  We have to cache the information
           beforehand.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 12ed6015
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      This patchset contains Netfilter fixes for net:
      
      1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
      
      2) Fix interaction of ipsec with flowtable, also from Florian.
      
      3) Use-after-free with bound set to rule that fails to load.
      
      4) Adjust state and timeout for flows that expire.
      
      5) Timeout update race with flows in teardown state.
      
      6) Ensure conntrack id hash calculation uses invariants as input,
         from Dirk Morris.
      
      7) Do not push flows into flowtable for TCP fin/rst packets.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/packet: fix race in tpacket_snd() · 32d3182c
      Eric Dumazet authored
      packet_sendmsg() checks tx_ring.pg_vec to decide
      if it must call tpacket_snd().
      
      Problem is that the check is lockless, meaning another thread
      can issue a concurrent setsockopt(PACKET_TX_RING) to flip
      tx_ring.pg_vec back to NULL.
      
      Given that tpacket_snd() grabs pg_vec_lock mutex, we can
      perform the check again to solve the race.
      
      syzbot reported:
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
      Call Trace:
       packet_current_frame net/packet/af_packet.c:487 [inline]
       tpacket_snd net/packet/af_packet.c:2667 [inline]
       packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 69e3c75f ("net: TX_RING and packet mmap")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: myri10ge: fix memory leaks · 20fb7c7a
      Wenwen Wang authored
      In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
      related structures. Later on, myri10ge_request_irq() is used to get an irq.
      However, if this process fails, the allocated slices related structures are
      not deallocated, leading to memory leaks. To fix this issue, revise the
      target label of the goto statement to 'abort_with_slices'.
      Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: tls, fix sk_write_space NULL write when tx disabled · d85f0177
      John Fastabend authored
      The ctx->sk_write_space pointer is only set when TLS tx mode is enabled.
      When running without TX mode it's a null pointer but we still set the
      sk sk_write_space pointer on close().
      
      Fix the close path to only overwrite sk->sk_write_space when the current
      pointer is to the tls_write_space function indicating the tls module should
      clean it up properly as well.
      Reported-by: Hillf Danton <hdanton@sina.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Fixes: 57c722e9 ("net/tls: swap sk_write_space on close")
      Signed-off-by: John Fastabend <john.fastabend@gmail.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • liquidio: add cleanup in octeon_setup_iq() · 6f967f8b
      Wenwen Wang authored
      If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
      to memory/resource leaks. To fix this issue, invoke
      octeon_delete_instr_queue() before returning from the function.
      Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-fixes-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 0b24a441
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-08-15
      
      This series introduces two fixes to mlx5 driver.
      
      1) Eran fixes a compatibility issue with ethtool flash.
      2) Maxim fixes a race in XSK wakeup flow.
      
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx5e: Fix compatibility issue with ethtool flash device · f43d48d1
      Eran Ben Elisha authored
      Cited patch deleted ethtool flash device support, as ethtool core can
      fall back into devlink flash callback. However, this is supported only if
      there is a devlink port registered over the corresponding netdevice.
      
      As mlx5e does not have devlink port support over native netdevice, it broke
      the ability to flash device via ethtool.
      
      This patch re-adds the ethtool callback to avoid user functionality breakage
      when trying to flash device via ethtool.
      
      Fixes: 9c8bca26 ("mlx5: Move firmware flash implementation to devlink")
      Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5e: Fix a race with XSKICOSQ in XSK wakeup flow · e0d57d9c
      Maxim Mikityanskiy authored
      Add a missing spinlock around XSKICOSQ usage at the activation stage,
      because there is a race between a configuration change and the
      application calling sendto().
      
      Fixes: db05815b ("net/mlx5e: Add XSK zero-copy support")
      Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • selftests: net: tcp_fastopen_backup_key.sh: fix shellcheck issue · 2aafdf5a
      Anders Roxell authored
      When running tcp_fastopen_backup_key.sh the following issue was seen in
      a busybox environment.
      ./tcp_fastopen_backup_key.sh: line 33: [: -ne: unary operator expected
      
      Shellcheck showed the following issue.
      $ shellcheck tools/testing/selftests/net/tcp_fastopen_backup_key.sh
      
      In tools/testing/selftests/net/tcp_fastopen_backup_key.sh line 33:
              if [ $val -ne 0 ]; then
                   ^-- SC2086: Double quote to prevent globbing and word splitting.
      
      Rework to do a string comparison instead.
      Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: fix a memory leak bug · c554336e
      Wenwen Wang authored
      In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
      leading to a memory leak bug. To fix this issue, free t before returning
      the error.
      Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 14 Aug, 2019 10 commits
    • rxrpc: Fix read-after-free in rxrpc_queue_local() · 06d9532f
      David Howells authored
      rxrpc_queue_local() attempts to queue the local endpoint it is given and
      then, if successful, prints a trace line.  The trace line includes the
      current usage count - but we're not allowed to look at the local endpoint
      at this point as we passed our ref on it to the workqueue.
      
      Fix this by reading the usage count before queuing the work item.
      
      Also fix the reading of local->debug_id for trace lines, which must be done
      with the same consideration as reading the usage count.
      
      Fixes: 09d2bf59 ("rxrpc: Add a tracepoint to track rxrpc_local refcounting")
      Reported-by: syzbot+78e71c5bab4f76a6a719@syzkaller.appspotmail.com
      Signed-off-by: David Howells <dhowells@redhat.com>
    • rxrpc: Fix local endpoint replacement · b00df840
      David Howells authored
      When a local endpoint (struct rxrpc_local) ceases to be in use by any
      AF_RXRPC sockets, it starts the process of being destroyed, but this
      doesn't cause it to be removed from the namespace endpoint list immediately
      as tearing it down isn't trivial and can't be done in softirq context, so
      it gets deferred.
      
      If a new socket comes along that wants to bind to the same endpoint, a new
      rxrpc_local object will be allocated and rxrpc_lookup_local() will use
      list_replace() to substitute the new one for the old.
      
      Then, when the dying object gets to rxrpc_local_destroyer(), it is removed
      unconditionally from whatever list it is on by calling list_del_init().
      
      However, list_replace() doesn't reset the pointers in the replaced
      list_head and so the list_del_init() will likely corrupt the local
      endpoints list.
      
      Fix this by using list_replace_init() instead.
      
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Reported-by: syzbot+193e29e9387ea5837f1d@syzkaller.appspotmail.com
      Signed-off-by: David Howells <dhowells@redhat.com>
    • netfilter: nft_flow_offload: skip tcp rst and fin packets · dfe42be1
      Pablo Neira Ayuso authored
      TCP rst and fin packets do not qualify to place a flow into the
      flowtable. Most likely there will be no more packets after connection
      closure. Without this patch, this flow entry expires and connection
      tracking picks up the entry in ESTABLISHED state using the fixup
      timeout, which makes this look inconsistent to the user for a connection
      that is actually already closed.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • sctp: fix memleak in sctp_send_reset_streams · 6d5afe20
      zhengbin authored
      If the stream outq is not empty, need to kfree nstr_list.
      
      Fixes: d570a59c ("sctp: only allow the out stream reset when the stream outq is empty")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: zhengbin <zhengbin13@huawei.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • netlink: Fix nlmsg_parse as a wrapper for strict message parsing · d00ee64e
      David Ahern authored
      Eric reported a syzbot warning:
      
      BUG: KMSAN: uninit-value in nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
      CPU: 0 PID: 11812 Comm: syz-executor444 Not tainted 5.3.0-rc3+ #17
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x191/0x1f0 lib/dump_stack.c:113
       kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
       __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
       nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
       rtm_del_nexthop+0x1b1/0x610 net/ipv4/nexthop.c:1543
       rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5223
       netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5241
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf6c/0x1050 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
       __sys_sendmmsg+0x53a/0xae0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2439
       __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2439
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The root cause is nlmsg_parse calling __nla_parse which means the
      header struct size is not checked.
      
      nlmsg_parse should be a wrapper around __nlmsg_parse with
      NL_VALIDATE_STRICT for the validate argument very much like
      nlmsg_parse_deprecated is for NL_VALIDATE_LIBERAL.
      
      Fixes: 3de64403 ("netlink: re-add parse/validate functions in strict mode")
      Reported-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • net: phy: consider AN_RESTART status when reading link status · c36757eb
      Heiner Kallweit authored
      After configuring and restarting aneg we immediately try to read the
      link status. On some systems the PHY may not yet have cleared the
      "aneg complete" and "link up" bits, resulting in a false link-up
      signal. See [0] for a report.
      Clause 22 and 45 both require the PHY to keep the AN_RESTART
      bit set until the PHY actually starts auto-negotiation.
      Let's consider this in the generic functions for reading link status.
      The commit marked as fixed is the first one where the patch applies
      cleanly.
      
      [0] https://marc.info/?t=156518400300003&r=1&w=2
      
      Fixes: c1164bb1 ("net: phy: check PMAPMD link status only in genphy_c45_read_link")
      Tested-by: Yonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • net/mlx4_en: fix a memory leak bug · 48ec7014
      Wenwen Wang authored
      In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
      kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
      indirection. However, if mlx4_qp_alloc() fails, the allocated
      'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
      
      To fix the above issue, add the 'qp_alloc_err' label to free
      'rss_map->indir_qp'.
      
      Fixes: 4931c6ef ("net/mlx4_en: Optimized single ring steering")
      Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • ibmveth: Convert multicast list size for little-endian system · 66cf4710
      Thomas Falcon authored
      The ibm,mac-address-filters property defines the maximum number of
      addresses the hypervisor's multicast filter list can support. It is
      encoded as a big-endian integer in the OF device tree, but the virtual
      ethernet driver does not convert it for use by little-endian systems.
      As a result, the driver is not behaving as it should on affected systems
      when a large number of multicast addresses are assigned to the device.
      Reported-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • s390/qeth: serialize cmd reply with concurrent timeout · 072f7940
      Julian Wiedmann authored
      Callbacks for a cmd reply run outside the protection of card->lock, to
      allow for additional cmds to be issued & enqueued in parallel.
      
      When qeth_send_control_data() bails out for a cmd without having
      received a reply (eg. due to timeout), its callback may concurrently be
      processing a reply that just arrived. In this case, the callback
      potentially accesses a stale reply->reply_param area that eg. was
      on-stack and has already been released.
      
      To avoid this race, add some locking so that qeth_send_control_data()
      can (1) wait for a concurrently running callback, and (2) zap any
      pending callback that still wants to run.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    • sctp: fix the transport error_count check · a1794de8
      Xin Long authored
      As the annotation says in sctp_do_8_2_transport_strike():
      
        "If the transport error count is greater than the pf_retrans
         threshold, and less than pathmaxrtx ..."
      
      It should be transport->error_count checked with pathmaxrxt,
      instead of asoc->pf_retrans.
      
      Fixes: 5aa93bcf ("sctp: Implement quick failover draft from tsvwg")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
  4. 13 Aug, 2019 1 commit
    • netfilter: conntrack: Use consistent ct id hash calculation · 656c8e9c
      Dirk Morris authored
      Change ct id hash calculation to only use invariants.
      
      Currently the ct id hash calculation is based on some fields that can
      change in the lifetime of a conntrack entry in some corner cases. The
      current hash uses the whole tuple which contains an hlist pointer which
      will change when the conntrack is placed on the dying list resulting in
      a ct id change.
      
      This patch also removes the reply-side tuple and extension pointer from
      the hash calculation so that the ct id will not change from
      initialization until confirmation.
      
      Fixes: 3c791076 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
      Signed-off-by: Dirk Morris <dmorris@metaloft.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  5. 12 Aug, 2019 8 commits
    • net: phy: at803x: stop switching phy delay config needlessly · bb0ce4c1
      André Draszik authored
      This driver does a funny dance disabling and re-enabling
      RX and/or TX delays. In any of the RGMII-ID modes, it first
      disables the delays, just to re-enable them again right
      away. This looks like a needless exercise.
      
      Just enable the respective delays when in any of the
      relevant 'id' modes, and disable them otherwise.
      
      Also, remove comments which don't add anything that can't be
      seen by looking at the code.
      Signed-off-by: André Draszik <git@andred.net>
      CC: Andrew Lunn <andrew@lunn.ch>
      CC: Florian Fainelli <f.fainelli@gmail.com>
      CC: Heiner Kallweit <hkallweit1@gmail.com>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: netdev@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx · 125b7e09
      Nathan Chancellor authored
      clang warns:
      
      drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical
      '&&' with constant operand [-Wconstant-logical-operand]
                              if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                        ^  ~~~~~~~~~~~~
      drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a
      bitwise operation
                              if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                        ^~
                                                        &
      drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to
      silence this warning
                              if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                       ~^~~~~~~~~~~~~~~
      1 warning generated.
      
      Explicitly check that NET_IP_ALIGN is not zero, which matches how this
      is checked in other parts of the tree. Because NET_IP_ALIGN is a build
      time constant, this check will be constant folded away during
      optimization.
      
      Fixes: 82a9928d ("tc35815: Enable StripCRC feature")
      Link: https://github.com/ClangBuiltLinux/linux/issues/608
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: initialise addr_trail_end when setting node addresses · 8874ecae
      Chris Packham authored
      We set the field 'addr_trial_end' to 'jiffies', instead of the current
      value 0, at the moment the node address is initialized. This guarantees
      we don't inadvertently enter an address trial period when the node
      address is explicitly set by the user.
      Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
      Acked-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: Check existence of .port_mdb_add callback before calling it · 58799865
      Chen-Yu Tsai authored
      The dsa framework has optional .port_mdb_{prepare,add,del} callback fields
      for drivers to handle multicast database entries. When adding an entry, the
      framework goes through a prepare phase, then a commit phase. Drivers not
      providing these callbacks should be detected in the prepare phase.
      
      DSA core may still bypass the bridge layer and call the dsa_port_mdb_add
      function directly with no prepare phase or no switchdev trans object,
      and the framework ends up calling an undefined .port_mdb_add callback.
      This results in a NULL pointer dereference, as shown in the log below.
      
      The other functions seem to be properly guarded. Do the same for
      .port_mdb_add in dsa_switch_mdb_add_bitmap() as well.
      
          8<--- cut here ---
          Unable to handle kernel NULL pointer dereference at virtual address 00000000
          pgd = (ptrval)
          [00000000] *pgd=00000000
          Internal error: Oops: 80000005 [#1] SMP ARM
          Modules linked in: rtl8xxxu rtl8192cu rtl_usb rtl8192c_common rtlwifi mac80211 cfg80211
          CPU: 1 PID: 134 Comm: kworker/1:2 Not tainted 5.3.0-rc1-00247-gd3519030752a #1
          Hardware name: Allwinner sun7i (A20) Family
          Workqueue: events switchdev_deferred_process_work
          PC is at 0x0
          LR is at dsa_switch_event+0x570/0x620
          [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          [<c014bdfc>] (notifier_call_chain) from [<c014bef0>] (raw_notifier_call_chain+0x18/0x20)
          [<c014bef0>] (raw_notifier_call_chain) from [<c08509a8>] (dsa_port_mdb_add+0x48/0x74)
          [<c08509a8>] (dsa_port_mdb_add) from [<c087e248>] (__switchdev_handle_port_obj_add+0x54/0xd4)
          [<c087e248>] (__switchdev_handle_port_obj_add) from [<c087e2d0>] (switchdev_handle_port_obj_add+0x8/0x14)
          [<c087e2d0>] (switchdev_handle_port_obj_add) from [<c08523c4>] (dsa_slave_switchdev_blocking_event+0x94/0xa4)
          [<c08523c4>] (dsa_slave_switchdev_blocking_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          [<c014bdfc>] (notifier_call_chain) from [<c014c500>] (blocking_notifier_call_chain+0x50/0x68)
          [<c014c500>] (blocking_notifier_call_chain) from [<c087dfb4>] (switchdev_port_obj_notify+0x44/0xa8)
          [<c087dfb4>] (switchdev_port_obj_notify) from [<c087e0a8>] (switchdev_port_obj_add_now+0x90/0x104)
          [<c087e0a8>] (switchdev_port_obj_add_now) from [<c087e130>] (switchdev_port_obj_add_deferred+0x14/0x5c)
          [<c087e130>] (switchdev_port_obj_add_deferred) from [<c087de4c>] (switchdev_deferred_process+0x64/0x104)
          [<c087de4c>] (switchdev_deferred_process) from [<c087def8>] (switchdev_deferred_process_work+0xc/0x14)
          [<c087def8>] (switchdev_deferred_process_work) from [<c01447dc>] (process_one_work+0x218/0x50c)
          [<c01447dc>] (process_one_work) from [<c0145b84>] (worker_thread+0x44/0x5bc)
          [<c0145b84>] (worker_thread) from [<c014a6f8>] (kthread+0x148/0x150)
          [<c014a6f8>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
          Code: bad PC value
          ---[ end trace 1292c61abd17b130 ]---
      
          [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          corresponds to
      
      	$ arm-linux-gnueabihf-addr2line -C -i -e vmlinux c08533ec
      
      	linux/net/dsa/switch.c:156
      	linux/net/dsa/switch.c:178
      	linux/net/dsa/switch.c:328
      
      Fixes: e6db98db ("net: dsa: add switch mdb bitmap functions")
      Signed-off-by: Chen-Yu Tsai <wens@csie.org>
      Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_ptp: Keep unmatched entries in a linked list · 8028ccda
      Petr Machata authored
      To identify timestamps for matching with their packets, Spectrum-1 uses a
      five-tuple of (port, direction, domain number, message type, sequence ID).
      If there are several clients from the same domain behind a single port
      sending Delay_Req's, the only thing differentiating these packets, as far
      as Spectrum-1 is concerned, is the sequence ID. Should sequence IDs between
      individual clients be similar, conflicts may arise. That is not a problem
      to hardware, which will simply deliver timestamps on a first come, first
      served basis.
      
      However the driver uses a simple hash table to store the unmatched pieces.
      When a new conflicting piece arrives, it pushes out the previously stored
      one, which if it is a packet, is delivered without timestamp. Later on as
      the corresponding timestamps arrive, the first one is mismatched to the
      second packet, and the second one is never matched and eventually is GCd.
      
      To correct this issue, instead of using a simple rhashtable, use rhltable
      to keep the unmatched entries.
      
      Previously, a found unmatched entry would always be removed from the hash
      table. That is not the case anymore--an incompatible entry is left in the
      hash table. Therefore removal from the hash table cannot be used to confirm
      the validity of the looked-up pointer, instead the lookup would simply need
      to be redone. Therefore move it inside the critical section. This
      simplifies a lot of the code.
      
      Fixes: 87486427 ("mlxsw: spectrum: PTP: Support SIOCGHWTSTAMP, SIOCSHWTSTAMP ioctls")
      Reported-by: Alex Veber <alexve@mellanox.com>
      Signed-off-by: Petr Machata <petrm@mellanox.com>
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
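The conflict described in the commit message above, as an added userspace model (not code from the commit or the mlxsw driver): two clients' Delay_Req packets share one key, and the same arrival sequence is fed through a single-slot table and through a per-key list. All type and function names are hypothetical, and a small array stands in for the hash table bucket.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model; every name here is hypothetical, not the mlxsw driver's. */
enum kind { PACKET, TIMESTAMP };
struct piece { enum kind kind; int id; };     /* id: the client it belongs to */
struct bucket { struct piece q[8]; int n; };  /* unmatched pieces for one key */
struct outcome { int ts_for_pkt[2]; int stranded; };

static void feed(struct bucket *b, struct piece p, int use_list, struct outcome *o)
{
	for (int i = 0; i < b->n; i++) {
		struct piece e = b->q[i];
		if (e.kind == p.kind)
			continue;	/* incompatible entry: leave it in place */
		/* Oldest compatible entry: pair the packet with the timestamp. */
		if (p.kind == PACKET)
			o->ts_for_pkt[p.id] = e.id;
		else
			o->ts_for_pkt[e.id] = p.id;
		memmove(&b->q[i], &b->q[i + 1], (b->n - i - 1) * sizeof(b->q[0]));
		b->n--;
		return;
	}
	if (!use_list)
		b->n = 0;	/* single slot: stored piece is pushed out, unmatched */
	if (b->n < 8)
		b->q[b->n++] = p;
}

/* Constructed input: two clients' Delay_Req packets under one key, then timestamps. */
struct outcome simulate(int use_list)
{
	struct piece in[] = { {PACKET, 0}, {PACKET, 1}, {TIMESTAMP, 0}, {TIMESTAMP, 1} };
	struct bucket b = { .n = 0 };
	struct outcome o = { { -1, -1 }, 0 };	/* -1: delivered without timestamp */
	for (int i = 0; i < 4; i++)
		feed(&b, in[i], use_list, &o);
	o.stranded = b.n;	/* pieces left for garbage collection */
	return o;
}

int main(void)
{
	for (int m = 0; m < 2; m++) {
		struct outcome o = simulate(m);
		printf("%s: pkt0<-ts%d pkt1<-ts%d stranded=%d\n", m ? "list" : "single", o.ts_for_pkt[0], o.ts_for_pkt[1], o.stranded);
	}
	return 0;
}
```

With the single slot, packet 0 goes out without a timestamp, packet 1 receives client 0's timestamp, and client 1's timestamp is left behind; with the list, each packet gets its own.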
    • net: nps_enet: Fix function names in doc comments · d81f4141
      Jonathan Neuschäfer authored
      Adjust the function names in two doc comments to match the corresponding
      functions.
      Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Fix local refcounting · 68553f1a
      David Howells authored
      Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called
      on an unbound socket on which rx->local is not yet set.
      
      The following reproducer (includes omitted):
      
      	int main(void)
      	{
      		socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
      		return 0;
      	}
      
      causes the following oops to occur:
      
      	BUG: kernel NULL pointer dereference, address: 0000000000000010
      	...
      	RIP: 0010:rxrpc_unuse_local+0x8/0x1b
      	...
      	Call Trace:
      	 rxrpc_release+0x2b5/0x338
      	 __sock_release+0x37/0xa1
      	 sock_close+0x14/0x17
      	 __fput+0x115/0x1e9
      	 task_work_run+0x72/0x98
      	 do_exit+0x51b/0xa7a
      	 ? __context_tracking_exit+0x4e/0x10e
      	 do_group_exit+0xab/0xab
      	 __x64_sys_exit_group+0x14/0x17
      	 do_syscall_64+0x89/0x1d4
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Jeffrey Altman <jaltman@auristor.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netdevsim: Restore per-network namespace accounting for fib entries · 59c84b9f
      David Ahern authored
      Prior to the commit in the fixes tag, the resource controller in netdevsim
      tracked fib entries and rules per network namespace. Restore that behavior.
      
      Fixes: 5fc49422 ("netdevsim: create devlink instance per netdevsim instance")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 11 Aug, 2019 1 commit
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 9481382b
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-08-11
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) x64 JIT code generation fix for backward-jumps to 1st insn, from Alexei.
      
      2) Fix buggy multi-closing of BTF file descriptor in libbpf, from Andrii.
      
      3) Fix libbpf_num_possible_cpus() to make it thread safe, from Takshak.
      
      4) Fix bpftool to dump an error if pinning fails, from Jakub.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 10 Aug, 2019 1 commit
  8. 09 Aug, 2019 4 commits
    • hv_netvsc: Fix a warning of suspicious RCU usage · 6d0d779d
      Dexuan Cui authored
      This fixes a warning of "suspicious rcu_dereference_check() usage"
      when nload runs.
      
      Fixes: 776e726b ("netvsc: fix RCU warning in get_stats")
      Signed-off-by: Dexuan Cui <decui@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-fixes-2019-08-08' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 9566e650
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-08-08
      
      This series introduces some fixes to mlx5 driver.
      
      Highlights:
      1) From Tariq, Critical mlx5 kTLS fixes to better align with hw specs.
      2) From Aya, Fixes to mlx5 tx devlink health reporter.
      3) From Maxim, aRFs parsing to use flow dissector to avoid relying on
      invalid skb fields.
      
      Please pull and let me know if there is any problem.
      
      For -stable v4.3
       ('net/mlx5e: Only support tx/rx pause setting for port owner')
      For -stable v4.9
       ('net/mlx5e: Use flow keys dissector to parse packets for ARFS')
      For -stable v5.1
       ('net/mlx5e: Fix false negative indication on tx reporter CQE recovery')
       ('net/mlx5e: Remove redundant check in CQE recovery flow of tx reporter')
       ('net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg off')
      
      Note: when merged with net-next this minor conflict will pop up:
      ++<<<<<<< (net-next)
       +      if (is_eswitch_flow) {
       +              flow->esw_attr->match_level = match_level;
       +              flow->esw_attr->tunnel_match_level = tunnel_match_level;
      ++=======
      +       if (flow->flags & MLX5E_TC_FLOW_ESWITCH) {
      +               flow->esw_attr->inner_match_level = inner_match_level;
      +               flow->esw_attr->outer_match_level = outer_match_level;
      ++>>>>>>> (net)
      
      To resolve, use hunks from net (2nd) and replace:
      if (flow->flags & MLX5E_TC_FLOW_ESWITCH)
      with
      if (is_eswitch_flow)
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ixgbe: fix possible deadlock in ixgbe_service_task() · 8b638160
      Taehee Yoo authored
      ixgbe_service_task() calls unregister_netdev() under rtnl_lock().
      But unregister_netdev() internally calls rtnl_lock().
      So deadlock would occur.
      
      Fixes: 59dd45d5 ("ixgbe: firmware recovery mode")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Fix-collisions-in-socket-cookie-generation' · 703acf62
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Fix collisions in socket cookie generation
      
      This change makes the socket cookie generator a global counter
      instead of per netns in order to fix cookie collisions for BPF use
      cases we ran into. See main patch #1 for more details.
      
      Given the change is small/trivial and fixes an issue we're seeing
      my preference would be net tree (though it cleanly applies to
      net-next as well). Went for net tree instead of bpf tree here given
      the main change is in net/core/sock_diag.c, but either way would be
      fine with me.
      
      v1 -> v2:
        - Fix up commit description in patch #1, thanks Eric!
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>