1. 15 Jun, 2019 2 commits
    • bpf: Fix out of bounds memory access in bpf_sk_storage · 85749218
      Arthur Fabre authored
      bpf_sk_storage maps use multiple spin locks to reduce contention.
      The number of locks to use is determined by the number of possible CPUs.
      With only 1 possible CPU, bucket_log == 0, and 2^0 = 1 locks are used.
      
      When updating elements, the correct lock is determined with hash_ptr().
      Calling hash_ptr() with 0 bits is undefined behavior, as it does:
      
      x >> (64 - bits)
      
      Using the value results in an out of bounds memory access.
      In my case, this manifested itself as a page fault when raw_spin_lock_bh()
      is called later, when running the self tests:
      
      ./tools/testing/selftests/bpf/test_verifier 773 775
      [   16.366342] BUG: unable to handle page fault for address: ffff8fe7a66f93f8
      
      Force the minimum number of locks to two.
      Signed-off-by: Arthur Fabre <afabre@cloudflare.com>
      Fixes: 6ac99e8f ("bpf: Introduce bpf sk local storage")
      Acked-by: Andrii Nakryiko <andriin@fb.com>
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    • bpf, x64: fix stack layout of JITed bpf code · fe8d9571
      Alexei Starovoitov authored
      Since commit 177366bf the %rbp stopped pointing to %rbp of the
      previous stack frame. That broke frame pointer based stack unwinding.
      This commit is a partial revert of it.
      Note that the location of tail_call_cnt is fixed, since the verifier
      enforces MAX_BPF_STACK stack size for programs with tail calls.
      
      Fixes: 177366bf ("bpf: change x86 JITed program stack layout")
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
  2. 14 Jun, 2019 3 commits
  3. 13 Jun, 2019 5 commits
  4. 12 Jun, 2019 2 commits
  5. 11 Jun, 2019 1 commit
    • bpf: lpm_trie: check left child of last leftmost node for NULL · da2577fd
      Jonathan Lemon authored
      If the leftmost parent node of the tree does not have a child
      on the left side, then trie_get_next_key (and bpftool map dump) will
      not look at the child on the right.  This leads to the traversal
      missing elements.
      
      Lookup is not affected.
      
      Update selftest to handle this case.
      
      Reproducer:
      
       bpftool map create /sys/fs/bpf/lpm type lpm_trie key 6 \
           value 1 entries 256 name test_lpm flags 1
       bpftool map update pinned /sys/fs/bpf/lpm key  8 0 0 0  0   0 value 1
       bpftool map update pinned /sys/fs/bpf/lpm key 16 0 0 0  0 128 value 2
       bpftool map dump   pinned /sys/fs/bpf/lpm
      
      Returns only 1 element. (2 expected)
      
      Fixes: b471f2f1 ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE")
      Signed-off-by: Jonathan Lemon <jonathan.lemon@gmail.com>
      Acked-by: Martin KaFai Lau <kafai@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  6. 10 Jun, 2019 9 commits
    • nfp: ensure skb network header is set for packet redirect · dce5cccc
      John Hurley authored
      Packets received at the NFP driver may be redirected to egress of another
      netdev (e.g. in the case of OvS internal ports). On the egress path, some
      processes, like TC egress hooks, may expect the network header offset
      field in the skb to be correctly set. If this is not the case there is
      potential for abnormal behaviour and even the triggering of BUG() calls.
      
      Set the skb network header field before the mac header pull when doing a
      packet redirect.
      
      Fixes: 27f54b58 ("nfp: allow fallback packets from non-reprs")
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: fix undo spurious SYNACK in passive Fast Open · fcc2202a
      Yuchung Cheng authored
      Commit 794200d6 ("tcp: undo cwnd on Fast Open spurious SYNACK
      retransmit") may cause tcp_fastretrans_alert() to warn about pending
      retransmission in Open state. This is triggered when the Fast Open
      server both sends data and has spurious SYNACK retransmission during
      the handshake, and the data packets were lost or reordered.
      
      The root cause is a bit complicated:
      
      (1) Upon receiving SYN-data: a full socket is created with
          snd_una = ISN + 1 by tcp_create_openreq_child()
      
      (2) On SYNACK timeout the server/sender enters CA_Loss state.
      
      (3) Upon receiving the final ACK to complete the handshake, sender
          does not mark FLAG_SND_UNA_ADVANCED since (1)
      
          Sender then calls tcp_process_loss since state is CA_loss by (2)
      
      (4) tcp_process_loss() does not invoke undo operations but instead
          marks REXMIT_LOST to force retransmission
      
      (5) tcp_rcv_synrecv_state_fastopen() calls tcp_try_undo_loss(). It
          changes state to CA_Open but has positive tp->retrans_out
      
      (6) Next ACK triggers the WARN_ON in tcp_fastretrans_alert()
      
      The step that goes wrong is (4) where the undo operation should
      have been invoked because the ACK successfully acknowledged the
      SYN sequence. This fixes that by specifically checking undo
      when the SYN-ACK sequence is acknowledged. Then after
      tcp_process_loss() the state would be further adjusted based
      in tcp_fastretrans_alert() to avoid triggering the warning in (6).
      
      Fixes: 794200d6 ("tcp: undo cwnd on Fast Open spurious SYNACK retransmit")
      Signed-off-by: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mpls: fix af_mpls dependencies · c1a9d659
      Matteo Croce authored
      MPLS routing code relies on sysctl to work, so let it select PROC_SYSCTL.
      Reported-by: Randy Dunlap <rdunlap@infradead.org>
      Suggested-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: Matteo Croce <mcroce@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'ibmvnic-Fixes-for-device-reset-handling' · 7f0b44a4
      David S. Miller authored
      Thomas Falcon says:
      
      ====================
      ibmvnic: Fixes for device reset handling
      
      This series contains three unrelated fixes to issues seen during
      device resets. The first patch fixes an error when the driver requests
      to deactivate the link of an uninitialized device, resulting in a
      failure to reset. Next, a patch to fix multicast transmission
      failures seen after a driver reset. The final patch fixes mishandling
      of memory allocation failures during device initialization, which
      caused a kernel oops.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ibmvnic: Fix unchecked return codes of memory allocations · 7c940b1a
      Thomas Falcon authored
      The return values for these memory allocations are unchecked,
      which may cause an oops if the driver does not handle them after
      a failure. Fix by checking the function's return code.
      Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ibmvnic: Refresh device multicast list after reset · be32a243
      Thomas Falcon authored
      It was observed that multicast packets were no longer received after
      a device reset.  The fix is to resend the current multicast list to
      the backing device after recovery.
      Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ibmvnic: Do not close unopened driver during reset · 1f94608b
      Thomas Falcon authored
      Check driver state before halting it during a reset. If the driver is
      not running, do nothing. Otherwise, a request to deactivate a down link
      can cause an error and the reset will fail.
      Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-fixes-2019-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 4172eadb
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-06-07
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v4.17
        ('net/mlx5: Avoid reloading already removed devices')
      
      For -stable v5.0
        ('net/mlx5e: Avoid detaching non-existing netdev under switchdev mode')
      
      For -stable v5.1
        ('net/mlx5e: Fix source port matching in fdb peer flow rule')
        ('net/mlx5e: Support tagged tunnel over bond')
        ('net/mlx5e: Add ndo_set_feature for uplink representor')
        ('net/mlx5: Update pci error handler entries and command translation')
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'linux-can-fixes-for-5.2-20190607' of... · 62f42a11
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.2-20190607' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-06-07
      
      this is a pull request of 9 patches for net/master.
      
      The first patch is by Alexander Dahl and removes a duplicate menu entry from
      the Kconfig. The next patch by Joakim Zhang fixes the timeout in the flexcan
      driver when setting small bit rates. Anssi Hannula's patch for the xilinx_can
      driver fixes the bittiming_const for CAN FD core. The two patches by Sean
      Nyekjaer bring mcp25625 to the existing mcp251x driver. The patch by Eugen
      Hristev implements an errata for the m_can driver. YueHaibing's patch fixes the
      error handling in can_init(). The patch by Fabio Estevam for the flexcan
      driver removes an unneeded registration message during flexcan_probe(). And the
      last patch is by Willem de Bruijn and adds the missing purging of the socket
      error queue on sock destruct.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 09 Jun, 2019 4 commits
  8. 07 Jun, 2019 14 commits