1. 23 Jan, 2020 33 commits
    • Finn Thain's avatar
      net/sonic: Fix receive buffer replenishment · 89ba879e
      Finn Thain authored
      As soon as the driver is finished with a receive buffer it allocs a new
      one and overwrites the corresponding RRA entry with a new buffer pointer.
      
      Problem is, the buffer pointer is split across two word-sized registers.
      It can't be updated in one atomic store. So this operation races with the
      chip while it stores received packets and advances its RRP register.
      This could result in memory corruption by a DMA write.
      
      Avoid this problem by adding buffers only at the location given by the
      RWP register, in accordance with the National Semiconductor datasheet.
      
      Re-factor this code into separate functions to calculate a RRA pointer
      and to update the RWP.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89ba879e
    • Finn Thain's avatar
      net/sonic: Improve receive descriptor status flag check · 94b16634
      Finn Thain authored
      After sonic_tx_timeout() calls sonic_init(), it can happen that
      sonic_rx() will subsequently encounter a receive descriptor with no
      flags set. Remove the comment that says that this can't happen.
      
      When giving a receive descriptor to the SONIC, clear the descriptor
      status field. That way, any rx descriptor with flags set can only be
      a newly received packet.
      
      Don't process a descriptor without the LPKT bit set. The buffer is
      still in use by the SONIC.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      94b16634
    • Finn Thain's avatar
      net/sonic: Avoid needless receive descriptor EOL flag updates · eaabfd19
      Finn Thain authored
      The while loop in sonic_rx() traverses the rx descriptor ring. It stops
      when it reaches a descriptor that the SONIC has not used. Each iteration
      advances the EOL flag so the SONIC can keep using more descriptors.
      Therefore, the while loop has no definite termination condition.
      
      The algorithm described in the National Semiconductor literature is quite
      different. It consumes descriptors up to the one with its EOL flag set
      (which will also have its "in use" flag set). All freed descriptors are
      then returned to the ring at once, by adjusting the EOL flags (and link
      pointers).
      
      Adopt the algorithm from datasheet as it's simpler, terminates quickly
      and avoids a lot of pointless descriptor EOL flag changes.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eaabfd19
    • Finn Thain's avatar
      net/sonic: Fix receive buffer handling · 9e311820
      Finn Thain authored
      The SONIC can sometimes advance its rx buffer pointer (RRP register)
      without advancing its rx descriptor pointer (CRDA register). As a result
      the index of the current rx descriptor may not equal that of the current
      rx buffer. The driver mistakenly assumes that they are always equal.
      This assumption leads to incorrect packet lengths and possible packet
      duplication. Avoid this by calling a new function to locate the buffer
      corresponding to a given descriptor.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e311820
    • Finn Thain's avatar
      net/sonic: Fix interface error stats collection · 427db97d
      Finn Thain authored
      The tx_aborted_errors statistic should count packets flagged with EXD,
      EXC, FU, or BCM bits because those bits denote an aborted transmission.
      That corresponds to the bitmask 0x0446, not 0x0642. Use macros for these
      constants to avoid mistakes. Better to leave out FIFO Underruns (FU) as
      there's a separate counter for that purpose.
      
      Don't lump all these errors in with the general tx_errors counter as
      that's used for tx timeout events.
      
      On the rx side, don't count RDE and RBAE interrupts as dropped packets.
      These interrupts don't indicate a lost packet, just a lack of resources.
      When a lack of resources results in a lost packet, this gets reported
      in the rx_missed_errors counter (along with RFO events).
      
      Don't double-count rx_frame_errors and rx_crc_errors.
      
      Don't use the general rx_errors counter for events that already have
      special counters.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      427db97d
    • Finn Thain's avatar
      net/sonic: Use MMIO accessors · e3885f57
      Finn Thain authored
      The driver accesses descriptor memory which is simultaneously accessed by
      the chip, so the compiler must not be allowed to re-order CPU accesses.
      sonic_buf_get() used 'volatile' to prevent that. sonic_buf_put() should
      have done so too but was overlooked.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3885f57
    • Finn Thain's avatar
      net/sonic: Clear interrupt flags immediately · 5fedabf5
      Finn Thain authored
      The chip can change a packet's descriptor status flags at any time.
      However, an active interrupt flag gets cleared rather late. This
      allows a race condition that could theoretically lose an interrupt.
      Fix this by clearing asserted interrupt flags immediately.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5fedabf5
    • Finn Thain's avatar
      net/sonic: Add mutual exclusion for accessing shared state · 865ad2f2
      Finn Thain authored
      The netif_stop_queue() call in sonic_send_packet() races with the
      netif_wake_queue() call in sonic_interrupt(). This causes issues
      like "NETDEV WATCHDOG: eth0 (macsonic): transmit queue 0 timed out".
      Fix this by disabling interrupts when accessing tx_skb[] and next_tx.
      Update a comment to clarify the synchronization properties.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      865ad2f2
    • Madalin Bucur's avatar
      net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G · 457bfc0a
      Madalin Bucur authored
      As the only 10G PHY interface type defined at the moment the code
      was developed was XGMII, although the PHY interface mode used was
      not XGMII, XGMII was used in the code to denote 10G. This patch
      renames the 10G interface mode to remove the ambiguity.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@oss.nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      457bfc0a
    • David S. Miller's avatar
      Merge branch 'net-fsl-fman-address-erratum-A011043' · 72b59174
      David S. Miller authored
      Madalin Bucur says:
      
      ====================
      net: fsl/fman: address erratum A011043
      
      This addresses a HW erratum on some QorIQ DPAA devices.
      
      MDIO reads to internal PCS registers may result in having
      the MDIO_CFG[MDIO_RD_ER] bit set, even when there is no
      error and read data (MDIO_DATA[MDIO_DATA]) is correct.
      Software may get false read error when reading internal
      PCS registers through MDIO. As a workaround, all internal
      MDIO accesses should ignore the MDIO_CFG[MDIO_RD_ER] bit.
      When the issue was present, one could see such errors
      during boot:
      
        mdio_bus ffe4e5000: Error while reading PHY0 reg at 3.3
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72b59174
    • Madalin Bucur's avatar
      net/fsl: treat fsl,erratum-a011043 · 1d3ca681
      Madalin Bucur authored
      When fsl,erratum-a011043 is set, adjust for erratum A011043:
      MDIO reads to internal PCS registers may result in having
      the MDIO_CFG[MDIO_RD_ER] bit set, even when there is no
      error and read data (MDIO_DATA[MDIO_DATA]) is correct.
      Software may get false read error when reading internal
      PCS registers through MDIO. As a workaround, all internal
      MDIO accesses should ignore the MDIO_CFG[MDIO_RD_ER] bit.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@oss.nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d3ca681
    • Madalin Bucur's avatar
      powerpc/fsl/dts: add fsl,erratum-a011043 · 73d527ae
      Madalin Bucur authored
      Add fsl,erratum-a011043 to internal MDIO buses.
      Software may get false read error when reading internal
      PCS registers through MDIO. As a workaround, all internal
      MDIO accesses should ignore the MDIO_CFG[MDIO_RD_ER] bit.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@oss.nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      73d527ae
    • Madalin Bucur's avatar
      dt-bindings: net: add fsl,erratum-a011043 · 2934d2c6
      Madalin Bucur authored
      Add an entry for erratum A011043: the MDIO_CFG[MDIO_RD_ER]
      bit may be falsely set when reading internal PCS registers.
      MDIO reads to internal PCS registers may result in having
      the MDIO_CFG[MDIO_RD_ER] bit set, even when there is no
      error and read data (MDIO_DATA[MDIO_DATA]) is correct.
      Software may get false read error when reading internal
      PCS registers through MDIO. As a workaround, all internal
      MDIO accesses should ignore the MDIO_CFG[MDIO_RD_ER] bit.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@oss.nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2934d2c6
    • Manish Chopra's avatar
      qlcnic: Fix CPU soft lockup while collecting firmware dump · 22e98449
      Manish Chopra authored
      Driver while collecting firmware dump takes longer time to
      collect/process some of the firmware dump entries/memories.
      Bigger capture masks makes it worse as it results in larger
      amount of data being collected and results in CPU soft lockup.
      Place cond_resched() in some of the driver flows that are
      expectedly time consuming to relinquish the CPU to avoid CPU
      soft lockup panic.
      Signed-off-by: default avatarShahed Shaikh <shshaikh@marvell.com>
      Tested-by: default avatarYonggen Xu <Yonggen.Xu@dell.com>
      Signed-off-by: default avatarManish Chopra <manishc@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22e98449
    • Kristian Evensen's avatar
      fou: Fix IPv6 netlink policy · bb48eb9b
      Kristian Evensen authored
      When submitting v2 of "fou: Support binding FoU socket" (1713cb37),
      I accidentally sent the wrong version of the patch and one fix was
      missing. In the initial version of the patch, as well as the version 2
      that I submitted, I incorrectly used ".type" for the two V6-attributes.
      The correct is to use ".len".
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 1713cb37 ("fou: Support binding FoU socket")
      Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb48eb9b
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2020-01-23' of... · 5169adbc
      David S. Miller authored
      Merge tag 'wireless-drivers-2020-01-23' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.5
      
      Second set of fixes for v5.5. There are quite a few patches,
      especially on iwlwifi, due to me being on a long break. Libertas also
      has a security fix and mt76 a build fix.
      
      iwlwifi
      
      * don't send the PPAG command when PPAG is disabled, since it can cause problems
      
      * a few fixes for a HW bug
      
      * a fix for RS offload;
      
      * a fix for 3168 devices where the NVM tables where the wrong tables were being read
      
      * fix a couple of potential memory leaks in TXQ code
      
      * disable L0S states in all hardware since our hardware doesn't
       officially support them anymore (and older versions of the hardware
       had instability in these states)
      
      * remove lar_disable parameter since it has been causing issues for
        some people who erroneously disable it
      
      * force the debug monitor HW to stop also when debug is disabled,
        since it sometimes stays on and prevents low system power states
      
      * don't send IWL_MVM_RXQ_NSSN_SYNC notification due to DMA problems
      
      libertas
      
      * fix two buffer overflows
      
      mt76
      
      * build fix related to CONFIG_MT76_LEDS
      
      * fix off by one in bitrates handling
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5169adbc
    • Eric Dumazet's avatar
      tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() · 1efba987
      Eric Dumazet authored
      If both IFF_NAPI_FRAGS mode and XDP are enabled, and the XDP program
      consumes the skb, we need to clear the napi.skb (or risk
      a use-after-free) and release the mutex (or risk a deadlock)
      
      WARNING: lock held when returning to user space!
      5.5.0-rc6-syzkaller #0 Not tainted
      ------------------------------------------------
      syz-executor.0/455 is leaving the kernel with locks still held!
      1 lock held by syz-executor.0/455:
       #0: ffff888098f6e748 (&tfile->napi_mutex){+.+.}, at: tun_get_user+0x1604/0x3fc0 drivers/net/tun.c:1835
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Petar Penkov <ppenkov@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1efba987
    • Ido Schimmel's avatar
      mlxsw: spectrum_acl: Fix use-after-free during reload · 971de2e5
      Ido Schimmel authored
      During reload (or module unload), the router block is de-initialized.
      Among other things, this results in the removal of a default multicast
      route from each active virtual router (VRF). These default routes are
      configured during initialization to trap packets to the CPU. In
      Spectrum-2, unlike Spectrum-1, multicast routes are implemented using
      ACL rules.
      
      Since the router block is de-initialized before the ACL block, it is
      possible that the ACL rules corresponding to the default routes are
      deleted while being accessed by the ACL delayed work that queries rules'
      activity from the device. This can result in a rare use-after-free [1].
      
      Fix this by protecting the rules list accessed by the delayed work with
      a lock. We cannot use a spinlock as the activity read operation is
      blocking.
      
      [1]
      [  123.331662] ==================================================================
      [  123.339920] BUG: KASAN: use-after-free in mlxsw_sp_acl_rule_activity_update_work+0x330/0x3b0
      [  123.349381] Read of size 8 at addr ffff8881f3bb4520 by task kworker/0:2/78
      [  123.357080]
      [  123.358773] CPU: 0 PID: 78 Comm: kworker/0:2 Not tainted 5.5.0-rc5-custom-33108-gf5df95d3ef41 #2209
      [  123.368898] Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
      [  123.378456] Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work
      [  123.385970] Call Trace:
      [  123.388734]  dump_stack+0xc6/0x11e
      [  123.392568]  print_address_description.constprop.4+0x21/0x340
      [  123.403236]  __kasan_report.cold.8+0x76/0xb1
      [  123.414884]  kasan_report+0xe/0x20
      [  123.418716]  mlxsw_sp_acl_rule_activity_update_work+0x330/0x3b0
      [  123.444034]  process_one_work+0xb06/0x19a0
      [  123.453731]  worker_thread+0x91/0xe90
      [  123.467348]  kthread+0x348/0x410
      [  123.476847]  ret_from_fork+0x24/0x30
      [  123.480863]
      [  123.482545] Allocated by task 73:
      [  123.486273]  save_stack+0x19/0x80
      [  123.490000]  __kasan_kmalloc.constprop.6+0xc1/0xd0
      [  123.495379]  mlxsw_sp_acl_rule_create+0xa7/0x230
      [  123.500566]  mlxsw_sp2_mr_tcam_route_create+0xf6/0x3e0
      [  123.506334]  mlxsw_sp_mr_tcam_route_create+0x5b4/0x820
      [  123.512102]  mlxsw_sp_mr_table_create+0x3b5/0x690
      [  123.517389]  mlxsw_sp_vr_get+0x289/0x4d0
      [  123.521797]  mlxsw_sp_fib_node_get+0xa2/0x990
      [  123.526692]  mlxsw_sp_router_fib4_event_work+0x54c/0x2d60
      [  123.532752]  process_one_work+0xb06/0x19a0
      [  123.537352]  worker_thread+0x91/0xe90
      [  123.541471]  kthread+0x348/0x410
      [  123.545103]  ret_from_fork+0x24/0x30
      [  123.549113]
      [  123.550795] Freed by task 518:
      [  123.554231]  save_stack+0x19/0x80
      [  123.557958]  __kasan_slab_free+0x125/0x170
      [  123.562556]  kfree+0xd7/0x3a0
      [  123.565895]  mlxsw_sp_acl_rule_destroy+0x63/0xd0
      [  123.571081]  mlxsw_sp2_mr_tcam_route_destroy+0xd5/0x130
      [  123.576946]  mlxsw_sp_mr_tcam_route_destroy+0xba/0x260
      [  123.582714]  mlxsw_sp_mr_table_destroy+0x1ab/0x290
      [  123.588091]  mlxsw_sp_vr_put+0x1db/0x350
      [  123.592496]  mlxsw_sp_fib_node_put+0x298/0x4c0
      [  123.597486]  mlxsw_sp_vr_fib_flush+0x15b/0x360
      [  123.602476]  mlxsw_sp_router_fib_flush+0xba/0x470
      [  123.607756]  mlxsw_sp_vrs_fini+0xaa/0x120
      [  123.612260]  mlxsw_sp_router_fini+0x137/0x384
      [  123.617152]  mlxsw_sp_fini+0x30a/0x4a0
      [  123.621374]  mlxsw_core_bus_device_unregister+0x159/0x600
      [  123.627435]  mlxsw_devlink_core_bus_device_reload_down+0x7e/0xb0
      [  123.634176]  devlink_reload+0xb4/0x380
      [  123.638391]  devlink_nl_cmd_reload+0x610/0x700
      [  123.643382]  genl_rcv_msg+0x6a8/0xdc0
      [  123.647497]  netlink_rcv_skb+0x134/0x3a0
      [  123.651904]  genl_rcv+0x29/0x40
      [  123.655436]  netlink_unicast+0x4d4/0x700
      [  123.659843]  netlink_sendmsg+0x7c0/0xc70
      [  123.664251]  __sys_sendto+0x265/0x3c0
      [  123.668367]  __x64_sys_sendto+0xe2/0x1b0
      [  123.672773]  do_syscall_64+0xa0/0x530
      [  123.676892]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  123.682552]
      [  123.684238] The buggy address belongs to the object at ffff8881f3bb4500
      [  123.684238]  which belongs to the cache kmalloc-128 of size 128
      [  123.698261] The buggy address is located 32 bytes inside of
      [  123.698261]  128-byte region [ffff8881f3bb4500, ffff8881f3bb4580)
      [  123.711303] The buggy address belongs to the page:
      [  123.716682] page:ffffea0007ceed00 refcount:1 mapcount:0 mapping:ffff888236403500 index:0x0
      [  123.725958] raw: 0200000000000200 dead000000000100 dead000000000122 ffff888236403500
      [  123.734646] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      [  123.743315] page dumped because: kasan: bad access detected
      [  123.749562]
      [  123.751241] Memory state around the buggy address:
      [  123.756620]  ffff8881f3bb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  123.764716]  ffff8881f3bb4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  123.772812] >ffff8881f3bb4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  123.780904]                                ^
      [  123.785697]  ffff8881f3bb4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  123.793793]  ffff8881f3bb4600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  123.801883] ==================================================================
      
      Fixes: cf7221a4 ("mlxsw: spectrum_router: Add Multicast routing support for Spectrum-2")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      971de2e5
    • David S. Miller's avatar
      Merge branch 'r8152-serial-fixes' · edf9acf5
      David S. Miller authored
      Hayes Wang says:
      
      ====================
      r8152: serial fixes
      
      v3:
      1. Fix the typos for patch #5 and #6.
      2. Modify the commit message of patch #9.
      
      v2:
      For patch #2, move declaring the variable "ocp_data".
      
      v1:
      These patches are used to fix some issues for RTL8153.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      edf9acf5
    • Hayes Wang's avatar
      r8152: disable DelayPhyPwrChg · aa475d93
      Hayes Wang authored
      When enabling this, the device would wait an internal signal which
      wouldn't be triggered. Then, the device couldn't enter P3 mode, so
      the power consumption is increased.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa475d93
    • Hayes Wang's avatar
      r8152: avoid the MCU to clear the lanwake · 19813162
      Hayes Wang authored
      Avoid the MCU to clear the lanwake after suspending. It may cause the
      WOL fail. Disable LANWAKE_CLR_EN before suspending. Besides,enable it
      and reset the lanwake status when resuming or initializing.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19813162
    • Hayes Wang's avatar
      r8152: don't enable U1U2 with USB_SPEED_HIGH for RTL8153B · a0246daf
      Hayes Wang authored
      For certain platforms, it causes USB reset periodically.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0246daf
    • Hayes Wang's avatar
      r8152: disable test IO for RTL8153B · d7f1b596
      Hayes Wang authored
      For RTL8153B with QFN32, disable test IO. Otherwise, it may cause
      abnormal behavior for the device randomly.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d7f1b596
    • Hayes Wang's avatar
      r8152: Disable PLA MCU clock speed down · 08997b5e
      Hayes Wang authored
      PLA MCU clock speed down could only be enabled when tx/rx are disabled.
      Otherwise, the packet loss may occur.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      08997b5e
    • Hayes Wang's avatar
      r8152: disable U2P3 for RTL8153B · 809a7fc6
      Hayes Wang authored
      Enable U2P3 may miss zero packet for bulk-in.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      809a7fc6
    • Hayes Wang's avatar
      r8152: get default setting of WOL before initializing · 9583a363
      Hayes Wang authored
      Initailization would reset runtime suspend by tp->saved_wolopts, so
      the tp->saved_wolopts should be set before initializing.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9583a363
    • Hayes Wang's avatar
      r8152: reset flow control patch when linking on for RTL8153B · f99cd20e
      Hayes Wang authored
      When linking ON, the patch of flow control has to be reset. This
      makes sure the patch works normally.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f99cd20e
    • Hayes Wang's avatar
      r8152: fix runtime resume for linking change · a3914272
      Hayes Wang authored
      Fix the runtime resume doesn't work normally for linking change.
      
      1. Reset the settings and status of runtime suspend.
      2. Sync the linking status.
      3. Poll the linking change.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a3914272
    • Eric Dumazet's avatar
      gtp: make sure only SOCK_DGRAM UDP sockets are accepted · 940ba149
      Eric Dumazet authored
      A malicious user could use RAW sockets and fool
      GTP using them as standard SOCK_DGRAM UDP sockets.
      
      BUG: KMSAN: uninit-value in udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
      BUG: KMSAN: uninit-value in setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
      CPU: 0 PID: 11262 Comm: syz-executor613 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
       setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
       gtp_encap_enable_socket+0x37f/0x5a0 drivers/net/gtp.c:827
       gtp_encap_enable drivers/net/gtp.c:844 [inline]
       gtp_newlink+0xfb/0x1e50 drivers/net/gtp.c:666
       __rtnl_newlink net/core/rtnetlink.c:3305 [inline]
       rtnl_newlink+0x2973/0x3920 net/core/rtnetlink.c:3363
       rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x441359
      Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fff1cd0ac28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441359
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020d0
      R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
       kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
       kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
       __alloc_pages_nodemask+0x57f2/0x5f60 mm/page_alloc.c:4800
       alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2207
       alloc_pages include/linux/gfp.h:534 [inline]
       alloc_slab_page+0x111/0x12f0 mm/slub.c:1511
       allocate_slab mm/slub.c:1656 [inline]
       new_slab+0x2bc/0x1130 mm/slub.c:1722
       new_slab_objects mm/slub.c:2473 [inline]
       ___slab_alloc+0x1533/0x1f30 mm/slub.c:2624
       __slab_alloc mm/slub.c:2664 [inline]
       slab_alloc_node mm/slub.c:2738 [inline]
       slab_alloc mm/slub.c:2783 [inline]
       kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2788
       sk_prot_alloc+0xf2/0x620 net/core/sock.c:1597
       sk_alloc+0xf0/0xbe0 net/core/sock.c:1657
       inet_create+0x7c7/0x1370 net/ipv4/af_inet.c:321
       __sock_create+0x8eb/0xf00 net/socket.c:1420
       sock_create net/socket.c:1471 [inline]
       __sys_socket+0x1a1/0x600 net/socket.c:1513
       __do_sys_socket net/socket.c:1522 [inline]
       __se_sys_socket+0x8d/0xb0 net/socket.c:1520
       __x64_sys_socket+0x4a/0x70 net/socket.c:1520
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Pablo Neira <pablo@netfilter.org>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      940ba149
    • Eric Dumazet's avatar
      net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() · d836f5c6
      Eric Dumazet authored
      rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
      checks that we apply in do_setlink()
      
      Otherwise malicious users can crash the kernel, for example after
      an integer overflow :
      
      BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
      BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
      Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       check_memory_region_inline mm/kasan/generic.c:185 [inline]
       check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
       memset+0x24/0x40 mm/kasan/common.c:108
       memset include/linux/string.h:365 [inline]
       __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
       sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
       sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
       mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
       add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
       add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
       mld_send_cr net/ipv6/mcast.c:1970 [inline]
       mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
       call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers kernel/time/timer.c:1773 [inline]
       __run_timers kernel/time/timer.c:1740 [inline]
       run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x19b/0x1e0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
       </IRQ>
      RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
      Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
      RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
      RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
      RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
      RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
      R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
       arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
       default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
       cpuidle_idle_call kernel/sched/idle.c:154 [inline]
       do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
       cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
       rest_init+0x23b/0x371 init/main.c:451
       arch_call_rest_init+0xe/0x1b
       start_kernel+0x904/0x943 init/main.c:784
       x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
       x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
      
      The buggy address belongs to the page:
      page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
       ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      
      Fixes: 61e84623 ("net: centralize net_device min/max MTU checking")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d836f5c6
    • Michael Ellerman's avatar
      airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE · 78f7a756
      Michael Ellerman authored
      The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
      implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
      
      The ioctl handler copies an aironet_ioctl struct from userspace, which
      includes a command. Some of the commands are handled in readrids(),
      where the user controlled command is converted into a driver-internal
      value called "ridcode".
      
      There are two command values, AIROGWEPKTMP and AIROGWEPKNV, which
      correspond to ridcode values of RID_WEP_TEMP and RID_WEP_PERM
      respectively. These commands both have checks that the user has
      CAP_NET_ADMIN, with the comment that "Only super-user can read WEP
      keys", otherwise they return -EPERM.
      
      However there is another command value, AIRORRID, that lets the user
      specify the ridcode value directly, with no other checks. This means
      the user can bypass the CAP_NET_ADMIN check on AIROGWEPKTMP and
      AIROGWEPKNV.
      
      Fix it by moving the CAP_NET_ADMIN check out of the command handling
      and instead do it later based on the ridcode. That way regardless of
      whether the ridcode is set via AIROGWEPKTMP or AIROGWEPKNV, or passed
      in using AIRORID, we always do the CAP_NET_ADMIN check.
      
      Found by Ilja by code inspection, not tested as I don't have the
      required hardware.
      Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      78f7a756
    • Michael Ellerman's avatar
      airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE · d6bce213
      Michael Ellerman authored
      The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
      implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
      
      The ioctl handler copies an aironet_ioctl struct from userspace, which
      includes a command and a length. Some of the commands are handled in
      readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes.
      
      That buffer is then passed to PC4500_readrid(), which has two cases.
      The else case does some setup and then reads up to RIDSIZE bytes from
      the hardware into the kmalloc()'ed buffer.
      
      Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer:
      
      	// read the rid length field
      	bap_read(ai, pBuf, 2, BAP1);
      	// length for remaining part of rid
      	len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2;
      	...
      	// read remainder of the rid
      	rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1);
      
      PC4500_readrid() then returns to readrids() which does:
      
      	len = comp->len;
      	if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) {
      
      Where comp->len is the user controlled length field.
      
      So if the "rid length field" returned by the hardware is < 2048, and
      the user requests 2048 bytes in comp->len, we will leak the previous
      contents of the kmalloc()'ed buffer to userspace.
      
      Fix it by kzalloc()'ing the buffer.
      
      Found by Ilja by code inspection, not tested as I don't have the
      required hardware.
      Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d6bce213
    • Andrew Lunn's avatar
      MAINTAINERS: Make Russell King designated reviewer of phylib · 3adb4eaa
      Andrew Lunn authored
      phylink and phylib are interconnected. It makes sense for phylib and
      phy driver patches to be also reviewed by the phylink maintainer.
      So add Russell King as a designed reviewer of phylib.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3adb4eaa
  2. 22 Jan, 2020 7 commits
    • William Dauchy's avatar
      net, ip6_tunnel: fix namespaces move · 5311a69a
      William Dauchy authored
      in the same manner as commit d0f41851 ("net, ip_tunnel: fix
      namespaces move"), fix namespace moving as it was broken since commit
      8d79266b ("ip6_tunnel: add collect_md mode to IPv6 tunnel"), but for
      ipv6 this time; there is no reason to keep it for ip6_tunnel.
      
      Fixes: 8d79266b ("ip6_tunnel: add collect_md mode to IPv6 tunnel")
      Signed-off-by: default avatarWilliam Dauchy <w.dauchy@criteo.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5311a69a
    • Eric Dumazet's avatar
      net_sched: use validated TCA_KIND attribute in tc_new_tfilter() · 36d79af7
      Eric Dumazet authored
      sysbot found another issue in tc_new_tfilter().
      We probably should use @name which contains the sanitized
      version of TCA_KIND.
      
      BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:608 [inline]
      BUG: KMSAN: uninit-value in string+0x522/0x690 lib/vsprintf.c:689
      CPU: 1 PID: 10753 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       string_nocheck lib/vsprintf.c:608 [inline]
       string+0x522/0x690 lib/vsprintf.c:689
       vsnprintf+0x207d/0x31b0 lib/vsprintf.c:2574
       __request_module+0x2ad/0x11c0 kernel/kmod.c:143
       tcf_proto_lookup_ops+0x241/0x720 net/sched/cls_api.c:139
       tcf_proto_create net/sched/cls_api.c:262 [inline]
       tc_new_tfilter+0x2a4e/0x5010 net/sched/cls_api.c:2058
       rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45b349
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f88b3948c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f88b39496d4 RCX: 000000000045b349
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 000000000000099f R14: 00000000004cb163 R15: 000000000075bfd4
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2774 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
       netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6f96c3c6 ("net_sched: fix backward compatibility for TCA_KIND")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      36d79af7
    • Paolo Abeni's avatar
      Revert "udp: do rmem bulk free even if the rx sk queue is empty" · d39ca259
      Paolo Abeni authored
      This reverts commit 0d4a6608.
      
      Williem reported that after commit 0d4a6608 ("udp: do rmem bulk
      free even if the rx sk queue is empty") the memory allocated by
      an almost idle system with many UDP sockets can grow a lot.
      
      For stable kernel keep the solution as simple as possible and revert
      the offending commit.
      Reported-by: default avatarWillem de Bruijn <willemdebruijn.kernel@gmail.com>
      Diagnosed-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Fixes: 0d4a6608 ("udp: do rmem bulk free even if the rx sk queue is empty")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d39ca259
    • David S. Miller's avatar
    • Maxim Mikityanskiy's avatar
      net: Fix packet reordering caused by GRO and listified RX cooperation · c8079432
      Maxim Mikityanskiy authored
      Commit 323ebb61 ("net: use listified RX for handling GRO_NORMAL
      skbs") introduces batching of GRO_NORMAL packets in napi_frags_finish,
      and commit 6570bc79 ("net: core: use listified Rx for GRO_NORMAL in
      napi_gro_receive()") adds the same to napi_skb_finish. However,
      dev_gro_receive (that is called just before napi_{frags,skb}_finish) can
      also pass skbs to the networking stack: e.g., when the GRO session is
      flushed, napi_gro_complete is called, which passes pp directly to
      netif_receive_skb_internal, skipping napi->rx_list. It means that the
      packet stored in pp will be handled by the stack earlier than the
      packets that arrived before, but are still waiting in napi->rx_list. It
      leads to TCP reorderings that can be observed in the TCPOFOQueue counter
      in netstat.
      
      This commit fixes the reordering issue by making napi_gro_complete also
      use napi->rx_list, so that all packets going through GRO will keep their
      order. In order to keep napi_gro_flush working properly, gro_normal_list
      calls are moved after the flush to clear napi->rx_list.
      
      iwlwifi calls napi_gro_flush directly and does the same thing that is
      done by gro_normal_list, so the same change is applied there:
      napi_gro_flush is moved to be before the flush of napi->rx_list.
      
      A few other drivers also use napi_gro_flush (brocade/bna/bnad.c,
      cortina/gemini.c, hisilicon/hns3/hns3_enet.c). The first two also use
      napi_complete_done afterwards, which performs the gro_normal_list flush,
      so they are fine. The latter calls napi_gro_receive right after
      napi_gro_flush, so it can end up with non-empty napi->rx_list anyway.
      
      Fixes: 323ebb61 ("net: use listified RX for handling GRO_NORMAL skbs")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Cc: Alexander Lobakin <alobakin@dlink.ru>
      Cc: Edward Cree <ecree@solarflare.com>
      Acked-by: default avatarAlexander Lobakin <alobakin@dlink.ru>
      Acked-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Acked-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8079432
    • Richard Palethorpe's avatar
      can, slip: Protect tty->disc_data in write_wakeup and close with RCU · 0ace17d5
      Richard Palethorpe authored
      write_wakeup can happen in parallel with close/hangup where tty->disc_data
      is set to NULL and the netdevice is freed thus also freeing
      disc_data. write_wakeup accesses disc_data so we must prevent close from
      freeing the netdev while write_wakeup has a non-NULL view of
      tty->disc_data.
      
      We also need to make sure that accesses to disc_data are atomic. Which can
      all be done with RCU.
      
      This problem was found by Syzkaller on SLCAN, but the same issue is
      reproducible with the SLIP line discipline using an LTP test based on the
      Syzkaller reproducer.
      
      A fix which didn't use RCU was posted by Hillf Danton.
      
      Fixes: 661f7fda ("slip: Fix deadlock in write_wakeup")
      Fixes: a8e83b17 ("slcan: Port write_wakeup deadlock fix from slip")
      Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
      Signed-off-by: default avatarRichard Palethorpe <rpalethorpe@suse.com>
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Tyler Hall <tylerwhall@gmail.com>
      Cc: linux-can@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: syzkaller@googlegroups.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0ace17d5
    • Jakub Sitnicki's avatar
      net, sk_msg: Don't check if sock is locked when tearing down psock · 58c8db92
      Jakub Sitnicki authored
      As John Fastabend reports [0], psock state tear-down can happen on receive
      path *after* unlocking the socket, if the only other psock user, that is
      sockmap or sockhash, releases its psock reference before tcp_bpf_recvmsg
      does so:
      
       tcp_bpf_recvmsg()
        psock = sk_psock_get(sk)                         <- refcnt 2
        lock_sock(sk);
        ...
                                        sock_map_free()  <- refcnt 1
        release_sock(sk)
        sk_psock_put()                                   <- refcnt 0
      
      Remove the lockdep check for socket lock in psock tear-down that got
      introduced in 7e81a353 ("bpf: Sockmap, ensure sock lock held during
      tear down").
      
      [0] https://lore.kernel.org/netdev/5e25dc995d7d_74082aaee6e465b441@john-XPS-13-9370.notmuch/
      
      Fixes: 7e81a353 ("bpf: Sockmap, ensure sock lock held during tear down")
      Reported-by: syzbot+d73682fcf7fee6982fe3@syzkaller.appspotmail.com
      Suggested-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58c8db92