1. 03 Nov, 2016 4 commits
    • Eric Dumazet's avatar
      tcp: fix potential memory corruption · ac9e70b1
      Eric Dumazet authored
      Imagine initial value of max_skb_frags is 17, and last
      skb in write queue has 15 frags.
      
      Then max_skb_frags is lowered to 14 or smaller value.
      
      tcp_sendmsg() will then be allowed to add additional page frags
      and eventually go past MAX_SKB_FRAGS, overflowing struct
      skb_shared_info.
      
      Fixes: 5f74f82e ("net:Add sysctl_max_skb_frags")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Hans Westgaard Ry <hans.westgaard.ry@oracle.com>
      Cc: Håkon Bugge <haakon.bugge@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac9e70b1
    • Mintz, Yuval's avatar
      qede: Correctly map aggregation replacement pages · 9512925a
      Mintz, Yuval authored
      Driver allocates replacement buffers before-hand to make
      sure whenever an aggregation begins there would be a replacement
      for the Rx buffers, as we can't release the buffer until
      aggregation is terminated and driver logic assumes the Rx rings
      are always full.
      
      For every other Rx page that's being allocated [I.e., regular]
      the page is being completely mapped while for the replacement
      buffers only the first portion of the page is being mapped.
      This means that:
        a. Once replacement buffer replenishes the regular Rx ring,
      assuming there's more than a single packet on page we'd post unmapped
      memory toward HW [assuming mapping is actually done in granularity
      smaller than page].
        b. Unmaps are being done for the entire page, which is incorrect.
      
      Fixes: 55482edc ("qede: Add slowpath/fastpath support and enable hardware GRO")
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9512925a
    • Hariprasad Shenai's avatar
    • WANG Cong's avatar
      inet: fix sleeping inside inet_wait_for_connect() · 14135f30
      WANG Cong authored
      Andrey reported this kernel warning:
      
        WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
        __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
        do not call blocking ops when !TASK_RUNNING; state=1 set at
        [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
        kernel/sched/wait.c:178
        Modules linked in:
        CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
         ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
         ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
        Call Trace:
         [<     inline     >] __dump_stack lib/dump_stack.c:15
         [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
         [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
         [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
         [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
         [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
         [<     inline     >] slab_alloc_node mm/slub.c:2634
         [<     inline     >] slab_alloc mm/slub.c:2716
         [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
         [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
         [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0 net/dccp/feat.c:374
         [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
         [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
         [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
         [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
         [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
         [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
         [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
         [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
         [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
         [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
         [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
         [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
         [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
         [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
         [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
        arch/x86/entry/entry_64.S:209
      
      Unlike commit 26cabd31
      ("sched, net: Clean up sk_wait_event() vs. might_sleep()"), the
      sleeping function is called before schedule_timeout(), this is indeed
      a bug. Fix this by moving the wait logic to the new API, it is similar
      to commit ff960a73
      ("netdev, sched/wait: Fix sleeping inside wait event").
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      14135f30
  2. 02 Nov, 2016 4 commits
  3. 01 Nov, 2016 9 commits
  4. 31 Oct, 2016 16 commits
  5. 30 Oct, 2016 4 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 2a26d99b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Lots of fixes, mostly drivers as is usually the case.
      
         1) Don't treat zero DMA address as invalid in vmxnet3, from Alexey
            Khoroshilov.
      
         2) Fix element timeouts in netfilter's nft_dynset, from Anders K.
            Pedersen.
      
         3) Don't put aead_req crypto struct on the stack in mac80211, from
            Ard Biesheuvel.
      
         4) Several uninitialized variable warning fixes from Arnd Bergmann.
      
         5) Fix memory leak in cxgb4, from Colin Ian King.
      
         6) Fix bpf handling of VLAN header push/pop, from Daniel Borkmann.
      
         7) Several VRF semantic fixes from David Ahern.
      
         8) Set skb->protocol properly in ip6_tnl_xmit(), from Eli Cooper.
      
         9) Socket needs to be locked in udp_disconnect(), from Eric Dumazet.
      
        10) Div-by-zero on 32-bit fix in mlx4 driver, from Eugenia Emantayev.
      
        11) Fix stale link state during failover in NCSCI driver, from Gavin
            Shan.
      
        12) Fix netdev lower adjacency list traversal, from Ido Schimmel.
      
        13) Propvide proper handle when emitting notifications of filter
            deletes, from Jamal Hadi Salim.
      
        14) Memory leaks and big-endian issues in rtl8xxxu, from Jes Sorensen.
      
        15) Fix DESYNC_FACTOR handling in ipv6, from Jiri Bohac.
      
        16) Several routing offload fixes in mlxsw driver, from Jiri Pirko.
      
        17) Fix broadcast sync problem in TIPC, from Jon Paul Maloy.
      
        18) Validate chunk len before using it in SCTP, from Marcelo Ricardo
            Leitner.
      
        19) Revert a netns locking change that causes regressions, from Paul
            Moore.
      
        20) Add recursion limit to GRO handling, from Sabrina Dubroca.
      
        21) GFP_KERNEL in irq context fix in ibmvnic, from Thomas Falcon.
      
        22) Avoid accessing stale vxlan/geneve socket in data path, from
            Pravin Shelar"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (189 commits)
        geneve: avoid using stale geneve socket.
        vxlan: avoid using stale vxlan socket.
        qede: Fix out-of-bound fastpath memory access
        net: phy: dp83848: add dp83822 PHY support
        enic: fix rq disable
        tipc: fix broadcast link synchronization problem
        ibmvnic: Fix missing brackets in init_sub_crq_irqs
        ibmvnic: Fix releasing of sub-CRQ IRQs in interrupt context
        Revert "ibmvnic: Fix releasing of sub-CRQ IRQs in interrupt context"
        arch/powerpc: Update parameters for csum_tcpudp_magic & csum_tcpudp_nofold
        net/mlx4_en: Save slave ethtool stats command
        net/mlx4_en: Fix potential deadlock in port statistics flow
        net/mlx4: Fix firmware command timeout during interrupt test
        net/mlx4_core: Do not access comm channel if it has not yet been initialized
        net/mlx4_en: Fix panic during reboot
        net/mlx4_en: Process all completions in RX rings after port goes up
        net/mlx4_en: Resolve dividing by zero in 32-bit system
        net/mlx4_core: Change the default value of enable_qos
        net/mlx4_core: Avoid setting ports to auto when only one port type is supported
        net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW spec
        ...
      2a26d99b
    • pravin shelar's avatar
      geneve: avoid using stale geneve socket. · fceb9c3e
      pravin shelar authored
      This patch is similar to earlier vxlan patch.
      Geneve device close operation frees geneve socket. This
      operation can race with geneve-xmit function which
      dereferences geneve socket. Following patch uses RCU
      mechanism to avoid this situation.
      Signed-off-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Acked-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fceb9c3e
    • pravin shelar's avatar
      vxlan: avoid using stale vxlan socket. · c6fcc4fc
      pravin shelar authored
      When vxlan device is closed vxlan socket is freed. This
      operation can race with vxlan-xmit function which
      dereferences vxlan socket. Following patch uses RCU
      mechanism to avoid this situation.
      Signed-off-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6fcc4fc
    • Mintz, Yuval's avatar
      qede: Fix out-of-bound fastpath memory access · 087892d2
      Mintz, Yuval authored
      Driver allocates a shadow array for transmitted SKBs with X entries;
      That means valid indices are {0,...,X - 1}. [X == 8191]
      Problem is the driver also uses X as a mask for a
      producer/consumer in order to choose the right entry in the
      array which allows access to entry X which is out of bounds.
      
      To fix this, simply allocate X + 1 entries in the shadow array.
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      087892d2
  6. 29 Oct, 2016 3 commits
    • Roger Quadros's avatar
      net: phy: dp83848: add dp83822 PHY support · 30347834
      Roger Quadros authored
      This PHY has a compatible register set with DP83848x so
      add support for it.
      Acked-by: default avatarAndrew F. Davis <afd@ti.com>
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30347834
    • Govindarajulu Varadarajan's avatar
      enic: fix rq disable · 9fe1c98a
      Govindarajulu Varadarajan authored
      When MTU is changed from 9000 to 1500 while there is burst of inbound 9000
      bytes packets, adaptor sometimes delivers 9000 bytes packets to 1500 bytes
      buffers. This causes memory corruption and sometimes crash.
      
      This is because of a race condition in adaptor between "RQ disable"
      clearing descriptor mini-cache and mini-cache valid bit being set by
      completion of descriptor fetch. This can result in stale RQ desc being
      cached and used when packets arrive. In this case, the stale descriptor
      have old MTU value.
      
      Solution is to write RQ->disable twice. The first write will stop any
      further desc fetches, allowing the second disable to clear the mini-cache
      valid bit without danger of a race.
      
      Also, the check for rq->running becoming 0 after writing rq->enable to 0
      is not done properly. When incoming packets are flooding the interface,
      rq->running will pulse high for each dropped packet. Since the driver was
      waiting for 10us between each poll, it is possible to see rq->running = 1
      1000 times in a row, even though it is not actually stuck running.
      This results in false failure of vnic_rq_disable(). Fix is to try more
      than 1000 time without delay between polls to ensure we do not miss when
      running goes low.
      
      In old adaptors rq->enable needs to be re-written to 0 when posted_index
      is reset in vnic_rq_clean() in order to keep rq->prefetch_index in sync.
      Signed-off-by: default avatarGovindarajulu Varadarajan <_govind@gmx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9fe1c98a
    • Jon Paul Maloy's avatar
      tipc: fix broadcast link synchronization problem · 06bd2b1e
      Jon Paul Maloy authored
      In commit 2d18ac4b ("tipc: extend broadcast link initialization
      criteria") we tried to fix a problem with the initial synchronization
      of broadcast link acknowledge values. Unfortunately that solution is
      not sufficient to solve the issue.
      
      We have seen it happen that LINK_PROTOCOL/STATE packets with a valid
      non-zero unicast acknowledge number may bypass BCAST_PROTOCOL
      initialization, NAME_DISTRIBUTOR and other STATE packets with invalid
      broadcast acknowledge numbers, leading to premature opening of the
      broadcast link. When the bypassed packets finally arrive, they are
      inadvertently accepted, and the already correctly initialized
      acknowledge number in the broadcast receive link is overwritten by
      the invalid (zero) value of the said packets. After this the broadcast
      link goes stale.
      
      We now fix this by marking the packets where we know the acknowledge
      value is or may be invalid, and then ignoring the acks from those.
      
      To this purpose, we claim an unused bit in the header to indicate that
      the value is invalid. We set the bit to 1 in the initial BCAST_PROTOCOL
      synchronization packet and all initial ("bulk") NAME_DISTRIBUTOR
      packets, plus those LINK_PROTOCOL packets sent out before the broadcast
      links are fully synchronized.
      
      This minor protocol update is fully backwards compatible.
      Reported-by: default avatarJohn Thompson <thompa.atl@gmail.com>
      Tested-by: default avatarJohn Thompson <thompa.atl@gmail.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      06bd2b1e