1. 08 Jul, 2018 2 commits
  2. 07 Jul, 2018 28 commits
    • Merge branch 'net-sched-fix-NULL-dereference-in-goto-chain-control-action' · de508f8b
      David S. Miller authored
      Davide Caratti says:
      
      ====================
      net/sched: fix NULL dereference in 'goto chain' control action
      
      in a couple of TC actions (i.e. csum and tunnel_key), the control action
      is stored together with the action-specific configuration data.
      This avoids a race condition (see [1]), but it causes a crash when 'goto
      chain' is used with the above actions. Since this race condition is
      tolerated on the other TC actions (it's present even on actions where the
      spinlock is still used), storing the control action in the common area
      should be acceptable for tunnel_key and csum as well.
      
      [1] https://www.spinics.net/lists/netdev/msg472047.html
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used · 38230a3e
      Davide Caratti authored
      the control action in the common member of struct tcf_tunnel_key must be a
      valid value, as it can contain the chain index when 'goto chain' is used.
      Ensure that the control action can be read as x->tcfa_action, when x is a
      pointer to struct tc_action and x->ops->type is TCA_ACT_TUNNEL_KEY, to
      prevent the following command:
      
       # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
       > $tcflags dst_mac $h2mac action tunnel_key unset goto chain 1
      
      from causing a NULL dereference when a matching packet is received:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
       PGD 80000001097ac067 P4D 80000001097ac067 PUD 103b0a067 PMD 0
       Oops: 0000 [#1] SMP PTI
       CPU: 0 PID: 3491 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
       Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
       RIP: 0010:tcf_action_exec+0xb8/0x100
       Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
       RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
       RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
       RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
       RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
       R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
       R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
       FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
       Call Trace:
        <IRQ>
        fl_classify+0x1ad/0x1c0 [cls_flower]
        ? __update_load_avg_se.isra.47+0x1ca/0x1d0
        ? __update_load_avg_se.isra.47+0x1ca/0x1d0
        ? update_load_avg+0x665/0x690
        ? update_load_avg+0x665/0x690
        ? kmem_cache_alloc+0x38/0x1c0
        tcf_classify+0x89/0x140
        __netif_receive_skb_core+0x5ea/0xb70
        ? enqueue_entity+0xd0/0x270
        ? process_backlog+0x97/0x150
        process_backlog+0x97/0x150
        net_rx_action+0x14b/0x3e0
        __do_softirq+0xde/0x2b4
        do_softirq_own_stack+0x2a/0x40
        </IRQ>
        do_softirq.part.18+0x49/0x50
        __local_bh_enable_ip+0x49/0x50
        __dev_queue_xmit+0x4ab/0x8a0
        ? wait_woken+0x80/0x80
        ? packet_sendmsg+0x38f/0x810
        ? __dev_queue_xmit+0x8a0/0x8a0
        packet_sendmsg+0x38f/0x810
        sock_sendmsg+0x36/0x40
        __sys_sendto+0x10e/0x140
        ? do_vfs_ioctl+0xa4/0x630
        ? syscall_trace_enter+0x1df/0x2e0
        ? __audit_syscall_exit+0x22a/0x290
        __x64_sys_sendto+0x24/0x30
        do_syscall_64+0x5b/0x180
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7fd67e18dc93
       Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
       RSP: 002b:00007ffe0189b748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
       RAX: ffffffffffffffda RBX: 00000000020ca010 RCX: 00007fd67e18dc93
       RDX: 0000000000000062 RSI: 00000000020ca322 RDI: 0000000000000003
       RBP: 00007ffe0189b780 R08: 00007ffe0189b760 R09: 0000000000000014
       R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
       R13: 00000000020ca322 R14: 00007ffe0189b760 R15: 0000000000000003
       Modules linked in: act_tunnel_key act_gact cls_flower sch_ingress vrf veth act_csum(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm irqbypass snd_hda_intel crct10dif_pclmul crc32_pclmul hp_wmi ghash_clmulni_intel pcbc snd_hda_codec aesni_intel sparse_keymap rfkill snd_hda_core snd_hwdep snd_seq crypto_simd iTCO_wdt gpio_ich iTCO_vendor_support wmi_bmof cryptd mei_wdt glue_helper snd_seq_device snd_pcm pcspkr snd_timer snd i2c_i801 lpc_ich sg soundcore wmi mei_me
        mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom i915 video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci crc32c_intel libahci serio_raw sfc libata mtd drm ixgbe mdio i2c_core e1000e dca
       CR2: 0000000000000000
       ---[ end trace 1ab8b5b5d4639dfc ]---
       RIP: 0010:tcf_action_exec+0xb8/0x100
       Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
       RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
       RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
       RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
       RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
       R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
       R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
       FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
       Kernel panic - not syncing: Fatal exception in interrupt
       Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fixes: d0f6dd8a ("net/sched: Introduce act_tunnel_key")
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/sched: act_csum: fix NULL dereference when 'goto chain' is used · 11a245e2
      Davide Caratti authored
      the control action in the common member of struct tcf_csum must be a valid
      value, as it can contain the chain index when 'goto chain' is used. Ensure
      that the control action can be read as x->tcfa_action, when x is a pointer
      to struct tc_action and x->ops->type is TCA_ACT_CSUM, to prevent the
      following command:
      
        # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
        > $tcflags dst_mac $h2mac action csum ip or tcp or udp or sctp goto chain 1
      
      from triggering a NULL pointer dereference when a matching packet is
      received.
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
       PGD 800000010416b067 P4D 800000010416b067 PUD 1041be067 PMD 0
       Oops: 0000 [#1] SMP PTI
       CPU: 0 PID: 3072 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
       Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
       RIP: 0010:tcf_action_exec+0xb8/0x100
       Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
       RSP: 0018:ffffa020dea03c40 EFLAGS: 00010246
       RAX: 0000000020000001 RBX: ffffa020d7ccef00 RCX: 0000000000000054
       RDX: 0000000000000000 RSI: ffffa020ca5ae000 RDI: ffffa020d7ccef00
       RBP: ffffa020dea03e60 R08: 0000000000000000 R09: ffffa020dea03c9c
       R10: ffffa020dea03c78 R11: 0000000000000008 R12: ffffa020d3fe4f00
       R13: ffffa020d3fe4f08 R14: 0000000000000001 R15: ffffa020d53ca300
       FS:  00007f5a46942740(0000) GS:ffffa020dea00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 0000000104218002 CR4: 00000000001606f0
       Call Trace:
        <IRQ>
        fl_classify+0x1ad/0x1c0 [cls_flower]
        ? arp_rcv+0x121/0x1b0
        ? __x2apic_send_IPI_dest+0x40/0x40
        ? smp_reschedule_interrupt+0x1c/0xd0
        ? reschedule_interrupt+0xf/0x20
        ? reschedule_interrupt+0xa/0x20
        ? device_is_rmrr_locked+0xe/0x50
        ? iommu_should_identity_map+0x49/0xd0
        ? __intel_map_single+0x30/0x140
        ? e1000e_update_rdt_wa.isra.52+0x22/0xb0 [e1000e]
        ? e1000_alloc_rx_buffers+0x233/0x250 [e1000e]
        ? kmem_cache_alloc+0x38/0x1c0
        tcf_classify+0x89/0x140
        __netif_receive_skb_core+0x5ea/0xb70
        ? enqueue_task_fair+0xb6/0x7d0
        ? process_backlog+0x97/0x150
        process_backlog+0x97/0x150
        net_rx_action+0x14b/0x3e0
        __do_softirq+0xde/0x2b4
        do_softirq_own_stack+0x2a/0x40
        </IRQ>
        do_softirq.part.18+0x49/0x50
        __local_bh_enable_ip+0x49/0x50
        __dev_queue_xmit+0x4ab/0x8a0
        ? wait_woken+0x80/0x80
        ? packet_sendmsg+0x38f/0x810
        ? __dev_queue_xmit+0x8a0/0x8a0
        packet_sendmsg+0x38f/0x810
        sock_sendmsg+0x36/0x40
        __sys_sendto+0x10e/0x140
        ? do_vfs_ioctl+0xa4/0x630
        ? syscall_trace_enter+0x1df/0x2e0
        ? __audit_syscall_exit+0x22a/0x290
        __x64_sys_sendto+0x24/0x30
        do_syscall_64+0x5b/0x180
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7f5a45cbec93
       Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
       RSP: 002b:00007ffd0ee6d748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
       RAX: ffffffffffffffda RBX: 0000000001161010 RCX: 00007f5a45cbec93
       RDX: 0000000000000062 RSI: 0000000001161322 RDI: 0000000000000003
       RBP: 00007ffd0ee6d780 R08: 00007ffd0ee6d760 R09: 0000000000000014
       R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
       R13: 0000000001161322 R14: 00007ffd0ee6d760 R15: 0000000000000003
       Modules linked in: act_csum act_gact cls_flower sch_ingress vrf veth act_tunnel_key(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_codec_hdmi snd_hda_codec_realtek kvm snd_hda_codec_generic hp_wmi iTCO_wdt sparse_keymap rfkill mei_wdt iTCO_vendor_support wmi_bmof gpio_ich irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel snd_hda_intel crypto_simd cryptd snd_hda_codec glue_helper snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm pcspkr i2c_i801 snd_timer snd sg lpc_ich soundcore wmi mei_me
        mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sr_mod cdrom sd_mod ahci libahci crc32c_intel i915 ixgbe serio_raw libata video dca i2c_algo_bit sfc drm_kms_helper syscopyarea mtd sysfillrect mdio sysimgblt fb_sys_fops drm e1000e i2c_core
       CR2: 0000000000000000
       ---[ end trace 3c9e9d1a77df4026 ]---
       RIP: 0010:tcf_action_exec+0xb8/0x100
       Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
       RSP: 0018:ffffa020dea03c40 EFLAGS: 00010246
       RAX: 0000000020000001 RBX: ffffa020d7ccef00 RCX: 0000000000000054
       RDX: 0000000000000000 RSI: ffffa020ca5ae000 RDI: ffffa020d7ccef00
       RBP: ffffa020dea03e60 R08: 0000000000000000 R09: ffffa020dea03c9c
       R10: ffffa020dea03c78 R11: 0000000000000008 R12: ffffa020d3fe4f00
       R13: ffffa020d3fe4f08 R14: 0000000000000001 R15: ffffa020d53ca300
       FS:  00007f5a46942740(0000) GS:ffffa020dea00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000000 CR3: 0000000104218002 CR4: 00000000001606f0
       Kernel panic - not syncing: Fatal exception in interrupt
       Kernel Offset: 0x26400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fixes: 9c5f69bb ("net/sched: act_csum: don't use spinlock in the fast path")
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: macb: Allocate valid memory for TX and RX BD prefetch · 404cd086
      Harini Katakam authored
      GEM version in ZynqMP and most versions greater than r1p07 supports
      TX and RX BD prefetch. The number of BDs that can be prefetched is a
      HW configurable parameter. For ZynqMP, this parameter is 4.
      
      When GEM DMA is accessing the last BD in the ring, even before the
      BD is processed and the WRAP bit is noticed, it will have prefetched
      BDs outside the BD ring. These will not be processed but it is
      necessary to have accessible memory after the last BD. Especially
      in cases where SMMU is used, memory locations immediately after the
      last BD may not have translation tables triggering HRESP errors. Hence
      always allocate extra BDs to accommodate for prefetch.
      The value of tx/rx bd prefetch for any given SoC version is:
      2 ^ (corresponding field in design config 10 register).
      (value of this field >= 1)
      
      Added a capability flag so that older IP versions that do not have
      DCFG10 or this prefetch capability are not affected.
      Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
      Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: macb: Free RX ring for all queues · e50b770e
      Harini Katakam authored
      rx ring is allocated for all queues in macb_alloc_consistent.
      Free the same for all queues instead of just Q0.
      Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
      Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: reduce sock_put() for fallback sockets · e1bbdd57
      Ursula Braun authored
      smc_release() calls a sock_put() for smc fallback sockets to cover
      the passive closing sock_hold() in __smc_connect() and
      smc_tcp_listen_work(). This does not make sense for sockets in state
      SMC_LISTEN and SMC_INIT.
      An SMC socket stays in state SMC_INIT if connect fails. The sock_put
      in smc_connect_abort() does not cover all failures. Move it into
      smc_connect_decline_fallback().
      
      Fixes: ee9dfbef ("net/smc: handle sockopts forcing fallback")
      Reported-by: syzbot+3a0748c8f2f210c0ef9b@syzkaller.appspotmail.com
      Reported-by: syzbot+9e60d2428a42049a592a@syzkaller.appspotmail.com
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bridge: fix br_vlan_get_{pvid,info} return values · 000244d3
      Arnd Bergmann authored
      These two functions return the regular -EINVAL failure in the normal
      code path, but return a nonstandard '-1' error otherwise, which gets
      interpreted as -EPERM.
      
      Let's change it to -EINVAL for the dummy functions as well.
      
      Fixes: 4d4fd361 ("net: bridge: Publish bridge accessor functions")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: assume flash part size to be 4MB, if it can't be determined · 843789f6
      Casey Leedom authored
      t4_get_flash_params() fails in a fatal fashion if the FLASH part isn't
      one of the recognized parts. But this leads to desperate efforts to update
      drivers when various FLASH parts which we are using suddenly become
      unavailable and we need to substitute new FLASH parts.  This has led to
      more than one Customer Field Emergency when a Customer has an old driver
      and suddenly can't use newly shipped adapters.
      
      This commit fixes this by simply assuming that the FLASH part is 4MB in
      size if it can't be identified. Note that all Chelsio adapters will have
      flash parts which are at least 4MB in size.
      Signed-off-by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'tipc-dad-fixes' · 7f978e85
      David S. Miller authored
      Jon Maloy says:
      
      ====================
      tipc: fixes in duplicate address discovery function
      
      commit 25b0b9c4 ("tipc: handle collisions of 32-bit node address
      hash values") introduced new functionality that has turned out to
      contain several bugs and weaknesses.
      
      We address those in this series.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: make function tipc_net_finalize() thread safe · 9faa89d4
      Jon Maloy authored
      The setting of the node address is not thread safe, meaning that
      two discoverers may decide to set it simultaneously, with a duplicate
      entry in the name table as result. We fix that with this commit.
      
      Fixes: 25b0b9c4 ("tipc: handle collisions of 32-bit node address hash values")
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix correct setting of message type in second discoverer · 92018c7c
      Jon Maloy authored
      The duplicate address discovery protocol is not safe against two
      discoverers running in parallel. The one executing first after the
      trial period is over will set the node address and change its own
      message type to DSC_REQ_MSG. The one executing last may find that the
      node address is already set, and never change message type, with the
      result that its links may never be established.
      
      In this commit we ensure that the message type always is set correctly
      after the trial period is over.
      
      Fixes: 25b0b9c4 ("tipc: handle collisions of 32-bit node address hash values")
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: correct discovery message handling during address trial period · e415577f
      Jon Maloy authored
      With the duplicate address discovery protocol for tipc nodes addresses
      we introduced a one second trial period before a node is allocated a
      hash number to use as address.
      
      Unfortunately, we miss to handle the case when a regular LINK REQUEST/
      RESPONSE arrives from a cluster node during the trial period. Such
      messages are not ignored as they should be, leading to links setup
      attempts while the node still has no address.
      
      Fixes: 25b0b9c4 ("tipc: handle collisions of 32-bit node address hash values")
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix wrong return value from function tipc_node_try_addr() · 2a57f182
      Jon Maloy authored
      The function for checking if there is a node address conflict is
      supposed to return a suggestion for a new address if it finds a
      conflict, and zero otherwise. But in case the peer being checked
      is previously unknown it does instead return a "suggestion" for
      the checked address itself. This results in a DSC_TRIAL_FAIL_MSG
      being sent unnecessarily to the peer, and sometimes makes the trial
      period starting over again.
      
      Fixes: 25b0b9c4 ("tipc: handle collisions of 32-bit node address hash values")
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'ravb-sh_eth-fix-sleep-in-atomic-by-reusing-shared-ethtool-handlers' · 0f62aeec
      David S. Miller authored
      Vladimir Zapolskiy says:
      
      ====================
      ravb/sh_eth: fix sleep in atomic by reusing shared ethtool handlers
      
      For ages trivial changes to RAVB and SuperH ethernet links by means of
      standard 'ethtool' trigger a 'sleeping function called from invalid
      context' bug, to visualize it on r8a7795 ULCB:
      
        % ethtool -r eth0
        BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
        in_atomic(): 1, irqs_disabled(): 128, pid: 554, name: ethtool
        INFO: lockdep is turned off.
        irq event stamp: 0
        hardirqs last  enabled at (0): [<0000000000000000>]           (null)
        hardirqs last disabled at (0): [<ffff0000080e1d3c>] copy_process.isra.7.part.8+0x2cc/0x1918
        softirqs last  enabled at (0): [<ffff0000080e1d3c>] copy_process.isra.7.part.8+0x2cc/0x1918
        softirqs last disabled at (0): [<0000000000000000>]           (null)
        CPU: 5 PID: 554 Comm: ethtool Not tainted 4.17.0-rc4-arm64-renesas+ #33
        Hardware name: Renesas H3ULCB board based on r8a7795 ES2.0+ (DT)
        Call trace:
         dump_backtrace+0x0/0x198
         show_stack+0x24/0x30
         dump_stack+0xb8/0xf4
         ___might_sleep+0x1c8/0x1f8
         __might_sleep+0x58/0x90
         __mutex_lock+0x50/0x890
         mutex_lock_nested+0x3c/0x50
         phy_start_aneg_priv+0x38/0x180
         phy_start_aneg+0x24/0x30
         ravb_nway_reset+0x3c/0x68
         dev_ethtool+0x3dc/0x2338
         dev_ioctl+0x19c/0x490
         sock_do_ioctl+0xe0/0x238
         sock_ioctl+0x254/0x460
         do_vfs_ioctl+0xb0/0x918
         ksys_ioctl+0x50/0x80
         sys_ioctl+0x34/0x48
         __sys_trace_return+0x0/0x4
      
      The root cause is that an attempt to modify ECMR and GECMR registers
      only when RX/TX function is disabled was too overcomplicated in its
      original implementation, also processing of an optional Link Change
      interrupt added even more complexity, as a result the implementation
      was error prone.
      
      The new locking scheme is confirmed to be correct by dumping driver
      specific and generic PHY framework function calls with aid of ftrace
      while running more or less advanced tests.
      
      Please note that sh_eth patches from the series were built-tested only.
      
      On purpose I do not add Fixes tags, the reused PHY handlers were added
      way later than the fixed problems were firstly found in the drivers.
      
      Changes from v1 to v2:
      * the original patches are split to bugfixes and enhancements only,
        both v1 and v2 series are absolutely equal in total, thus I omit
        description of changes in individual patches,
      * the latter implies that there should be no strict need for retesting,
        but because formally two series are different, I have to drop the tags
        given by Geert and Andrew, please send your tags again.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: remove custom .set_link_ksettings from ethtool ops · 44f3d558
      Vladimir Zapolskiy authored
      The generic phy_ethtool_set_link_ksettings() function from phylib can
      be used instead of in-house ravb_set_link_ksettings().
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: remove custom .get_link_ksettings from ethtool ops · 468e40b5
      Vladimir Zapolskiy authored
      The generic phy_ethtool_get_link_ksettings() function from phylib can be
      used instead of in-house ravb_get_link_ksettings().
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: remove useless serialization in ravb_get_link_ksettings() · efdf7511
      Vladimir Zapolskiy authored
      phy_ethtool_ksettings_get() call does not modify device state or device
      driver state, hence there is no need to utilize a driver specific
      spinlock.
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: remove custom .nway_reset from ethtool ops · eeb07284
      Vladimir Zapolskiy authored
      The generic phy_ethtool_nway_reset() function from phylib can be used
      instead of in-house ravb_nway_reset().
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: simplify link auto-negotiation by ethtool · 2a150c50
      Vladimir Zapolskiy authored
      There is no need to call a heavyweight phy_start_aneg() for phy
      auto-negotiation by ethtool, the phy is already initialized and
      link auto-negotiation is started by calling phy_start() from
      ravb_phy_start() when a network device is opened.
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: fix invalid context bug while changing link options by ethtool · 05925e52
      Vladimir Zapolskiy authored
      The change fixes sleep in atomic context bug, which is encountered
      every time when link settings are changed by ethtool.
      
      Since commit 35b5f6b1 ("PHYLIB: Locking fixes for PHY I/O
      potentially sleeping") phy_start_aneg() function utilizes a mutex
      to serialize changes to phy state, however that helper function is
      called in atomic context under a grabbed spinlock, because
      phy_start_aneg() is called by phy_ethtool_ksettings_set() and by
      replaced phy_ethtool_sset() helpers from phylib.
      
      Now duplex mode setting is enforced in ravb_adjust_link() only, also
      now RX/TX is disabled when link is put down or modifications to E-MAC
      registers ECMR and GECMR are expected for both cases of checked and
      ignored link status pin state from E-MAC interrupt handler.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: fix invalid context bug while calling auto-negotiation by ethtool · 0973a4dd
      Vladimir Zapolskiy authored
      Since commit 35b5f6b1 ("PHYLIB: Locking fixes for PHY I/O
      potentially sleeping") phy_start_aneg() function utilizes a mutex
      to serialize changes to phy state, however the helper function is
      called in atomic context.
      
      The bug can be reproduced by running "ethtool -r" command, the bug
      is reported if CONFIG_DEBUG_ATOMIC_SLEEP build option is enabled.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: remove custom .set_link_ksettings from ethtool ops · 6783f50e
      Vladimir Zapolskiy authored
      The generic phy_ethtool_set_link_ksettings() function from phylib can
      be used instead of in-house sh_eth_set_link_ksettings().
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: remove custom .get_link_ksettings from ethtool ops · 45abbd43
      Vladimir Zapolskiy authored
      The generic phy_ethtool_get_link_ksettings() function from phylib can be
      used instead of in-house sh_eth_get_link_ksettings().
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: remove useless serialization in sh_eth_get_link_ksettings() · f3146f37
      Vladimir Zapolskiy authored
      phy_ethtool_ksettings_get() call does not modify device state or device
      driver state, hence there is no need to utilize a driver specific
      spinlock.
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: remove custom .nway_reset from ethtool ops · 4c10628a
      Vladimir Zapolskiy authored
      The generic phy_ethtool_nway_reset() function from phylib can be used
      instead of in-house sh_eth_nway_reset().
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: simplify link auto-negotiation by ethtool · e0afa103
      Vladimir Zapolskiy authored
      There is no need to call a heavyweight phy_start_aneg() for phy
      auto-negotiation by ethtool, the phy is already initialized and
      link auto-negotiation is started by calling phy_start() from
      sh_eth_phy_start() when a network device is opened.
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: fix invalid context bug while changing link options by ethtool · 5cb3f52a
      Vladimir Zapolskiy authored
      The change fixes sleep in atomic context bug, which is encountered
      every time when link settings are changed by ethtool.
      
      Since commit 35b5f6b1 ("PHYLIB: Locking fixes for PHY I/O
      potentially sleeping") phy_start_aneg() function utilizes a mutex
      to serialize changes to phy state, however that helper function is
      called in atomic context under a grabbed spinlock, because
      phy_start_aneg() is called by phy_ethtool_ksettings_set() and by
      replaced phy_ethtool_sset() helpers from phylib.
      
      Now duplex mode setting is enforced in sh_eth_adjust_link() only,
      also now RX/TX is disabled when link is put down or modifications
      to E-MAC registers ECMR and GECMR are expected for both cases of
      checked and ignored link status pin state from E-MAC interrupt handler.
      
      For reference the change is a partial rework of commit 1e1b812b
      ("sh_eth: fix handling of no LINK signal").
      
      Fixes: dc19e4e5 ("sh: sh_eth: Add support ethtool")
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: fix invalid context bug while calling auto-negotiation by ethtool · 53a710b5
      Vladimir Zapolskiy authored
      Since commit 35b5f6b1 ("PHYLIB: Locking fixes for PHY I/O
      potentially sleeping") phy_start_aneg() function utilizes a mutex
      to serialize changes to phy state, however the helper function is
      called in atomic context.
      
      The bug can be reproduced by running "ethtool -r" command, the bug
      is reported if CONFIG_DEBUG_ATOMIC_SLEEP build option is enabled.
      
      Fixes: dc19e4e5 ("sh: sh_eth: Add support ethtool")
      Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 06 Jul, 2018 4 commits
  4. 05 Jul, 2018 6 commits
    • qmi_wwan: add support for Quectel EG91 · 38cd58ed
      Matevz Vucnik authored
      This adds the USB id of LTE modem Quectel EG91. It requires the
      same quirk as other Quectel modems to make it work.
      Signed-off-by: Matevz Vucnik <vucnikm@gmail.com>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'qrtr-Broadcasting-control-messages' · 16fd5d53
      David S. Miller authored
      Arun Kumar Neelakantam says:
      
      ====================
      net: qrtr: Broadcasting control messages
      
      Allow messages only from control port to broadcast to avoid unnecessary
      messages and reset the node to local router NODE ID in control messages,
      otherwise remote routers consider the packets as invalid and drop them.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qrtr: Reset the node and port ID of broadcast messages · d27e77a3
      Arun Kumar Neelakantam authored
      All the control messages broadcast to remote routers are using
      QRTR_NODE_BCAST instead of using local router NODE ID, which causes
      the packets to be dropped on remote router due to invalid NODE ID.
      Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qrtr: Broadcast messages only from control port · fdf5fd39
      Arun Kumar Neelakantam authored
      The broadcast node id should only be sent with the control port id.
      Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: make ipv6_renew_options() interrupt/kernel safe · a9ba23d4
      Paul Moore authored
      At present the ipv6_renew_options_kern() function ends up calling into
      access_ok() which is problematic if done from inside an interrupt as
      access_ok() calls WARN_ON_IN_IRQ() on some (all?) architectures
      (x86-64 is affected).  Example warning/backtrace is shown below:
      
       WARNING: CPU: 1 PID: 3144 at lib/usercopy.c:11 _copy_from_user+0x85/0x90
       ...
       Call Trace:
        <IRQ>
        ipv6_renew_option+0xb2/0xf0
        ipv6_renew_options+0x26a/0x340
        ipv6_renew_options_kern+0x2c/0x40
        calipso_req_setattr+0x72/0xe0
        netlbl_req_setattr+0x126/0x1b0
        selinux_netlbl_inet_conn_request+0x80/0x100
        selinux_inet_conn_request+0x6d/0xb0
        security_inet_conn_request+0x32/0x50
        tcp_conn_request+0x35f/0xe00
        ? __lock_acquire+0x250/0x16c0
        ? selinux_socket_sock_rcv_skb+0x1ae/0x210
        ? tcp_rcv_state_process+0x289/0x106b
        tcp_rcv_state_process+0x289/0x106b
        ? tcp_v6_do_rcv+0x1a7/0x3c0
        tcp_v6_do_rcv+0x1a7/0x3c0
        tcp_v6_rcv+0xc82/0xcf0
        ip6_input_finish+0x10d/0x690
        ip6_input+0x45/0x1e0
        ? ip6_rcv_finish+0x1d0/0x1d0
        ipv6_rcv+0x32b/0x880
        ? ip6_make_skb+0x1e0/0x1e0
        __netif_receive_skb_core+0x6f2/0xdf0
        ? process_backlog+0x85/0x250
        ? process_backlog+0x85/0x250
        ? process_backlog+0xec/0x250
        process_backlog+0xec/0x250
        net_rx_action+0x153/0x480
        __do_softirq+0xd9/0x4f7
        do_softirq_own_stack+0x2a/0x40
        </IRQ>
        ...
      
      While not present in the backtrace, ipv6_renew_option() ends up calling
      access_ok() via the following chain:
      
        access_ok()
        _copy_from_user()
        copy_from_user()
        ipv6_renew_option()
      
      The fix presented in this patch is to perform the userspace copy
      earlier in the call chain such that it is only called when the option
      data is actually coming from userspace; that place is
      do_ipv6_setsockopt().  Not only does this solve the problem seen in
      the backtrace above, it also allows us to simplify the code quite a
      bit by removing ipv6_renew_options_kern() completely.  We also take
      this opportunity to clean up ipv6_renew_options()/ipv6_renew_option()
      a small amount as well.
      
      This patch is heavily based on a rough patch by Al Viro.  I've taken
      his original patch, converted a kmemdup() call in do_ipv6_setsockopt()
      to a memdup_user() call, made better use of the e_inval jump target in
      the same function, and cleaned up the use of ipv6_renew_option() by
      ipv6_renew_options().
      
      CC: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: off by one in qed_parse_mcp_trace_buf() · 0df8adbb
      Dan Carpenter authored
      If format_idx == s_mcp_trace_meta.formats_num then we read one element
      beyond the end of the s_mcp_trace_meta.formats[] array.
      
      Fixes: 50bc60cb ("qed*: Utilize FW 8.33.11.0")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Tomer Tayar <Tomer.Tayar@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>