1. 11 May, 2018 7 commits
    • Roman Mashak's avatar
      net sched actions: fix invalid pointer dereferencing if skbedit flags missing · af5d0184
      Roman Mashak authored
      When application fails to pass flags in netlink TLV for a new skbedit action,
      the kernel results in the following oops:
      
      [    8.307732] BUG: unable to handle kernel paging request at 0000000000021130
      [    8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
      [    8.310595] Oops: 0000 [#1] SMP PTI
      [    8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
      [    8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
      [    8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
      [    8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
      [    8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
      [    8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
      [    8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
      [    8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
      [    8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
      [    8.325590] FS:  00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
      [    8.327001] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
      [    8.329289] Call Trace:
      [    8.329735]  tcf_skbedit_init+0xa7/0xb0
      [    8.330423]  tcf_action_init_1+0x362/0x410
      [    8.331139]  ? try_to_wake_up+0x44/0x430
      [    8.331817]  tcf_action_init+0x103/0x190
      [    8.332511]  tc_ctl_action+0x11a/0x220
      [    8.333174]  rtnetlink_rcv_msg+0x23d/0x2e0
      [    8.333902]  ? _cond_resched+0x16/0x40
      [    8.334569]  ? __kmalloc_node_track_caller+0x5b/0x2c0
      [    8.335440]  ? rtnl_calcit.isra.31+0xf0/0xf0
      [    8.336178]  netlink_rcv_skb+0xdb/0x110
      [    8.336855]  netlink_unicast+0x167/0x220
      [    8.337550]  netlink_sendmsg+0x2a7/0x390
      [    8.338258]  sock_sendmsg+0x30/0x40
      [    8.338865]  ___sys_sendmsg+0x2c5/0x2e0
      [    8.339531]  ? pagecache_get_page+0x27/0x210
      [    8.340271]  ? filemap_fault+0xa2/0x630
      [    8.340943]  ? page_add_file_rmap+0x108/0x200
      [    8.341732]  ? alloc_set_pte+0x2aa/0x530
      [    8.342573]  ? finish_fault+0x4e/0x70
      [    8.343332]  ? __handle_mm_fault+0xbc1/0x10d0
      [    8.344337]  ? __sys_sendmsg+0x53/0x80
      [    8.345040]  __sys_sendmsg+0x53/0x80
      [    8.345678]  do_syscall_64+0x4f/0x100
      [    8.346339]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [    8.347206] RIP: 0033:0x7f591191da67
      [    8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [    8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
      [    8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
      [    8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
      [    8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
      [    8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
      [    8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
      00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
      74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
      [    8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
      [    8.359770] CR2: 0000000000021130
      [    8.360438] ---[ end trace 60c66be45dfc14f0 ]---
      
      The caller calls action's ->init() and passes pointer to "struct tc_action *a",
      which later may be initialized to point at the existing action, otherwise
      "struct tc_action *a" is still invalid, and therefore dereferencing it is an
      error as happens in tcf_idr_release, where refcnt is decremented.
      
      So in case of missing flags tcf_idr_release must be called only for
      existing actions.
      
      v2:
          - prepare patch for net tree
      
      Fixes: 5e1567ae ("net sched: skbedit action fix late binding")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af5d0184
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2018-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 5ae4bbf7
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2018-05-10
      
      the following series includes some fixes for mlx5 core driver.
      Please pull and let me know if there's any problem.
      
      For -stable v4.5
      ("net/mlx5: E-Switch, Include VF RDMA stats in vport statistics")
      
      For -stable v4.10
      ("net/mlx5e: Err if asked to offload TC match on frag being first")
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ae4bbf7
    • Andrey Ignatov's avatar
      ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg · 1b97013b
      Andrey Ignatov authored
      Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed
      earlier in 91948309.
      
      * udp_sendmsg one was there since the beginning when linux sources were
        first added to git;
      * ping_v4_sendmsg one was copy/pasted in c319b4d7.
      
      Whenever return happens in udp_sendmsg() or ping_v4_sendmsg() IP options
      have to be freed if they were allocated previously.
      
      Add label so that future callers (if any) can use it instead of kfree()
      before return that is easy to forget.
      
      Fixes: c319b4d7 (net: ipv4: add IPPROTO_ICMP socket kind)
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b97013b
    • Christophe JAILLET's avatar
      mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' · 8ccc1131
      Christophe JAILLET authored
      Resources are not freed in the reverse order of the allocation.
      Labels are also mixed-up.
      
      Fix it and reorder code and labels in the error handling path of
      'mlxsw_core_bus_device_register()'
      
      Fixes: ef3116e5 ("mlxsw: spectrum: Register KVD resources with devlink")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ccc1131
    • David S. Miller's avatar
      Merge branch 'bonding-bug-fixes-and-regressions' · 89dd2e75
      David S. Miller authored
      Debabrata Banerjee says:
      
      ====================
      bonding: bug fixes and regressions
      
      Fixes to bonding driver for balance-alb mode, suitable for stable.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89dd2e75
    • Debabrata Banerjee's avatar
      bonding: send learning packets for vlans on slave · 21706ee8
      Debabrata Banerjee authored
      There was a regression at some point from the intended functionality of
      commit f60c3704 ("bonding: Fix alb mode to only use first level
      vlans.")
      
      Given the return value vlan_get_encap_level() we need to store the nest
      level of the bond device, and then compare the vlan's encap level to
      this. Without this, this check always fails and learning packets are
      never sent.
      
      In addition, this same commit caused a regression in the behavior of
      balance_alb, which requires learning packets be sent for all interfaces
      using the slave's mac in order to load balance properly. For vlan's
      that have not set a user mac, we can send after checking one bit.
      Otherwise we need send the set mac, albeit defeating rx load balancing
      for that vlan.
      Signed-off-by: default avatarDebabrata Banerjee <dbanerje@akamai.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21706ee8
    • Debabrata Banerjee's avatar
      bonding: do not allow rlb updates to invalid mac · 4fa8667c
      Debabrata Banerjee authored
      Make sure multicast, broadcast, and zero mac's cannot be the output of rlb
      updates, which should all be directed arps. Receive load balancing will be
      collapsed if any of these happen, as the switch will broadcast.
      Signed-off-by: default avatarDebabrata Banerjee <dbanerje@akamai.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4fa8667c
  2. 10 May, 2018 28 commits
  3. 09 May, 2018 1 commit
    • Heiner Kallweit's avatar
      r8169: fix powering up RTL8168h · 3148dedf
      Heiner Kallweit authored
      Since commit a92a0849 "r8169: improve runtime pm in general and
      suspend unused ports" interfaces w/o link are runtime-suspended after
      10s. On systems where drivers take longer to load this can lead to the
      situation that the interface is runtime-suspended already when it's
      initially brought up.
      This shouldn't be a problem because rtl_open() resumes MAC/PHY.
      However with at least one chip version the interface doesn't properly
      come up, as reported here:
      https://bugzilla.kernel.org/show_bug.cgi?id=199549
      
      The vendor driver uses a delay to give certain chip versions some
      time to resume before starting the PHY configuration. So let's do
      the same. I don't know which chip versions may be affected,
      therefore apply this delay always.
      
      This patch was reported to fix the issue for RTL8168h.
      I was able to reproduce the issue on an Asus H310I-Plus which also
      uses a RTL8168h. Also in my case the patch fixed the issue.
      Reported-by: default avatarSlava Kardakov <ojab@ojab.ru>
      Tested-by: default avatarSlava Kardakov <ojab@ojab.ru>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3148dedf
  4. 08 May, 2018 4 commits