1. 15 Mar, 2021 1 commit
    • Xie He's avatar
      net: hdlc_x25: Prevent racing between "x25_close" and "x25_xmit"/"x25_rx" · bf0ffea3
      Xie He authored
      "x25_close" is called by "hdlc_close" in "hdlc.c", which is called by
      hardware drivers' "ndo_stop" function.
      "x25_xmit" is called by "hdlc_start_xmit" in "hdlc.c", which is hardware
      drivers' "ndo_start_xmit" function.
      "x25_rx" is called by "hdlc_rcv" in "hdlc.c", which receives HDLC frames
      from "net/core/dev.c".
      
      "x25_close" races with "x25_xmit" and "x25_rx" because their callers race.
      
      However, we need to ensure that the LAPB APIs called in "x25_xmit" and
      "x25_rx" are called before "lapb_unregister" is called in "x25_close".
      
      This patch adds locking to ensure when "x25_xmit" and "x25_rx" are doing
      their work, "lapb_unregister" is not yet called in "x25_close".
      
      Reasons for not solving the racing between "x25_close" and "x25_xmit" by
      calling "netif_tx_disable" in "x25_close":
      1. We still need to solve the racing between "x25_close" and "x25_rx";
      2. The design of the HDLC subsystem assumes the HDLC hardware drivers
      have full control over the TX queue, and the HDLC protocol drivers (like
      this driver) have no control. Controlling the queue here in the protocol
      driver may interfere with hardware drivers' control of the queue.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXie He <xie.he.0141@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf0ffea3
  2. 14 Mar, 2021 4 commits
    • Alexander Lobakin's avatar
      flow_dissector: fix byteorder of dissected ICMP ID · a25f8222
      Alexander Lobakin authored
      flow_dissector_key_icmp::id is of type u16 (CPU byteorder),
      ICMP header has its ID field in network byteorder obviously.
      Sparse says:
      
      net/core/flow_dissector.c:178:43: warning: restricted __be16 degrades to integer
      
      Convert ID value to CPU byteorder when storing it into
      flow_dissector_key_icmp.
      
      Fixes: 5dec597e ("flow_dissector: extract more ICMP information")
      Signed-off-by: default avatarAlexander Lobakin <alobakin@pm.me>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a25f8222
    • Eric Dumazet's avatar
      net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() · 50535249
      Eric Dumazet authored
      struct sockaddr_qrtr has a 2-byte hole, and qrtr_recvmsg() currently
      does not clear it before copying kernel data to user space.
      
      It might be too late to name the hole since sockaddr_qrtr structure is uapi.
      
      BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
      CPU: 0 PID: 29705 Comm: syz-executor.3 Not tainted 5.11.0-rc7-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x21c/0x280 lib/dump_stack.c:120
       kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
       kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402
       kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       _copy_to_user+0x1ac/0x270 lib/usercopy.c:33
       copy_to_user include/linux/uaccess.h:209 [inline]
       move_addr_to_user+0x3a2/0x640 net/socket.c:237
       ____sys_recvmsg+0x696/0xd50 net/socket.c:2575
       ___sys_recvmsg net/socket.c:2610 [inline]
       do_recvmmsg+0xa97/0x22d0 net/socket.c:2710
       __sys_recvmmsg net/socket.c:2789 [inline]
       __do_sys_recvmmsg net/socket.c:2812 [inline]
       __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2805
       __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2805
       do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x465f69
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f43659d6188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
      RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69
      RDX: 0000000000000008 RSI: 0000000020003e40 RDI: 0000000000000003
      RBP: 00000000004bfa8f R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000010060 R11: 0000000000000246 R12: 000000000056bf60
      R13: 0000000000a9fb1f R14: 00007f43659d6300 R15: 0000000000022000
      
      Local variable ----addr@____sys_recvmsg created at:
       ____sys_recvmsg+0x168/0xd50 net/socket.c:2550
       ____sys_recvmsg+0x168/0xd50 net/socket.c:2550
      
      Bytes 2-3 of 12 are uninitialized
      Memory access of size 12 starts at ffff88817c627b40
      Data copied to user address 0000000020000140
      
      Fixes: bdabad3e ("net: Add Qualcomm IPC router")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Courtney Cavin <courtney.cavin@sonymobile.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50535249
    • Tong Zhang's avatar
      net: arcnet: com20020 fix error handling · 6577b9a5
      Tong Zhang authored
      There are two issues when handling error case in com20020pci_probe()
      
      1. priv might be not initialized yet when calling com20020pci_remove()
      from com20020pci_probe(), since the priv is set at the very last but it
      can jump to error handling in the middle and priv remains NULL.
      2. memory leak - the net device is allocated in alloc_arcdev but not
      properly released if error happens in the middle of the big for loop
      
      [    1.529110] BUG: kernel NULL pointer dereference, address: 0000000000000008
      [    1.531447] RIP: 0010:com20020pci_remove+0x15/0x60 [com20020_pci]
      [    1.536805] Call Trace:
      [    1.536939]  com20020pci_probe+0x3f2/0x48c [com20020_pci]
      [    1.537226]  local_pci_probe+0x48/0x80
      [    1.539918]  com20020pci_init+0x3f/0x1000 [com20020_pci]
      Signed-off-by: default avatarTong Zhang <ztong0001@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6577b9a5
    • Eva Dengler's avatar
      devlink: fix typo in documentation · ad236ccd
      Eva Dengler authored
      This commit fixes three spelling typos in devlink-dpipe.rst and
      devlink-port.rst.
      Signed-off-by: default avatarEva Dengler <eva.dengler@fau.de>
      Acked-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad236ccd
  3. 13 Mar, 2021 9 commits
  4. 12 Mar, 2021 15 commits
    • liuyacan's avatar
      net: correct sk_acceptq_is_full() · f211ac15
      liuyacan authored
      The "backlog" argument in listen() specifies
      the maximom length of pending connections,
      so the accept queue should be considered full
      if there are exactly "backlog" elements.
      Signed-off-by: default avatarliuyacan <yacanliu@163.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f211ac15
    • David S. Miller's avatar
      Revert "net: bonding: fix error return code of bond_neigh_init()" · 080bfa1e
      David S. Miller authored
      This reverts commit 2055a99d.
      
      This change rejects legitimate configurations.
      
      A slave doesn't need to exist nor implement ndo_slave_setup.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      080bfa1e
    • Li RongQing's avatar
      igb: avoid premature Rx buffer reuse · 98dfb02a
      Li RongQing authored
      Igb needs a similar fix as commit 75aab4e1 ("i40e: avoid
      premature Rx buffer reuse")
      
      The page recycle code, incorrectly, relied on that a page fragment
      could not be freed inside xdp_do_redirect(). This assumption leads to
      that page fragments that are used by the stack/XDP redirect can be
      reused and overwritten.
      
      To avoid this, store the page count prior invoking xdp_do_redirect().
      
      Longer explanation:
      
      Intel NICs have a recycle mechanism. The main idea is that a page is
      split into two parts. One part is owned by the driver, one part might
      be owned by someone else, such as the stack.
      
      t0: Page is allocated, and put on the Rx ring
                    +---------------
      used by NIC ->| upper buffer
      (rx_buffer)   +---------------
                    | lower buffer
                    +---------------
        page count  == USHRT_MAX
        rx_buffer->pagecnt_bias == USHRT_MAX
      
      t1: Buffer is received, and passed to the stack (e.g.)
                    +---------------
                    | upper buff (skb)
                    +---------------
      used by NIC ->| lower buffer
      (rx_buffer)   +---------------
        page count  == USHRT_MAX
        rx_buffer->pagecnt_bias == USHRT_MAX - 1
      
      t2: Buffer is received, and redirected
                    +---------------
                    | upper buff (skb)
                    +---------------
      used by NIC ->| lower buffer
      (rx_buffer)   +---------------
      
      Now, prior calling xdp_do_redirect():
        page count  == USHRT_MAX
        rx_buffer->pagecnt_bias == USHRT_MAX - 2
      
      This means that buffer *cannot* be flipped/reused, because the skb is
      still using it.
      
      The problem arises when xdp_do_redirect() actually frees the
      segment. Then we get:
        page count  == USHRT_MAX - 1
        rx_buffer->pagecnt_bias == USHRT_MAX - 2
      
      From a recycle perspective, the buffer can be flipped and reused,
      which means that the skb data area is passed to the Rx HW ring!
      
      To work around this, the page count is stored prior calling
      xdp_do_redirect().
      
      Fixes: 9cbc948b ("igb: add XDP support")
      Signed-off-by: default avatarLi RongQing <lirongqing@baidu.com>
      Reviewed-by: default avatarAlexander Duyck <alexanderduyck@fb.com>
      Tested-by: default avatarVishakha Jambekar <vishakha.jambekar@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      98dfb02a
    • Maciej Fijalkowski's avatar
      ixgbe: move headroom initialization to ixgbe_configure_rx_ring · 76064573
      Maciej Fijalkowski authored
      ixgbe_rx_offset(), that is supposed to initialize the Rx buffer headroom,
      relies on __IXGBE_RX_BUILD_SKB_ENABLED flag.
      
      Currently, the callsite of mentioned function is placed incorrectly
      within ixgbe_setup_rx_resources() where Rx ring's build skb flag is not
      set yet. This causes the XDP_REDIRECT to be partially broken due to
      inability to create xdp_frame in the headroom space, as the headroom is
      0.
      
      Fix this by moving ixgbe_rx_offset() to ixgbe_configure_rx_ring() after
      the flag setting, which happens to be set in ixgbe_set_rx_buffer_len.
      
      Fixes: c0d4e9d2 ("ixgbe: store the result of ixgbe_rx_offset() onto ixgbe_ring")
      Signed-off-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Tested-by: default avatarVishakha Jambekar <vishakha.jambekar@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      76064573
    • Maciej Fijalkowski's avatar
      ice: move headroom initialization to ice_setup_rx_ctx · 89861c48
      Maciej Fijalkowski authored
      ice_rx_offset(), that is supposed to initialize the Rx buffer headroom,
      relies on ICE_RX_FLAGS_RING_BUILD_SKB flag as well as XDP prog presence.
      
      Currently, the callsite of mentioned function is placed incorrectly
      within ice_setup_rx_ring() where Rx ring's build skb flag is not
      set yet. This causes the XDP_REDIRECT to be partially broken due to
      inability to create xdp_frame in the headroom space, as the headroom is
      0.
      
      Fix this by moving ice_rx_offset() to ice_setup_rx_ctx() after the flag
      setting.
      
      Fixes: f1b1f409 ("ice: store the result of ice_rx_offset() onto ice_ring")
      Signed-off-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Tested-by: default avatarKiran Bhandare <kiranx.bhandare@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      89861c48
    • Maciej Fijalkowski's avatar
      i40e: move headroom initialization to i40e_configure_rx_ring · a8660626
      Maciej Fijalkowski authored
      i40e_rx_offset(), that is supposed to initialize the Rx buffer headroom,
      relies on I40E_RXR_FLAGS_BUILD_SKB_ENABLED flag.
      
      Currently, the callsite of mentioned function is placed incorrectly
      within i40e_setup_rx_descriptors() where Rx ring's build skb flag is not
      set yet. This causes the XDP_REDIRECT to be partially broken due to
      inability to create xdp_frame in the headroom space, as the headroom is
      0.
      
      For the record, below is the call graph:
      
      i40e_vsi_open
       i40e_vsi_setup_rx_resources
        i40e_setup_rx_descriptors
         i40e_rx_offset() <-- sets offset to 0 as build_skb flag is set below
      
       i40e_vsi_configure_rx
        i40e_configure_rx_ring
         set_ring_build_skb_enabled(ring) <-- set build_skb flag
      
      Fix this by moving i40e_rx_offset() to i40e_configure_rx_ring() after
      the flag setting.
      
      Fixes: f7bb0d71 ("i40e: store the result of i40e_rx_offset() onto i40e_ring")
      Reported-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Co-developed-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Tested-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Tested-by: default avatarKiran Bhandare <kiranx.bhandare@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      a8660626
    • Magnus Karlsson's avatar
      ice: fix napi work done reporting in xsk path · ed0907e3
      Magnus Karlsson authored
      Fix the wrong napi work done reporting in the xsk path of the ice
      driver. The code in the main Rx processing loop was written to assume
      that the buffer allocation code returns true if all allocations where
      successful and false if not. In contrast with all other Intel NIC xsk
      drivers, the ice_alloc_rx_bufs_zc() has the inverted logic messing up
      the work done reporting in the napi loop.
      
      This can be fixed either by inverting the return value from
      ice_alloc_rx_bufs_zc() in the function that uses this in an incorrect
      way, or by changing the return value of ice_alloc_rx_bufs_zc(). We
      chose the latter as it makes all the xsk allocation functions for
      Intel NICs behave in the same way. My guess is that it was this
      unexpected discrepancy that gave rise to this bug in the first place.
      
      Fixes: 5bb0c4b5 ("ice, xsk: Move Rx allocation out of while-loop")
      Reported-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Signed-off-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Tested-by: default avatarKiran Bhandare <kiranx.bhandare@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      ed0907e3
    • David S. Miller's avatar
      Merge branch 'htb-fixes' · 451b2596
      David S. Miller authored
      Maxim Mikityanskiy says:
      
      ====================
      Bugfixes for HTB
      
      The HTB offload feature introduced a few bugs in HTB. One affects the
      non-offload mode, preventing attaching qdiscs to HTB classes, and the
      other affects the error flow, when the netdev doesn't support the
      offload, but it was requested. This short series fixes them.
      ====================
      Acked-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      451b2596
    • Maxim Mikityanskiy's avatar
      sch_htb: Fix offload cleanup in htb_destroy on htb_init failure · fb3a3e37
      Maxim Mikityanskiy authored
      htb_init may fail to do the offload if it's not supported or if a
      runtime error happens when allocating direct qdiscs. In those cases
      TC_HTB_CREATE command is not sent to the driver, however, htb_destroy
      gets called anyway and attempts to send TC_HTB_DESTROY.
      
      It shouldn't happen, because the driver didn't receive TC_HTB_CREATE,
      and also because the driver may not support ndo_setup_tc at all, while
      q->offload is true, and htb_destroy mistakenly thinks the offload is
      supported. Trying to call ndo_setup_tc in the latter case will lead to a
      NULL pointer dereference.
      
      This commit fixes the issues with htb_destroy by deferring assignment of
      q->offload until after the TC_HTB_CREATE command. The necessary cleanup
      of the offload entities is already done in htb_init.
      
      Reported-by: syzbot+b53a709f04722ca12a3c@syzkaller.appspotmail.com
      Fixes: d03b195b ("sch_htb: Hierarchical QoS hardware offload")
      Suggested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fb3a3e37
    • Maxim Mikityanskiy's avatar
      sch_htb: Fix select_queue for non-offload mode · 93bde210
      Maxim Mikityanskiy authored
      htb_select_queue assumes it's always the offload mode, and it ends up in
      calling ndo_setup_tc without any checks. It may lead to a NULL pointer
      dereference if ndo_setup_tc is not implemented, or to an error returned
      from the driver, which will prevent attaching qdiscs to HTB classes in
      the non-offload mode.
      
      This commit fixes the bug by adding the missing check to
      htb_select_queue. In the non-offload mode it will return sch->dev_queue,
      mimicking tc_modify_qdisc's behavior for the case where select_queue is
      not implemented.
      
      Reported-by: syzbot+b53a709f04722ca12a3c@syzkaller.appspotmail.com
      Fixes: d03b195b ("sch_htb: Hierarchical QoS hardware offload")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93bde210
    • Florian Fainelli's avatar
      net: phy: broadcom: Add power down exit reset state delay · 7a1468ba
      Florian Fainelli authored
      Per the datasheet, when we clear the power down bit, the PHY remains in
      an internal reset state for 40us and then resume normal operation.
      Account for that delay to avoid any issues in the future if
      genphy_resume() changes.
      
      Fixes: fe26821f ("net: phy: broadcom: Wire suspend/resume for BCM54810")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a1468ba
    • Tong Zhang's avatar
      mISDN: fix crash in fritzpci · a9f81244
      Tong Zhang authored
      setup_fritz() in avmfritz.c might fail with -EIO and in this case the
      isac.type and isac.write_reg is not initialized and remains 0(NULL).
      A subsequent call to isac_release() will dereference isac->write_reg and
      crash.
      
      [    1.737444] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [    1.737809] #PF: supervisor instruction fetch in kernel mode
      [    1.738106] #PF: error_code(0x0010) - not-present page
      [    1.738378] PGD 0 P4D 0
      [    1.738515] Oops: 0010 [#1] SMP NOPTI
      [    1.738711] CPU: 0 PID: 180 Comm: systemd-udevd Not tainted 5.12.0-rc2+ #78
      [    1.739077] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-p
      rebuilt.qemu.org 04/01/2014
      [    1.739664] RIP: 0010:0x0
      [    1.739807] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
      [    1.740200] RSP: 0018:ffffc9000027ba10 EFLAGS: 00010202
      [    1.740478] RAX: 0000000000000000 RBX: ffff888102f41840 RCX: 0000000000000027
      [    1.740853] RDX: 00000000000000ff RSI: 0000000000000020 RDI: ffff888102f41800
      [    1.741226] RBP: ffffc9000027ba20 R08: ffff88817bc18440 R09: ffffc9000027b808
      [    1.741600] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888102f41840
      [    1.741976] R13: 00000000fffffffb R14: ffff888102f41800 R15: ffff8881008b0000
      [    1.742351] FS:  00007fda3a38a8c0(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
      [    1.742774] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    1.743076] CR2: ffffffffffffffd6 CR3: 00000001021ec000 CR4: 00000000000006f0
      [    1.743452] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [    1.743828] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [    1.744206] Call Trace:
      [    1.744339]  isac_release+0xcc/0xe0 [mISDNipac]
      [    1.744582]  fritzpci_probe.cold+0x282/0x739 [avmfritz]
      [    1.744861]  local_pci_probe+0x48/0x80
      [    1.745063]  pci_device_probe+0x10f/0x1c0
      [    1.745278]  really_probe+0xfb/0x420
      [    1.745471]  driver_probe_device+0xe9/0x160
      [    1.745693]  device_driver_attach+0x5d/0x70
      [    1.745917]  __driver_attach+0x8f/0x150
      [    1.746123]  ? device_driver_attach+0x70/0x70
      [    1.746354]  bus_for_each_dev+0x7e/0xc0
      [    1.746560]  driver_attach+0x1e/0x20
      [    1.746751]  bus_add_driver+0x152/0x1f0
      [    1.746957]  driver_register+0x74/0xd0
      [    1.747157]  ? 0xffffffffc00d8000
      [    1.747334]  __pci_register_driver+0x54/0x60
      [    1.747562]  AVM_init+0x36/0x1000 [avmfritz]
      [    1.747791]  do_one_initcall+0x48/0x1d0
      [    1.747997]  ? __cond_resched+0x19/0x30
      [    1.748206]  ? kmem_cache_alloc_trace+0x390/0x440
      [    1.748458]  ? do_init_module+0x28/0x250
      [    1.748669]  do_init_module+0x62/0x250
      [    1.748870]  load_module+0x23ee/0x26a0
      [    1.749073]  __do_sys_finit_module+0xc2/0x120
      [    1.749307]  ? __do_sys_finit_module+0xc2/0x120
      [    1.749549]  __x64_sys_finit_module+0x1a/0x20
      [    1.749782]  do_syscall_64+0x38/0x90
      Signed-off-by: default avatarTong Zhang <ztong0001@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a9f81244
    • Lv Yunlong's avatar
      net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template · db74623a
      Lv Yunlong authored
      In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by
      vfree(). But unfortunately, it is used when extended is true.
      
      Fixes: 7061b2bd ("qlogic: Deletion of unnecessary checks before two function calls")
      Signed-off-by: default avatarLv Yunlong <lyl2019@mail.ustc.edu.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      db74623a
    • David S. Miller's avatar
      Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · ce6c13e4
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-03-11
      
      This series contains updates to igc and e1000e drivers.
      
      Sasha adds locking to reset task to prevent race condition for igc.
      
      Muhammad fixes reporting of supported pause frame as well as advertised
      pause frame for Tx/Rx off for igc.
      
      Andre fixes timestamp retrieval from the wrong timer for igc.
      
      Vitaly adds locking to reset task to prevent race condition for e1000e.
      
      Dinghao Liu adds a missed check to return on error in
      e1000_set_d0_lplu_state_82571.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce6c13e4
    • Tonghao Zhang's avatar
      net: sock: simplify tw proto registration · b80350f3
      Tonghao Zhang authored
      Introduce the new function tw_prot_init (inspired by
      req_prot_init) to simplify "proto_register" function.
      
      tw_prot_cleanup will take care of a partially initialized
      timewait_sock_ops.
      Signed-off-by: default avatarTonghao Zhang <xiangxia.m.yue@gmail.com>
      Reviewed-by: default avatarAlexander Duyck <alexanderduyck@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b80350f3
  5. 11 Mar, 2021 7 commits
  6. 10 Mar, 2021 4 commits
    • Florian Fainelli's avatar
      net: dsa: b53: VLAN filtering is global to all users · d45c36ba
      Florian Fainelli authored
      The bcm_sf2 driver uses the b53 driver as a library but does not make
      usre of the b53_setup() function, this made it fail to inherit the
      vlan_filtering_is_global attribute. Fix this by moving the assignment to
      b53_switch_alloc() which is used by bcm_sf2.
      
      Fixes: 7228b23e ("net: dsa: b53: Let DSA handle mismatched VLAN filtering settings")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d45c36ba
    • Eric Dumazet's avatar
      net: sched: validate stab values · e323d865
      Eric Dumazet authored
      iproute2 package is well behaved, but malicious user space can
      provide illegal shift values and trigger UBSAN reports.
      
      Add stab parameter to red_check_params() to validate user input.
      
      syzbot reported:
      
      UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
      shift exponent 111 is too large for 64-bit type 'long unsigned int'
      CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x141/0x1d7 lib/dump_stack.c:120
       ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
       __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
       red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
       red_calc_qavg include/net/red.h:353 [inline]
       choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221
       __dev_xmit_skb net/core/dev.c:3837 [inline]
       __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150
       neigh_hh_output include/net/neighbour.h:499 [inline]
       neigh_output include/net/neighbour.h:508 [inline]
       ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117
       __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
       __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
       ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
       NF_HOOK_COND include/linux/netfilter.h:290 [inline]
       ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215
       dst_output include/net/dst.h:448 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       NF_HOOK include/linux/netfilter.h:295 [inline]
       ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320
       inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135
       dccp_transmit_skb+0x973/0x12c0 net/dccp/output.c:138
       dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535
       dccp_finish_passive_close net/dccp/proto.c:123 [inline]
       dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118
       dccp_terminate_connection net/dccp/proto.c:958 [inline]
       dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028
       inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
       inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
       __sock_release+0xcd/0x280 net/socket.c:599
       sock_close+0x18/0x20 net/socket.c:1258
       __fput+0x288/0x920 fs/file_table.c:280
       task_work_run+0xdd/0x1a0 kernel/task_work.c:140
       tracehook_notify_resume include/linux/tracehook.h:189 [inline]
      
      Fixes: 8afa10cb ("net_sched: red: Avoid illegal values")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e323d865
    • David S. Miller's avatar
    • Rafał Miłecki's avatar
      net: dsa: bcm_sf2: use 2 Gbps IMP port link on BCM4908 · 8373a0fe
      Rafał Miłecki authored
      BCM4908 uses 2 Gbps link between switch and the Ethernet interface.
      Without this BCM4908 devices were able to achieve only 2 x ~895 Mb/s.
      This allows handling e.g. NAT traffic with 940 Mb/s.
      Signed-off-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8373a0fe