- 15 Jun, 2018 27 commits
-
-
Guillaume Nault authored
The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all L2TPv2 tunnels, and rightfully expect that only PPP sessions can be found there. However, l2tp_netlink accepts creating Ethernet sessions regardless of the underlying tunnel version. This confuses pppol2tp_seq_session_show(), which expects that l2tp_session_priv() returns a pppol2tp_session structure. When the session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned instead. This leads to invalid memory access when pppol2tp_session_get_sock() later tries to dereference ps->sk. Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by:
Guillaume Nault <g.nault@alphalink.fr> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Ido Schimmel says: ==================== mlxsw: IPv6 and reference counting fixes The first three patches fix a mismatch between the new IPv6 behavior introduced in commit f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route") and mlxsw. The patches allow the driver to support multipathing in IPv6 overlays with GRE tunnel devices. A selftest will be submitted when net-next opens. The last patch fixes a reference count problem of the port_vlan struct. I plan to simplify the code in net-next, so that reference counting is not necessary anymore. ==================== Signed-off-by:
-
Petr Machata authored
Switchdev notifications for addition of SWITCHDEV_OBJ_ID_PORT_VLAN are distributed not only on clean addition, but also when flags on an existing VLAN are changed. mlxsw_sp_bridge_port_vlan_add() calls mlxsw_sp_port_vlan_get() to get at the port_vlan in question, which implicitly references the object. This then leads to discrepancies in reference counting when the VLAN is removed. spectrum.c warns about the problem when the module is removed: [13578.493090] WARNING: CPU: 0 PID: 2454 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2973 mlxsw_sp_port_remove+0xfd/0x110 [mlxsw_spectrum] [...] [13578.627106] Call Trace: [13578.629617] mlxsw_sp_fini+0x2a/0xe0 [mlxsw_spectrum] [13578.634748] mlxsw_core_bus_device_unregister+0x3e/0x130 [mlxsw_core] [13578.641290] mlxsw_pci_remove+0x13/0x40 [mlxsw_pci] [13578.646238] pci_device_remove+0x31/0xb0 [13578.650244] device_release_driver_internal+0x14f/0x220 [13578.655562] driver_detach+0x32/0x70 [13578.659183] bus_remove_driver+0x47/0xa0 [13578.663134] pci_unregister_driver+0x1e/0x80 [13578.667486] mlxsw_sp_module_exit+0xc/0x3fa [mlxsw_spectrum] [13578.673207] __x64_sys_delete_module+0x13b/0x1e0 [13578.677888] ? exit_to_usermode_loop+0x78/0x80 [13578.682374] do_syscall_64+0x39/0xe0 [13578.685976] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fix by putting the port_vlan when mlxsw_sp_port_vlan_bridge_join() determines it's a flag-only change. Fixes: b3529af6 ("spectrum: Reference count VLAN entries") Signed-off-by:
Petr Machata <petrm@mellanox.com> Acked-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
Ido Schimmel <idosch@mellanox.com> Signed-off-by:
-
Ido Schimmel authored
Commit f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route") changed the IPv6 route replace logic so that the first matching route (i.e., same metric) is replaced. Have mlxsw replace the first matching route as well. Fixes: f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route") Signed-off-by:
-
Ido Schimmel authored
Commit f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route") changed the IPv6 route append logic so that dev-only routes can be appended and not only gatewayed routes. Align mlxsw with the new behaviour. Fixes: f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route") Signed-off-by:
-
Ido Schimmel authored
Current code will emit an append event in the FIB notification chain for any route added with NLM_F_APPEND set, even if the route was not appended to any existing route. This is inconsistent with IPv4 where such an event is only emitted when the new route is appended after an existing one. Align IPv6 behavior with IPv4, thereby allowing listeners to more easily handle these events. Fixes: f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route") Signed-off-by:
David Ahern <dsahern@gmail.com> Signed-off-by:
-
David S. Miller authored
Merge tag 'mac80211-for-davem-2018-06-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== A handful of fixes: * missing RCU grace period enforcement led to drivers freeing data structures before; fix from Dedy Lansky. * hwsim module init error paths were messed up; fixed it myself after a report from Colin King (who had sent a partial patch) * kernel-doc tag errors; fix from Luca Coelho * initialize the on-stack sinfo data structure when getting station information; fix from Sven Eckelmann * TXQ state dumping is now done from init, and when TXQs aren't initialized yet at that point, bad things happen, move the initialization; fix from Toke Høiland-Jørgensen. ==================== Signed-off-by:
-
Elad Nachman authored
stmmac reception handler calls stmmac_rx_vlan() to strip the vlan before calling napi_gro_receive(). The function assumes VLAN tagged frames are always tagged with 802.1Q protocol, and assigns ETH_P_8021Q to the skb by hard-coding the parameter on call to __vlan_hwaccel_put_tag() . This causes packets not to be passed to the VLAN slave if it was created with 802.1AD protocol (ip link add link eth0 eth0.100 type vlan proto 802.1ad id 100). This fix passes the protocol from the VLAN header into __vlan_hwaccel_put_tag() instead of using the hard-coded value of ETH_P_8021Q. NETIF_F_HW_VLAN_STAG_RX check was added and the strip action is now dependent on the correct combination of features and the detected vlan tag. NETIF_F_HW_VLAN_STAG_RX feature was added to be in line with the driver actual abilities. Signed-off-by:
Elad Nachman <eladn@gilat.com> Reviewed-by:
Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp> Signed-off-by:
-
Dedy Lansky authored
Callers of cfg80211_unregister_wdev can free the wdev object immediately after this function returns. This may crash the kernel because this wdev object is still in use by other threads. Add synchronize_rcu() after list_del_rcu to make sure wdev object can be safely freed. Signed-off-by:
Dedy Lansky <dlansky@codeaurora.org> Signed-off-by:
Johannes Berg <johannes@sipsolutions.net>
-
Toke Høiland-Jørgensen authored
On init, ieee80211_if_add() dumps the interface. Since that now includes a dump of the TXQ state, we need to initialise that before the dump happens. So move up the TXQ initialisation to to before the call to ieee80211_if_add(). Fixes: 52539ca8 ("cfg80211: Expose TXQ stats and parameters to userspace") Reported-by:
Niklas Cassel <niklas.cassel@linaro.org> Signed-off-by:
Toke Høiland-Jørgensen <toke@toke.dk> Tested-by:
-
Johannes Berg authored
We didn't free the workqueue on any errors, nor did we correctly check for rhashtable allocation errors, nor did we free the hashtable on error. Reported-by:
Colin King <colin.king@canonical.com> Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
-
Sven Eckelmann authored
Most of the implementations behind cfg80211_get_station will not initialize sinfo to zero before manipulating it. For example, the member "filled", which indicates the filled in parts of this struct, is often only modified by enabling certain bits in the bitfield while keeping the remaining bits in their original state. A caller without a preinitialized sinfo.filled can then no longer decide which parts of sinfo were filled in by cfg80211_get_station (or actually the underlying implementations). cfg80211_get_station must therefore take care that sinfo is initialized to zero. Otherwise, the caller may tries to read information which was not filled in and which must therefore also be considered uninitialized. In batadv_v_elp_get_throughput's case, an invalid "random" expected throughput may be stored for this neighbor and thus the B.A.T.M.A.N V algorithm may switch to non-optimal neighbors for certain destinations. Fixes: 7406353d ("cfg80211: implement cfg80211_get_station cfg80211 API") Reported-by:
Thomas Lauer <holminateur@gmail.com> Reported-by:
Marcel Schmidt <ff.z-casparistrasse@mailbox.org> Cc: b.a.t.m.a.n@lists.open-mesh.org Signed-off-by:
Sven Eckelmann <sven@narfation.org> Signed-off-by:
-
Luca Coelho authored
There is a bunch of tags marking constants with &, which means struct or enum name. Replace them with %, which is the correct tag for constants. Signed-off-by:
Luca Coelho <luciano.coelho@intel.com> Signed-off-by:
-
Haiyang Zhang authored
These fields in struct ndis_ipsecv2_offload and struct ndis_rsc_offload are one byte according to the specs. This patch defines them with the right size. These structs are not in use right now, but will be used soon. Signed-off-by:
Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by:
-
Santosh Shilimkar authored
Loop transport which is self loopback, remote port congestion update isn't relevant. Infact the xmit path already ignores it. Receive path needs to do the same. Reported-by: syzbot+4c20b3866171ce8441d2@syzkaller.appspotmail.com Reviewed-by:
Sowmini Varadhan <sowmini.varadhan@oracle.com> Signed-off-by:
Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by:
-
David S. Miller authored
Guillaume Nault says: ==================== l2tp: pppol2tp_connect() fixes This series fixes a few remaining issues with pppol2tp_connect(). It doesn't try to prevent invalid configurations that have no effect on kernel's reliability. That would be work for a future patch set. Patch 2 is the most important as it avoids an invalid pointer dereference crashing the kernel. It depends on patch 1 for correctly identifying L2TP session types. Patches 3 and 4 avoid creating stale tunnels and sessions. ==================== Signed-off-by: -
Guillaume Nault authored
pppol2tp_connect() may create a tunnel or a session. Remove them in case of error. Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by:
-
Guillaume Nault authored
If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets the relevant fields to zero, tricking l2tp_tunnel_create() into setting up an unusable kernel socket. We can't set 'tcfg' with the required fields because there's no way to get them from the current connect() parameters. So let's restrict kernel sockets creation to the netlink API, which is the original use case. Fixes: 789a4a2c ("l2tp: Add support for static unmanaged L2TPv3 tunnels") Signed-off-by:
-
Guillaume Nault authored
l2tp_session_priv() returns a struct pppol2tp_session pointer only for PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess structure, which is much smaller than struct pppol2tp_session. This leads to invalid memory dereference when trying to lock ps->sk_lock. Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by:
-
Guillaume Nault authored
Define cfg.pw_type so that the new session is created with its .pwtype field properly set (L2TP_PWTYPE_PPP). Not setting the pseudo-wire type had several annoying effects: * Invalid value returned in the L2TP_ATTR_PW_TYPE attribute when dumping sessions with the netlink API. * Impossibility to delete the session using the netlink API (because l2tp_nl_cmd_session_delete() gets the deletion callback function from an array indexed by the session's pseudo-wire type). Also, there are several cases where we should check a session's pseudo-wire type. For example, pppol2tp_connect() should refuse to connect a session that is not PPPoL2TP, but that requires the session's .pwtype field to be properly set. Fixes: f7faffa3 ("l2tp: Add L2TPv3 protocol support") Signed-off-by: -
David S. Miller authored
Radhey Shyam Pandey says: ==================== emaclite bug fixes and code cleanup This patch series fixes bug in emaclite remove and mdio_setup routines. It does minor code cleanup. ==================== Signed-off-by: -
Radhey Shyam Pandey authored
Errors are already reported in xemaclite_mdio_setup so avoid reporting it again. Signed-off-by:
Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com> Signed-off-by:
Michal Simek <michal.simek@xilinx.com> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
Radhey Shyam Pandey authored
Remove unused 'has_mdio' flag. Signed-off-by:
-
Radhey Shyam Pandey authored
Since 'has_mdio' flag is not used,sequence insmod->rmmod-> insmod leads to failure as MDIO unregister doesn't happen in .remove(). Fix it by checking MII bus pointer instead. Signed-off-by:
-
Radhey Shyam Pandey authored
To ensure MDIO bus is not double freed in remove() path assign lp->mii_bus after MDIO bus registration. Signed-off-by:
-
Frank van der Linden authored
commit 079096f1 ("tcp/dccp: install syn_recv requests into ehash table") introduced an optimization for the handling of child sockets created for a new TCP connection. But this optimization passes any data associated with the last ACK of the connection handshake up the stack without verifying its checksum, because it calls tcp_child_process(), which in turn calls tcp_rcv_state_process() directly. These lower-level processing functions do not do any checksum verification. Insert a tcp_checksum_complete call in the TCP_NEW_SYN_RECEIVE path to fix this. Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table") Signed-off-by:
Frank van der Linden <fllinden@amazon.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Tested-by:
Balbir Singh <bsingharora@gmail.com> Reviewed-by:
-
YueHaibing authored
Add missing of_node_put() call for device node returned by of_parse_phandle(). Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Acked-by:
Timur Tabi <timur@codeaurora.org> Signed-off-by:
-
- 14 Jun, 2018 1 commit
-
-
Xin Long authored
Now sctp GSO uses skb_gro_receive() to append the data into head skb frag_list. However it actually only needs very few code from skb_gro_receive(). Besides, NAPI_GRO_CB has to be set while most of its members are not needed here. This patch is to add sctp_packet_gso_append() to build GSO frames instead of skb_gro_receive(), and it would avoid many unnecessary checks and make the code clearer. Note that sctp will use page frags instead of frag_list to build GSO frames in another patch. But it may take time, as sctp's GSO frames may have different size. skb_segment() can only split it into the frags with the same size, which would break the border of sctp chunks. Signed-off-by:
Xin Long <lucien.xin@gmail.com> Reviewed-by:
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
- 13 Jun, 2018 1 commit
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nfDavid S. Miller authored
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter patches for your net tree: 1) Fix NULL pointer dereference from nf_nat_decode_session() if NAT is not loaded, from Prashant Bhole. 2) Fix socket extension module autoload. 3) Don't bogusly reject sets with the NFT_SET_EVAL flag set on from the dynset extension. 4) Fix races with nf_tables module removal and netns exit path, patches from Florian Westphal. 5) Don't hit BUG_ON if jumpstack goes too deep, instead hit WARN_ON_ONCE, from Taehee Yoo. 6) Another NULL pointer dereference from ctnetlink, again if NAT is not loaded, from Florian Westphal. 7) Fix x_tables match list corruption in xt_connmark module removal path, also from Florian. 8) nf_conncount doesn't properly deal with conntrack zones, hence garbage collector may get rid of entries in a different zone. From Yi-Hung Wei. ==================== Signed-off-by:
-
- 12 Jun, 2018 11 commits
-
-
Juergen Gross authored
The max number of slots used in xennet_get_responses() is set to MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD). In old kernel-xen MAX_SKB_FRAGS was 18, while nowadays it is 17. This difference is resulting in frequent messages "too many slots" and a reduced network throughput for some workloads (factor 10 below that of a kernel-xen based guest). Replacing MAX_SKB_FRAGS by XEN_NETIF_NR_SLOTS_MIN for calculation of the max number of slots to use solves that problem (tests showed no more messages "too many slots" and throughput was as high as with the kernel-xen based guest system). Replace MAX_SKB_FRAGS-2 by XEN_NETIF_NR_SLOTS_MIN-1 in netfront_tx_slot_available() for making it clearer what is really being tested without actually modifying the tested value. Signed-off-by:
Juergen Gross <jgross@suse.com> Reviewed-by:
Boris Ostrovsky <boris.ostrovsky@oracle.com> Signed-off-by:
-
Cong Wang authored
smc->clcsock is an internal TCP socket, after TCP socket converts to ->poll_mask, ->poll doesn't exist any more. So just convert smc socket to ->poll_mask too. Fixes: 2c7d3dac ("net/tcp: convert to ->poll_mask") Reported-by: syzbot+f5066e369b2d5fff630f@syzkaller.appspotmail.com Cc: Christoph Hellwig <hch@lst.de> Cc: Ursula Braun <ubraun@linux.ibm.com> Signed-off-by:
Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by:
-
Christophe JAILLET authored
If 'of_device_get_match_data()' fails, we need to release some resources as done in the other error handling path of this function. Fixes: efacb568 ("net: stmmac: dwmac-meson: extend phy mode setting") Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by:
-
Davide Caratti authored
fix failures in the 'teardown' stage of test b7b8, probably a leftover of commit 7c5995b3 ("tc-testing: fixed copy-pasting error in ife tests") Fixes: a56e6bcd ("tc-testing: updated ife test cases") Signed-off-by:
Davide Caratti <dcaratti@redhat.com> Signed-off-by:
-
Vadim Lomovtsev authored
For each network interface linux network stack issue ndo_set_rx_mode call in order to configure MAC address filters (e.g. for multicast filtering). Currently ThunderX NICVF driver has only one ordered workqueue to process such requests for all VFs. And because of that it is possible that subsequent call to ndo_set_rx_mode would corrupt data which is currently in use by nicvf_set_rx_mode_task. Which in turn could cause following issue: [...] [ 48.978341] Unable to handle kernel paging request at virtual address 1fffff0000000000 [ 48.986275] Mem abort info: [ 48.989058] Exception class = DABT (current EL), IL = 32 bits [ 48.994965] SET = 0, FnV = 0 [ 48.998020] EA = 0, S1PTW = 0 [ 49.001152] Data abort info: [ 49.004022] ISV = 0, ISS = 0x00000004 [ 49.007869] CM = 0, WnR = 0 [ 49.010826] [1fffff0000000000] address between user and kernel address ranges [ 49.017963] Internal error: Oops: 96000004 [#1] SMP [...] [ 49.072138] task: ffff800fdd675400 task.stack: ffff000026440000 [ 49.078051] PC is at prefetch_freepointer.isra.37+0x28/0x3c [ 49.083613] LR is at kmem_cache_alloc_trace+0xc8/0x1fc [...] [ 49.272684] [<ffff0000082738f0>] prefetch_freepointer.isra.37+0x28/0x3c [ 49.279286] [<ffff000008276bc8>] kmem_cache_alloc_trace+0xc8/0x1fc [ 49.285455] [<ffff0000082c0c0c>] alloc_fdtable+0x78/0x134 [ 49.290841] [<ffff0000082c15c0>] dup_fd+0x254/0x2f4 [ 49.295709] [<ffff0000080d1954>] copy_process.isra.38.part.39+0x64c/0x1168 [ 49.302572] [<ffff0000080d264c>] _do_fork+0xfc/0x3b0 [ 49.307524] [<ffff0000080d29e8>] SyS_clone+0x44/0x50 [...] This patch is to prevent such concurrent data write with spinlock. Reported-by:
Dean Nelson <dnelson@redhat.com> Signed-off-by:
Vadim Lomovtsev <Vadim.Lomovtsev@cavium.com> Signed-off-by:
-
Linus Walleij authored
The GPIO MDIO driver now needs only <linux/gpio/consumer.h> so cut the legacy <linux/gpio.h> and <linux/of_gpio.h> includes that are no longer used. Signed-off-by:
Linus Walleij <linus.walleij@linaro.org> Reviewed-by:
-
David S. Miller authored
Stephen Hemminger says: ==================== hv_netvsc: notification and namespace fixes This set of patches addresses two set of fixes. First it backs out the common callback model which was merged in net-next without completing all the review feedback or getting maintainer approval. Then it fixes the transparent VF management code to handle network namespaces. ==================== Signed-off-by: -
Stephen Hemminger authored
When VF is added, the paravirtual device is already present and may have been moved to another network namespace. For example, sometimes the management interface is put in another net namespace in some environments. The VF should get moved to where the netvsc device is when the VF is discovered. The user can move it later (if desired). Signed-off-by:
Stephen Hemminger <sthemmin@microsoft.com> Signed-off-by:
-
Stephen Hemminger authored
When finding the parent netvsc device, the search needs to be across all netvsc device instances (independent of network namespace). Find parent device of VF using upper_dev_get routine which searches only adjacent list. Fixes: e8ff40d4 ("hv_netvsc: improve VF device matching") Signed-off-by:
-
Stephen Hemminger authored
The callback model of handling network failover is not suitable in the current form. 1. It was merged without addressing all the review feedback. 2. It was merged without approval of any of the netvsc maintainers. 3. Design discussion on how to handle PV/VF fallback is still not complete. 4. IMHO the code model using callbacks is trying to make something common which isn't. Revert the netvsc specific changes for now. Does not impact ongoing development of failover model for virtio. Revisit this after a simpler library based failover kernel routines are extracted. This reverts commit 9c6ffbac ("hv_netvsc: fix error return code in netvsc_probe()") and commit 1ff78076 ("netvsc: refactor notifier/event handling code to use the failover framework") Signed-off-by: -
David S. Miller authored
Jakub Kicinski says: ==================== nfp: fix a warning, stats, naming and route leak Various fixes for the NFP. Patch 1 fixes a harmless GCC 8 warning. Patch 2 ensures statistics are correct after users decrease the number of channels/rings. Patch 3 restores phy_port_name behaviour for flower, ndo_get_phy_port_name used to return -EOPNOTSUPP on one of the netdevs, and we need to keep it that way otherwise interface names may change. Patch 4 fixes refcnt leak in flower tunnel offload code. ==================== Signed-off-by:
-
