1. 10 Jul, 2020 3 commits
    • net/mlx5e: Verify that rpriv is not NULL · 2fb15e72
      Vlad Buslov authored
      In helper function is_flow_rule_duplicate_allowed() verify that the rpriv
      pointer is not NULL before dereferencing it. This can happen when the device is
      in NIC mode and leads to the following crash:
      
      [90444.046419] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [90444.048149] #PF: supervisor read access in kernel mode
      [90444.049781] #PF: error_code(0x0000) - not-present page
      [90444.051386] PGD 80000003d35a4067 P4D 80000003d35a4067 PUD 3d35a3067 PMD 0
      [90444.053051] Oops: 0000 [#1] SMP PTI
      [90444.054683] CPU: 16 PID: 31736 Comm: tc Not tainted 5.8.0-rc1+ #1157
      [90444.056340] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
      [90444.058079] RIP: 0010:mlx5e_configure_flower+0x3aa/0x9b0 [mlx5_core]
      [90444.059753] Code: 24 50 49 8b 95 08 02 00 00 48 b8 00 08 00 00 04 00 00 00 48 21 c2 48 39 c2 74 0a 41 f6 85 0d 02 00 00 20 74 16 48 8b 44 24 20 <48> 8b 00 66 83 78 20 ff 74 07 4d 89 aa e0 00 00 00 48 83 7d 28 00
      [90444.063232] RSP: 0018:ffffabe9c61ff768 EFLAGS: 00010246
      [90444.065014] RAX: 0000000000000000 RBX: ffff9b13c4c91e80 RCX: 00000000000093fa
      [90444.066784] RDX: 0000000400000800 RSI: 0000000000000000 RDI: 000000000002d5e0
      [90444.068533] RBP: ffff9b174d308468 R08: 0000000000000000 R09: ffff9b17d63003f0
      [90444.070285] R10: ffff9b17ea288600 R11: 0000000000000000 R12: ffffabe9c61ff878
      [90444.072032] R13: ffff9b174d300000 R14: ffffabe9c61ffbb8 R15: ffff9b174d300880
      [90444.073760] FS:  00007f3c23775480(0000) GS:ffff9b13efc80000(0000) knlGS:0000000000000000
      [90444.075492] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [90444.077266] CR2: 0000000000000000 CR3: 00000003e2a60002 CR4: 00000000001606e0
      [90444.079024] Call Trace:
      [90444.080753]  tc_setup_cb_add+0xca/0x1e0
      [90444.082415]  fl_hw_replace_filter+0x15f/0x1f0 [cls_flower]
      [90444.084119]  fl_change+0xa59/0x13dc [cls_flower]
      [90444.085772]  ? wait_for_completion+0xa8/0xf0
      [90444.087364]  tc_new_tfilter+0x3f5/0xa60
      [90444.088960]  rtnetlink_rcv_msg+0xeb/0x360
      [90444.090514]  ? __d_lookup_done+0x76/0xe0
      [90444.092034]  ? proc_alloc_inode+0x16/0x70
      [90444.093560]  ? prep_new_page+0x8c/0xf0
      [90444.095048]  ? _cond_resched+0x15/0x30
      [90444.096483]  ? rtnl_calcit.isra.0+0x110/0x110
      [90444.097907]  netlink_rcv_skb+0x49/0x110
      [90444.099289]  netlink_unicast+0x191/0x230
      [90444.100629]  netlink_sendmsg+0x243/0x480
      [90444.101984]  sock_sendmsg+0x5e/0x60
      [90444.103305]  ____sys_sendmsg+0x1f3/0x260
      [90444.104597]  ? copy_msghdr_from_user+0x5c/0x90
      [90444.105916]  ? __mod_lruvec_state+0x3c/0xe0
      [90444.107210]  ___sys_sendmsg+0x81/0xc0
      [90444.108484]  ? do_filp_open+0xa5/0x100
      [90444.109732]  ? handle_mm_fault+0x117b/0x1e00
      [90444.110970]  ? __check_object_size+0x46/0x147
      [90444.112205]  ? __check_object_size+0x136/0x147
      [90444.113402]  __sys_sendmsg+0x59/0xa0
      [90444.114587]  do_syscall_64+0x4d/0x90
      [90444.115782]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [90444.116953] RIP: 0033:0x7f3c2393b7b8
      [90444.118101] Code: Bad RIP value.
      [90444.119240] RSP: 002b:00007ffc6ad8e6c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [90444.120408] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3c2393b7b8
      [90444.121583] RDX: 0000000000000000 RSI: 00007ffc6ad8e740 RDI: 0000000000000003
      [90444.122750] RBP: 000000005eea0c3a R08: 0000000000000001 R09: 00007ffc6ad8e68c
      [90444.123928] R10: 0000000000404fa8 R11: 0000000000000246 R12: 0000000000000001
      [90444.125073] R13: 0000000000000000 R14: 00007ffc6ad92a00 R15: 00000000004866a0
      [90444.126221] Modules linked in: act_skbedit act_tunnel_key act_mirred bonding vxlan ip6_udp_tunnel udp_tunnel nfnetlink act_gact cls_flower sch_ingress openvswitch nsh nf_conncount nfsv3 nfs_acl nfs lockd grace fscache tun bridge stp llc sunrpc rdma_ucm rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel mlxfw kvm act_ct nf_flow_table nf_nat nf_conntrack irqbypass crct10dif_pclmul nf_defrag_ipv6 igb ipmi_ssif libcrc32c crc32_pclmul crc32c_intel ipmi_si nf_defrag_ipv4 ptp ghash_clmulni_intel mei_me ses iTCO_wdt i2c_i801 pps_core ioatdma iTCO_vendor_support joydev mei enclosure intel_cstate i2c_smbus wmi dca ipmi_devintf intel_uncore lpc_ich ipmi_msghandler pcspkr acpi_pad acpi_power_meter ast i2c_algo_bit drm_vram_helper drm_kms_helper drm_ttm_helper ttm drm mpt3sas raid_class scsi_transport_sas
      [90444.136253] CR2: 0000000000000000
      [90444.137621] ---[ end trace 924af62aa2b151bd ]---
      
      Fixes: 553f9328 ("net/mlx5e: Support tc block sharing for representors")
      Reported-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
      Reviewed-by: Roi Dayan <roid@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: E-Switch, Fix vlan or qos setting in legacy mode · 01f3d5db
      Vu Pham authored
      Refactoring eswitch ingress acl codes accidentally inserts extra
      memset zero that removes vlan and/or qos setting in legacy mode.
      
      Fixes: 07bab950 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
      Signed-off-by: Vu Pham <vuhuong@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: Fix eeprom support for SFP module · 47afbdd2
      Eran Ben Elisha authored
      Fix eeprom SFP query support by setting i2c_addr, offset and page number
      correctly. Unlike QSFP modules, SFP eeprom params are as follows:
      - i2c_addr is 0x50 for offset 0 - 255 and 0x51 for offset 256 - 511.
      - Page number is always zero.
      - Page offset is always relative to zero.
      
      As part of eeprom query, query the module ID (SFP / QSFP*) via helper
      function to set the params accordingly.
      
      In addition, change mlx5_qsfp_eeprom_page() input type to be u16 to avoid
      unnecessary casting.
      
      Fixes: a708fb7b ("net/mlx5e: ethtool, Add support for EEPROM high pages query")
      Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: Huy Nguyen <huyn@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
  2. 09 Jul, 2020 4 commits
    • tcp: make sure listeners don't initialize congestion-control state · ce69e563
      Christoph Paasch authored
      syzkaller found its way into setsockopt with TCP_CONGESTION "cdg".
      tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock
      just copies all the memory, the allocated pointer will be copied as
      well, if the app called setsockopt(..., TCP_CONGESTION) on the listener.
      If now the socket will be destroyed before the congestion-control
      has properly been initialized (through a call to tcp_init_transfer), we
      will end up freeing memory that does not belong to that particular
      socket, opening the door to a double-free:
      
      [   11.413102] ==================================================================
      [   11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0
      [   11.415329]
      [   11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 #80
      [   11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      [   11.418148] Call Trace:
      [   11.418534]  <IRQ>
      [   11.418834]  dump_stack+0x7d/0xb0
      [   11.419297]  print_address_description.constprop.0+0x1a/0x210
      [   11.422079]  kasan_report_invalid_free+0x51/0x80
      [   11.423433]  __kasan_slab_free+0x15e/0x170
      [   11.424761]  kfree+0x8c/0x230
      [   11.425157]  tcp_cleanup_congestion_control+0x58/0xd0
      [   11.425872]  tcp_v4_destroy_sock+0x57/0x5a0
      [   11.426493]  inet_csk_destroy_sock+0x153/0x2c0
      [   11.427093]  tcp_v4_syn_recv_sock+0xb29/0x1100
      [   11.427731]  tcp_get_cookie_sock+0xc3/0x4a0
      [   11.429457]  cookie_v4_check+0x13d0/0x2500
      [   11.433189]  tcp_v4_do_rcv+0x60e/0x780
      [   11.433727]  tcp_v4_rcv+0x2869/0x2e10
      [   11.437143]  ip_protocol_deliver_rcu+0x23/0x190
      [   11.437810]  ip_local_deliver+0x294/0x350
      [   11.439566]  __netif_receive_skb_one_core+0x15d/0x1a0
      [   11.441995]  process_backlog+0x1b1/0x6b0
      [   11.443148]  net_rx_action+0x37e/0xc40
      [   11.445361]  __do_softirq+0x18c/0x61a
      [   11.445881]  asm_call_on_stack+0x12/0x20
      [   11.446409]  </IRQ>
      [   11.446716]  do_softirq_own_stack+0x34/0x40
      [   11.447259]  do_softirq.part.0+0x26/0x30
      [   11.447827]  __local_bh_enable_ip+0x46/0x50
      [   11.448406]  ip_finish_output2+0x60f/0x1bc0
      [   11.450109]  __ip_queue_xmit+0x71c/0x1b60
      [   11.451861]  __tcp_transmit_skb+0x1727/0x3bb0
      [   11.453789]  tcp_rcv_state_process+0x3070/0x4d3a
      [   11.456810]  tcp_v4_do_rcv+0x2ad/0x780
      [   11.457995]  __release_sock+0x14b/0x2c0
      [   11.458529]  release_sock+0x4a/0x170
      [   11.459005]  __inet_stream_connect+0x467/0xc80
      [   11.461435]  inet_stream_connect+0x4e/0xa0
      [   11.462043]  __sys_connect+0x204/0x270
      [   11.465515]  __x64_sys_connect+0x6a/0xb0
      [   11.466088]  do_syscall_64+0x3e/0x70
      [   11.466617]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   11.467341] RIP: 0033:0x7f56046dc469
      [   11.467844] Code: Bad RIP value.
      [   11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
      [   11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469
      [   11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004
      [   11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000
      [   11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      [   11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003
      [   11.474321]
      [   11.474527] Allocated by task 4884:
      [   11.475031]  save_stack+0x1b/0x40
      [   11.475548]  __kasan_kmalloc.constprop.0+0xc2/0xd0
      [   11.476182]  tcp_cdg_init+0xf0/0x150
      [   11.476744]  tcp_init_congestion_control+0x9b/0x3a0
      [   11.477435]  tcp_set_congestion_control+0x270/0x32f
      [   11.478088]  do_tcp_setsockopt.isra.0+0x521/0x1a00
      [   11.478744]  __sys_setsockopt+0xff/0x1e0
      [   11.479259]  __x64_sys_setsockopt+0xb5/0x150
      [   11.479895]  do_syscall_64+0x3e/0x70
      [   11.480395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   11.481097]
      [   11.481321] Freed by task 4872:
      [   11.481783]  save_stack+0x1b/0x40
      [   11.482230]  __kasan_slab_free+0x12c/0x170
      [   11.482839]  kfree+0x8c/0x230
      [   11.483240]  tcp_cleanup_congestion_control+0x58/0xd0
      [   11.483948]  tcp_v4_destroy_sock+0x57/0x5a0
      [   11.484502]  inet_csk_destroy_sock+0x153/0x2c0
      [   11.485144]  tcp_close+0x932/0xfe0
      [   11.485642]  inet_release+0xc1/0x1c0
      [   11.486131]  __sock_release+0xc0/0x270
      [   11.486697]  sock_close+0xc/0x10
      [   11.487145]  __fput+0x277/0x780
      [   11.487632]  task_work_run+0xeb/0x180
      [   11.488118]  __prepare_exit_to_usermode+0x15a/0x160
      [   11.488834]  do_syscall_64+0x4a/0x70
      [   11.489326]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Wei Wang fixed a part of these CDG-malloc issues with commit c1201444
      ("tcp: memset ca_priv data to 0 properly").
      
      This patch here fixes the listener-scenario: We make sure that listeners
      setting the congestion-control through setsockopt won't initialize it
      (thus CDG never allocates on listeners). For those who use AF_UNSPEC to
      reuse a socket, tcp_disconnect() is changed to cleanup afterwards.
      
      (The issue can be reproduced at least down to v4.4.x.)
      
      Cc: Wei Wang <weiwan@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Fixes: 2b0a8c9e ("tcp: add CDG congestion control")
      Signed-off-by: Christoph Paasch <cpaasch@apple.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ethtool: fix genlmsg_put() failure handling in ethnl_default_dumpit() · 365f9ae4
      Michal Kubecek authored
      If the genlmsg_put() call in ethnl_default_dumpit() fails, we bail out
      without checking if we already have some messages in current skb like we do
      with ethnl_default_dump_one() failure later. Therefore if existing messages
      almost fill up the buffer so that there is not enough space even for
      netlink and genetlink header, we lose all prepared messages and return an
      error.
      
      Rather than duplicating the skb->len check, move the genlmsg_put(),
      genlmsg_cancel() and genlmsg_end() calls into ethnl_default_dump_one().
      This is also more logical as all message composition will be in
      ethnl_default_dump_one() and only iteration logic will be left in
      ethnl_default_dumpit().
      
      Fixes: 728480f1 ("ethtool: default handlers for GET requests")
      Reported-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
      Reviewed-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: fix a memory leak in atm_tc_init() · 306381ae
      Cong Wang authored
      When tcf_block_get() fails inside atm_tc_init(),
      atm_tc_put() is called to release the qdisc p->link.q.
      But the flow->ref prevents it from doing so, as the flow->ref
      is still zero.
      
      Fix this by moving the p->link.ref initialization before
      tcf_block_get().
      
      Fixes: 6529eaba ("net: sched: introduce tcf block infractructure")
      Reported-and-tested-by: syzbot+d411cff6ab29cc2c311b@syzkaller.appspotmail.com
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: Populate nvm-file attributes while reading nvm config partition. · 13cf8aab
      Sudarsana Reddy Kalluru authored
      NVM config file address will be modified when the MBI image is upgraded.
      Driver would return stale config values if user reads the nvm-config
      (via ethtool -d) in this state. The fix is to re-populate nvm attribute
      info while reading the nvm config values/partition.
      
      Changes from previous version:
      -------------------------------
      v3: Corrected the formatting in 'Fixes' tag.
      v2: Added 'Fixes' tag.
      
      Fixes: 1ac4329a ("qed: Add configuration information to register dump and debug data")
      Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 08 Jul, 2020 10 commits
    • cxgb4: fix all-mask IP address comparison · 76c4d85c
      Rahul Lakkireddy authored
      Convert all-mask IP address to Big Endian, instead, for comparison.
      
      Fixes: f286dd8e ("cxgb4: use correct type for all-mask IP address comparison")
      Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix retransmission on unicast links · a34f8291
      Hamish Martin authored
      A scenario has been observed where a 'bc_init' message for a link is not
      retransmitted if it fails to be received by the peer. This leads to the
      peer never establishing the link fully and it discarding all other data
      received on the link. In this scenario the message is lost in transit to
      the peer.
      
      The issue is traced to the 'nxt_retr' field of the skb not being
      initialised for links that aren't a bc_sndlink. This leads to the
      comparison in tipc_link_advance_transmq() that gates whether to attempt
      retransmission of a message performing in an undesirable way.
      Depending on the relative value of 'jiffies', this comparison:
          time_before(jiffies, TIPC_SKB_CB(skb)->nxt_retr)
      may return true or false given that 'nxt_retr' remains at the
      uninitialised value of 0 for non bc_sndlinks.
      
      This is most noticeable shortly after boot when jiffies is initialised
      to a high value (to flush out rollover bugs) and we compare a jiffies of,
      say, 4294940189 to zero. In that case time_before returns 'true' leading
      to the skb not being retransmitted.
      
      The fix is to ensure that all skbs have a valid 'nxt_retr' time set for
      them and this is achieved by refactoring the setting of this value into
      a central function.
      With this fix, transmission losses of 'bc_init' messages do not stall
      the link establishment forever because the 'bc_init' message is
      retransmitted and the link eventually establishes correctly.
      
      Fixes: 382f598f ("tipc: reduce duplicate packets for unicast traffic")
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: remove skb_dst_set() from l2tp_xmit_skb() · 27d53323
      Xin Long authored
      In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set
      skb's dst. However, it will eventually call inet6_csk_xmit() or
      ip_queue_xmit() where skb's dst will be overwritten by:
      
         skb_dst_set_noref(skb, dst);
      
      without releasing the old dst in skb. Then it causes dst/dev refcnt leak:
      
        unregister_netdevice: waiting for eth0 to become free. Usage count = 1
      
      This can be reproduced by simply running:
      
        # modprobe l2tp_eth && modprobe l2tp_ip
        # sh ./tools/testing/selftests/net/l2tp.sh
      
      So before going to inet6_csk_xmit() or ip_queue_xmit(), skb's dst
      should be dropped. This patch is to fix it by removing skb_dst_set()
      from l2tp_xmit_skb() and moving skb_dst_drop() into l2tp_xmit_core().
      
      Fixes: 3557baab ("[L2TP]: PPP over L2TP driver core")
      Reported-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: James Chapman <jchapman@katalix.com>
      Tested-by: James Chapman <jchapman@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'net-smc-fixes' · 1412bb2b
      David S. Miller authored
      Karsten Graul says:
      
      ====================
      net/smc: fixes 2020-07-08
      
      Please apply the following patch series for smc to netdev's net tree.
      
      The patches fix problems found during more testing of SMC
      functionality, resulting in hang conditions and unneeded link
      deactivations. The clc module was hardened to be prepared for
      possible future SMCD versions.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: tolerate future SMCD versions · fb4f7926
      Ursula Braun authored
      CLC proposal messages of future SMCD versions could be larger than SMCD
      V1 CLC proposal messages.
      To enable toleration in SMC V1 the receipt of CLC proposal messages
      is adapted:
      * accept larger length values in CLC proposal
      * check trailing eye catcher for incoming CLC proposal with V1 length only
      * receive the whole CLC proposal even in cases it does not fit into the
        V1 buffer
      
      Fixes: e7b7a64a ("smc: support variable CLC proposal messages")
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: switch smcd_dev_list spinlock to mutex · 82087c03
      Ursula Braun authored
      The similar smc_ib_devices spinlock has been converted to a mutex.
      Protecting the smcd_dev_list by a mutex is possible as well. This
      patch converts the smcd_dev_list spinlock to a mutex.
      
      Fixes: c6ba7c9b ("net/smc: add base infrastructure for SMC-D and ISM")
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: fix sleep bug in smc_pnet_find_roce_resource() · 92f3cb0e
      Ursula Braun authored
      Tests showed this BUG:
      [572555.252867] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:935
      [572555.252876] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 131031, name: smcapp
      [572555.252879] INFO: lockdep is turned off.
      [572555.252883] CPU: 1 PID: 131031 Comm: smcapp Tainted: G           O      5.7.0-rc3uschi+ #356
      [572555.252885] Hardware name: IBM 3906 M03 703 (LPAR)
      [572555.252887] Call Trace:
      [572555.252896]  [<00000000ac364554>] show_stack+0x94/0xe8
      [572555.252901]  [<00000000aca1f400>] dump_stack+0xa0/0xe0
      [572555.252906]  [<00000000ac3c8c10>] ___might_sleep+0x260/0x280
      [572555.252910]  [<00000000acdc0c98>] __mutex_lock+0x48/0x940
      [572555.252912]  [<00000000acdc15c2>] mutex_lock_nested+0x32/0x40
      [572555.252975]  [<000003ff801762d0>] mlx5_lag_get_roce_netdev+0x30/0xc0 [mlx5_core]
      [572555.252996]  [<000003ff801fb3aa>] mlx5_ib_get_netdev+0x3a/0xe0 [mlx5_ib]
      [572555.253007]  [<000003ff80063848>] smc_pnet_find_roce_resource+0x1d8/0x310 [smc]
      [572555.253011]  [<000003ff800602f0>] __smc_connect+0x1f0/0x3e0 [smc]
      [572555.253015]  [<000003ff80060634>] smc_connect+0x154/0x190 [smc]
      [572555.253022]  [<00000000acbed8d4>] __sys_connect+0x94/0xd0
      [572555.253025]  [<00000000acbef620>] __s390x_sys_socketcall+0x170/0x360
      [572555.253028]  [<00000000acdc6800>] system_call+0x298/0x2b8
      [572555.253030] INFO: lockdep is turned off.
      
      Function smc_pnet_find_rdma_dev() might be called from
      smc_pnet_find_roce_resource(). It holds the smc_ib_devices list
      spinlock while calling infiniband op get_netdev(). At least for mlx5
      the get_netdev operation wants mutex serialization, which conflicts
      with the smc_ib_devices spinlock.
      This patch switches the smc_ib_devices spinlock into a mutex to
      allow sleeping when calling get_netdev().
      
      Fixes: a4cf0443 ("smc: introduce SMC as an IB-client")
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: fix work request handling · b7eede75
      Karsten Graul authored
      Wait for pending sends only when smc_switch_conns() found a link to move
      the connections to. Do not wait during link freeing, this can lead to
      permanent hang situations. And refuse to provide a new tx slot on an
      unusable link.
      
      Fixes: c6f02ebe ("net/smc: switch connections to alternate link")
      Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: separate LLC wait queues for flow and messages · 6778a6be
      Karsten Graul authored
      There might be races in scenarios where both SMC link groups are on the
      same system. Prevent that by creating separate wait queues for LLC flows
      and messages. Switch to non-interruptible versions of wait_event() and
      wake_up() for the llc flow waiter to make sure the waiters get control
      sequentially. Fine tune the llc_flow_lock to include the assignment of
      the message. Write to system log when an unexpected message was
      dropped. And remove an extra indirection and use the existing local
      variable lgr in smc_llc_enqueue().
      
      Fixes: 555da9af ("net/smc: add event-based llc_flow framework")
      Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: atlantic: fix ip dst and ipv6 address filters · a42e6aee
      Dmitry Bogdanov authored
      This patch fixes ip dst and ipv6 address filters.
      There were 2 mistakes in the code, which led to the issue:
      * invalid register was used for ipv4 dst address;
      * incorrect write order of dwords for ipv6 addresses.
      
      Fixes: 23e7a718 ("net: aquantia: add rx-flow filter definitions")
      Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
      Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
      Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 07 Jul, 2020 18 commits
    • ionic: centralize queue reset code · 086c18f2
      Shannon Nelson authored
      The queue reset pattern is used in a couple different places,
      only slightly different from each other, and could cause
      issues if one gets changed and the other didn't.  This puts
      them together so that only one version is needed, yet each
      can have slightly different effects by passing in a pointer
      to a work function to do whatever configuration twiddling is
      needed in the middle of the reset.
      
      This specifically addresses issues seen where under loops
      of changing ring size or queue count parameters we could
      occasionally bump into the netdev watchdog.
      
      v2: added more commit message commentary
      
      Fixes: 4d03e00a ("ionic: Add initial ethtool support")
      Signed-off-by: Shannon Nelson <snelson@pensando.io>
      Acked-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vlan: consolidate VLAN parsing code and limit max parsing depth · 469acedd
      Toke Høiland-Jørgensen authored
      Toshiaki pointed out that we now have two very similar functions to extract
      the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
      that the unbounded parsing loop makes it possible for maliciously crafted
      packets to loop through potentially hundreds of tags.
      
      Fix both of these issues by consolidating the two parsing functions and
      limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
      switch over __vlan_get_protocol() to use skb_header_pointer() instead of
      pskb_may_pull(), to avoid the possible side effects of the latter and keep
      the skb pointer 'const' through all the parsing functions.
      
      v2:
      - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)
      Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
      Reported-by: Daniel Borkmann <daniel@iogearbox.net>
      Fixes: d7bf2ebe ("sched: consistently handle layer3 header accesses in the presence of VLANs")
      Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
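      A user-space model of the bounded tag walk this commit describes, added here as an example and not the kernel's own code: it skips stacked 802.1Q/802.1ad tags up to a depth of 8, checks every read against the buffer length before performing it (the property the commit gets from skb_header_pointer()), and keeps the frame const. The ETH_P_*/VLAN_MAX_DEPTH constants, build_frame() and the demo_* helpers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_8021Q    0x8100
#define ETH_P_8021AD   0x88A8
#define ETH_P_IP       0x0800
#define ETH_P_IPV6     0x86DD
#define ETH_HLEN       14
#define VLAN_HLEN      4
#define VLAN_MAX_DEPTH 8   /* the limit the commit chooses (matches XMIT_RECURSION_LIMIT) */

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Return the L3 EtherType (host order) behind the tag stack, or 0 when the
 * frame is truncated or carries more than VLAN_MAX_DEPTH tags. Every read is
 * bounds-checked against `len` first and the frame is never modified. */
uint16_t vlan_get_protocol(const uint8_t *frame, size_t len, unsigned *depth_out)
{
    size_t off = ETH_HLEN - 2;          /* offset of the outermost TPID/EtherType */
    unsigned depth = 0;
    uint16_t type;

    if (len < ETH_HLEN)
        return 0;
    type = get_be16(frame + off);
    while (type == ETH_P_8021Q || type == ETH_P_8021AD) {
        if (++depth > VLAN_MAX_DEPTH)   /* bounded: a hostile stack cannot spin here */
            return 0;
        off += VLAN_HLEN;
        if (off + 2 > len)              /* next TPID/EtherType must lie inside the buffer */
            return 0;
        type = get_be16(frame + off);
    }
    if (depth_out)
        *depth_out = depth;
    return type;
}

/* Constructed frame: zeroed MACs, `ntags` tags (outer one 802.1ad when stacked),
 * then the `inner` EtherType. Returns the frame length, 0 if it does not fit. */
size_t build_frame(uint8_t *buf, size_t cap, unsigned ntags, uint16_t inner)
{
    size_t need = ETH_HLEN + (size_t)ntags * VLAN_HLEN;
    size_t off = ETH_HLEN - 2;

    if (need > cap)
        return 0;
    memset(buf, 0, need);
    for (unsigned i = 0; i < ntags; i++, off += VLAN_HLEN) {
        uint16_t tpid = (i == 0 && ntags > 1) ? ETH_P_8021AD : ETH_P_8021Q;
        buf[off]     = (uint8_t)(tpid >> 8);
        buf[off + 1] = (uint8_t)(tpid & 0xff);
        buf[off + 3] = (uint8_t)(i + 1);    /* TCI: VID = i + 1, PCP/DEI = 0 */
    }
    buf[off]     = (uint8_t)(inner >> 8);
    buf[off + 1] = (uint8_t)(inner & 0xff);
    return need;
}

/* Build a frame with `ntags` tags, cut `truncate_by` bytes off its end, parse it. */
uint16_t demo_protocol(unsigned ntags, uint16_t inner, size_t truncate_by, unsigned *depth)
{
    uint8_t buf[128];
    size_t n = build_frame(buf, sizeof buf, ntags, inner);

    if (n == 0 || truncate_by > n)
        return 0;
    return vlan_get_protocol(buf, n - truncate_by, depth);
}

/* Number of tags the parser reports for a well-formed `ntags` frame. */
unsigned demo_depth(unsigned ntags)
{
    unsigned depth = 0;

    demo_protocol(ntags, ETH_P_IP, 0, &depth);
    return depth;
}

int main(void)
{
    printf("8 tags: proto 0x%04x, depth %u\n", demo_protocol(8, ETH_P_IPV6, 0, NULL), demo_depth(8));
    printf("9 tags: proto 0x%04x (0 = rejected)\n", demo_protocol(9, ETH_P_IPV6, 0, NULL));
    printf("2 tags, 1 byte short: proto 0x%04x\n", demo_protocol(2, ETH_P_IP, 1, NULL));
    return 0;
}
```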
    • net: qed: fix buffer overflow on ethtool -d · da328711
      Alexander Lobakin authored
      When generating debug dump, driver firstly collects all data in binary
      form, and then performs per-feature formatting to human-readable if it
      is supported.
      
      For ethtool -d, this is roughly incorrect for two reasons. First of all,
      drivers should always provide only original raw dumps to Ethtool without
      any changes.
      The second, and more critical, is that Ethtool's output buffer size is
      strictly determined by ethtool_ops::get_regs_len(), and all data *must*
      fit in it. The current version of driver always returns the size of raw
      data, but the size of the formatted buffer exceeds it in most cases.
      This leads to out-of-bound writes and memory corruption.
      
      Address both issues by adding an option to return original, non-formatted
      debug data, and using it for Ethtool case.
      
      v2:
       - Expand commit message to make it more clear;
       - No functional changes.
      
      Fixes: c965db44 ("qed: Add support for debug data collection")
      Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
      Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bridge: mcast: Fix MLD2 Report IPv6 payload length check · 5fc6266a
      Linus Lüssing authored
      Commit e57f6185 ("net: bridge: mcast: fix stale nsrcs pointer in
      igmp3/mld2 report handling") introduced a bug in the IPv6 header payload
      length check which would potentially lead to rejecting a valid MLD2 Report:
      
      The check needs to take into account the 2 bytes for the "Number of
      Sources" field in the "Multicast Address Record" before reading it.
      And not the size of a pointer to this field.
      
      Fixes: e57f6185 ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling")
      Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: David S. Miller <davem@davemloft.net>
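      An added example of the length check this commit corrects, not the bridge's own code: a walker over the Multicast Address Records of an MLD2 Report that reserves the 2-byte Number of Sources field (sizeof(uint16_t), not the size of a pointer to it) before reading it, and then requires the whole record to fit in the payload. The record layout follows RFC 3810; build_mld2_report() and demo_walk() are constructed helpers for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICMPV6_MLD2_REPORT 143
#define MLD2_HDR_LEN       8    /* type, code, checksum, reserved, nr of records */
#define MLD2_GREC_HDR_LEN  20   /* record type, aux data len, nr of sources, multicast address */
#define MLD2_GREC_NSRCS    2    /* byte offset of the 16-bit nr-of-sources field in a record */
#define IPV6_ADDR_LEN      16

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk every Multicast Address Record of the ICMPv6 message in `rep`, where
 * `len` is the IPv6 payload length. Returns the number of records, or -1 as
 * soon as a read would fall outside the payload. */
int mld2_report_walk(const uint8_t *rep, size_t len)
{
    size_t off = MLD2_HDR_LEN;
    unsigned nrec;

    if (len < MLD2_HDR_LEN || rep[0] != ICMPV6_MLD2_REPORT)
        return -1;
    nrec = get_be16(rep + 6);
    for (unsigned i = 0; i < nrec; i++) {
        size_t nsrcs_off = off + MLD2_GREC_NSRCS;
        unsigned auxlen, nsrcs;
        size_t grec_len;

        /* The field is two bytes wide: the check must cover exactly those two
         * bytes before they are read, not sizeof(a pointer to them). */
        if (len < nsrcs_off + sizeof(uint16_t))
            return -1;
        auxlen = rep[off + 1];              /* in 32-bit words */
        nsrcs  = get_be16(rep + nsrcs_off);
        grec_len = MLD2_GREC_HDR_LEN + (size_t)nsrcs * IPV6_ADDR_LEN + (size_t)auxlen * 4;
        if (len < off + grec_len)           /* sources and aux data must fit as well */
            return -1;
        off += grec_len;
    }
    return (int)nrec;
}

/* Constructed report: `nrec` MODE_IS_INCLUDE records for ff02::<i+1>, each with
 * `nsrcs` zeroed source addresses and `auxlen` aux words. Returns its length. */
size_t build_mld2_report(uint8_t *buf, size_t cap, unsigned nrec, unsigned nsrcs, unsigned auxlen)
{
    size_t grec = MLD2_GREC_HDR_LEN + (size_t)nsrcs * IPV6_ADDR_LEN + (size_t)auxlen * 4;
    size_t need = MLD2_HDR_LEN + (size_t)nrec * grec;
    size_t off = MLD2_HDR_LEN;

    if (need > cap || auxlen > 255 || nrec > 0xffff || nsrcs > 0xffff)
        return 0;
    memset(buf, 0, need);
    buf[0] = ICMPV6_MLD2_REPORT;
    buf[6] = (uint8_t)(nrec >> 8);
    buf[7] = (uint8_t)(nrec & 0xff);
    for (unsigned i = 0; i < nrec; i++, off += grec) {
        buf[off]      = 1;                  /* MODE_IS_INCLUDE */
        buf[off + 1]  = (uint8_t)auxlen;
        buf[off + 2]  = (uint8_t)(nsrcs >> 8);
        buf[off + 3]  = (uint8_t)(nsrcs & 0xff);
        buf[off + 4]  = 0xff;               /* multicast address ff02::<i+1> */
        buf[off + 5]  = 0x02;
        buf[off + 19] = (uint8_t)(i + 1);
    }
    return need;
}

/* Build a report, cut `truncate_by` bytes off its end, and walk it.
 * Returns the walker's result, or -2 if the report could not be built. */
int demo_walk(unsigned nrec, unsigned nsrcs, unsigned auxlen, size_t truncate_by)
{
    uint8_t buf[512];
    size_t n = build_mld2_report(buf, sizeof buf, nrec, nsrcs, auxlen);

    if (n == 0 || truncate_by > n)
        return -2;
    return mld2_report_walk(buf, n - truncate_by);
}

int main(void)
{
    printf("2 records, 1 source + 1 aux word each: %d\n", demo_walk(2, 1, 1, 0));
    printf("1 record, payload 1 byte short: %d\n", demo_walk(1, 0, 0, 1));
    printf("payload cut before the nsrcs field: %d\n", demo_walk(1, 0, 0, 17));
    return 0;
}
```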
    • net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb · 394de110
      Martin Varghese authored
      The packets from tunnel devices (eg bareudp) may have only
      metadata in the dst pointer of skb. Hence a pointer check of
      neigh_lookup is needed in dst_neigh_lookup_skb.
      
      Kernel crashes when packets from a bareudp device are processed in
      the kernel neighbour subsystem.
      
      [  133.384484] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [  133.385240] #PF: supervisor instruction fetch in kernel mode
      [  133.385828] #PF: error_code(0x0010) - not-present page
      [  133.386603] PGD 0 P4D 0
      [  133.386875] Oops: 0010 [#1] SMP PTI
      [  133.387275] CPU: 0 PID: 5045 Comm: ping Tainted: G        W         5.8.0-rc2+ #15
      [  133.388052] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [  133.391076] RIP: 0010:0x0
      [  133.392401] Code: Bad RIP value.
      [  133.394029] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246
      [  133.396656] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00
      [  133.399018] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400
      [  133.399685] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000
      [  133.400350] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400
      [  133.401010] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003
      [  133.401667] FS:  00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000
      [  133.402412] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  133.402948] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0
      [  133.403611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  133.404270] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  133.404933] Call Trace:
      [  133.405169]  <IRQ>
      [  133.405367]  __neigh_update+0x5a4/0x8f0
      [  133.405734]  arp_process+0x294/0x820
      [  133.406076]  ? __netif_receive_skb_core+0x866/0xe70
      [  133.406557]  arp_rcv+0x129/0x1c0
      [  133.406882]  __netif_receive_skb_one_core+0x95/0xb0
      [  133.407340]  process_backlog+0xa7/0x150
      [  133.407705]  net_rx_action+0x2af/0x420
      [  133.408457]  __do_softirq+0xda/0x2a8
      [  133.408813]  asm_call_on_stack+0x12/0x20
      [  133.409290]  </IRQ>
      [  133.409519]  do_softirq_own_stack+0x39/0x50
      [  133.410036]  do_softirq+0x50/0x60
      [  133.410401]  __local_bh_enable_ip+0x50/0x60
      [  133.410871]  ip_finish_output2+0x195/0x530
      [  133.411288]  ip_output+0x72/0xf0
      [  133.411673]  ? __ip_finish_output+0x1f0/0x1f0
      [  133.412122]  ip_send_skb+0x15/0x40
      [  133.412471]  raw_sendmsg+0x853/0xab0
      [  133.412855]  ? insert_pfn+0xfe/0x270
      [  133.413827]  ? vvar_fault+0xec/0x190
      [  133.414772]  sock_sendmsg+0x57/0x80
      [  133.415685]  __sys_sendto+0xdc/0x160
      [  133.416605]  ? syscall_trace_enter+0x1d4/0x2b0
      [  133.417679]  ? __audit_syscall_exit+0x1d9/0x280
      [  133.418753]  ? __prepare_exit_to_usermode+0x5d/0x1a0
      [  133.419819]  __x64_sys_sendto+0x24/0x30
      [  133.420848]  do_syscall_64+0x4d/0x90
      [  133.421768]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  133.422833] RIP: 0033:0x7fe013689c03
      [  133.423749] Code: Bad RIP value.
      [  133.424624] RSP: 002b:00007ffc7288f418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [  133.425940] RAX: ffffffffffffffda RBX: 000056151fc63720 RCX: 00007fe013689c03
      [  133.427225] RDX: 0000000000000040 RSI: 000056151fc63720 RDI: 0000000000000003
      [  133.428481] RBP: 00007ffc72890b30 R08: 000056151fc60500 R09: 0000000000000010
      [  133.429757] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
      [  133.431041] R13: 000056151fc636e0 R14: 000056151fc616bc R15: 0000000000000080
      [  133.432481] Modules linked in: mpls_iptunnel act_mirred act_tunnel_key cls_flower sch_ingress veth mpls_router ip_tunnel bareudp ip6_udp_tunnel udp_tunnel macsec udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc xt_MASQUERADE iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc ebtable_filter ebtables overlay ip6table_filter ip6_tables iptable_filter sunrpc ext4 mbcache jbd2 pcspkr i2c_piix4 virtio_balloon joydev ip_tables xfs libcrc32c ata_generic qxl pata_acpi drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ata_piix libata virtio_net net_failover virtio_console failover virtio_blk i2c_core virtio_pci virtio_ring serio_raw floppy virtio dm_mirror dm_region_hash dm_log dm_mod
      [  133.444045] CR2: 0000000000000000
      [  133.445082] ---[ end trace f4aeee1958fd1638 ]---
      [  133.446236] RIP: 0010:0x0
      [  133.447180] Code: Bad RIP value.
      [  133.448152] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246
      [  133.449363] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00
      [  133.450835] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400
      [  133.452237] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000
      [  133.453722] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400
      [  133.455149] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003
      [  133.456520] FS:  00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000
      [  133.458046] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  133.459342] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0
      [  133.460782] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  133.462240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  133.463697] Kernel panic - not syncing: Fatal exception in interrupt
      [  133.465226] Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [  133.467025] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fixes: aaa0c23c ("Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug")
      Signed-off-by: Martin Varghese <martin.varghese@nokia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      394de110
    • wenxu's avatar
      net/sched: act_ct: add miss tcf_lastuse_update. · 8367b3ab
      wenxu authored
      When tcf_ct_act executes, tcf_lastuse_update should be run,
      or the used stats never update.
      
      filter protocol ip pref 3 flower chain 0
      filter protocol ip pref 3 flower chain 0 handle 0x1
        eth_type ipv4
        dst_ip 1.1.1.1
        ip_flags frag/firstfrag
        skip_hw
        not_in_hw
       action order 1: ct zone 1 nat pipe
        index 1 ref 1 bind 1 installed 103 sec used 103 sec
       Action statistics:
       Sent 151500 bytes 101 pkt (dropped 0, overlimits 0 requeues 0)
       backlog 0b 0p requeues 0
       cookie 4519c04dc64a1a295787aab13b6a50fb
      Signed-off-by: wenxu <wenxu@ucloud.cn>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      8367b3ab
    • Sebastian Andrzej Siewior's avatar
      net/mlx5e: Do not include rwlock.h directly · f0b594df
      Sebastian Andrzej Siewior authored
      rwlock.h should not be included directly. Instead linux/spinlock.h
      should be included. Including it directly will break the RT build.
      
      Fixes: 549c243e ("net/mlx5e: Extract neigh-specific code from en_rep.c to rep/neigh.c")
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
      Acked-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f0b594df
    • Paolo Abeni's avatar
      mptcp: fix DSS map generation on fin retransmission · 9c29e361
      Paolo Abeni authored
      The RFC 8684 mandates that no-data DATA FIN packets should carry
      a DSS with 0 sequence number and data len equal to 1. Currently,
      on FIN retransmission we re-use the existing mapping; if the previous
      fin transmission was part of a partially acked data packet, we could
      end up writing in the egress packet a non-compliant DSS.
      
      The above will be detected by a "Bad mapping" warning on the receiver
      side.
      
      This change addresses the issue by explicitly checking for a 0 len packet
      when adding the DATA_FIN option.
      
      Fixes: 6d0060f6 ("mptcp: Write MPTCP DSS headers to outgoing data packets")
      Reported-by: syzbot+42a07faa5923cfaeb9c9@syzkaller.appspotmail.com
      Tested-by: Christoph Paasch <cpaasch@apple.com>
      Reviewed-by: Christoph Paasch <cpaasch@apple.com>
      Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      9c29e361
    • Sabrina Dubroca's avatar
      ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg · 5eff0690
      Sabrina Dubroca authored
      IPv4 ping sockets don't set fl4.fl4_icmp_{type,code}, which leads to
      incomplete IPsec ACQUIRE messages being sent to userspace. Currently,
      both raw sockets and IPv6 ping sockets set those fields.
      
      Expected output of "ip xfrm monitor":
          acquire proto esp
            sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 8 code 0 dev ens4
            policy src 10.0.2.15/32 dst 8.8.8.8/32
              <snip>
      
      Currently with ping sockets:
          acquire proto esp
            sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 0 code 0 dev ens4
            policy src 10.0.2.15/32 dst 8.8.8.8/32
              <snip>
      
      The Libreswan test suite found this problem after Fedora changed the
      value for the sysctl net.ipv4.ping_group_range.
      
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Reported-by: Paul Wouters <pwouters@redhat.com>
      Tested-by: Paul Wouters <pwouters@redhat.com>
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      5eff0690
    • Tobias Waldekranz's avatar
      net: ethernet: fec: prevent tx starvation under high rx load · 7cdaa4cc
      Tobias Waldekranz authored
      In the ISR, we poll the event register for the queues in need of
      service and then enter polled mode. After this point, the event
      register will never be read again until we exit polled mode.
      
      In a scenario where a UDP flow is routed back out through the same
      interface, i.e. "router-on-a-stick", we'll typically only see an rx
      queue event initially. Once we start to process the incoming flow
      we'll be locked in polled mode, but we'll never clean the tx rings since
      that event is never caught.
      
      Eventually the netdev watchdog will trip, causing all buffers to be
      dropped and then the process starts over again.
      
      Rework the NAPI poll to keep trying to consume the entire budget as
      long as new events are coming in, making sure to service all rx/tx
      queues, in priority order, on each pass.
      
      Fixes: 4d494cdc ("net: fec: change data structure to support multiqueue")
      Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
      Tested-by: Fugang Duan <fugang.duan@nxp.com>
      Reviewed-by: Fugang Duan <fugang.duan@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      7cdaa4cc
    • Tom Rix's avatar
      net: sky2: initialize return of gm_phy_read · 28b18e4e
      Tom Rix authored
      clang static analysis flags this garbage return
      
      drivers/net/ethernet/marvell/sky2.c:208:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn]
              return v;
              ^~~~~~~~
      
      static inline u16 gm_phy_read( ...
      {
      	u16 v;
      	__gm_phy_read(hw, port, reg, &v);
      	return v;
      }
      
      __gm_phy_read can return without setting v.
      
      So handle it similarly to skge.c's gm_phy_read: initialize v.
      Signed-off-by: Tom Rix <trix@redhat.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      28b18e4e
    • Cong Wang's avatar
      cgroup: fix cgroup_sk_alloc() for sk_clone_lock() · ad0f75e5
      Cong Wang authored
      When we clone a socket in sk_clone_lock(), its sk_cgrp_data is
      copied, so the cgroup refcnt must be taken too. And, unlike the
      sk_alloc() path, sock_update_netprioidx() is not called here.
      Therefore, it is safe and necessary to grab the cgroup refcnt
      even when cgroup_sk_alloc is disabled.
      
      sk_clone_lock() is in BH context anyway, the in_interrupt()
      would terminate this function if called there. And for sk_alloc()
      skcd->val is always zero. So it's safe to factor out the code
      to make it more readable.
      
      The global variable 'cgroup_sk_alloc_disabled' is used to determine
      whether to take these reference counts. It is impossible to make
      the reference counting correct unless we save this bit of information
      in skcd->val. So, add a new bit there to record whether the socket
      has already taken the reference counts. This obviously relies on
      kmalloc() to align cgroup pointers to at least 4 bytes,
      ARCH_KMALLOC_MINALIGN is certainly larger than that.
      
      This bug seems to have been present since the beginning; commit
      d979a39d ("cgroup: duplicate cgroup reference when cloning sockets")
      tried to fix it but not completely. It seems not easy to trigger until
      the recent commit 090e28b2
      ("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged.
      
      Fixes: bd1060a1 ("sock, cgroup: add sock->sk_cgroup")
      Reported-by: Cameron Berkenpas <cam@neo-zeon.de>
      Reported-by: Peter Geis <pgwipeout@gmail.com>
      Reported-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
      Reported-by: Daniël Sonck <dsonck92@gmail.com>
      Reported-by: Zhang Qiang <qiang.zhang@windriver.com>
      Tested-by: Cameron Berkenpas <cam@neo-zeon.de>
      Tested-by: Peter Geis <pgwipeout@gmail.com>
      Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Zefan Li <lizefan@huawei.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Roman Gushchin <guro@fb.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ad0f75e5
    • David Ahern's avatar
      ipv6: Fix use of anycast address with loopback · aea23c32
      David Ahern authored
      Thomas reported a regression with IPv6 and anycast using the following
      reproducer:
      
          echo 1 >  /proc/sys/net/ipv6/conf/all/forwarding
          ip -6 a add fc12::1/16 dev lo
          sleep 2
          echo "pinging lo"
          ping6 -c 2 fc12::
      
      The conversion of addrconf_f6i_alloc to use ip6_route_info_create missed
      the use of fib6_is_reject which checks addresses added to the loopback
      interface and sets the REJECT flag as needed. Update fib6_is_reject for
      loopback checks to handle RTF_ANYCAST addresses.
      
      Fixes: c7a1ce39 ("ipv6: Change addrconf_f6i_alloc to use ip6_route_info_create")
      Reported-by: thomas.gambier@nexedi.com
      Signed-off-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      aea23c32
    • AceLan Kao's avatar
      net: usb: qmi_wwan: add support for Quectel EG95 LTE modem · f815dd5c
      AceLan Kao authored
      Add support for Quectel Wireless Solutions Co., Ltd. EG95 LTE modem
      
      T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  5 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2c7c ProdID=0195 Rev=03.18
      S:  Manufacturer=Android
      S:  Product=Android
      C:  #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f815dd5c
    • David S. Miller's avatar
      Merge branch 'net-ipa-fix-warning-reported-errors' · 92cffd48
      David S. Miller authored
      Alex Elder says:
      
      ====================
      net: ipa: fix warning-reported errors
      
      Building the kernel with W=1 produces numerous warnings for the IPA
      code.  Some of those warnings turn out to flag real problems, and
      this series fixes them.  The first patch fixes the most important
      ones, but the second and third are problems I think are worth
      treating as bugs as well.
      
      Note:  I'll happily combine any of these if someone prefers that.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      92cffd48
    • Alex Elder's avatar
      net: ipa: include declarations in "ipa_gsi.c" · a21c1f02
      Alex Elder authored
      Include "ipa_gsi.h" in "ipa_gsi.c", so the public functions are
      defined before they are used in "ipa_gsi.c".  This addresses some
      warnings that are reported with a "W=1" build.
      
      Fixes: c3f398b1 ("soc: qcom: ipa: IPA interface to GSI")
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a21c1f02
    • Alex Elder's avatar
      net: ipa: declare struct types in "ipa_gsi.h" · 3c90e95b
      Alex Elder authored
      Pointers to two struct types are used in "ipa_gsi.h", without those
      struct types being forward-declared.  Add these declarations.
      
      Fixes: c3f398b1 ("soc: qcom: ipa: IPA interface to GSI")
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      3c90e95b
    • Alex Elder's avatar
      net: ipa: fix QMI structure definition bugs · 74478ea4
      Alex Elder authored
      Building with "W=1" did exactly what it was supposed to do, namely
      point out some suspicious-looking code to be verified not to contain
      bugs.
      
      Some QMI message structures defined in "ipa_qmi_msg.c" contained
      some bad field names (duplicating the "elem_size" field instead of
      defining the "offset" field), almost certainly due to copy/paste
      errors that weren't obvious in a scan of the code.  Fix these bugs.
      
      Fixes: 530f9216 ("soc: qcom: ipa: AP/modem communications")
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      74478ea4
  5. 06 Jul, 2020 5 commits
    • David Ahern's avatar
      ipv6: fib6_select_path can not use out path for nexthop objects · 34fe5a1c
      David Ahern authored
      Brian reported a crash in IPv6 code when using rpfilter with a setup
      running FRR and external nexthop objects. The root cause of the crash
      is fib6_select_path setting fib6_nh in the result to NULL because of
      an improper check for nexthop objects.
      
      More specifically, rpfilter invokes ip6_route_lookup with flowi6_oif
      set causing fib6_select_path to be called with have_oif_match set.
      fib6_select_path has early check on have_oif_match and jumps to the
      out label which presumes a builtin fib6_nh. This path is invalid for
      nexthop objects; for external nexthops fib6_select_path needs to just
      return if the fib6_nh has already been set in the result otherwise it
      returns after the call to nexthop_path_fib6_result. Update the check
      on have_oif_match to not bail on external nexthops.
      
      Update selftests for this problem.
      
      Fixes: f88d8ea6 ("ipv6: Plumb support for nexthop object in a fib6_info")
      Reported-by: Brian Rak <brak@choopa.com>
      Signed-off-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      34fe5a1c
    • David S. Miller's avatar
      Merge branch 'hns3-fixes' · eadede5f
      David S. Miller authored
      Huazhong Tan says:
      
      ====================
      net: hns3: fixes for -net
      
      There are some fixes about reset issue and a use-after-free
      of self-test.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      eadede5f
    • Yonglong Liu's avatar
      net: hns3: fix use-after-free when doing self test · a0665621
      Yonglong Liu authored
      Enable promisc mode of PF, set VF link state to enable, and
      run iperf of the VF, then do self test of the PF. The self test
      will fail with a low frequency, and may cause a use-after-free
      problem.
      
      [   87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   87.159722] ==================================================================
      [   87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608
      [   87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186
      [   87.201012]
      [   87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4
      [   87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020
      [   87.238292] Call trace:
      [   87.243173]  dump_backtrace+0x0/0x280
      [   87.250491]  show_stack+0x24/0x30
      [   87.257114]  dump_stack+0xe8/0x140
      [   87.263911]  print_address_description.isra.8+0x70/0x380
      [   87.274538]  __kasan_report+0x12c/0x230
      [   87.282203]  kasan_report+0xc/0x18
      [   87.288999]  __asan_load1+0x60/0x68
      [   87.295969]  hex_dump_to_buffer+0x140/0x608
      [   87.304332]  print_hex_dump+0x140/0x1e0
      [   87.312000]  hns3_lb_check_skb_data+0x168/0x170
      [   87.321060]  hns3_clean_rx_ring+0xa94/0xfe0
      [   87.329422]  hns3_self_test+0x708/0x8c0
      
      The length of the packet sent by the selftest process is only
      128 + 14 bytes, and the min buffer size of a BD is 256 bytes,
      and the receive process will make sure the packet sent by
      the selftest process is in the linear part, so only check
      the linear part in hns3_lb_check_skb_data().
      
      So fix this use-after-free by using skb_headlen() to dump
      skb->data instead of skb->len.
      
      Fixes: c39c4d98 ("net: hns3: Add mac loopback selftest support in hns3 driver")
      Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a0665621
    • Huazhong Tan's avatar
      net: hns3: add a missing uninit debugfs when unload driver · e22b5e72
      Huazhong Tan authored
      When unloading driver, if flag HNS3_NIC_STATE_INITED has been
      already cleared, the debugfs will not be uninitialized, so fix it.
      
      Fixes: b2292360 ("net: hns3: Add debugfs framework registration")
      Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      e22b5e72
    • Huazhong Tan's avatar
      net: hns3: fix for mishandle of asserting VF reset fail · cddd5648
      Huazhong Tan authored
      When asserting VF reset fails, flag HCLGEVF_STATE_CMD_DISABLE
      and the handshake status should not be set, otherwise the retry will
      fail. So add a check for asserting VF reset and return
      directly when it fails.
      
      Fixes: ef5f8e50 ("net: hns3: stop handling command queue while resetting VF")
      Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cddd5648