1. 07 Dec, 2019 1 commit
  2. 06 Dec, 2019 7 commits
    • Eric Dumazet's avatar
      net: avoid an indirect call in ____sys_recvmsg() · 1af66221
      Eric Dumazet authored
      CONFIG_RETPOLINE=y made indirect calls expensive.
      
      gcc seems to add an indirect call in ____sys_recvmsg().
      
      Rewriting the code slightly makes sure to avoid this indirection.
      
      Alternative would be to not call sock_recvmsg() and instead
      use security_socket_recvmsg() and sock_recvmsg_nosec(),
      but this is less readable IMO.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: David Laight <David.Laight@aculab.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1af66221
    • Chuhong Yuan's avatar
      phy: mdio-thunder: add missed pci_release_regions in remove · 462f8554
      Chuhong Yuan authored
      The driver forgets to call pci_release_regions() in remove like that
      in probe failure.
      Add the missed call to fix it.
      Signed-off-by: default avatarChuhong Yuan <hslester96@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      462f8554
    • Taehee Yoo's avatar
      tipc: fix ordering of tipc module init and exit routine · 9cf1cd8e
      Taehee Yoo authored
      In order to set/get/dump, the tipc uses the generic netlink
      infrastructure. So, when tipc module is inserted, init function
      calls genl_register_family().
      After genl_register_family(), set/get/dump commands are immediately
      allowed and these callbacks internally use the net_generic.
      net_generic is allocated by register_pernet_device() but this
      is called after genl_register_family() in the __init function.
      So, these callbacks would use un-initialized net_generic.
      
      Test commands:
          #SHELL1
          while :
          do
              modprobe tipc
              modprobe -rv tipc
          done
      
          #SHELL2
          while :
          do
              tipc link list
          done
      
      Splat looks like:
      [   59.616322][ T2788] kasan: CONFIG_KASAN_INLINE enabled
      [   59.617234][ T2788] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [   59.618398][ T2788] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [   59.619389][ T2788] CPU: 3 PID: 2788 Comm: tipc Not tainted 5.4.0+ #194
      [   59.620231][ T2788] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   59.621428][ T2788] RIP: 0010:tipc_bcast_get_broadcast_mode+0x131/0x310 [tipc]
      [   59.622379][ T2788] Code: c7 c6 ef 8b 38 c0 65 ff 0d 84 83 c9 3f e8 d7 a5 f2 e3 48 8d bb 38 11 00 00 48 b8 00 00 00 00
      [   59.622550][ T2780] NET: Registered protocol family 30
      [   59.624627][ T2788] RSP: 0018:ffff88804b09f578 EFLAGS: 00010202
      [   59.624630][ T2788] RAX: dffffc0000000000 RBX: 0000000000000011 RCX: 000000008bc66907
      [   59.624631][ T2788] RDX: 0000000000000229 RSI: 000000004b3cf4cc RDI: 0000000000001149
      [   59.624633][ T2788] RBP: ffff88804b09f588 R08: 0000000000000003 R09: fffffbfff4fb3df1
      [   59.624635][ T2788] R10: fffffbfff50318f8 R11: ffff888066cadc18 R12: ffffffffa6cc2f40
      [   59.624637][ T2788] R13: 1ffff11009613eba R14: ffff8880662e9328 R15: ffff8880662e9328
      [   59.624639][ T2788] FS:  00007f57d8f7b740(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
      [   59.624645][ T2788] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   59.625875][ T2780] tipc: Started in single node mode
      [   59.626128][ T2788] CR2: 00007f57d887a8c0 CR3: 000000004b140002 CR4: 00000000000606e0
      [   59.633991][ T2788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   59.635195][ T2788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   59.636478][ T2788] Call Trace:
      [   59.637025][ T2788]  tipc_nl_add_bc_link+0x179/0x1470 [tipc]
      [   59.638219][ T2788]  ? lock_downgrade+0x6e0/0x6e0
      [   59.638923][ T2788]  ? __tipc_nl_add_link+0xf90/0xf90 [tipc]
      [   59.639533][ T2788]  ? tipc_nl_node_dump_link+0x318/0xa50 [tipc]
      [   59.640160][ T2788]  ? mutex_lock_io_nested+0x1380/0x1380
      [   59.640746][ T2788]  tipc_nl_node_dump_link+0x4fd/0xa50 [tipc]
      [   59.641356][ T2788]  ? tipc_nl_node_reset_link_stats+0x340/0x340 [tipc]
      [   59.642088][ T2788]  ? __skb_ext_del+0x270/0x270
      [   59.642594][ T2788]  genl_lock_dumpit+0x85/0xb0
      [   59.643050][ T2788]  netlink_dump+0x49c/0xed0
      [   59.643529][ T2788]  ? __netlink_sendskb+0xc0/0xc0
      [   59.644044][ T2788]  ? __netlink_dump_start+0x190/0x800
      [   59.644617][ T2788]  ? __mutex_unlock_slowpath+0xd0/0x670
      [   59.645177][ T2788]  __netlink_dump_start+0x5a0/0x800
      [   59.645692][ T2788]  genl_rcv_msg+0xa75/0xe90
      [   59.646144][ T2788]  ? __lock_acquire+0xdfe/0x3de0
      [   59.646692][ T2788]  ? genl_family_rcv_msg_attrs_parse+0x320/0x320
      [   59.647340][ T2788]  ? genl_lock_dumpit+0xb0/0xb0
      [   59.647821][ T2788]  ? genl_unlock+0x20/0x20
      [   59.648290][ T2788]  ? genl_parallel_done+0xe0/0xe0
      [   59.648787][ T2788]  ? find_held_lock+0x39/0x1d0
      [   59.649276][ T2788]  ? genl_rcv+0x15/0x40
      [   59.649722][ T2788]  ? lock_contended+0xcd0/0xcd0
      [   59.650296][ T2788]  netlink_rcv_skb+0x121/0x350
      [   59.650828][ T2788]  ? genl_family_rcv_msg_attrs_parse+0x320/0x320
      [   59.651491][ T2788]  ? netlink_ack+0x940/0x940
      [   59.651953][ T2788]  ? lock_acquire+0x164/0x3b0
      [   59.652449][ T2788]  genl_rcv+0x24/0x40
      [   59.652841][ T2788]  netlink_unicast+0x421/0x600
      [ ... ]
      
      Fixes: 7e436905 ("tipc: fix a slab object leak")
      Fixes: a62fbcce ("tipc: make subscriber server support net namespace")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9cf1cd8e
    • Vladyslav Tarasiuk's avatar
      mqprio: Fix out-of-bounds access in mqprio_dump · 9f104c77
      Vladyslav Tarasiuk authored
      When user runs a command like
      tc qdisc add dev eth1 root mqprio
      KASAN stack-out-of-bounds warning is emitted.
      Currently, NLA_ALIGN macro used in mqprio_dump provides too large
      buffer size as argument for nla_put and memcpy down the call stack.
      The flow looks like this:
      1. nla_put expects exact object size as an argument;
      2. Later it provides this size to memcpy;
      3. To calculate correct padding for SKB, nla_put applies NLA_ALIGN
         macro itself.
      
      Therefore, NLA_ALIGN should not be applied to the nla_put parameter.
      Otherwise it will lead to out-of-bounds memory access in memcpy.
      
      Fixes: 4e8b86c0 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
      Signed-off-by: default avatarVladyslav Tarasiuk <vladyslavt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9f104c77
    • Jongsung Kim's avatar
      net: stmmac: reset Tx desc base address before restarting Tx · f421031e
      Jongsung Kim authored
      Refer to the databook of DesignWare Cores Ethernet MAC Universal:
      
      6.2.1.5 Register 4 (Transmit Descriptor List Address Register
      
      If this register is not changed when the ST bit is set to 0, then
      the DMA takes the descriptor address where it was stopped earlier.
      
      The stmmac_tx_err() does zero indices to Tx descriptors, but does
      not reset HW current Tx descriptor address. To fix inconsistency,
      the base address of the Tx descriptors should be rewritten before
      restarting Tx.
      Signed-off-by: default avatarJongsung Kim <neidhard.kim@lge.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f421031e
    • Yangbo Lu's avatar
      enetc: disable EEE autoneg by default · a6a10d45
      Yangbo Lu authored
      The EEE support has not been enabled on ENETC, but it may connect
      to a PHY which supports EEE and advertises EEE by default, while
      its link partner also advertises EEE. If this happens, the PHY enters
      low power mode when the traffic rate is low and causes packet loss.
      This patch disables EEE advertisement by default for any PHY that
      ENETC connects to, to prevent the above unwanted outcome.
      Signed-off-by: default avatarYangbo Lu <yangbo.lu@nxp.com>
      Reviewed-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6a10d45
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · ae72555b
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2019-12-05
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 6 non-merge commits during the last 1 day(s) which contain
      a total of 14 files changed, 116 insertions(+), 37 deletions(-).
      
      The main changes are:
      
      1) three selftests fixes, from Stanislav.
      
      2) one samples fix, from Jesper.
      
      3) one verifier fix, from Yonghong.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae72555b
  3. 05 Dec, 2019 26 commits
    • Eric Biggers's avatar
      ppp: fix out-of-bounds access in bpf_prog_create() · 0033b34a
      Eric Biggers authored
      sock_fprog_kern::len is in units of struct sock_filter, not bytes.
      
      Fixes: 3e859adf ("compat_ioctl: unify copy-in of ppp filters")
      Reported-by: syzbot+eb853b51b10f1befa0b7@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0033b34a
    • David S. Miller's avatar
      Merge branch 'hns3-fixes' · a116f4e2
      David S. Miller authored
      Huazhong Tan says:
      
      ====================
      net: hns3: fixes for -net
      
      This patchset includes misc fixes for the HNS3 ethernet driver.
      
      [patch 1/3] fixes a TX queue not restarted problem.
      
      [patch 2/3] fixes a use-after-free issue.
      
      [patch 3/3] fixes a VF ID issue for setting VF VLAN.
      
      change log:
      V1->V2: keeps 'ring' as parameter in hns3_nic_maybe_stop_tx()
      	in [patch 1/3], suggestted by David.
      	rewrites [patch 2/3]'s commit log to make it be easier
      	to understand, suggestted by David.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a116f4e2
    • Jian Shen's avatar
      net: hns3: fix VF ID issue for setting VF VLAN · 1c985508
      Jian Shen authored
      Previously, when set VF VLAN with command "ip link set <pf name>
      vf <vf id> vlan <vlan id>", the VF ID 0 is handled as PF incorrectly,
      which should be the first VF. This patch fixes it.
      
      Fixes: 21e043cd ("net: hns3: fix set port based VLAN for PF")
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1c985508
    • Yunsheng Lin's avatar
      net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() · d1a37ded
      Yunsheng Lin authored
      Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
      SKB if the BD num required by the SKB does not meet the hardware
      limitation, and it linearizes the SKB by allocating a new linearized SKB
      and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
      because there are no enough space in the ring to send the linearized
      skb to hardware, the sch_direct_xmit() still hold reference to old SKB
      and try to retransmit the old SKB when dev_hard_start_xmit() return
      TX_BUSY, which may cause use after freed problem.
      
      This patch fixes it by using __skb_linearize() to linearize the
      SKB in hns3_nic_maybe_stop_tx().
      
      Fixes: 51e8439f ("net: hns3: add 8 BD limit for tx flow")
      Signed-off-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d1a37ded
    • Yunsheng Lin's avatar
      net: hns3: fix for TX queue not restarted problem · 2a597eff
      Yunsheng Lin authored
      There is timing window between ring_space checking and
      netif_stop_subqueue when transmiting a SKB, and the TX BD
      cleaning may be executed during the time window, which may
      caused TX queue not restarted problem.
      
      This patch fixes it by rechecking the ring_space after
      netif_stop_subqueue to make sure TX queue is restarted.
      
      Also, the ring->next_to_clean is updated even when pkts is
      zero, because all the TX BD cleaned may be non-SKB, so it
      needs to check if TX queue need to be restarted.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a597eff
    • Grygorii Strashko's avatar
      net: ethernet: ti: cpsw_switchdev: fix unmet direct dependencies detected for NET_SWITCHDEV · aacf6578
      Grygorii Strashko authored
      Replace "select NET_SWITCHDEV" vs "depends on NET_SWITCHDEV" to fix Kconfig
      warning with CONFIG_COMPILE_TEST=y
      
      WARNING: unmet direct dependencies detected for NET_SWITCHDEV
        Depends on [n]: NET [=y] && INET [=n]
        Selected by [y]:
        - TI_CPSW_SWITCHDEV [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_TI [=y] && (ARCH_DAVINCI || ARCH_OMAP2PLUS || COMPILE_TEST [=y])
      
      because TI_CPSW_SWITCHDEV blindly selects NET_SWITCHDEV even though
      INET is not set/enabled, while NET_SWITCHDEV depends on INET.
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Fixes: ed3525ed ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aacf6578
    • David S. Miller's avatar
      Merge branch 's390-fixes' · b8744052
      David S. Miller authored
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2019-12-05
      
      please apply the following fixes to your net tree.
      
      The first two patches target the RX data path, the third fixes a memory
      leak when shutting down a qeth device.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8744052
    • Julian Wiedmann's avatar
      s390/qeth: fix dangling IO buffers after halt/clear · f9e50b02
      Julian Wiedmann authored
      The cio layer's intparm logic does not align itself well with how qeth
      manages cmd IOs. When an active IO gets terminated via halt/clear, the
      corresponding IRQ's intparm does not reflect the cmd buffer but rather
      the intparm that was passed to ccw_device_halt() / ccw_device_clear().
      This behaviour was recently clarified in
      commit b91d9e67 ("s390/cio: fix intparm documentation").
      
      As a result, qeth_irq() currently doesn't cancel a cmd that was
      terminated via halt/clear. This primarily causes us to leak
      card->read_cmd after the qeth device is removed, since our IO path still
      holds a refcount for this cmd.
      
      For qeth this means that we need to keep track of which IO is pending on
      a device ('active_cmd'), and use this as the intparm when calling
      halt/clear. Otherwise qeth_irq() can't match the subsequent IRQ to its
      cmd buffer.
      Since we now keep track of the _expected_ intparm, we can also detect
      any mismatch; this would constitute a bug somewhere in the lower layers.
      In this case cancel the active cmd - we effectively "lost" the IRQ and
      should not expect any further notification for this IO.
      
      Fixes: 40554895 ("s390/qeth: add support for dynamically allocated cmds")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9e50b02
    • Julian Wiedmann's avatar
      s390/qeth: ensure linear access to packet headers · f677fcb9
      Julian Wiedmann authored
      When the RX path builds non-linear skbs, the packet headers can
      currently spill over into page fragments. Depending on the packet type
      and what fields we need to access in the headers, this could cause us
      to go past the end of skb->data.
      
      So for non-linear packets, copy precisely the length of the necessary
      headers ('linear_len') into skb->data.
      And don't copy more, upper-level protocols will peel whatever additional
      packet headers they need.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f677fcb9
    • Julian Wiedmann's avatar
      s390/qeth: guard against runt packets · 5b55633f
      Julian Wiedmann authored
      Depending on a packet's type, the RX path needs to access fields in the
      packet headers and thus requires a minimum packet length.
      Enforce this length when building the skb.
      
      On the other hand a single runt packet is no reason to drop the whole
      RX buffer. So just skip it, and continue processing on the next packet.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b55633f
    • Mian Yousaf Kaukab's avatar
      net: thunderx: start phy before starting autonegotiation · a350d2e7
      Mian Yousaf Kaukab authored
      Since commit 2b3e88ea ("net: phy: improve phy state checking")
      phy_start_aneg() expects phy state to be >= PHY_UP. Call phy_start()
      before calling phy_start_aneg() during probe so that autonegotiation
      is initiated.
      
      As phy_start() takes care of calling phy_start_aneg(), drop the explicit
      call to phy_start_aneg().
      
      Network fails without this patch on Octeon TX.
      
      Fixes: 2b3e88ea ("net: phy: improve phy state checking")
      Signed-off-by: default avatarMian Yousaf Kaukab <ykaukab@suse.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a350d2e7
    • Taehee Yoo's avatar
      hsr: fix a NULL pointer dereference in hsr_dev_xmit() · df95467b
      Taehee Yoo authored
      hsr_dev_xmit() calls hsr_port_get_hsr() to find master node and that would
      return NULL if master node is not existing in the list.
      But hsr_dev_xmit() doesn't check return pointer so a NULL dereference
      could occur.
      
      Test commands:
          ip netns add nst
          ip link add veth0 type veth peer name veth1
          ip link add veth2 type veth peer name veth3
          ip link set veth1 netns nst
          ip link set veth3 netns nst
          ip link set veth0 up
          ip link set veth2 up
          ip link add hsr0 type hsr slave1 veth0 slave2 veth2
          ip a a 192.168.100.1/24 dev hsr0
          ip link set hsr0 up
          ip netns exec nst ip link set veth1 up
          ip netns exec nst ip link set veth3 up
          ip netns exec nst ip link add hsr1 type hsr slave1 veth1 slave2 veth3
          ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
          ip netns exec nst ip link set hsr1 up
          hping3 192.168.100.2 -2 --flood &
          modprobe -rv hsr
      
      Splat looks like:
      [  217.351122][ T1635] kasan: CONFIG_KASAN_INLINE enabled
      [  217.352969][ T1635] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  217.354297][ T1635] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  217.355507][ T1635] CPU: 1 PID: 1635 Comm: hping3 Not tainted 5.4.0+ #192
      [  217.356472][ T1635] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [  217.357804][ T1635] RIP: 0010:hsr_dev_xmit+0x34/0x90 [hsr]
      [  217.373010][ T1635] Code: 48 8d be 00 0c 00 00 be 04 00 00 00 48 83 ec 08 e8 21 be ff ff 48 8d 78 10 48 ba 00 b
      [  217.376919][ T1635] RSP: 0018:ffff8880cd8af058 EFLAGS: 00010202
      [  217.377571][ T1635] RAX: 0000000000000000 RBX: ffff8880acde6840 RCX: 0000000000000002
      [  217.379465][ T1635] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000010
      [  217.380274][ T1635] RBP: ffff8880acde6840 R08: ffffed101b440d5d R09: 0000000000000001
      [  217.381078][ T1635] R10: 0000000000000001 R11: ffffed101b440d5c R12: ffff8880bffcc000
      [  217.382023][ T1635] R13: ffff8880bffcc088 R14: 0000000000000000 R15: ffff8880ca675c00
      [  217.383094][ T1635] FS:  00007f060d9d1740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [  217.384289][ T1635] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  217.385009][ T1635] CR2: 00007faf15381dd0 CR3: 00000000d523c001 CR4: 00000000000606e0
      [  217.385940][ T1635] Call Trace:
      [  217.386544][ T1635]  dev_hard_start_xmit+0x160/0x740
      [  217.387114][ T1635]  __dev_queue_xmit+0x1961/0x2e10
      [  217.388118][ T1635]  ? check_object+0xaf/0x260
      [  217.391466][ T1635]  ? __alloc_skb+0xb9/0x500
      [  217.392017][ T1635]  ? init_object+0x6b/0x80
      [  217.392629][ T1635]  ? netdev_core_pick_tx+0x2e0/0x2e0
      [  217.393175][ T1635]  ? __alloc_skb+0xb9/0x500
      [  217.393727][ T1635]  ? rcu_read_lock_sched_held+0x90/0xc0
      [  217.394331][ T1635]  ? rcu_read_lock_bh_held+0xa0/0xa0
      [  217.395013][ T1635]  ? kasan_unpoison_shadow+0x30/0x40
      [  217.395668][ T1635]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [  217.396280][ T1635]  ? __kmalloc_node_track_caller+0x3a8/0x3f0
      [  217.399007][ T1635]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [  217.400093][ T1635]  ? __kmalloc_reserve.isra.46+0x2e/0xb0
      [  217.401118][ T1635]  ? memset+0x1f/0x40
      [  217.402529][ T1635]  ? __alloc_skb+0x317/0x500
      [  217.404915][ T1635]  ? arp_xmit+0xca/0x2c0
      [ ... ]
      
      Fixes: 311633b6 ("hsr: switch ->dellink() to ->ndo_uninit()")
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df95467b
    • Yonghong Song's avatar
      selftests/bpf: Add a fexit/bpf2bpf test with target bpf prog no callees · 8f9081c9
      Yonghong Song authored
      The existing fexit_bpf2bpf test covers the target progrm with callees.
      This patch added a test for the target program without callees.
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20191205010607.177904-1-yhs@fb.com
      8f9081c9
    • Yonghong Song's avatar
      bpf: Fix a bug when getting subprog 0 jited image in check_attach_btf_id · e9eeec58
      Yonghong Song authored
      For jited bpf program, if the subprogram count is 1, i.e.,
      there is no callees in the program, prog->aux->func will be NULL
      and prog->bpf_func points to image address of the program.
      
      If there is more than one subprogram, prog->aux->func is populated,
      and subprogram 0 can be accessed through either prog->bpf_func or
      prog->aux->func[0]. Other subprograms should be accessed through
      prog->aux->func[subprog_id].
      
      This patch fixed a bug in check_attach_btf_id(), where
      prog->aux->func[subprog_id] is used to access any subprogram which
      caused a segfault like below:
        [79162.619208] BUG: kernel NULL pointer dereference, address:
        0000000000000000
        ......
        [79162.634255] Call Trace:
        [79162.634974]  ? _cond_resched+0x15/0x30
        [79162.635686]  ? kmem_cache_alloc_trace+0x162/0x220
        [79162.636398]  ? selinux_bpf_prog_alloc+0x1f/0x60
        [79162.637111]  bpf_prog_load+0x3de/0x690
        [79162.637809]  __do_sys_bpf+0x105/0x1740
        [79162.638488]  do_syscall_64+0x5b/0x180
        [79162.639147]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
        ......
      
      Fixes: 5b92a28a ("bpf: Support attaching tracing BPF program to other BPF programs")
      Reported-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20191205010606.177774-1-yhs@fb.com
      e9eeec58
    • Stanislav Fomichev's avatar
      selftests/bpf: De-flake test_tcpbpf · ef8c84ef
      Stanislav Fomichev authored
      It looks like BPF program that handles BPF_SOCK_OPS_STATE_CB state
      can race with the bpf_map_lookup_elem("global_map"); I sometimes
      see the failures in this test and re-running helps.
      
      Since we know that we expect the callback to be called 3 times (one
      time for listener socket, two times for both ends of the connection),
      let's export this number and add simple retry logic around that.
      
      Also, let's make EXPECT_EQ() not return on failure, but continue
      evaluating all conditions; that should make potential debugging
      easier.
      
      With this fix in place I don't observe the flakiness anymore.
      Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Lawrence Brakmo <brakmo@fb.com>
      Link: https://lore.kernel.org/bpf/20191204190955.170934-1-sdf@google.com
      ef8c84ef
    • Stanislav Fomichev's avatar
      selftests/bpf: Bring back c++ include/link test · 6bf6affe
      Stanislav Fomichev authored
      Commit 5c26f9a7 ("libbpf: Don't use cxx to test_libpf target")
      converted existing c++ test to c. We still want to include and
      link against libbpf from c++ code, so reinstate this test back,
      this time in a form of a selftest with a clear comment about
      its purpose.
      
      v2:
      * -lelf -> $(LDLIBS) (Andrii Nakryiko)
      
      Fixes: 5c26f9a7 ("libbpf: Don't use cxx to test_libpf target")
      Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/20191202215931.248178-1-sdf@google.com
      6bf6affe
    • Stanislav Fomichev's avatar
      selftests/bpf: Don't hard-code root cgroup id · 01d434ce
      Stanislav Fomichev authored
      Commit 40430452 ("kernfs: use 64bit inos if ino_t is 64bit") changed
      the way cgroup ids are exposed to the userspace. Instead of assuming
      fixed root id, let's query it.
      
      Fixes: 40430452 ("kernfs: use 64bit inos if ino_t is 64bit")
      Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20191202200143.250793-1-sdf@google.com
      01d434ce
    • Jesper Dangaard Brouer's avatar
      samples/bpf: Fix broken xdp_rxq_info due to map order assumptions · edbca120
      Jesper Dangaard Brouer authored
      In the days of using bpf_load.c the order in which the 'maps' sections
      were defines in BPF side (*_kern.c) file, were used by userspace side
      to identify the map via using the map order as an index. In effect the
      order-index is created based on the order the maps sections are stored
      in the ELF-object file, by the LLVM compiler.
      
      This have also carried over in libbpf via API bpf_map__next(NULL, obj)
      to extract maps in the order libbpf parsed the ELF-object file.
      
      When BTF based maps were introduced a new section type ".maps" were
      created. I found that the LLVM compiler doesn't create the ".maps"
      sections in the order they are defined in the C-file. The order in the
      ELF file is based on the order the map pointer is referenced in the code.
      
      This combination of changes lead to xdp_rxq_info mixing up the map
      file-descriptors in userspace, resulting in very broken behaviour, but
      without warning the user.
      
      This patch fix issue by instead using bpf_object__find_map_by_name()
      to find maps via their names. (Note, this is the ELF name, which can
      be longer than the name the kernel retains).
      
      Fixes: be5bca44 ("samples: bpf: convert some XDP samples from bpf_load to libbpf")
      Fixes: 451d1dc8 ("samples: bpf: update map definition to new syntax BTF-defined map")
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Link: https://lore.kernel.org/bpf/157529025128.29832.5953245340679936909.stgit@firesoul
      edbca120
    • Martin Varghese's avatar
      net: Fixed updating of ethertype in skb_mpls_push() · d04ac224
      Martin Varghese authored
      The skb_mpls_push was not updating ethertype of an ethernet packet if
      the packet was originally received from a non ARPHRD_ETHER device.
      
      In the below OVS data path flow, since the device corresponding to
      port 7 is an l3 device (ARPHRD_NONE) the skb_mpls_push function does
      not update the ethertype of the packet even though the previous
      push_eth action had added an ethernet header to the packet.
      
      recirc_id(0),in_port(7),eth_type(0x0800),ipv4(tos=0/0xfc,ttl=64,frag=no),
      actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),
      push_mpls(label=13,tc=0,ttl=64,bos=1,eth_type=0x8847),4
      
      Fixes: 8822e270 ("net: core: move push MPLS functionality from OvS to core helper")
      Signed-off-by: default avatarMartin Varghese <martin.varghese@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d04ac224
    • Alexandru Ardelean's avatar
      NFC: NCI: use new `delay` structure for SPI transfer delays · 099ffd7e
      Alexandru Ardelean authored
      In a recent change to the SPI subsystem [1], a new `delay` struct was added
      to replace the `delay_usecs`. This change replaces the current `delay_secs`
      with `delay` for this driver.
      
      The `spi_transfer_delay_exec()` function [in the SPI framework] makes sure
      that both `delay_usecs` & `delay` are used (in this order to preserve
      backwards compatibility).
      
      [1] commit bebcfd27 ("spi: introduce `delay` field for
      `spi_transfer` + spi_transfer_delay_exec()")
      Signed-off-by: default avatarAlexandru Ardelean <alexandru.ardelean@analog.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      099ffd7e
    • Russell King's avatar
      net: sfp: fix hwmon · 38ecd706
      Russell King authored
      The referenced commit below allowed more than one hwmon device to be
      created per SFP, which is definitely not what we want. Avoid this by
      only creating the hwmon device just as we transition to WAITDEV state.
      
      Fixes: 139d3a21 ("net: sfp: allow modules with slow diagnostics to probe")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      38ecd706
    • Russell King's avatar
      net: sfp: fix unbind · 0cb96b57
      Russell King authored
      When unbinding, we don't correctly tear down the module state, leaving
      (for example) the hwmon registration behind. Ensure everything is
      properly removed by sending a remove event at unbind.
      
      Fixes: 6b0da5c9 ("net: sfp: track upstream's attachment state in state machine")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0cb96b57
    • Shannon Nelson's avatar
      ionic: keep users rss hash across lif reset · ffac2027
      Shannon Nelson authored
      If the user has specified their own RSS hash key, don't
      lose it across queue resets such as DOWN/UP, MTU change,
      and number of channels change.  This is fixed by moving
      the key initialization to a little earlier in the lif
      creation.
      
      Also, let's clean up the RSS config a little better on
      the way down by setting it all to 0.
      
      Fixes: aa319881 ("ionic: Add RSS support")
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ffac2027
    • Jonathan Lemon's avatar
      xdp: obtain the mem_id mutex before trying to remove an entry. · 86c76c09
      Jonathan Lemon authored
      A lockdep splat was observed when trying to remove an xdp memory
      model from the table since the mutex was obtained when trying to
      remove the entry, but not before the table walk started:
      
      Fix the splat by obtaining the lock before starting the table walk.
      
      Fixes: c3f812ce ("page_pool: do not release pool until inflight == 0.")
      Reported-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarJonathan Lemon <jonathan.lemon@gmail.com>
      Tested-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Acked-by: default avatarIlias Apalodimas <ilias.apalodimas@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86c76c09
    • Aaron Conole's avatar
      act_ct: support asymmetric conntrack · 95219afb
      Aaron Conole authored
      The act_ct TC module shares a common conntrack and NAT infrastructure
      exposed via netfilter.  It's possible that a packet needs both SNAT and
      DNAT manipulation, due to e.g. tuple collision.  Netfilter can support
      this because it runs through the NAT table twice - once on ingress and
      again after egress.  The act_ct action doesn't have such capability.
      
      Like netfilter hook infrastructure, we should run through NAT twice to
      keep the symmetry.
      
      Fixes: b57dc7c1 ("net/sched: Introduce action ct")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95219afb
    • Aaron Conole's avatar
      openvswitch: support asymmetric conntrack · 5d50aa83
      Aaron Conole authored
      The openvswitch module shares a common conntrack and NAT infrastructure
      exposed via netfilter.  It's possible that a packet needs both SNAT and
      DNAT manipulation, due to e.g. tuple collision.  Netfilter can support
      this because it runs through the NAT table twice - once on ingress and
      again after egress.  The openvswitch module doesn't have such capability.
      
      Like netfilter hook infrastructure, we should run through NAT twice to
      keep the symmetry.
      
      Fixes: 05752523 ("openvswitch: Interface with NAT.")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5d50aa83
  4. 04 Dec, 2019 3 commits
  5. 03 Dec, 2019 3 commits
    • Yoshiki Komachi's avatar
      cls_flower: Fix the behavior using port ranges with hw-offload · 8ffb055b
      Yoshiki Komachi authored
      The recent commit 5c72299f ("net: sched: cls_flower: Classify
      packets using port ranges") had added filtering based on port ranges
      to tc flower. However the commit missed necessary changes in hw-offload
      code, so the feature gave rise to generating incorrect offloaded flow
      keys in NIC.
      
      One more detailed example is below:
      
      $ tc qdisc add dev eth0 ingress
      $ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
        dst_port 100-200 action drop
      
      With the setup above, an exact match filter with dst_port == 0 will be
      installed in NIC by hw-offload. IOW, the NIC will have a rule which is
      equivalent to the following one.
      
      $ tc qdisc add dev eth0 ingress
      $ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
        dst_port 0 action drop
      
      The behavior was caused by the flow dissector which extracts packet
      data into the flow key in the tc flower. More specifically, regardless
      of exact match or specified port ranges, fl_init_dissector() set the
      FLOW_DISSECTOR_KEY_PORTS flag in struct flow_dissector to extract port
      numbers from skb in skb_flow_dissect() called by fl_classify(). Note
      that device drivers received the same struct flow_dissector object as
      used in skb_flow_dissect(). Thus, offloaded drivers could not identify
      which of these is used because the FLOW_DISSECTOR_KEY_PORTS flag was
      set to struct flow_dissector in either case.
      
      This patch adds the new FLOW_DISSECTOR_KEY_PORTS_RANGE flag and the new
      tp_range field in struct fl_flow_key to recognize which filters are applied
      to offloaded drivers. At this point, when filters based on port ranges
      passed to drivers, drivers return the EOPNOTSUPP error because they do
      not support the feature (the newly created FLOW_DISSECTOR_KEY_PORTS_RANGE
      flag).
      
      Fixes: 5c72299f ("net: sched: cls_flower: Classify packets using port ranges")
      Signed-off-by: default avatarYoshiki Komachi <komachi.yoshiki@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ffb055b
    • Dust Li's avatar
      net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues · 2f23cd42
      Dust Li authored
      sch->q.len hasn't been set if the subqueue is a NOLOCK qdisc
       in mq_dump() and mqprio_dump().
      
      Fixes: ce679e8d ("net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio")
      Signed-off-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: default avatarTony Lu <tonylu@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f23cd42
    • Eric Dumazet's avatar
      tcp: refactor tcp_retransmit_timer() · 0d580fbd
      Eric Dumazet authored
      It appears linux-4.14 stable needs a backport of commit
      88f8598d ("tcp: exit if nothing to retransmit on RTO timeout")
      
      Since tcp_rtx_queue_empty() is not in pre 4.15 kernels,
      let's refactor tcp_retransmit_timer() to only use tcp_rtx_queue_head()
      
      I will provide to stable teams the squashed patches.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d580fbd