1. 18 Aug, 2019 7 commits
  2. 17 Aug, 2019 2 commits
  3. 16 Aug, 2019 4 commits
  4. 15 Aug, 2019 11 commits
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20190814' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 480fd998
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fix local endpoint handling
      
      Here's a pair of patches that fix two issues in the handling of local
      endpoints (rxrpc_local structs):
      
       (1) Use list_replace_init() rather than list_replace() if we're going to
           unconditionally delete the replaced item later, lest the list get
           corrupted.
      
       (2) Don't access the rxrpc_local object after passing our ref to the
           workqueue, not even to illuminate tracepoints, as the work function
           may cause the object to be freed.  We have to cache the information
           beforehand.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      480fd998
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 12ed6015
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      This patchset contains Netfilter fixes for net:
      
      1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
      
      2) Fix interaction of ipsec with flowtable, also from Florian.
      
      3) User-after-free with bound set to rule that fails to load.
      
      4) Adjust state and timeout for flows that expire.
      
      5) Timeout update race with flows in teardown state.
      
      6) Ensure conntrack id hash calculation use invariants as input,
         from Dirk Morris.
      
      7) Do not push flows into flowtable for TCP fin/rst packets.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      12ed6015
    • Eric Dumazet's avatar
      net/packet: fix race in tpacket_snd() · 32d3182c
      Eric Dumazet authored
      packet_sendmsg() checks tx_ring.pg_vec to decide
      if it must call tpacket_snd().
      
      Problem is that the check is lockless, meaning another thread
      can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
      tx_ring.pg_vec back to NULL.
      
      Given that tpacket_snd() grabs pg_vec_lock mutex, we can
      perform the check again to solve the race.
      
      syzbot reported :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
      Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
      RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
      RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
      R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
      R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
      FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       packet_current_frame net/packet/af_packet.c:487 [inline]
       tpacket_snd net/packet/af_packet.c:2667 [inline]
       packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 69e3c75f ("net: TX_RING and packet mmap")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32d3182c
    • Wenwen Wang's avatar
      net: myri10ge: fix memory leaks · 20fb7c7a
      Wenwen Wang authored
      In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
      related structures. Later on, myri10ge_request_irq() is used to get an irq.
      However, if this process fails, the allocated slices related structures are
      not deallocated, leading to memory leaks. To fix this issue, revise the
      target label of the goto statement to 'abort_with_slices'.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20fb7c7a
    • John Fastabend's avatar
      net: tls, fix sk_write_space NULL write when tx disabled · d85f0177
      John Fastabend authored
      The ctx->sk_write_space pointer is only set when TLS tx mode is enabled.
      When running without TX mode its a null pointer but we still set the
      sk sk_write_space pointer on close().
      
      Fix the close path to only overwrite sk->sk_write_space when the current
      pointer is to the tls_write_space function indicating the tls module should
      clean it up properly as well.
      Reported-by: default avatarHillf Danton <hdanton@sina.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Fixes: 57c722e9 ("net/tls: swap sk_write_space on close")
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85f0177
    • Wenwen Wang's avatar
      liquidio: add cleanup in octeon_setup_iq() · 6f967f8b
      Wenwen Wang authored
      If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
      to memory/resource leaks. To fix this issue, invoke
      octeon_delete_instr_queue() before returning from the function.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f967f8b
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 0b24a441
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-08-15
      
      This series introduces two fixes to mlx5 driver.
      
      1) Eran fixes a compatibility issue with ethtool flash.
      2) Maxim fixes a race in XSK wakeup flow.
      
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b24a441
    • Eran Ben Elisha's avatar
      net/mlx5e: Fix compatibility issue with ethtool flash device · f43d48d1
      Eran Ben Elisha authored
      Cited patch deleted ethtool flash device support, as ethtool core can
      fallback into devlink flash callback. However, this is supported only if
      there is a devlink port registered over the corresponding netdevice.
      
      As mlx5e do not have devlink port support over native netdevice, it broke
      the ability to flash device via ethtool.
      
      This patch re-add the ethtool callback to avoid user functionality breakage
      when trying to flash device via ethtool.
      
      Fixes: 9c8bca26 ("mlx5: Move firmware flash implementation to devlink")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      f43d48d1
    • Maxim Mikityanskiy's avatar
      net/mlx5e: Fix a race with XSKICOSQ in XSK wakeup flow · e0d57d9c
      Maxim Mikityanskiy authored
      Add a missing spinlock around XSKICOSQ usage at the activation stage,
      because there is a race between a configuration change and the
      application calling sendto().
      
      Fixes: db05815b ("net/mlx5e: Add XSK zero-copy support")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e0d57d9c
    • Anders Roxell's avatar
      selftests: net: tcp_fastopen_backup_key.sh: fix shellcheck issue · 2aafdf5a
      Anders Roxell authored
      When running tcp_fastopen_backup_key.sh the following issue was seen in
      a busybox environment.
      ./tcp_fastopen_backup_key.sh: line 33: [: -ne: unary operator expected
      
      Shellcheck showed the following issue.
      $ shellcheck tools/testing/selftests/net/tcp_fastopen_backup_key.sh
      
      In tools/testing/selftests/net/tcp_fastopen_backup_key.sh line 33:
              if [ $val -ne 0 ]; then
                   ^-- SC2086: Double quote to prevent globbing and word splitting.
      
      Rework to do a string comparison instead.
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2aafdf5a
    • Wenwen Wang's avatar
      cxgb4: fix a memory leak bug · c554336e
      Wenwen Wang authored
      In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
      leading to a memory leak bug. To fix this issue, free t before returning
      the error.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c554336e
  5. 14 Aug, 2019 11 commits
  6. 13 Aug, 2019 1 commit
    • Dirk Morris's avatar
      netfilter: conntrack: Use consistent ct id hash calculation · 656c8e9c
      Dirk Morris authored
      Change ct id hash calculation to only use invariants.
      
      Currently the ct id hash calculation is based on some fields that can
      change in the lifetime on a conntrack entry in some corner cases. The
      current hash uses the whole tuple which contains an hlist pointer which
      will change when the conntrack is placed on the dying list resulting in
      a ct id change.
      
      This patch also removes the reply-side tuple and extension pointer from
      the hash calculation so that the ct id will will not change from
      initialization until confirmation.
      
      Fixes: 3c791076 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
      Signed-off-by: default avatarDirk Morris <dmorris@metaloft.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      656c8e9c
  7. 12 Aug, 2019 4 commits
    • André Draszik's avatar
      net: phy: at803x: stop switching phy delay config needlessly · bb0ce4c1
      André Draszik authored
      This driver does a funny dance disabling and re-enabling
      RX and/or TX delays. In any of the RGMII-ID modes, it first
      disables the delays, just to re-enable them again right
      away. This looks like a needless exercise.
      
      Just enable the respective delays when in any of the
      relevant 'id' modes, and disable them otherwise.
      
      Also, remove comments which don't add anything that can't be
      seen by looking at the code.
      Signed-off-by: default avatarAndré Draszik <git@andred.net>
      CC: Andrew Lunn <andrew@lunn.ch>
      CC: Florian Fainelli <f.fainelli@gmail.com>
      CC: Heiner Kallweit <hkallweit1@gmail.com>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb0ce4c1
    • Balakrishna Godavarthi's avatar
      Bluetooth: btqca: Reset download type to default · 12072a68
      Balakrishna Godavarthi authored
      This patch will reset the download flag to default value
      before retrieving the download mode type.
      
      Fixes: 32646db8 ("Bluetooth: btqca: inject command complete event during fw download")
      Signed-off-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Tested-by: default avatarClaire Chang <tientzu@chromium.org>
      Reviewed-by: default avatarClaire Chang <tientzu@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      12072a68
    • Claire Chang's avatar
      Bluetooth: btqca: release_firmware after qca_inject_cmd_complete_event · c7c5ae29
      Claire Chang authored
      commit 32646db8 ("Bluetooth: btqca: inject command complete event
      during fw download") added qca_inject_cmd_complete_event() for certain
      qualcomm chips. However, qca_download_firmware() will return without
      calling release_firmware() in this case.
      
      This leads to a memory leak like the following found by kmemleak:
      
      unreferenced object 0xfffffff3868a5880 (size 128):
        comm "kworker/u17:5", pid 347, jiffies 4294676481 (age 312.157s)
        hex dump (first 32 bytes):
          ac fd 00 00 00 00 00 00 00 d0 7e 17 80 ff ff ff  ..........~.....
          00 00 00 00 00 00 00 00 00 59 8a 86 f3 ff ff ff  .........Y......
        backtrace:
          [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298
          [<000000006ea0398c>] _request_firmware+0x74/0x4e4
          [<000000004da31ca0>] request_firmware+0x44/0x64
          [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca]
          [<00000000b24d615a>] qca_uart_setup+0xc0/0x2b0 [btqca]
          [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart]
          [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart]
          [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth]
          [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth]
          [<00000000d4151583>] process_one_work+0x210/0x420
          [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4
          [<000000007ccaf055>] kthread+0x124/0x134
          [<00000000bef1f723>] ret_from_fork+0x10/0x18
          [<00000000c36ee3dd>] 0xffffffffffffffff
      unreferenced object 0xfffffff37b16de00 (size 128):
        comm "kworker/u17:5", pid 347, jiffies 4294676873 (age 311.766s)
        hex dump (first 32 bytes):
          da 07 00 00 00 00 00 00 00 50 ff 0b 80 ff ff ff  .........P......
          00 00 00 00 00 00 00 00 00 dd 16 7b f3 ff ff ff  ...........{....
        backtrace:
          [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298
          [<000000006ea0398c>] _request_firmware+0x74/0x4e4
          [<000000004da31ca0>] request_firmware+0x44/0x64
          [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca]
          [<000000000cde20a9>] qca_uart_setup+0x144/0x2b0 [btqca]
          [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart]
          [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart]
          [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth]
          [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth]
          [<00000000d4151583>] process_one_work+0x210/0x420
          [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4
          [<000000007ccaf055>] kthread+0x124/0x134
          [<00000000bef1f723>] ret_from_fork+0x10/0x18
          [<00000000c36ee3dd>] 0xffffffffffffffff
      
      Make sure release_firmware() is called aftre
      qca_inject_cmd_complete_event() to avoid the memory leak.
      
      Fixes: 32646db8 ("Bluetooth: btqca: inject command complete event during fw download")
      Signed-off-by: default avatarClaire Chang <tientzu@chromium.org>
      Reviewed-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      c7c5ae29
    • Fabian Henneke's avatar
      Bluetooth: hidp: Let hidp_send_message return number of queued bytes · 48d9cc9d
      Fabian Henneke authored
      Let hidp_send_message return the number of successfully queued bytes
      instead of an unconditional 0.
      
      With the return value fixed to 0, other drivers relying on hidp, such as
      hidraw, can not return meaningful values from their respective
      implementations of write(). In particular, with the current behavior, a
      hidraw device's write() will have different return values depending on
      whether the device is connected via USB or Bluetooth, which makes it
      harder to abstract away the transport layer.
      Signed-off-by: default avatarFabian Henneke <fabian.henneke@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      48d9cc9d