1. 01 May, 2018 1 commit
    • Eric Dumazet's avatar
      ipv6: fix uninit-value in ip6_multipath_l3_keys() · cea67a2d
      Eric Dumazet authored
      syzbot/KMSAN reported an uninit-value in ip6_multipath_l3_keys(),
      root caused to a bad assumption of ICMP header being already
      pulled in skb->head
      
      ip_multipath_l3_keys() does the correct thing, so it is an IPv6 only bug.
      
      BUG: KMSAN: uninit-value in ip6_multipath_l3_keys net/ipv6/route.c:1830 [inline]
      BUG: KMSAN: uninit-value in rt6_multipath_hash+0x5c4/0x640 net/ipv6/route.c:1858
      CPU: 0 PID: 4507 Comm: syz-executor661 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       ip6_multipath_l3_keys net/ipv6/route.c:1830 [inline]
       rt6_multipath_hash+0x5c4/0x640 net/ipv6/route.c:1858
       ip6_route_input+0x65a/0x920 net/ipv6/route.c:1884
       ip6_rcv_finish+0x413/0x6e0 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ipv6_rcv+0x1e16/0x2340 net/ipv6/ip6_input.c:208
       __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
       netif_receive_skb+0x230/0x240 net/core/dev.c:4725
       tun_rx_batched drivers/net/tun.c:1555 [inline]
       tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
       tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
       vfs_write+0x463/0x8d0 fs/read_write.c:544
       SYSC_write+0x172/0x360 fs/read_write.c:589
       SyS_write+0x55/0x80 fs/read_write.c:581
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: 23aebdac ("ipv6: Compute multipath hash for ICMP errors from offending packet")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jakub Sitnicki <jkbs@redhat.com>
      Acked-by: default avatarJakub Sitnicki <jkbs@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cea67a2d
  2. 30 Apr, 2018 5 commits
  3. 28 Apr, 2018 3 commits
  4. 27 Apr, 2018 16 commits
    • Lance Richardson's avatar
      net: support compat 64-bit time in {s,g}etsockopt · 988bf724
      Lance Richardson authored
      For the x32 ABI, struct timeval has two 64-bit fields. However
      the kernel currently interprets the user-space values used for
      the SO_RCVTIMEO and SO_SNDTIMEO socket options as having a pair
      of 32-bit fields.
      
      When the seconds portion of the requested timeout is less than 2**32,
      the seconds portion of the effective timeout is correct but the
      microseconds portion is zero.  When the seconds portion of the
      requested timeout is zero and the microseconds portion is non-zero,
      the kernel interprets the timeout as zero (never timeout).
      
      Fix by using 64-bit time for SO_RCVTIMEO/SO_SNDTIMEO as required
      for the ABI.
      
      The code included below demonstrates the problem.
      
      Results before patch:
          $ gcc -m64 -Wall -O2 -o socktmo socktmo.c && ./socktmo
          recv time: 2.008181 seconds
          send time: 2.015985 seconds
      
          $ gcc -m32 -Wall -O2 -o socktmo socktmo.c && ./socktmo
          recv time: 2.016763 seconds
          send time: 2.016062 seconds
      
          $ gcc -mx32 -Wall -O2 -o socktmo socktmo.c && ./socktmo
          recv time: 1.007239 seconds
          send time: 1.023890 seconds
      
      Results after patch:
          $ gcc -m64 -O2 -Wall -o socktmo socktmo.c && ./socktmo
          recv time: 2.010062 seconds
          send time: 2.015836 seconds
      
          $ gcc -m32 -O2 -Wall -o socktmo socktmo.c && ./socktmo
          recv time: 2.013974 seconds
          send time: 2.015981 seconds
      
          $ gcc -mx32 -O2 -Wall -o socktmo socktmo.c && ./socktmo
          recv time: 2.030257 seconds
          send time: 2.013383 seconds
      
       #include <stdio.h>
       #include <stdlib.h>
       #include <sys/socket.h>
       #include <sys/types.h>
       #include <sys/time.h>
      
       void checkrc(char *str, int rc)
       {
               if (rc >= 0)
                       return;
      
               perror(str);
               exit(1);
       }
      
       static char buf[1024];
       int main(int argc, char **argv)
       {
               int rc;
               int socks[2];
               struct timeval tv;
               struct timeval start, end, delta;
      
               rc = socketpair(AF_UNIX, SOCK_STREAM, 0, socks);
               checkrc("socketpair", rc);
      
               /* set timeout to 1.999999 seconds */
               tv.tv_sec = 1;
               tv.tv_usec = 999999;
               rc = setsockopt(socks[0], SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
               rc = setsockopt(socks[0], SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
               checkrc("setsockopt", rc);
      
               /* measure actual receive timeout */
               gettimeofday(&start, NULL);
               rc = recv(socks[0], buf, sizeof buf, 0);
               gettimeofday(&end, NULL);
               timersub(&end, &start, &delta);
      
               printf("recv time: %ld.%06ld seconds\n",
                      (long)delta.tv_sec, (long)delta.tv_usec);
      
               /* fill send buffer */
               do {
                       rc = send(socks[0], buf, sizeof buf, 0);
               } while (rc > 0);
      
               /* measure actual send timeout */
               gettimeofday(&start, NULL);
               rc = send(socks[0], buf, sizeof buf, 0);
               gettimeofday(&end, NULL);
               timersub(&end, &start, &delta);
      
               printf("send time: %ld.%06ld seconds\n",
                      (long)delta.tv_sec, (long)delta.tv_usec);
               exit(0);
       }
      
      Fixes: 515c7af8 ("x32: Use compat shims for {g,s}etsockopt")
      Reported-by: default avatarGopal RajagopalSai <gopalsr83@gmail.com>
      Signed-off-by: default avatarLance Richardson <lance.richardson.net@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      988bf724
    • Vivien Didelot's avatar
      MAINTAINERS: add davem in NETWORKING DRIVERS · 0b21bca0
      Vivien Didelot authored
      "./scripts/get_maintainer.pl -f" does not actually show us David as the
      maintainer of drivers/net directories such as team, bonding, phy or dsa.
      Adding him in an M: entry of NETWORKING DRIVERS fixes this.
      Signed-off-by: default avatarVivien Didelot <vivien.didelot@savoirfairelinux.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b21bca0
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2018-04-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e8e96081
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2018-04-26
      
      This pull request includes fixes for mlx5 core and netdev driver.
      
      Please pull and let me know if there's any problems.
      
      For -stable v4.12
          net/mlx5e: TX, Use correct counter in dma_map error flow
      For -stable v4.13
          net/mlx5: Avoid cleaning flow steering table twice during error flow
      For -stable v4.14
          net/mlx5e: Allow offloading ipv4 header re-write for icmp
      For -stable v4.15
          net/mlx5e: DCBNL fix min inline header size for dscp
      For -stable v4.16
          net/mlx5: Fix mlx5_get_vector_affinity function
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e8e96081
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2018-04-26' of... · 1da9a586
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2018-04-26' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.17
      
      A few fixes for 4.17 but nothing really special. The new ETSI WMM
      parameter support for iwlwifi is not technically a bugfix but
      important for regulatory compliance.
      
      iwlwifi
      
      * use new ETSI WMM parameters from regulatory database
      
      * fix a regression with the older firmware API 31 (eg. 31.560484.0)
      
      brcmfmac
      
      * fix a double free in nvmam loading fails
      
      rtlwifi
      
      * yet another fix for ant_sel module parameter
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1da9a586
    • Ido Schimmel's avatar
      mlxsw: spectrum_switchdev: Do not remove mrouter port from MDB's ports list · c7f46cca
      Ido Schimmel authored
      When IGMP snooping is enabled on a bridge, traffic forwarded by an MDB
      entry should be sent to both ports member in the MDB's ports list and
      mrouter ports.
      
      In case a port needs to be removed from an MDB's ports list, but this
      port is also configured as an mrouter port, then do not update the
      device so that it will continue to forward traffic through that port.
      
      Fix a copy-paste error that checked that IGMP snooping is enabled twice
      instead of checking the port's mrouter state.
      
      Fixes: ded711c8 ("mlxsw: spectrum_switchdev: Consider mrouter status for mdb changes")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarColin King <colin.king@canonical.com>
      Reviewed-by: default avatarNogah Frankel <nogahf@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7f46cca
    • Xin Long's avatar
      sctp: clear the new asoc's stream outcnt in sctp_stream_update · 6a9a27d5
      Xin Long authored
      When processing a duplicate cookie-echo chunk, sctp moves the new
      temp asoc's stream out/in into the old asoc, and later frees this
      new temp asoc.
      
      But now after this move, the new temp asoc's stream->outcnt is not
      cleared while stream->out is set to NULL, which would cause a same
      crash as the one fixed in Commit 79d08951 ("sctp: fix error
      path in sctp_stream_init") when freeing this asoc later.
      
      This fix is to clear this outcnt in sctp_stream_update.
      
      Fixes: f952be79 ("sctp: introduce struct sctp_stream_out_ext")
      Reported-by: default avatarJianwen Ji <jiji@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6a9a27d5
    • SZ Lin (林上智)'s avatar
      NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 · 9306b38e
      SZ Lin (林上智) authored
      This patch adds support for PID 0x90b2 of ublox R410M.
      
      qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
      [/dev/cdc-wdm0] Device manufacturer retrieved:
              Manufacturer: 'u-blox'
      
      qmicli -d /dev/cdc-wdm0 --dms-get-model
      [/dev/cdc-wdm0] Device model retrieved:
              Model: 'SARA-R410M-02B'
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9306b38e
    • Xin Long's avatar
      sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr · d625329b
      Xin Long authored
      Since sctp ipv6 socket also supports v4 addrs, it's possible to
      compare two v4 addrs in pf v6 .cmp_addr, sctp_inet6_cmp_addr.
      
      However after Commit 1071ec9d ("sctp: do not check port in
      sctp_inet6_cmp_addr"), it no longer calls af1->cmp_addr, which
      in this case is sctp_v4_cmp_addr, but calls __sctp_v6_cmp_addr
      where it handles them as two v6 addrs. It would cause a out of
      bounds crash.
      
      syzbot found this crash when trying to bind two v4 addrs to a
      v6 socket.
      
      This patch fixes it by adding the process for two v4 addrs in
      sctp_inet6_cmp_addr.
      
      Fixes: 1071ec9d ("sctp: do not check port in sctp_inet6_cmp_addr")
      Reported-by: syzbot+cd494c1dd681d4d93ebb@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d625329b
    • Florian Fainelli's avatar
      net: systemport: Correclty disambiguate driver instances · 1f3ccc3c
      Florian Fainelli authored
      While adding the DSA notifier, we will be sending DSA notifications with
      info->master that is going to point to a particular net_device instance.
      
      Our logic in bcm_sysport_map_queues() correctly disambiguates net_device
      instances that are not covered by our own driver, but it will not make
      sure that info->master points to a particular driver instance that we
      are interested in. In a system where e.g: two or more SYSTEMPORT
      instances are registered, this would lead in programming two or more
      times the queue mapping, completely messing with the logic which does
      the queue/port allocation and tracking.
      
      Fix this by looking at the notifier_block pointer which is unique per
      instance and allows us to go back to our driver private structure, and
      in turn to the backing net_device instance.
      
      Fixes: d1565763 ("net: systemport: Establish lower/upper queue mapping")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarVivien Didelot <vivien.didelot@savoirfairelinux.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f3ccc3c
    • Anders Roxell's avatar
      selftests: net: add in_netns.sh TEST_GEN_PROGS_EXTENDED · 9faedd64
      Anders Roxell authored
      Script in_netns.sh is a utility function and not its own test so it
      shouldn't be part of the TEST_PROGS. The in_netns.sh get used by
      run_afpackettests.
      To install in_netns.sh without being added to the main run_kselftest.sh
      script use the TEST_GEN_PROGS_EXTENDED variable.
      
      Fixes: 5ff9c1a3 ("selftests: net: add in_netns.sh to TEST_PROGS")
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9faedd64
    • Yuchung Cheng's avatar
      tcp: ignore Fast Open on repair mode · 16ae6aa1
      Yuchung Cheng authored
      The TCP repair sequence of operation is to first set the socket in
      repair mode, then inject the TCP stats into the socket with repair
      socket options, then call connect() to re-activate the socket. The
      connect syscall simply returns and set state to ESTABLISHED
      mode. As a result Fast Open is meaningless for TCP repair.
      
      However allowing sendto() system call with MSG_FASTOPEN flag half-way
      during the repair operation could unexpectedly cause data to be
      sent, before the operation finishes changing the internal TCP stats
      (e.g. MSS).  This in turn triggers TCP warnings on inconsistent
      packet accounting.
      
      The fix is to simply disallow Fast Open operation once the socket
      is in the repair mode.
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Reviewed-by: default avatarNeal Cardwell <ncardwell@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16ae6aa1
    • David S. Miller's avatar
      Merge branch 'mvpp2-fixes' · cc2180a5
      David S. Miller authored
      Maxime Chevallier says:
      
      ====================
      net: mvpp2: Fix hangs when starting some interfaces on 7k/8k
      
      Armada 7K / 8K clock management has recently been reworked, see :
      
      commit c7e92def ("clk: mvebu: cp110: Fix clock tree representation")
      
      I have been experiencing overall system hangs on MacchiatoBin when starting
      the eth1 interface since then. It turns out some clocks dependencies were
      missing in the PPv2 and xmdio driver, the clock rework made this visible.
      
      This is the V2 series, that adds support for the missing 'MG Core clock' in
      mvpp2, and fixes an issue with the error path for the axi_clk.
      
      Thanks to Gregory Clement for finding the root cause of this bug.
      
      V2 : Remove all DT patches from this series, they will be merged through
           the mvebu tree.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc2180a5
    • Maxime Chevallier's avatar
      net: mvpp2: Fix clock resource by adding missing mg_core_clk · 9af771ce
      Maxime Chevallier authored
      Marvell's PPv2.2 IP needs an additional clock named "MG Core clock".
      This is required on Armada 7K and 8K.
      
      This commit adds the required clock in mvpp2, making sure it's only
      used on PPv2.2.
      
      Fixes: c7e92def ("clk: mvebu: cp110: Fix clock tree representation")
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9af771ce
    • Maxime Chevallier's avatar
      net: mvpp2: Fix clk error path in mvpp2_probe · 45f972ad
      Maxime Chevallier authored
      When clk_prepare_enable fails for the axi_clk, the mg_clk isn't properly
      cleaned up. Add another jump label to handle that case, and make sure we
      jump to it in the later error cases.
      
      Fixes: 4792ea04 ("net: mvpp2: Fix clock resource by adding an optional bus clock")
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Acked-by: default avatarGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45f972ad
    • Jakub Kicinski's avatar
      nfp: don't depend on eth_tbl being available · c55ca688
      Jakub Kicinski authored
      For very very old generation of the management FW Ethernet port
      information table may theoretically not be available.  This in
      turn will cause the nfp_port structures to not be allocated.
      
      Make sure we don't crash the kernel when there is no eth_tbl:
      
      RIP: 0010:nfp_net_pci_probe+0xf2/0xb40 [nfp]
      ...
      Call Trace:
        nfp_pci_probe+0x6de/0xab0 [nfp]
        local_pci_probe+0x47/0xa0
        work_for_cpu_fn+0x1a/0x30
        process_one_work+0x1de/0x3e0
      
      Found while working with broken/development version of management FW.
      
      Fixes: a5950182 ("nfp: map mac_stats and vf_cfg BARs")
      Fixes: 93da7d96 ("nfp: provide nfp_port to of nfp_net_get_mac_addr()")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c55ca688
    • Jon Maloy's avatar
      tipc: fix bug in function tipc_nl_node_dump_monitor · 7dbc73e6
      Jon Maloy authored
      Commit 36a50a98 ("tipc: fix infinite loop when dumping link monitor
      summary") intended to fix a problem with user tool looping when max
      number of bearers are enabled.
      
      Unfortunately, the wrong version of the commit was posted, so the
      problem was not solved at all.
      
      This commit adds the missing part.
      
      Fixes: 36a50a98 ("tipc: fix infinite loop when dumping link monitor summary")
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7dbc73e6
  5. 26 Apr, 2018 8 commits
  6. 25 Apr, 2018 7 commits
    • John Fastabend's avatar
      bpf: fix for lex/yacc build error with gcc-5 · 9c299a32
      John Fastabend authored
      Fix build error found with Ubuntu shipped gcc-5
      
      ~/git/bpf/tools/bpf$ make all
      
      Auto-detecting system features:
      ...                        libbfd: [ OFF ]
      ...        disassembler-four-args: [ OFF ]
      
        CC       bpf_jit_disasm.o
        LINK     bpf_jit_disasm
        CC       bpf_dbg.o
      /home/john/git/bpf/tools/bpf/bpf_dbg.c: In function ‘cmd_load’:
      /home/john/git/bpf/tools/bpf/bpf_dbg.c:1077:13: warning: ‘cont’ may be used uninitialized in this function [-Wmaybe-uninitialized]
        } else if (matches(subcmd, "pcap") == 0) {
                   ^
        LINK     bpf_dbg
        CC       bpf_asm.o
      make: *** No rule to make target `bpf_exp.yacc.o', needed by `bpf_asm'.  Stop.
      
      Fixes: 5a8997f2 ("tools: bpf: respect output directory during build")
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      9c299a32
    • Dag Moxnes's avatar
      rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp · 91a82529
      Dag Moxnes authored
      The function rds_ib_setup_qp is calling rds_ib_get_client_data and
      should correspondingly call rds_ib_dev_put. This call was lost in
      the non-error path with the introduction of error handling done in
      commit 3b12f73a ("rds: ib: add error handle")
      Signed-off-by: default avatarDag Moxnes <dag.moxnes@oracle.com>
      Reviewed-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      91a82529
    • Ursula Braun's avatar
      net/smc: keep clcsock reference in smc_tcp_listen_work() · 070204a3
      Ursula Braun authored
      The internal CLC socket should exist till the SMC-socket is released.
      Function tcp_listen_worker() releases the internal CLC socket of a
      listen socket, if an smc_close_active() is called. This function
      is called for the final release(), but it is called for shutdown
      SHUT_RDWR as well. This opens a door for protection faults, if
      socket calls using the internal CLC socket are called for a
      shutdown listen socket.
      
      With the changes of
      commit 3d502067 ("net/smc: simplify wait when closing listen socket")
      there is no need anymore to release the internal CLC socket in
      function tcp_listen_worker((). It is sufficient to release it in
      smc_release().
      
      Fixes: 127f4970 ("net/smc: release clcsock from tcp_listen_worker")
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Reported-by: syzbot+9045fc589fcd196ef522@syzkaller.appspotmail.com
      Reported-by: syzbot+28a2c86cf19c81d871fa@syzkaller.appspotmail.com
      Reported-by: syzbot+9605e6cace1b5efd4a0a@syzkaller.appspotmail.com
      Reported-by: syzbot+cf9012c597c8379d535c@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      070204a3
    • Alexandre Belloni's avatar
      net: phy: allow scanning busses with missing phys · 02a6efca
      Alexandre Belloni authored
      Some MDIO busses will error out when trying to read a phy address with no
      phy present at that address. In that case, probing the bus will fail
      because __mdiobus_register() is scanning the bus for all possible phys
      addresses.
      
      In case MII_PHYSID1 returns -EIO or -ENODEV, consider there is no phy at
      this address and set the phy ID to 0xffffffff which is then properly
      handled in get_phy_device().
      Suggested-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02a6efca
    • Gianluca Borello's avatar
      bpf, x64: fix JIT emission for dead code · 1612a981
      Gianluca Borello authored
      Commit 2a5418a1 ("bpf: improve dead code sanitizing") replaced dead
      code with a series of ja-1 instructions, for safety. That made JIT
      compilation much more complex for some BPF programs. One instance of such
      programs is, for example:
      
      bool flag = false
      ...
      /* A bunch of other code */
      ...
      if (flag)
              do_something()
      
      In some cases llvm is not able to remove at compile time the code for
      do_something(), so the generated BPF program ends up with a large amount
      of dead instructions. In one specific real life example, there are two
      series of ~500 and ~1000 dead instructions in the program. When the
      verifier replaces them with a series of ja-1 instructions, it causes an
      interesting behavior at JIT time.
      
      During the first pass, since all the instructions are estimated at 64
      bytes, the ja-1 instructions end up being translated as 5 bytes JMP
      instructions (0xE9), since the jump offsets become increasingly large (>
      127) as each instruction gets discovered to be 5 bytes instead of the
      estimated 64.
      
      Starting from the second pass, the first N instructions of the ja-1
      sequence get translated into 2 bytes JMPs (0xEB) because the jump offsets
      become <= 127 this time. In particular, N is defined as roughly 127 / (5
      - 2) ~= 42. So, each further pass will make the subsequent N JMP
      instructions shrink from 5 to 2 bytes, making the image shrink every time.
      This means that in order to have the entire program converge, there need
      to be, in the real example above, at least ~1000 / 42 ~= 24 passes just
      for translating the dead code. If we add this number to the passes needed
      to translate the other non dead code, it brings such program to 40+
      passes, and JIT doesn't complete. Ultimately the userspace loader fails
      because such BPF program was supposed to be part of a prog array owner
      being JITed.
      
      While it is certainly possible to try to refactor such programs to help
      the compiler remove dead code, the behavior is not really intuitive and it
      puts further burden on the BPF developer who is not expecting such
      behavior. To make things worse, such programs are working just fine in all
      the kernel releases prior to the ja-1 fix.
      
      A possible approach to mitigate this behavior consists into noticing that
      for ja-1 instructions we don't really need to rely on the estimated size
      of the previous and current instructions, we know that a -1 BPF jump
      offset can be safely translated into a 0xEB instruction with a jump offset
      of -2.
      
      Such fix brings the BPF program in the previous example to complete again
      in ~9 passes.
      
      Fixes: 2a5418a1 ("bpf: improve dead code sanitizing")
      Signed-off-by: default avatarGianluca Borello <g.borello@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      1612a981
    • William Tu's avatar
      bpf: clear the ip_tunnel_info. · 5540fbf4
      William Tu authored
      The percpu metadata_dst might carry the stale ip_tunnel_info
      and cause incorrect behavior.  When mixing tests using ipv4/ipv6
      bpf vxlan and geneve tunnel, the ipv6 tunnel info incorrectly uses
      ipv4's src ip addr as its ipv6 src address, because the previous
      tunnel info does not clean up.  The patch zeros the fields in
      ip_tunnel_info.
      Signed-off-by: default avatarWilliam Tu <u9012063@gmail.com>
      Reported-by: default avatarYifeng Sun <pkusunyifeng@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      5540fbf4
    • Linus Torvalds's avatar
      Merge branch 'userns-linus' of... · 3be4aaf4
      Linus Torvalds authored
      Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
      
      Pull userns bug fix from Eric Biederman:
       "Just a small fix to properly set the return code on error"
      
      * 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        commoncap: Handle memory allocation failure.
      3be4aaf4