1. 22 3月, 2018 14 次提交
    • K
      net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b · 0231b1a0
      Kevin Hao 提交于
      The Ethernet on mpc8315erdb is broken since commit b6b5e8a6
      ("gianfar: Disable EEE autoneg by default"). The reason is that
      even though the rtl8211b doesn't support the MMD extended registers
      access, it does return some random values if we trying to access
      the MMD register via indirect method. This makes it seem that the
      EEE is supported by this phy device. And the subsequent writing to
      the MMD registers does cause the phy malfunction. So use the dummy
      stubs for the MMD register access to fix this issue.
      
      Fixes: b6b5e8a6 ("gianfar: Disable EEE autoneg by default")
      Signed-off-by: NKevin Hao <haokexin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0231b1a0
    • K
      net: phy: Add general dummy stubs for MMD register access · 5df7af85
      Kevin Hao 提交于
      For some phy devices, even though they don't support the MMD extended
      register access, it does have some side effect if we are trying to
      read/write the MMD registers via indirect method. So introduce general
      dummy stubs for MMD register access which these devices can use to avoid
      such side effect.
      
      Fixes: b6b5e8a6 ("gianfar: Disable EEE autoneg by default")
      Signed-off-by: NKevin Hao <haokexin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5df7af85
    • D
      Merge tag 'batadv-net-for-davem-20180319' of git://git.open-mesh.org/linux-merge · ee54a9f9
      David S. Miller 提交于
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv bugfixes:
      
       - fix possible IPv6 packet loss when multicast extension is used, by Linus Luessing
      
       - fix SKB handling issues for TTVN and DAT, by Matthias Schiffer (two patches)
      
       - fix include for eventpoll, by Sven Eckelmann
      
       - fix skb checksum for ttvn reroutes, by Sven Eckelmann
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ee54a9f9
    • D
      Merge branch 'net-sched-action-idr-leak' · ba9a1908
      David S. Miller 提交于
      Davide Caratti says:
      
      ====================
      fix idr leak in actions
      
      This series fixes situations where a temporary failure to install a TC
      action results in the permanent impossibility to reuse the configured
      value of 'index'.
      
      Thanks to Cong Wang for the initial review.
      
      v2: fix build error in act_ipt.c, reported by kbuild test robot
      ====================
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ba9a1908
    • D
      net/sched: fix idr leak in the error path of tcf_skbmod_init() · f29cdfbe
      Davide Caratti 提交于
      tcf_skbmod_init() can fail after the idr has been successfully reserved.
      When this happens, every subsequent attempt to configure skbmod rules
      using the same idr value will systematically fail with -ENOSPC, unless
      the first attempt was done using the 'replace' keyword:
      
       # tc action add action skbmod swap mac index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc action add action skbmod swap mac index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       # tc action add action skbmod swap mac index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       ...
      
      Fix this in tcf_skbmod_init(), ensuring that tcf_idr_release() is called
      on the error path when the idr has been reserved, but not yet inserted.
      Also, don't test 'ovr' in the error path, to avoid a 'replace' failure
      implicitly become a 'delete' that leaks refcount in act_skbmod module:
      
       # rmmod act_skbmod; modprobe act_skbmod
       # tc action add action skbmod swap mac index 100
       # tc action add action skbmod swap mac continue index 100
       RTNETLINK answers: File exists
       We have an error talking to the kernel
       # tc action replace action skbmod swap mac continue index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc action list action skbmod
       #
       # rmmod  act_skbmod
       rmmod: ERROR: Module act_skbmod is in use
      
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f29cdfbe
    • D
      net/sched: fix idr leak in the error path of tcf_vlan_init() · d7f20015
      Davide Caratti 提交于
      tcf_vlan_init() can fail after the idr has been successfully reserved.
      When this happens, every subsequent attempt to configure vlan rules using
      the same idr value will systematically fail with -ENOSPC, unless the first
      attempt was done using the 'replace' keyword.
      
       # tc action add action vlan pop index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc action add action vlan pop index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       # tc action add action vlan pop index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       ...
      
      Fix this in tcf_vlan_init(), ensuring that tcf_idr_release() is called on
      the error path when the idr has been reserved, but not yet inserted. Also,
      don't test 'ovr' in the error path, to avoid a 'replace' failure implicitly
      become a 'delete' that leaks refcount in act_vlan module:
      
       # rmmod act_vlan; modprobe act_vlan
       # tc action add action vlan push id 5 index 100
       # tc action replace action vlan push id 7 index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc action list action vlan
       #
       # rmmod act_vlan
       rmmod: ERROR: Module act_vlan is in use
      
      Fixes: 4c5b9d96 ("act_vlan: VLAN action rewrite to use RCU lock/unlock and update")
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7f20015
    • D
      net/sched: fix idr leak in the error path of __tcf_ipt_init() · 1e46ef17
      Davide Caratti 提交于
      __tcf_ipt_init() can fail after the idr has been successfully reserved.
      When this happens, subsequent attempts to configure xt/ipt rules using
      the same idr value systematically fail with -ENOSPC:
      
       # tc action add action xt -j LOG --log-prefix test1 index 100
       tablename: mangle hook: NF_IP_POST_ROUTING
               target:  LOG level warning prefix "test1" index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       Command "(null)" is unknown, try "tc actions help".
       # tc action add action xt -j LOG --log-prefix test1 index 100
       tablename: mangle hook: NF_IP_POST_ROUTING
               target:  LOG level warning prefix "test1" index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       Command "(null)" is unknown, try "tc actions help".
       # tc action add action xt -j LOG --log-prefix test1 index 100
       tablename: mangle hook: NF_IP_POST_ROUTING
               target:  LOG level warning prefix "test1" index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       ...
      
      Fix this in the error path of __tcf_ipt_init(), calling tcf_idr_release()
      in place of tcf_idr_cleanup(). Since tcf_ipt_release() can now be called
      when tcfi_t is NULL, we also need to protect calls to ipt_destroy_target()
      to avoid NULL pointer dereference.
      
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1e46ef17
    • D
      net/sched: fix idr leak in the error path of tcp_pedit_init() · 94fa3f92
      Davide Caratti 提交于
      tcf_pedit_init() can fail to allocate 'keys' after the idr has been
      successfully reserved. When this happens, subsequent attempts to configure
      a pedit rule using the same idr value systematically fail with -ENOSPC:
      
       # tc action add action pedit munge ip ttl set 63 index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc action add action pedit munge ip ttl set 63 index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       # tc action add action pedit munge ip ttl set 63 index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       ...
      
      Fix this in the error path of tcf_act_pedit_init(), calling
      tcf_idr_release() in place of tcf_idr_cleanup().
      
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      94fa3f92
    • D
      net/sched: fix idr leak in the error path of tcf_act_police_init() · 5bf7f818
      Davide Caratti 提交于
      tcf_act_police_init() can fail after the idr has been successfully
      reserved (e.g., qdisc_get_rtab() may return NULL). When this happens,
      subsequent attempts to configure a police rule using the same idr value
      systematiclly fail with -ENOSPC:
      
       # tc action add action police rate 1000 burst 1000 drop index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc action add action police rate 1000 burst 1000 drop index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       # tc action add action police rate 1000 burst 1000 drop index 100
       RTNETLINK answers: No space left on device
       ...
      
      Fix this in the error path of tcf_act_police_init(), calling
      tcf_idr_release() in place of tcf_idr_cleanup().
      
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5bf7f818
    • D
      net/sched: fix idr leak in the error path of tcf_simp_init() · 60e10b3a
      Davide Caratti 提交于
      if the kernel fails to duplicate 'sdata', creation of a new action fails
      with -ENOMEM. However, subsequent attempts to install the same action
      using the same value of 'index' systematically fail with -ENOSPC, and
      that value of 'index' will no more be usable by act_simple, until rmmod /
      insmod of act_simple.ko is done:
      
       # tc actions add action simple sdata hello index 100
       # tc actions list action simple
      
              action order 0: Simple <hello>
               index 100 ref 1 bind 0
       # tc actions flush action simple
       # tc actions add action simple sdata hello index 100
       RTNETLINK answers: Cannot allocate memory
       We have an error talking to the kernel
       # tc actions flush action simple
       # tc actions add action simple sdata hello index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       # tc actions add action simple sdata hello index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
       ...
      
      Fix this in the error path of tcf_simp_init(), calling tcf_idr_release()
      in place of tcf_idr_cleanup().
      
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Suggested-by: NCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      60e10b3a
    • D
      net/sched: fix idr leak on the error path of tcf_bpf_init() · bbc09e78
      Davide Caratti 提交于
      when the following command sequence is entered
      
       # tc action add action bpf bytecode '4,40 0 0 12,31 0 1 2048,6 0 0 262144,6 0 0 0' index 100
       RTNETLINK answers: Invalid argument
       We have an error talking to the kernel
       # tc action add action bpf bytecode '4,40 0 0 12,21 0 1 2048,6 0 0 262144,6 0 0 0' index 100
       RTNETLINK answers: No space left on device
       We have an error talking to the kernel
      
      act_bpf correctly refuses to install the first TC rule, because 31 is not
      a valid instruction. However, it refuses to install the second TC rule,
      even if the BPF code is correct. Furthermore, it's no more possible to
      install any other rule having the same value of 'index' until act_bpf
      module is unloaded/inserted again. After the idr has been reserved, call
      tcf_idr_release() instead of tcf_idr_cleanup(), to fix this issue.
      
      Fixes: 65a206c0 ("net/sched: Change act_api and act_xxx modules to use IDR")
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bbc09e78
    • C
      qede: fix spelling mistake: "registeration" -> "registration" · 3f2176dd
      Colin Ian King 提交于
      Trivial fix to spelling mistakes in DP_ERR error message text and
      comments
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3f2176dd
    • C
      bnx2x: fix spelling mistake: "registeration" -> "registration" · 924613d3
      Colin Ian King 提交于
      Trivial fix to spelling mistake in BNX2X_ERR error message text
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Acked-by: NSudarsana Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      924613d3
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 3d27484e
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-03-21
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Follow-up fix to the fault injection framework to prevent jump
         optimization on the kprobe by installing a dummy post-handler,
         from Masami.
      
      2) Drop bpf_perf_prog_read_value helper from tracepoint type programs
         which was mistakenly added there and would otherwise crash due to
         wrong input context, from Yonghong.
      
      3) Fix a crash in BPF fs when compiled with clang. Code appears to
         be fine just that clang tries to overly aggressive optimize in
         non C conform ways, therefore fix the kernel's Makefile to
         generally prevent such issues, from Daniel.
      
      4) Skip unnecessary capability checks in bpf syscall, which is otherwise
         triggering unnecessary security hooks on capability checking and
         causing false alarms on unprivileged processes trying to access
         CAP_SYS_ADMIN restricted infra, from Chenbo.
      
      5) Fix the test_bpf.ko module when CONFIG_BPF_JIT_ALWAYS_ON is set
         with regards to a test case that is really just supposed to fail
         on x8_64 JIT but not others, from Thadeu.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3d27484e
  2. 21 3月, 2018 8 次提交
    • D
      kbuild: disable clang's default use of -fmerge-all-constants · 87e0d4f0
      Daniel Borkmann 提交于
      Prasad reported that he has seen crashes in BPF subsystem with netd
      on Android with arm64 in the form of (note, the taint is unrelated):
      
        [ 4134.721483] Unable to handle kernel paging request at virtual address 800000001
        [ 4134.820925] Mem abort info:
        [ 4134.901283]   Exception class = DABT (current EL), IL = 32 bits
        [ 4135.016736]   SET = 0, FnV = 0
        [ 4135.119820]   EA = 0, S1PTW = 0
        [ 4135.201431] Data abort info:
        [ 4135.301388]   ISV = 0, ISS = 0x00000021
        [ 4135.359599]   CM = 0, WnR = 0
        [ 4135.470873] user pgtable: 4k pages, 39-bit VAs, pgd = ffffffe39b946000
        [ 4135.499757] [0000000800000001] *pgd=0000000000000000, *pud=0000000000000000
        [ 4135.660725] Internal error: Oops: 96000021 [#1] PREEMPT SMP
        [ 4135.674610] Modules linked in:
        [ 4135.682883] CPU: 5 PID: 1260 Comm: netd Tainted: G S      W       4.14.19+ #1
        [ 4135.716188] task: ffffffe39f4aa380 task.stack: ffffff801d4e0000
        [ 4135.731599] PC is at bpf_prog_add+0x20/0x68
        [ 4135.741746] LR is at bpf_prog_inc+0x20/0x2c
        [ 4135.751788] pc : [<ffffff94ab7ad584>] lr : [<ffffff94ab7ad638>] pstate: 60400145
        [ 4135.769062] sp : ffffff801d4e3ce0
        [...]
        [ 4136.258315] Process netd (pid: 1260, stack limit = 0xffffff801d4e0000)
        [ 4136.273746] Call trace:
        [...]
        [ 4136.442494] 3ca0: ffffff94ab7ad584 0000000060400145 ffffffe3a01bf8f8 0000000000000006
        [ 4136.460936] 3cc0: 0000008000000000 ffffff94ab844204 ffffff801d4e3cf0 ffffff94ab7ad584
        [ 4136.479241] [<ffffff94ab7ad584>] bpf_prog_add+0x20/0x68
        [ 4136.491767] [<ffffff94ab7ad638>] bpf_prog_inc+0x20/0x2c
        [ 4136.504536] [<ffffff94ab7b5d08>] bpf_obj_get_user+0x204/0x22c
        [ 4136.518746] [<ffffff94ab7ade68>] SyS_bpf+0x5a8/0x1a88
      
      Android's netd was basically pinning the uid cookie BPF map in BPF
      fs (/sys/fs/bpf/traffic_cookie_uid_map) and later on retrieving it
      again resulting in above panic. Issue is that the map was wrongly
      identified as a prog! Above kernel was compiled with clang 4.0,
      and it turns out that clang decided to merge the bpf_prog_iops and
      bpf_map_iops into a single memory location, such that the two i_ops
      could then not be distinguished anymore.
      
      Reason for this miscompilation is that clang has the more aggressive
      -fmerge-all-constants enabled by default. In fact, clang source code
      has a comment about it in lib/AST/ExprConstant.cpp on why it is okay
      to do so:
      
        Pointers with different bases cannot represent the same object.
        (Note that clang defaults to -fmerge-all-constants, which can
        lead to inconsistent results for comparisons involving the address
        of a constant; this generally doesn't matter in practice.)
      
      The issue never appeared with gcc however, since gcc does not enable
      -fmerge-all-constants by default and even *explicitly* states in
      it's option description that using this flag results in non-conforming
      behavior, quote from man gcc:
      
        Languages like C or C++ require each variable, including multiple
        instances of the same variable in recursive calls, to have distinct
        locations, so using this option results in non-conforming behavior.
      
      There are also various clang bug reports open on that matter [1],
      where clang developers acknowledge the non-conforming behavior,
      and refer to disabling it with -fno-merge-all-constants. But even
      if this gets fixed in clang today, there are already users out there
      that triggered this. Thus, fix this issue by explicitly adding
      -fno-merge-all-constants to the kernel's Makefile to generically
      disable this optimization, since potentially other places in the
      kernel could subtly break as well.
      
      Note, there is also a flag called -fmerge-constants (not supported
      by clang), which is more conservative and only applies to strings
      and it's enabled in gcc's -O/-O2/-O3/-Os optimization levels. In
      gcc's code, the two flags -fmerge-{all-,}constants share the same
      variable internally, so when disabling it via -fno-merge-all-constants,
      then we really don't merge any const data (e.g. strings), and text
      size increases with gcc (14,927,214 -> 14,942,646 for vmlinux.o).
      
        $ gcc -fverbose-asm -O2 foo.c -S -o foo.S
          -> foo.S lists -fmerge-constants under options enabled
        $ gcc -fverbose-asm -O2 -fno-merge-all-constants foo.c -S -o foo.S
          -> foo.S doesn't list -fmerge-constants under options enabled
        $ gcc -fverbose-asm -O2 -fno-merge-all-constants -fmerge-constants foo.c -S -o foo.S
          -> foo.S lists -fmerge-constants under options enabled
      
      Thus, as a workaround we need to set both -fno-merge-all-constants
      *and* -fmerge-constants in the Makefile in order for text size to
      stay as is.
      
        [1] https://bugs.llvm.org/show_bug.cgi?id=18538Reported-by: NPrasad Sodagudi <psodagud@codeaurora.org>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Chenbo Feng <fengc@google.com>
      Cc: Richard Smith <richard-llvm@metafoo.co.uk>
      Cc: Chandler Carruth <chandlerc@gmail.com>
      Cc: linux-kernel@vger.kernel.org
      Tested-by: NPrasad Sodagudi <psodagud@codeaurora.org>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      87e0d4f0
    • C
      bpf: skip unnecessary capability check · 0fa4fe85
      Chenbo Feng 提交于
      The current check statement in BPF syscall will do a capability check
      for CAP_SYS_ADMIN before checking sysctl_unprivileged_bpf_disabled. This
      code path will trigger unnecessary security hooks on capability checking
      and cause false alarms on unprivileged process trying to get CAP_SYS_ADMIN
      access. This can be resolved by simply switch the order of the statement
      and CAP_SYS_ADMIN is not required anyway if unprivileged bpf syscall is
      allowed.
      Signed-off-by: NChenbo Feng <fengc@google.com>
      Acked-by: NLorenzo Colitti <lorenzo@google.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      0fa4fe85
    • Y
      trace/bpf: remove helper bpf_perf_prog_read_value from tracepoint type programs · f005afed
      Yonghong Song 提交于
      Commit 4bebdc7a ("bpf: add helper bpf_perf_prog_read_value")
      added helper bpf_perf_prog_read_value so that perf_event type program
      can read event counter and enabled/running time.
      This commit, however, introduced a bug which allows this helper
      for tracepoint type programs. This is incorrect as bpf_perf_prog_read_value
      needs to access perf_event through its bpf_perf_event_data_kern type context,
      which is not available for tracepoint type program.
      
      This patch fixed the issue by separating bpf_func_proto between tracepoint
      and perf_event type programs and removed bpf_perf_prog_read_value
      from tracepoint func prototype.
      
      Fixes: 4bebdc7a ("bpf: add helper bpf_perf_prog_read_value")
      Reported-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NYonghong Song <yhs@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      f005afed
    • T
      test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches · 52fda36d
      Thadeu Lima de Souza Cascardo 提交于
      Function bpf_fill_maxinsns11 is designed to not be able to be JITed on
      x86_64. So, it fails when CONFIG_BPF_JIT_ALWAYS_ON=y, and
      commit 09584b40 ("bpf: fix selftests/bpf test_kmod.sh failure when
      CONFIG_BPF_JIT_ALWAYS_ON=y") makes sure that failure is detected on that
      case.
      
      However, it does not fail on other architectures, which have a different
      JIT compiler design. So, test_bpf has started to fail to load on those.
      
      After this fix, test_bpf loads fine on both x86_64 and ppc64el.
      
      Fixes: 09584b40 ("bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y")
      Signed-off-by: NThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Reviewed-by: NYonghong Song <yhs@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      52fda36d
    • S
      ipv6: old_dport should be a __be16 in __ip6_datagram_connect() · 5f2fb802
      Stefano Brivio 提交于
      Fixes: 2f987a76 ("net: ipv6: keep sk status consistent after datagram connect failure")
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Acked-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5f2fb802
    • D
      Merge tag 'linux-can-fixes-for-4.16-20180319' of... · 8220ce6d
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-4.16-20180319' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-03-19
      
      this is a pull reqeust of one patch for net/master.
      
      The patch is by Andri Yngvason and fixes a potential use-after-free bug
      in the cc770 driver introduced in the previous pull-request.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8220ce6d
    • I
      net: gemini: fix memory leak · 44caebd3
      Igor Pylypiv 提交于
      cppcheck report:
      [drivers/net/ethernet/cortina/gemini.c:543]: (error) Memory leak: skb_tab
      Signed-off-by: NIgor Pylypiv <igor.pylypiv@gmail.com>
      Acked-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      44caebd3
    • C
      net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred · 00777fac
      Christophe JAILLET 提交于
      If the optional regulator is deferred, we must release some resources.
      They will be re-allocated when the probe function will be called again.
      
      Fixes: 6eacf311 ("ethernet: arc: Add support for Rockchip SoC layer device tree bindings")
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      00777fac
  3. 20 3月, 2018 6 次提交
  4. 19 3月, 2018 2 次提交
  5. 18 3月, 2018 10 次提交
    • S
      batman-adv: Fix skbuff rcsum on packet reroute · fc04fdb2
      Sven Eckelmann 提交于
      batadv_check_unicast_ttvn may redirect a packet to itself or another
      originator. This involves rewriting the ttvn and the destination address in
      the batadv unicast header. These field were not yet pulled (with skb rcsum
      update) and thus any change to them also requires a change in the receive
      checksum.
      Reported-by: NMatthias Schiffer <mschiffer@universe-factory.net>
      Fixes: a73105b8 ("batman-adv: improved client announcement mechanism")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      fc04fdb2
    • S
      batman-adv: Add missing include for EPOLL* constants · 48881ed5
      Sven Eckelmann 提交于
      Fixes: a9a08845 ("vfs: do bulk POLL* -> EPOLL* replacement")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      48881ed5
    • R
      vmxnet3: use correct flag to indicate LRO feature · 034f4057
      Ronak Doshi 提交于
      'Commit 45dac1d6 ("vmxnet3: Changes for vmxnet3 adapter version 2
      (fwd)")' introduced a flag "lro" in structure vmxnet3_adapter which is
      used to indicate whether LRO is enabled or not. However, the patch
      did not set the flag and hence it was never exercised.
      
      So, when LRO is enabled, it resulted in poor TCP performance due to
      delayed acks. This issue is seen with packets which are larger than
      the mss getting a delayed ack rather than an immediate ack, thus
      resulting in high latency.
      
      This patch removes the lro flag and directly uses device features
      against NETIF_F_LRO to check if lro is enabled.
      
      Fixes: 45dac1d6 ("vmxnet3: Changes for vmxnet3 adapter version 2 (fwd)")
      Reported-by: NRachel Lunnon <rachel_lunnon@stormagic.com>
      Signed-off-by: NRonak Doshi <doshir@vmware.com>
      Acked-by: NShrikrishna Khare <skhare@vmware.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      034f4057
    • R
      vmxnet3: avoid xmit reset due to a race in vmxnet3 · 7a4c003d
      Ronak Doshi 提交于
      The field txNumDeferred is used by the driver to keep track of the number
      of packets it has pushed to the emulation. The driver increments it on
      pushing the packet to the emulation and the emulation resets it to 0 at
      the end of the transmit.
      
      There is a possibility of a race either when (a) ESX is under heavy load or
      (b) workload inside VM is of low packet rate.
      
      This race results in xmit hangs when network coalescing is disabled. This
      change creates a local copy of txNumDeferred and uses it to perform ring
      arithmetic.
      Reported-by: NNoriho Tanaka <ntanaka@vmware.com>
      Signed-off-by: NRonak Doshi <doshir@vmware.com>
      Acked-by: NShrikrishna Khare <skhare@vmware.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7a4c003d
    • D
      Merge branch 'tcf_foo_init-NULL-deref' · 78f1b04f
      David S. Miller 提交于
      Davide Caratti says:
      
      ====================
      net/sched: fix NULL dereference in the error path of .init()
      
      with several TC actions it's possible to see NULL pointer dereference,
      when the .init() function calls tcf_idr_alloc(), fails at some point and
      then calls tcf_idr_release(): this series fixes all them introducing
      non-NULL tests in the .cleanup() function.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78f1b04f
    • D
      net/sched: fix NULL dereference on the error path of tcf_skbmod_init() · 2d433610
      Davide Caratti 提交于
      when the following command
      
       # tc action replace action skbmod swap mac index 100
      
      is run for the first time, and tcf_skbmod_init() fails to allocate struct
      tcf_skbmod_params, tcf_skbmod_cleanup() calls kfree_rcu(NULL), thus
      causing the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
       IP: __call_rcu+0x23/0x2b0
       PGD 8000000034057067 P4D 8000000034057067 PUD 74937067 PMD 0
       Oops: 0002 [#1] SMP PTI
       Modules linked in: act_skbmod(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec crct10dif_pclmul mbcache jbd2 crc32_pclmul snd_hda_core ghash_clmulni_intel snd_hwdep pcbc snd_seq snd_seq_device snd_pcm aesni_intel snd_timer crypto_simd glue_helper snd cryptd virtio_balloon joydev soundcore pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_net virtio_blk ata_piix libata crc32c_intel virtio_pci serio_raw virtio_ring virtio i2c_core floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_skbmod]
       CPU: 3 PID: 3144 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__call_rcu+0x23/0x2b0
       RSP: 0018:ffffbd2e403e7798 EFLAGS: 00010246
       RAX: ffffffffc0872080 RBX: ffff981d34bff780 RCX: 00000000ffffffff
       RDX: ffffffff922a5f00 RSI: 0000000000000000 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000021f
       R10: 000000003d003000 R11: 0000000000aaaaaa R12: 0000000000000000
       R13: ffffffff922a5f00 R14: 0000000000000001 R15: ffff981d3b698c2c
       FS:  00007f3678292740(0000) GS:ffff981d3fd80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000008 CR3: 000000007c57a006 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tcf_skbmod_init+0x1d1/0x210 [act_skbmod]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? filemap_map_pages+0x34a/0x3a0
        ? __handle_mm_fault+0xbfd/0xe20
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7f36776a3ba0
       RSP: 002b:00007fff4703b618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007fff4703b740 RCX: 00007f36776a3ba0
       RDX: 0000000000000000 RSI: 00007fff4703b690 RDI: 0000000000000003
       RBP: 000000005aaaba36 R08: 0000000000000002 R09: 0000000000000000
       R10: 00007fff4703b0a0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007fff4703b754 R14: 0000000000000001 R15: 0000000000669f60
       Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
       RIP: __call_rcu+0x23/0x2b0 RSP: ffffbd2e403e7798
       CR2: 0000000000000008
      
      Fix it in tcf_skbmod_cleanup(), ensuring that kfree_rcu(p, ...) is called
      only when p is not NULL.
      
      Fixes: 86da71b5 ("net_sched: Introduce skbmod action")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2d433610
    • D
      net/sched: fix NULL dereference in the error path of tcf_sample_init() · 1f110e7c
      Davide Caratti 提交于
      when the following command
      
       # tc action add action sample rate 100 group 100 index 100
      
      is run for the first time, and psample_group_get(100) fails to create a
      new group, tcf_sample_cleanup() calls psample_group_put(NULL), thus
      causing the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
       IP: psample_group_put+0x15/0x71 [psample]
       PGD 8000000075775067 P4D 8000000075775067 PUD 7453c067 PMD 0
       Oops: 0002 [#1] SMP PTI
       Modules linked in: act_sample(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core mbcache jbd2 crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq ghash_clmulni_intel pcbc snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev pcspkr i2c_piix4 soundcore virtio_balloon nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_net ata_piix virtio_console virtio_blk libata serio_raw crc32c_intel virtio_pci i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_tunnel_key]
       CPU: 2 PID: 5740 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:psample_group_put+0x15/0x71 [psample]
       RSP: 0018:ffffb8a80032f7d0 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000024
       RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffc06d93c0
       RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
       R10: 00000000bd003000 R11: ffff979fba04aa59 R12: 0000000000000000
       R13: 0000000000000000 R14: 0000000000000000 R15: ffff979fbba3f22c
       FS:  00007f7638112740(0000) GS:ffff979fbfd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 000000000000001c CR3: 00000000734ea001 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tcf_sample_init+0x125/0x1d0 [act_sample]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? filemap_map_pages+0x34a/0x3a0
        ? __handle_mm_fault+0xbfd/0xe20
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7f7637523ba0
       RSP: 002b:00007fff0473ef58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007fff0473f080 RCX: 00007f7637523ba0
       RDX: 0000000000000000 RSI: 00007fff0473efd0 RDI: 0000000000000003
       RBP: 000000005aaaac80 R08: 0000000000000002 R09: 0000000000000000
       R10: 00007fff0473e9e0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007fff0473f094 R14: 0000000000000001 R15: 0000000000669f60
       Code: be 02 00 00 00 48 89 df e8 a9 fe ff ff e9 7c ff ff ff 0f 1f 40 00 0f 1f 44 00 00 53 48 89 fb 48 c7 c7 c0 93 6d c0 e8 db 20 8c ef <83> 6b 1c 01 74 10 48 c7 c7 c0 93 6d c0 ff 14 25 e8 83 83 b0 5b
       RIP: psample_group_put+0x15/0x71 [psample] RSP: ffffb8a80032f7d0
       CR2: 000000000000001c
      
      Fix it in tcf_sample_cleanup(), ensuring that calls to psample_group_put(p)
      are done only when p is not NULL.
      
      Fixes: cadb9c9f ("net/sched: act_sample: Fix error path in init")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1f110e7c
    • D
      net/sched: fix NULL dereference in the error path of tunnel_key_init() · abdadd3c
      Davide Caratti 提交于
      when the following command
      
       # tc action add action tunnel_key unset index 100
      
      is run for the first time, and tunnel_key_init() fails to allocate struct
      tcf_tunnel_key_params, tunnel_key_release() dereferences NULL pointers.
      This causes the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
       IP: tunnel_key_release+0xd/0x40 [act_tunnel_key]
       PGD 8000000033787067 P4D 8000000033787067 PUD 74646067 PMD 0
       Oops: 0000 [#1] SMP PTI
       Modules linked in: act_tunnel_key(E) act_csum ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel pcbc snd_hda_codec snd_hda_core snd_hwdep snd_seq aesni_intel snd_seq_device crypto_simd glue_helper snd_pcm cryptd joydev snd_timer pcspkr virtio_balloon snd i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net virtio_blk drm virtio_console crc32c_intel ata_piix serio_raw i2c_core virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
       CPU: 2 PID: 3101 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:tunnel_key_release+0xd/0x40 [act_tunnel_key]
       RSP: 0018:ffffba46803b7768 EFLAGS: 00010286
       RAX: ffffffffc09010a0 RBX: 0000000000000000 RCX: 0000000000000024
       RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99ee336d7480
       RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
       R10: 0000000000000220 R11: ffff99ee79d73131 R12: 0000000000000000
       R13: ffff99ee32d67610 R14: ffff99ee7671dc38 R15: 00000000fffffff4
       FS:  00007febcb2cd740(0000) GS:ffff99ee7fd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000010 CR3: 000000007c8e4005 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tunnel_key_init+0xd9/0x460 [act_tunnel_key]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7febca6deba0
       RSP: 002b:00007ffe7b0dd128 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007ffe7b0dd250 RCX: 00007febca6deba0
       RDX: 0000000000000000 RSI: 00007ffe7b0dd1a0 RDI: 0000000000000003
       RBP: 000000005aaa90cb R08: 0000000000000002 R09: 0000000000000000
       R10: 00007ffe7b0dcba0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007ffe7b0dd264 R14: 0000000000000001 R15: 0000000000669f60
       Code: 44 00 00 8b 0d b5 23 00 00 48 8b 87 48 10 00 00 48 8b 3c c8 e9 a5 e5 d8 c3 0f 1f 44 00 00 0f 1f 44 00 00 53 48 8b 9f b0 00 00 00 <83> 7b 10 01 74 0b 48 89 df 31 f6 5b e9 f2 fa 7f c3 48 8b 7b 18
       RIP: tunnel_key_release+0xd/0x40 [act_tunnel_key] RSP: ffffba46803b7768
       CR2: 0000000000000010
      
      Fix this in tunnel_key_release(), ensuring 'param' is not NULL before
      dereferencing it.
      
      Fixes: d0f6dd8a ("net/sched: Introduce act_tunnel_key")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      abdadd3c
    • D
      net/sched: fix NULL dereference in the error path of tcf_csum_init() · aab378a7
      Davide Caratti 提交于
      when the following command
      
       # tc action add action csum udp continue index 100
      
      is run for the first time, and tcf_csum_init() fails allocating struct
      tcf_csum, tcf_csum_cleanup() calls kfree_rcu(NULL,...). This causes the
      following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
       IP: __call_rcu+0x23/0x2b0
       PGD 80000000740b4067 P4D 80000000740b4067 PUD 32e7f067 PMD 0
       Oops: 0002 [#1] SMP PTI
       Modules linked in: act_csum(E) act_vlan ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer aesni_intel crypto_simd glue_helper cryptd snd joydev pcspkr virtio_balloon i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console ata_piix crc32c_intel libata virtio_pci serio_raw i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_vlan]
       CPU: 2 PID: 5763 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__call_rcu+0x23/0x2b0
       RSP: 0018:ffffb275803e77c0 EFLAGS: 00010246
       RAX: ffffffffc057b080 RBX: ffff9674bc6f5240 RCX: 00000000ffffffff
       RDX: ffffffff928a5f00 RSI: 0000000000000008 RDI: 0000000000000008
       RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000044
       R10: 0000000000000220 R11: ffff9674b9ab4821 R12: 0000000000000000
       R13: ffffffff928a5f00 R14: 0000000000000000 R15: 0000000000000001
       FS:  00007fa6368d8740(0000) GS:ffff9674bfd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000010 CR3: 0000000073dec001 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tcf_csum_init+0xfb/0x180 [act_csum]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? filemap_map_pages+0x34a/0x3a0
        ? __handle_mm_fault+0xbfd/0xe20
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7fa635ce9ba0
       RSP: 002b:00007ffc185b0fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007ffc185b10f0 RCX: 00007fa635ce9ba0
       RDX: 0000000000000000 RSI: 00007ffc185b1040 RDI: 0000000000000003
       RBP: 000000005aaa85e0 R08: 0000000000000002 R09: 0000000000000000
       R10: 00007ffc185b0a20 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007ffc185b1104 R14: 0000000000000001 R15: 0000000000669f60
       Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
       RIP: __call_rcu+0x23/0x2b0 RSP: ffffb275803e77c0
       CR2: 0000000000000010
      
      fix this in tcf_csum_cleanup(), ensuring that kfree_rcu(param, ...) is
      called only when param is not NULL.
      
      Fixes: 9c5f69bb ("net/sched: act_csum: don't use spinlock in the fast path")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aab378a7
    • D
      net/sched: fix NULL dereference in the error path of tcf_vlan_init() · 1edf8abe
      Davide Caratti 提交于
      when the following command
      
       # tc actions replace action vlan pop index 100
      
      is run for the first time, and tcf_vlan_init() fails allocating struct
      tcf_vlan_params, tcf_vlan_cleanup() calls kfree_rcu(NULL, ...). This causes
      the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
       IP: __call_rcu+0x23/0x2b0
       PGD 80000000760a2067 P4D 80000000760a2067 PUD 742c1067 PMD 0
       Oops: 0002 [#1] SMP PTI
       Modules linked in: act_vlan(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel mbcache snd_hda_codec jbd2 snd_hda_core crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev soundcore virtio_balloon pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_blk virtio_net ata_piix crc32c_intel libata virtio_pci i2c_core virtio_ring serio_raw virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_vlan]
       CPU: 3 PID: 3119 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__call_rcu+0x23/0x2b0
       RSP: 0018:ffffaac3005fb798 EFLAGS: 00010246
       RAX: ffffffffc0704080 RBX: ffff97f2b4bbe900 RCX: 00000000ffffffff
       RDX: ffffffffabca5f00 RSI: 0000000000000010 RDI: 0000000000000010
       RBP: 0000000000000010 R08: 0000000000000001 R09: 0000000000000044
       R10: 00000000fd003000 R11: ffff97f2faab5b91 R12: 0000000000000000
       R13: ffffffffabca5f00 R14: ffff97f2fb80202c R15: 00000000fffffff4
       FS:  00007f68f75b4740(0000) GS:ffff97f2ffd80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000018 CR3: 0000000072b52001 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tcf_vlan_init+0x168/0x270 [act_vlan]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? filemap_map_pages+0x34a/0x3a0
        ? __handle_mm_fault+0xbfd/0xe20
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7f68f69c5ba0
       RSP: 002b:00007fffd79c1118 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007fffd79c1240 RCX: 00007f68f69c5ba0
       RDX: 0000000000000000 RSI: 00007fffd79c1190 RDI: 0000000000000003
       RBP: 000000005aaa708e R08: 0000000000000002 R09: 0000000000000000
       R10: 00007fffd79c0ba0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007fffd79c1254 R14: 0000000000000001 R15: 0000000000669f60
       Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
       RIP: __call_rcu+0x23/0x2b0 RSP: ffffaac3005fb798
       CR2: 0000000000000018
      
      fix this in tcf_vlan_cleanup(), ensuring that kfree_rcu(p, ...) is called
      only when p is not NULL.
      
      Fixes: 4c5b9d96 ("act_vlan: VLAN action rewrite to use RCU lock/unlock and update")
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Acked-by: NManish Kurup <manish.kurup@verizon.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1edf8abe