1. 04 6月, 2019 28 次提交
    • M
      compiler.h: give up __compiletime_assert_fallback() · 75332872
      Masahiro Yamada 提交于
      commit 81b45683487a51b0f4d3b29d37f20d6d078544e4 upstream.
      
      __compiletime_assert_fallback() is supposed to stop building earlier
      by using the negative-array-size method in case the compiler does not
      support "error" attribute, but has never worked like that.
      
      You can simply try:
      
          BUILD_BUG_ON(1);
      
      GCC immediately terminates the build, but Clang does not report
      anything because Clang does not support the "error" attribute now.
      It will later fail at link time, but __compiletime_assert_fallback()
      is not working at least.
      
      The root cause is commit 1d6a0d19 ("bug.h: prevent double evaluation
      of `condition' in BUILD_BUG_ON").  Prior to that commit, BUILD_BUG_ON()
      was checked by the negative-array-size method *and* the link-time trick.
      Since that commit, the negative-array-size is not effective because
      '__cond' is no longer constant.  As the comment in <linux/build_bug.h>
      says, GCC (and Clang as well) only emits the error for obvious cases.
      
      When '__cond' is a variable,
      
          ((void)sizeof(char[1 - 2 * __cond]))
      
      ... is not obvious for the compiler to know the array size is negative.
      
      Reverting that commit would break BUILD_BUG() because negative-size-array
      is evaluated before the code is optimized out.
      
      Let's give up __compiletime_assert_fallback().  This commit does not
      change the current behavior since it just rips off the useless code.
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Reviewed-by: NKees Cook <keescook@chromium.org>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      75332872
    • N
      include/linux/compiler*.h: define asm_volatile_goto · fd45cd45
      ndesaulniers@google.com 提交于
      commit 8bd66d147c88bd441178c7b4c774ae5a185f19b8 upstream.
      
      asm_volatile_goto should also be defined for other compilers that support
      asm goto.
      
      Fixes commit 815f0ddb ("include/linux/compiler*.h: make compiler-*.h
      mutually exclusive").
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NMiguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd45cd45
    • D
      crypto: vmx - ghash: do nosimd fallback manually · 2bb9c7e4
      Daniel Axtens 提交于
      commit 357d065a44cdd77ed5ff35155a989f2a763e96ef upstream.
      
      VMX ghash was using a fallback that did not support interleaving simd
      and nosimd operations, leading to failures in the extended test suite.
      
      If I understood correctly, Eric's suggestion was to use the same
      data format that the generic code uses, allowing us to call into it
      with the same contexts. I wasn't able to get that to work - I think
      there's a very different key structure and data layout being used.
      
      So instead steal the arm64 approach and perform the fallback
      operations directly if required.
      
      Fixes: cc333cd6 ("crypto: vmx - Adding GHASH routines for VMX module")
      Cc: stable@vger.kernel.org # v4.1+
      Reported-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NDaniel Axtens <dja@axtens.net>
      Acked-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDaniel Axtens <dja@axtens.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2bb9c7e4
    • J
      net/tls: don't ignore netdev notifications if no TLS features · fb6cf4f3
      Jakub Kicinski 提交于
      [ Upstream commit c3f4a6c39cf269a40d45f813c05fa830318ad875 ]
      
      On device surprise removal path (the notifier) we can't
      bail just because the features are disabled.  They may
      have been enabled during the lifetime of the device.
      This bug leads to leaking netdev references and
      use-after-frees if there are active connections while
      device features are cleared.
      
      Fixes: e8f69799 ("net/tls: Add generic NIC offload infrastructure")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb6cf4f3
    • J
      net/tls: fix state removal with feature flags off · fb69403e
      Jakub Kicinski 提交于
      [ Upstream commit 3686637e507b48525fcea6fb91e1988bdbc14530 ]
      
      TLS offload drivers shouldn't (and currently don't) block
      the TLS offload feature changes based on whether there are
      active offloaded connections or not.
      
      This seems to be a good idea, because we want the admin to
      be able to disable the TLS offload at any time, and there
      is no clean way of disabling it for active connections
      (TX side is quite problematic).  So if features are cleared
      existing connections will stay offloaded until they close,
      and new connections will not attempt offload to a given
      device.
      
      However, the offload state removal handling is currently
      broken if feature flags get cleared while there are
      active TLS offloads.
      
      RX side will completely bail from cleanup, even on normal
      remove path, leaving device state dangling, potentially
      causing issues when the 5-tuple is reused.  It will also
      fail to release the netdev reference.
      
      Remove the RX-side warning message, in next release cycle
      it should be printed when features are disabled, rather
      than when connection dies, but for that we need a more
      efficient method of finding connection of a given netdev
      (a'la BPF offload code).
      
      Fixes: 4799ac81 ("tls: Add rx inline crypto offload")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb69403e
    • M
      bnxt_en: Fix aggregation buffer leak under OOM condition. · 27d8ad1d
      Michael Chan 提交于
      [ Upstream commit 296d5b54163964b7ae536b8b57dfbd21d4e868e1 ]
      
      For every RX packet, the driver replenishes all buffers used for that
      packet and puts them back into the RX ring and RX aggregation ring.
      In one code path where the RX packet has one RX buffer and one or more
      aggregation buffers, we missed recycling the aggregation buffer(s) if
      we are unable to allocate a new SKB buffer.  This leads to the
      aggregation ring slowly running out of buffers over time.  Fix it
      by properly recycling the aggregation buffers.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Reported-by: NRakesh Hemnani <rhemnani@fb.com>
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27d8ad1d
    • W
      net: stmmac: dma channel control register need to be init first · a1a926fc
      Weifeng Voon 提交于
      stmmac_init_chan() needs to be called before stmmac_init_rx_chan() and
      stmmac_init_tx_chan(). This is because if PBLx8 is to be used,
      "DMA_CH(#i)_Control.PBLx8" needs to be set before programming
      "DMA_CH(#i)_TX_Control.TxPBL" and "DMA_CH(#i)_RX_Control.RxPBL".
      
      Fixes: 47f2a9ce ("net: stmmac: dma channel init prepared for multiple queues")
      Reviewed-by: NZhang, Baoli <baoli.zhang@intel.com>
      Signed-off-by: NOng Boon Leong <boon.leong.ong@intel.com>
      Signed-off-by: NWeifeng Voon <weifeng.voon@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1a926fc
    • S
      net/mlx5e: Disable rxhash when CQE compress is enabled · 1db0bcc2
      Saeed Mahameed 提交于
      [ Upstream commit c0194e2d0ef0e5ce5e21a35640d23a706827ae28 ]
      
      When CQE compression is enabled (Multi-host systems), compressed CQEs
      might arrive to the driver rx, compressed CQEs don't have a valid hash
      offload and the driver already reports a hash value of 0 and invalid hash
      type on the skb for compressed CQEs, but this is not good enough.
      
      On a congested PCIe, where CQE compression will kick in aggressively,
      gro will deliver lots of out of order packets due to the invalid hash
      and this might cause a serious performance drop.
      
      The only valid solution, is to disable rxhash offload at all when CQE
      compression is favorable (Multi-host systems).
      
      Fixes: 7219ab34 ("net/mlx5e: CQE compression")
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1db0bcc2
    • P
      net/mlx5: Allocate root ns memory using kzalloc to match kfree · e0d95806
      Parav Pandit 提交于
      [ Upstream commit 25fa506b70cadb580c1e9cbd836d6417276d4bcd ]
      
      root ns is yet another fs core node which is freed using kfree() by
      tree_put_node().
      Rest of the other fs core objects are also allocated using kmalloc
      variants.
      
      However, root ns memory is allocated using kvzalloc().
      Hence allocate root ns memory using kzalloc().
      
      Fixes: 25302363 ("net/mlx5_core: Flow steering tree initialization")
      Signed-off-by: NParav Pandit <parav@mellanox.com>
      Reviewed-by: NDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: NMark Bloch <markb@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0d95806
    • C
      tipc: Avoid copying bytes beyond the supplied data · 4421d317
      Chris Packham 提交于
      TLV_SET is called with a data pointer and a len parameter that tells us
      how many bytes are pointed to by data. When invoking memcpy() we need
      to careful to only copy len bytes.
      
      Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
      4 bytes past the end of the data pointer which newer GCC versions
      complain about.
      
       In file included from test.c:17:
       In function 'TLV_SET',
           inlined from 'test' at test.c:186:5:
       /usr/include/linux/tipc_config.h:317:3:
       warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
       of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
           memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       test.c: In function 'test':
       test.c::161:10: note:
       'bearer_name' declared here
           char bearer_name[TIPC_MAX_BEARER_NAME];
                ^~~~~~~~~~~
      
      We still want to ensure any padding bytes at the end are initialised, do
      this with a explicit memset() rather than copy bytes past the end of
      data. Apply the same logic to TCM_SET.
      Signed-off-by: NChris Packham <chris.packham@alliedtelesis.co.nz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4421d317
    • P
      net/mlx5: Avoid double free in fs init error unwinding path · 06442f45
      Parav Pandit 提交于
      [ Upstream commit 9414277a5df3669c67e818708c0f881597e0118e ]
      
      In below code flow, for ingress acl table root ns memory leads
      to double free.
      
      mlx5_init_fs
        init_ingress_acls_root_ns()
          init_ingress_acl_root_ns
             kfree(steering->esw_ingress_root_ns);
             /* steering->esw_ingress_root_ns is not marked NULL */
        mlx5_cleanup_fs
          cleanup_ingress_acls_root_ns
             steering->esw_ingress_root_ns non NULL check passes.
             kfree(steering->esw_ingress_root_ns);
             /* double free */
      
      Similar issue exist for other tables.
      
      Hence zero out the pointers to not process the table again.
      
      Fixes: 9b93ab98 ("net/mlx5: Separate ingress/egress namespaces for each vport")
      Fixes: 40c3eebb49e51 ("net/mlx5: Add support in RDMA RX steering")
      Signed-off-by: NParav Pandit <parav@mellanox.com>
      Reviewed-by: NMark Bloch <markb@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      06442f45
    • K
      usbnet: fix kernel crash after disconnect · fb836d01
      Kloetzke Jan 提交于
      [ Upstream commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d ]
      
      When disconnecting cdc_ncm the kernel sporadically crashes shortly
      after the disconnect:
      
        [   57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000
        ...
        [   58.006653] PC is at 0x0
        [   58.009202] LR is at call_timer_fn+0xec/0x1b4
        [   58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145
        [   58.020976] sp : ffffff8008003da0
        [   58.024295] x29: ffffff8008003da0 x28: 0000000000000001
        [   58.029618] x27: 000000000000000a x26: 0000000000000100
        [   58.034941] x25: 0000000000000000 x24: ffffff8008003e68
        [   58.040263] x23: 0000000000000000 x22: 0000000000000000
        [   58.045587] x21: 0000000000000000 x20: ffffffc68fac1808
        [   58.050910] x19: 0000000000000100 x18: 0000000000000000
        [   58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10
        [   58.061556] x15: 0000000000000001 x14: 000000000000006e
        [   58.066878] x13: 0000000000000000 x12: 00000000000000ba
        [   58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020
        [   58.077524] x9 : 8000100008001000 x8 : 0000000000000001
        [   58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70
        [   58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b
        [   58.093492] x3 : 0000000000000000 x2 : 0000000000000000
        [   58.098814] x1 : 0000000000000000 x0 : 0000000000000000
        ...
        [   58.205800] [<          (null)>]           (null)
        [   58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c
        [   58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128
        [   58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348
        [   58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc
        [   58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac
        [   58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac
        ...
      
      The crash happens roughly 125..130ms after the disconnect. This
      correlates with the 'delay' timer that is started on certain USB tx/rx
      errors in the URB completion handler.
      
      The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
      usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
      flight. This only makes sense if no new URBs are submitted
      concurrently, though. But the usbnet_start_xmit() can run at the same
      time on another CPU which almost unconditionally submits an URB. The
      error callback of the new URB will then schedule the timer after it was
      already stopped.
      
      The fix adds a check if the tx queue is stopped after the tx list lock
      has been taken. This should reliably prevent the submission of new URBs
      while usbnet_terminate_urbs() does its job. The same thing is done on
      the rx side even though it might be safe due to other flags that are
      checked there.
      Signed-off-by: NJan Klötzke <Jan.Kloetzke@preh.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb836d01
    • J
      net: stmmac: fix reset gpio free missing · 19198981
      Jisheng Zhang 提交于
      [ Upstream commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 ]
      
      Commit 984203ce ("net: stmmac: mdio: remove reset gpio free")
      removed the reset gpio free, when the driver is unbinded or rmmod,
      we miss the gpio free.
      
      This patch uses managed API to request the reset gpio, so that the
      gpio could be freed properly.
      
      Fixes: 984203ce ("net: stmmac: mdio: remove reset gpio free")
      Signed-off-by: NJisheng Zhang <Jisheng.Zhang@synaptics.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19198981
    • V
      net: sched: don't use tc_action->order during action dump · 6ab96847
      Vlad Buslov 提交于
      [ Upstream commit 4097e9d250fb17958c1d9b94538386edd3f20144 ]
      
      Function tcf_action_dump() relies on tc_action->order field when starting
      nested nla to send action data to userspace. This approach breaks in
      several cases:
      
      - When multiple filters point to same shared action, tc_action->order field
        is overwritten each time it is attached to filter. This causes filter
        dump to output action with incorrect attribute for all filters that have
        the action in different position (different order) from the last set
        tc_action->order value.
      
      - When action data is displayed using tc action API (RTM_GETACTION), action
        order is overwritten by tca_action_gd() according to its position in
        resulting array of nl attributes, which will break filter dump for all
        filters attached to that shared action that expect it to have different
        order value.
      
      Don't rely on tc_action->order when dumping actions. Set nla according to
      action position in resulting array of actions instead.
      Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ab96847
    • R
      net: phy: marvell10g: report if the PHY fails to boot firmware · 33f737a4
      Russell King 提交于
      [ Upstream commit 3d3ced2ec5d71b99d72ae6910fbdf890bc2eccf0 ]
      
      Some boards do not have the PHY firmware programmed in the 3310's flash,
      which leads to the PHY not working as expected.  Warn the user when the
      PHY fails to boot the firmware and refuse to initialise.
      
      Fixes: 20b2af32 ("net: phy: add Marvell Alaska X 88X3310 10Gigabit PHY support")
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Tested-by: NMaxime Chevallier <maxime.chevallier@bootlin.com>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      33f737a4
    • A
      net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value · c2d4b2fe
      Antoine Tenart 提交于
      [ Upstream commit 21808437214637952b61beaba6034d97880fbeb3 ]
      
      MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but
      the current code is passing the global tx queue offset, so it ends
      up writing to unknown registers (between 0x8280 and 0x82fc, which
      seemed to be unused by the hardware). This fixes the issue by using
      the logical queue id instead.
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Signed-off-by: NAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c2d4b2fe
    • J
      net: mvneta: Fix err code path of probe · de9d6a73
      Jisheng Zhang 提交于
      [ Upstream commit d484e06e25ebb937d841dac02ac1fe76ec7d4ddd ]
      
      Fix below issues in err code path of probe:
      1. we don't need to unregister_netdev() because the netdev isn't
      registered.
      2. when register_netdev() fails, we also need to destroy bm pool for
      HWBM case.
      
      Fixes: dc35a10f ("net: mvneta: bm: add support for hardware buffer management")
      Signed-off-by: NJisheng Zhang <Jisheng.Zhang@synaptics.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      de9d6a73
    • E
      net-gro: fix use-after-free read in napi_gro_frags() · 39fd0dc4
      Eric Dumazet 提交于
      [ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ]
      
      If a network driver provides to napi_gro_frags() an
      skb with a page fragment of exactly 14 bytes, the call
      to gro_pull_from_frag0() will 'consume' the fragment
      by calling skb_frag_unref(skb, 0), and the page might
      be freed and reused.
      
      Reading eth->h_proto at the end of napi_frags_skb() might
      read mangled data, or crash under specific debugging features.
      
      BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
      BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
      Read of size 2 at addr ffff88809366840c by task syz-executor599/8957
      
      CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
       __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       kasan_report+0x12/0x20 mm/kasan/common.c:614
       __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
       napi_frags_skb net/core/dev.c:5833 [inline]
       napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
       tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
       tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
       call_write_iter include/linux/fs.h:1872 [inline]
       do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
       do_iter_write fs/read_write.c:970 [inline]
       do_iter_write+0x184/0x610 fs/read_write.c:951
       vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
       do_writev+0x15b/0x330 fs/read_write.c:1058
      
      Fixes: a50e233c ("net-gro: restore frag0 optimization")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39fd0dc4
    • A
      net: fec: fix the clk mismatch in failed_reset path · 4294c347
      Andy Duan 提交于
      [ Upstream commit ce8d24f9a5965a58c588f9342689702a1024433c ]
      
      Fix the clk mismatch in the error path "failed_reset" because
      below error path will disable clk_ahb and clk_ipg directly, it
      should use pm_runtime_put_noidle() instead of pm_runtime_put()
      to avoid to call runtime resume callback.
      Reported-by: NBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: NFugang Duan <fugang.duan@nxp.com>
      Tested-by: NBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4294c347
    • R
      net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT · 566dc17b
      Rasmus Villemoes 提交于
      [ Upstream commit 84b3fd1fc9592d431e23b077e692fa4e3fd0f086 ]
      
      Currently, the upper half of a 4-byte STATS_TYPE_PORT statistic ends
      up in bits 47:32 of the return value, instead of bits 31:16 as they
      should.
      
      Fixes: 6e46e2d821bb ("net: dsa: mv88e6xxx: Fix u64 statistics")
      Signed-off-by: NRasmus Villemoes <rasmus.villemoes@prevas.dk>
      Reviewed-by: NVivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      566dc17b
    • E
      llc: fix skb leak in llc_build_and_send_ui_pkt() · 2d04f32c
      Eric Dumazet 提交于
      [ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]
      
      If llc_mac_hdr_init() returns an error, we must drop the skb
      since no llc_build_and_send_ui_pkt() caller will take care of this.
      
      BUG: memory leak
      unreferenced object 0xffff8881202b6800 (size 2048):
        comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
        backtrace:
          [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
          [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
          [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
          [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
          [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
          [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
          [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
          [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
          [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
          [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
          [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
          [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
          [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
          [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
          [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
          [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
          [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
          [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      BUG: memory leak
      unreferenced object 0xffff88811d750d00 (size 224):
        comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
        backtrace:
          [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
          [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
          [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
          [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
          [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
          [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
          [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
          [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
          [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
          [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
          [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
          [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
          [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
          [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
          [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
          [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
          [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
          [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d04f32c
    • D
      ipv6: Fix redirect with VRF · 44217666
      David Ahern 提交于
      [ Upstream commit 31680ac265802397937d75461a2809a067b9fb93 ]
      
      IPv6 redirect is broken for VRF. __ip6_route_redirect walks the FIB
      entries looking for an exact match on ifindex. With VRF the flowi6_oif
      is updated by l3mdev_update_flow to the l3mdev index and the
      FLOWI_FLAG_SKIP_NH_OIF set in the flags to tell the lookup to skip the
      device match. For redirects the device match is requires so use that
      flag to know when the oif needs to be reset to the skb device index.
      
      Fixes: ca254490 ("net: Add VRF support to IPv6 stack")
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44217666
    • M
      ipv6: Consider sk_bound_dev_if when binding a raw socket to an address · ed753b39
      Mike Manning 提交于
      [ Upstream commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f ]
      
      IPv6 does not consider if the socket is bound to a device when binding
      to an address. The result is that a socket can be bound to eth0 and
      then bound to the address of eth1. If the device is a VRF, the result
      is that a socket can only be bound to an address in the default VRF.
      
      Resolve by considering the device if sk_bound_dev_if is set.
      Signed-off-by: NMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: NDavid Ahern <dsahern@gmail.com>
      Tested-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed753b39
    • E
      ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST · 46702dd5
      Eric Dumazet 提交于
      [ Upstream commit 903869bd10e6719b9df6718e785be7ec725df59f ]
      
      ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST
      
      Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46702dd5
    • E
      ipv4/igmp: fix another memory leak in igmpv3_del_delrec() · e9f94e48
      Eric Dumazet 提交于
      [ Upstream commit 3580d04aa674383c42de7b635d28e52a1e5bc72c ]
      
      syzbot reported memory leaks [1] that I have back tracked to
      a missing cleanup from igmpv3_del_delrec() when
      (im->sfmode != MCAST_INCLUDE)
      
      Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely
      handle the cleanups before freeing.
      
      [1]
      
      BUG: memory leak
      unreferenced object 0xffff888123e32b00 (size 64):
        comm "softirq", pid 0, jiffies 4294942968 (age 8.010s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
          [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline]
          [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline]
          [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
          [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline]
          [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline]
          [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline]
          [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085
          [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475
          [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957
          [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246
          [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
          [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
          [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078
          [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline]
          [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline]
          [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
          [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
          [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 9c8bb163 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Hangbin Liu <liuhangbin@gmail.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e9f94e48
    • E
      inet: switch IP ID generator to siphash · 07480da0
      Eric Dumazet 提交于
      [ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ]
      
      According to Amit Klein and Benny Pinkas, IP ID generation is too weak
      and might be used by attackers.
      
      Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
      having 64bit key and Jenkins hash is risky.
      
      It is time to switch to siphash and its 128bit keys.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAmit Klein <aksecurity@gmail.com>
      Reported-by: NBenny Pinkas <benny@pinkas.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07480da0
    • R
      cxgb4: offload VLAN flows regardless of VLAN ethtype · 9c9144e7
      Raju Rangoju 提交于
      [ Upstream commit b5730061d1056abf317caea823b94d6e12b5b4f6 ]
      
      VLAN flows never get offloaded unless ivlan_vld is set in filter spec.
      It's not compulsory for vlan_ethtype to be set.
      
      So, always enable ivlan_vld bit for offloading VLAN flows regardless of
      vlan_ethtype is set or not.
      
      Fixes: ad9af3e0 (cxgb4: add tc flower match support for vlan)
      Signed-off-by: NRaju Rangoju <rajur@chelsio.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9c9144e7
    • J
      bonding/802.3ad: fix slave link initialization transition states · 3cde0a25
      Jarod Wilson 提交于
      [ Upstream commit 334031219a84b9994594015aab85ed7754c80176 ]
      
      Once in a while, with just the right timing, 802.3ad slaves will fail to
      properly initialize, winding up in a weird state, with a partner system
      mac address of 00:00:00:00:00:00. This started happening after a fix to
      properly track link_failure_count tracking, where an 802.3ad slave that
      reported itself as link up in the miimon code, but wasn't able to get a
      valid speed/duplex, started getting set to BOND_LINK_FAIL instead of
      BOND_LINK_DOWN. That was the proper thing to do for the general "my link
      went down" case, but has created a link initialization race that can put
      the interface in this odd state.
      
      The simple fix is to instead set the slave link to BOND_LINK_DOWN again,
      if the link has never been up (last_link_up == 0), so the link state
      doesn't bounce from BOND_LINK_DOWN to BOND_LINK_FAIL -- it hasn't failed
      in this case, it simply hasn't been up yet, and this prevents the
      unnecessary state change from DOWN to FAIL and getting stuck in an init
      failure w/o a partner mac.
      
      Fixes: ea53abfab960 ("bonding/802.3ad: fix link_failure_count tracking")
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: netdev@vger.kernel.org
      Tested-by: NHeesoon Kim <Heesoon.Kim@stratus.com>
      Signed-off-by: NJarod Wilson <jarod@redhat.com>
      Acked-by: NJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cde0a25
  2. 31 5月, 2019 12 次提交