1. 17 4月, 2019 40 次提交
    • E
      ACPICA: Namespace: remove address node from global list after method termination · d4b4aeea
      Erik Schmauss 提交于
      commit c5781ffbbd4f742a58263458145fe7f0ac01d9e0 upstream.
      
      ACPICA commit b233720031a480abd438f2e9c643080929d144c3
      
      ASL operation_regions declare a range of addresses that it uses. In a
      perfect world, the range of addresses should be used exclusively by
      the AML interpreter. The OS can use this information to decide which
      drivers to load so that the AML interpreter and device drivers use
      different regions of memory.
      
      During table load, the address information is added to a global
      address range list. Each node in this list contains an address range
      as well as a namespace node of the operation_region. This list is
      deleted at ACPI shutdown.
      
      Unfortunately, ASL operation_regions can be declared inside of control
      methods. Although this is not recommended, modern firmware contains
      such code. New module level code changes unintentionally removed the
      functionality of adding and removing nodes to the global address
      range list.
      
      A few months ago, support for adding addresses has been re-
      implemented. However, the removal of the address range list was
      missed and resulted in some systems to crash due to the address list
      containing bogus namespace nodes from operation_regions declared in
      control methods. In order to fix the crash, this change removes
      dynamic operation_regions after control method termination.
      
      Link: https://github.com/acpica/acpica/commit/b2337200
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475
      Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization")
      Reported-by: NMichael J Gruber <mjg@fedoraproject.org>
      Signed-off-by: NErik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: NBob Moore <robert.moore@intel.com>
      Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4b4aeea
    • F
      ACPICA: Clear status of GPEs before enabling them · ed52b07b
      Furquan Shaikh 提交于
      commit c8b1917c8987a6fa3695d479b4d60fbbbc3e537b upstream.
      
      Commit 18996f2d ("ACPICA: Events: Stop unconditionally clearing
      ACPI IRQs during suspend/resume") was added to stop clearing event
      status bits unconditionally in the system-wide suspend and resume
      paths. This was done because of an issue with a laptop lid appaering
      to be closed even when it was used to wake up the system from suspend
      (see https://bugzilla.kernel.org/show_bug.cgi?id=196249), which
      happened because event status bits were cleared unconditionally on
      system resume. Though this change fixed the issue in the resume path,
      it introduced regressions in a few suspend paths.
      
      First regression was reported and fixed in the S5 entry path by commit
      fa85015c ("ACPICA: Clear status of all events when entering S5").
      Next regression was reported and fixed for all legacy sleep paths by
      commit f317c7dc ("ACPICA: Clear status of all events when entering
      sleep states").  However, there still is a suspend-to-idle regression,
      since suspend-to-idle does not follow the legacy sleep paths.
      
      In the suspend-to-idle case, wakeup is enabled as part of device
      suspend.  If the status bits of wakeup GPEs are set when they are
      enabled, it causes a premature system wakeup to occur.
      
      To address that problem, partially revert commit 18996f2d to
      restore GPE status bits clearing before the GPE is enabled in
      acpi_ev_enable_gpe().
      
      Fixes: 18996f2d ("ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume")
      Signed-off-by: NFurquan Shaikh <furquan@google.com>
      Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
      [ rjw: Subject & changelog ]
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed52b07b
    • A
      hwmon: (w83773g) Select REGMAP_I2C to fix build error · 37000402
      Axel Lin 提交于
      commit a165dcc923ada2ffdee1d4f41f12f81b66d04c55 upstream.
      
      Select REGMAP_I2C to avoid below build error:
      ERROR: "__devm_regmap_init_i2c" [drivers/hwmon/w83773g.ko] undefined!
      
      Fixes: ee249f27 ("hwmon: Add W83773G driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: NAxel Lin <axel.lin@ingics.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37000402
    • G
      tty: ldisc: add sysctl to prevent autoloading of ldiscs · 4ebab60d
      Greg Kroah-Hartman 提交于
      commit 7c0cca7c847e6e019d67b7d793efbbe3b947d004 upstream.
      
      By default, the kernel will automatically load the module of any line
      dicipline that is asked for.  As this sometimes isn't the safest thing
      to do, provide a sysctl to disable this feature.
      
      By default, we set this to 'y' as that is the historical way that Linux
      has worked, and we do not want to break working systems.  But in the
      future, perhaps this can default to 'n' to prevent this functionality.
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ebab60d
    • G
      tty: mark Siemens R3964 line discipline as BROKEN · 894dc849
      Greg Kroah-Hartman 提交于
      commit c7084edc3f6d67750f50d4183134c4fb5712a5c8 upstream.
      
      The n_r3964 line discipline driver was written in a different time, when
      SMP machines were rare, and users were trusted to do the right thing.
      Since then, the world has moved on but not this code, it has stayed
      rooted in the past with its lovely hand-crafted list structures and
      loads of "interesting" race conditions all over the place.
      
      After attempting to clean up most of the issues, I just gave up and am
      now marking the driver as BROKEN so that hopefully someone who has this
      hardware will show up out of the woodwork (I know you are out there!)
      and will help with debugging a raft of changes that I had laying around
      for the code, but was too afraid to commit as odds are they would break
      things.
      
      Many thanks to Jann and Linus for pointing out the initial problems in
      this codebase, as well as many reviews of my attempts to fix the issues.
      It was a case of whack-a-mole, and as you can see, the mole won.
      Reported-by: NJann Horn <jannh@google.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      894dc849
    • Y
      arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region · 902eaef7
      Yueyi Li 提交于
      [ Upstream commit c8a43c18a97845e7f94ed7d181c11f41964976a2 ]
      
      When KASLR is enabled (CONFIG_RANDOMIZE_BASE=y), the top 4K of kernel
      virtual address space may be mapped to physical addresses despite being
      reserved for ERR_PTR values.
      
      Fix the randomization of the linear region so that we avoid mapping the
      last page of the virtual address space.
      
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Nliyueyi <liyueyi@live.com>
      [will: rewrote commit message; merged in suggestion from Ard]
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin (Microsoft) <sashal@kernel.org>
      902eaef7
    • F
      netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too · 40177a79
      Florian Westphal 提交于
      commit 89259088c1b7fecb43e8e245dc931909132a4e03 upstream
      
      syzbot was able to trigger the WARN in cttimeout_default_get() by
      passing UDPLITE as l4protocol.  Alias UDPLITE to UDP, both use
      same timeout values.
      
      Furthermore, also fetch GRE timeouts.  GRE is a bit more complicated,
      as it still can be a module and its netns_proto_gre struct layout isn't
      visible outside of the gre module. Can't move timeouts around, it
      appears conntrack sysctl unregister assumes net_generic() returns
      nf_proto_net, so we get crash. Expose layout of netns_proto_gre instead.
      
      A followup nf-next patch could make gre tracker be built-in as well
      if needed, its not that large.
      
      Last, make the WARN() mention the missing protocol value in case
      anything else is missing.
      
      Reported-by: syzbot+2fae8fa157dd92618cae@syzkaller.appspotmail.com
      Fixes: 8866df9264a3 ("netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NZubin Mithra <zsm@chromium.org>
      Signed-off-by: NSasha Levin (Microsoft) <sashal@kernel.org>
      40177a79
    • P
      netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr · c2d27b33
      Pablo Neira Ayuso 提交于
      commit 8866df9264a34e675b4ee8a151db819b87cce2d3 upstream
      
      Otherwise, we hit a NULL pointer deference since handlers always assume
      default timeout policy is passed.
      
        netlink: 24 bytes leftover after parsing attributes in process `syz-executor2'.
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] PREEMPT SMP KASAN
        CPU: 0 PID: 9575 Comm: syz-executor1 Not tainted 4.19.0+ #312
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
        RIP: 0010:icmp_timeout_obj_to_nlattr+0x77/0x170 net/netfilter/nf_conntrack_proto_icmp.c:297
      
      Fixes: c779e849 ("netfilter: conntrack: remove get_timeout() indirection")
      Reported-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NZubin Mithra <zsm@chromium.org>
      Signed-off-by: NSasha Levin (Microsoft) <sashal@kernel.org>
      c2d27b33
    • N
      Revert "clk: meson: clean-up clock registration" · 564f0391
      Neil Armstrong 提交于
      This reverts commit c8e4f840.
      
      This patch was not initially a fix and is dependent on other
      changes which are not fixes eithers.
      
      With this change, multiple Amlogic based boards fails to boot,
      as reported by kernelci.
      
      Cc: stable@vger.kernel.org # 4.19.34
      Signed-off-by: NNeil Armstrong <narmstrong@baylibre.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      564f0391
    • N
      lib/string.c: implement a basic bcmp · 3412671a
      Nick Desaulniers 提交于
      [ Upstream commit 5f074f3e192f10c9fade898b9b3b8812e3d83342 ]
      
      A recent optimization in Clang (r355672) lowers comparisons of the
      return value of memcmp against zero to comparisons of the return value
      of bcmp against zero.  This helps some platforms that implement bcmp
      more efficiently than memcmp.  glibc simply aliases bcmp to memcmp, but
      an optimized implementation is in the works.
      
      This results in linkage failures for all targets with Clang due to the
      undefined symbol.  For now, just implement bcmp as a tailcail to memcmp
      to unbreak the build.  This routine can be further optimized in the
      future.
      
      Other ideas discussed:
      
       * A weak alias was discussed, but breaks for architectures that define
         their own implementations of memcmp since aliases to declarations are
         not permitted (only definitions). Arch-specific memcmp
         implementations typically declare memcmp in C headers, but implement
         them in assembly.
      
       * -ffreestanding also is used sporadically throughout the kernel.
      
       * -fno-builtin-bcmp doesn't work when doing LTO.
      
      Link: https://bugs.llvm.org/show_bug.cgi?id=41035
      Link: https://code.woboq.org/userspace/glibc/string/memcmp.c.html#bcmp
      Link: https://github.com/llvm/llvm-project/commit/8e16d73346f8091461319a7dfc4ddd18eedcff13
      Link: https://github.com/ClangBuiltLinux/linux/issues/416
      Link: http://lkml.kernel.org/r/20190313211335.165605-1-ndesaulniers@google.comSigned-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Reported-by: NNathan Chancellor <natechancellor@gmail.com>
      Reported-by: NAdhemerval Zanella <adhemerval.zanella@linaro.org>
      Suggested-by: NArnd Bergmann <arnd@arndb.de>
      Suggested-by: NJames Y Knight <jyknight@google.com>
      Suggested-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Suggested-by: NNathan Chancellor <natechancellor@gmail.com>
      Suggested-by: NRasmus Villemoes <linux@rasmusvillemoes.dk>
      Acked-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Tested-by: NNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Reviewed-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3412671a
    • N
      x86/vdso: Drop implicit common-page-size linker flag · c7415f2a
      Nick Desaulniers 提交于
      commit ac3e233d29f7f77f28243af0132057d378d3ea58 upstream.
      
      GNU linker's -z common-page-size's default value is based on the target
      architecture. arch/x86/entry/vdso/Makefile sets it to the architecture
      default, which is implicit and redundant. Drop it.
      
      Fixes: 2aae950b ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu")
      Reported-by: NDmitry Golovin <dima@golovin.in>
      Reported-by: NBill Wendling <morbo@google.com>
      Suggested-by: NDmitry Golovin <dima@golovin.in>
      Suggested-by: NRui Ueyama <ruiu@google.com>
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Acked-by: NAndy Lutomirski <luto@kernel.org>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Fangrui Song <maskray@google.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20181206191231.192355-1-ndesaulniers@google.com
      Link: https://bugs.llvm.org/show_bug.cgi?id=38774
      Link: https://github.com/ClangBuiltLinux/linux/issues/31Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c7415f2a
    • N
      kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD · f66a52d9
      Nick Desaulniers 提交于
      commit ad15006cc78459d059af56729c4d9bed7c7fd860 upstream.
      
      This causes an issue when trying to build with `make LD=ld.lld` if
      ld.lld and the rest of your cross tools aren't in the same directory
      (ex. /usr/local/bin) (as is the case for Android's build system), as the
      GCC_TOOLCHAIN_DIR then gets set based on `which $(LD)` which will point
      where LLVM tools are, not GCC/binutils tools are located.
      
      Instead, select the GCC_TOOLCHAIN_DIR based on another tool provided by
      binutils for which LLVM does not provide a substitute for, such as
      elfedit.
      
      Fixes: 785f11aa ("kbuild: Add better clang cross build support")
      Link: https://github.com/ClangBuiltLinux/linux/issues/341Suggested-by: NNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Tested-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f66a52d9
    • M
      kbuild: deb-pkg: fix bindeb-pkg breakage when O= is used · 23605a46
      Masahiro Yamada 提交于
      [ Upstream commit 02826a6ba301b72461c3706e1cc66d5571cd327e ]
      
      Ard Biesheuvel reports bindeb-pkg with O= option is broken in the
      following way:
      
        ...
          LD [M]  sound/soc/rockchip/snd-soc-rk3399-gru-sound.ko
          LD [M]  sound/soc/rockchip/snd-soc-rockchip-pcm.ko
          LD [M]  sound/soc/rockchip/snd-soc-rockchip-rt5645.ko
          LD [M]  sound/soc/rockchip/snd-soc-rockchip-spdif.ko
          LD [M]  sound/soc/sh/rcar/snd-soc-rcar.ko
         fakeroot -u debian/rules binary
        make KERNELRELEASE=4.19.0-12677-g19beffaf7a99-dirty ARCH=arm64 KBUILD_SRC= intdeb-pkg
        /bin/bash /home/ard/linux/scripts/package/builddeb
        Makefile:600: include/config/auto.conf: No such file or directory
        ***
        *** Configuration file ".config" not found!
        ***
        *** Please run some configurator (e.g. "make oldconfig" or
        *** "make menuconfig" or "make xconfig").
        ***
        make[12]: *** [syncconfig] Error 1
        make[11]: *** [syncconfig] Error 2
        make[10]: *** [include/config/auto.conf] Error 2
        make[9]: *** [__sub-make] Error 2
        ...
      
      Prior to commit 80463f1b7bf9 ("kbuild: add --include-dir flag only
      for out-of-tree build"), both srctree and objtree were added to
      --include-dir redundantly, and the wrong code '$MAKE image_name'
      was working by relying on that. Now, the potential issue that had
      previously been hidden just showed up.
      
      '$MAKE image_name' recurses to the generated $(objtree)/Makefile and
      ends up with running in srctree, which is incorrect. It should be
      invoked with '-f $srctree/Makefile' (or KBUILD_SRC=) to be executed
      in objtree.
      
      Fixes: 80463f1b7bf9 ("kbuild: add --include-dir flag only for out-of-tree build")
      Reported-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Tested-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      23605a46
    • H
      net/mlx5e: Update xon formula · da9b353c
      Huy Nguyen 提交于
      [ Upstream commit e28408e98bced123038857b6e3c81fa12a2e3e68 ]
      
      Set xon = xoff - netdev's max_mtu.
      netdev's max_mtu will give enough time for the pause frame to
      arrive at the sender.
      
      Fixes: 0696d608 ("net/mlx5e: Receive buffer configuration")
      Signed-off-by: NHuy Nguyen <huyn@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      da9b353c
    • H
      net/mlx5e: Update xoff formula · e2d92a74
      Huy Nguyen 提交于
      [ Upstream commit 5ec983e924c7978aaec3cf8679ece9436508bb20 ]
      
      Set minimum speed in xoff threshold formula to 40Gbps
      
      Fixes: 0696d608 ("net/mlx5e: Receive buffer configuration")
      Signed-off-by: NHuy Nguyen <huyn@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e2d92a74
    • A
      net: mlx5: Add a missing check on idr_find, free buf · eab86503
      Aditya Pakki 提交于
      [ Upstream commit 8e949363f017e2011464812a714fb29710fb95b4 ]
      
      idr_find() can return a NULL value to 'flow' which is used without a
      check. The patch adds a check to avoid potential NULL pointer dereference.
      
      In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated
      using kzalloc.
      
      Fixes: ab412e1d ("net/mlx5: Accel, add TLS rx offload routines")
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Reviewed-by: NYuval Shaia <yuval.shaia@oracle.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      eab86503
    • H
      r8169: disable default rx interrupt coalescing on RTL8168 · b787544d
      Heiner Kallweit 提交于
      [ Upstream commit 288ac524cf70a8e7ed851a61ed2a9744039dae8d ]
      
      It was reported that re-introducing ASPM, in combination with RX
      interrupt coalescing, results in significantly increased packet
      latency, see [0]. Disabling ASPM or RX interrupt coalescing fixes
      the issue. Therefore change the driver's default to disable RX
      interrupt coalescing. Users still have the option to enable RX
      coalescing via ethtool.
      
      [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925496
      
      Fixes: a99790bf ("r8169: Reinstate ASPM Support")
      Reported-by: NMike Crowe <mac@mcrowe.com>
      Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b787544d
    • A
      net: core: netif_receive_skb_list: unlist skb before passing to pt->func · 55a7f7b2
      Alexander Lobakin 提交于
      [ Upstream commit 9a5a90d167b0e5fe3d47af16b68fd09ce64085cd ]
      
      __netif_receive_skb_list_ptype() leaves skb->next poisoned before passing
      it to pt_prev->func handler, what may produce (in certain cases, e.g. DSA
      setup) crashes like:
      
      [ 88.606777] CPU 0 Unable to handle kernel paging request at virtual address 0000000e, epc == 80687078, ra == 8052cc7c
      [ 88.618666] Oops[#1]:
      [ 88.621196] CPU: 0 PID: 0 Comm: swapper Not tainted 5.1.0-rc2-dlink-00206-g4192a172-dirty #1473
      [ 88.630885] $ 0 : 00000000 10000400 00000002 864d7850
      [ 88.636709] $ 4 : 87c0ddf0 864d7800 87c0ddf0 00000000
      [ 88.642526] $ 8 : 00000000 49600000 00000001 00000001
      [ 88.648342] $12 : 00000000 c288617b dadbee27 25d17c41
      [ 88.654159] $16 : 87c0ddf0 85cff080 80790000 fffffffd
      [ 88.659975] $20 : 80797b20 ffffffff 00000001 864d7800
      [ 88.665793] $24 : 00000000 8011e658
      [ 88.671609] $28 : 80790000 87c0dbc0 87cabf00 8052cc7c
      [ 88.677427] Hi : 00000003
      [ 88.680622] Lo : 7b5b4220
      [ 88.683840] epc : 80687078 vlan_dev_hard_start_xmit+0x1c/0x1a0
      [ 88.690532] ra : 8052cc7c dev_hard_start_xmit+0xac/0x188
      [ 88.696734] Status: 10000404	IEp
      [ 88.700422] Cause : 50000008 (ExcCode 02)
      [ 88.704874] BadVA : 0000000e
      [ 88.708069] PrId : 0001a120 (MIPS interAptiv (multi))
      [ 88.713005] Modules linked in:
      [ 88.716407] Process swapper (pid: 0, threadinfo=(ptrval), task=(ptrval), tls=00000000)
      [ 88.725219] Stack : 85f61c28 00000000 0000000e 80780000 87c0ddf0 85cff080 80790000 8052cc7c
      [ 88.734529] 87cabf00 00000000 00000001 85f5fb40 807b0000 864d7850 87cabf00 807d0000
      [ 88.743839] 864d7800 8655f600 00000000 85cff080 87c1c000 0000006a 00000000 8052d96c
      [ 88.753149] 807a0000 8057adb8 87c0dcc8 87c0dc50 85cfff08 00000558 87cabf00 85f58c50
      [ 88.762460] 00000002 85f58c00 864d7800 80543308 fffffff4 00000001 85f58c00 864d7800
      [ 88.771770] ...
      [ 88.774483] Call Trace:
      [ 88.777199] [<80687078>] vlan_dev_hard_start_xmit+0x1c/0x1a0
      [ 88.783504] [<8052cc7c>] dev_hard_start_xmit+0xac/0x188
      [ 88.789326] [<8052d96c>] __dev_queue_xmit+0x6e8/0x7d4
      [ 88.794955] [<805a8640>] ip_finish_output2+0x238/0x4d0
      [ 88.800677] [<805ab6a0>] ip_output+0xc8/0x140
      [ 88.805526] [<805a68f4>] ip_forward+0x364/0x560
      [ 88.810567] [<805a4ff8>] ip_rcv+0x48/0xe4
      [ 88.815030] [<80528d44>] __netif_receive_skb_one_core+0x44/0x58
      [ 88.821635] [<8067f220>] dsa_switch_rcv+0x108/0x1ac
      [ 88.827067] [<80528f80>] __netif_receive_skb_list_core+0x228/0x26c
      [ 88.833951] [<8052ed84>] netif_receive_skb_list+0x1d4/0x394
      [ 88.840160] [<80355a88>] lunar_rx_poll+0x38c/0x828
      [ 88.845496] [<8052fa78>] net_rx_action+0x14c/0x3cc
      [ 88.850835] [<806ad300>] __do_softirq+0x178/0x338
      [ 88.856077] [<8012a2d4>] irq_exit+0xbc/0x100
      [ 88.860846] [<802f8b70>] plat_irq_dispatch+0xc0/0x144
      [ 88.866477] [<80105974>] handle_int+0x14c/0x158
      [ 88.871516] [<806acfb0>] r4k_wait+0x30/0x40
      [ 88.876462] Code: afb10014 8c8200a0 00803025 <9443000c> 94a20468 00000000 10620042 00a08025 9605046a
      [ 88.887332]
      [ 88.888982] ---[ end trace eb863d007da11cf1 ]---
      [ 88.894122] Kernel panic - not syncing: Fatal exception in interrupt
      [ 88.901202] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fix this by pulling skb off the sublist and zeroing skb->next pointer
      before calling ptype callback.
      
      Fixes: 88eb1944 ("net: core: propagate SKB lists through packet_type lookup")
      Reviewed-by: NEdward Cree <ecree@solarflare.com>
      Signed-off-by: NAlexander Lobakin <alobakin@dlink.ru>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      55a7f7b2
    • L
      net: ip6_gre: fix possible use-after-free in ip6erspan_rcv · a2ef7723
      Lorenzo Bianconi 提交于
      [ Upstream commit 2a3cabae4536edbcb21d344e7aa8be7a584d2afb ]
      
      erspan_v6 tunnels run __iptunnel_pull_header on received skbs to remove
      erspan header. This can determine a possible use-after-free accessing
      pkt_md pointer in ip6erspan_rcv since the packet will be 'uncloned'
      running pskb_expand_head if it is a cloned gso skb (e.g if the packet has
      been sent though a veth device). Fix it resetting pkt_md pointer after
      __iptunnel_pull_header
      
      Fixes: 1d7e2ed2 ("net: erspan: refactor existing erspan code")
      Signed-off-by: NLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a2ef7723
    • L
      net: ip_gre: fix possible use-after-free in erspan_rcv · 5c6f2f4c
      Lorenzo Bianconi 提交于
      [ Upstream commit 492b67e28ee5f2a2522fb72e3d3bcb990e461514 ]
      
      erspan tunnels run __iptunnel_pull_header on received skbs to remove
      gre and erspan headers. This can determine a possible use-after-free
      accessing pkt_md pointer in erspan_rcv since the packet will be 'uncloned'
      running pskb_expand_head if it is a cloned gso skb (e.g if the packet has
      been sent though a veth device). Fix it resetting pkt_md pointer after
      __iptunnel_pull_header
      
      Fixes: 1d7e2ed2 ("net: erspan: refactor existing erspan code")
      Signed-off-by: NLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5c6f2f4c
    • M
      bnxt_en: Reset device on RX buffer errors. · ecee513a
      Michael Chan 提交于
      [ Upstream commit 8e44e96c6c8e8fb80b84a2ca11798a8554f710f2 ]
      
      If the RX completion indicates RX buffers errors, the RX ring will be
      disabled by firmware and no packets will be received on that ring from
      that point on.  Recover by resetting the device.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ecee513a
    • M
      bnxt_en: Improve RX consumer index validity check. · d2d055a5
      Michael Chan 提交于
      [ Upstream commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff ]
      
      There is logic to check that the RX/TPA consumer index is the expected
      index to work around a hardware problem.  However, the potentially bad
      consumer index is first used to index into an array to reference an entry.
      This can potentially crash if the bad consumer index is beyond legal
      range.  Improve the logic to use the consumer index for dereferencing
      after the validity check and log an error message.
      
      Fixes: fa7e2812 ("bnxt_en: Add workaround to detect bad opaque in rx completion (part 2)")
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d2d055a5
    • J
      nfp: disable netpoll on representors · a333fcc4
      Jakub Kicinski 提交于
      [ Upstream commit c3e1f7fff69c78169c8ac40cc74ac4307f74e36d ]
      
      NFP reprs are software device on top of the PF's vNIC.
      The comment above __dev_queue_xmit() sayeth:
      
       When calling this method, interrupts MUST be enabled.  This is because
       the BH enable code must have IRQs enabled so that it will not deadlock.
      
      For netconsole we can't guarantee IRQ state, let's just
      disable netpoll on representors to be on the safe side.
      
      When the initial implementation of NFP reprs was added by the
      commit 5de73ee4 ("nfp: general representor implementation")
      .ndo_poll_controller was required for netpoll to be enabled.
      
      Fixes: ac3d9dd0 ("netpoll: make ndo_poll_controller() optional")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NJohn Hurley <john.hurley@netronome.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a333fcc4
    • J
      nfp: validate the return code from dev_queue_xmit() · 81da1314
      Jakub Kicinski 提交于
      [ Upstream commit c8ba5b91a04e3e2643e48501c114108802f21cda ]
      
      dev_queue_xmit() may return error codes as well as netdev_tx_t,
      and it always consumes the skb.  Make sure we always return a
      correct netdev_tx_t value.
      
      Fixes: eadfa4c3 ("nfp: add stats and xmit helpers for representors")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NJohn Hurley <john.hurley@netronome.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      81da1314
    • Y
      net/mlx5e: Add a lock on tir list · c297e881
      Yuval Avnery 提交于
      [ Upstream commit 80a2a9026b24c6bd34b8d58256973e22270bedec ]
      
      Refresh tirs is looping over a global list of tirs while netdevs are
      adding and removing tirs from that list. That is why a lock is
      required.
      
      Fixes: 724b2aa1 ("net/mlx5e: TIRs management refactoring")
      Signed-off-by: NYuval Avnery <yuvalav@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c297e881
    • G
      net/mlx5e: Fix error handling when refreshing TIRs · 94413175
      Gavi Teitz 提交于
      [ Upstream commit bc87a0036826a37b43489b029af8143bd07c6cca ]
      
      Previously, a false positive would be caught if the TIRs list is
      empty, since the err value was initialized to -ENOMEM, and was only
      updated if a TIR is refreshed. This is resolved by initializing the
      err value to zero.
      
      Fixes: b676f653 ("net/mlx5e: Refactor refresh TIRs")
      Signed-off-by: NGavi Teitz <gavi@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      94413175
    • S
      vrf: check accept_source_route on the original netdevice · 0516ef27
      Stephen Suryaputra 提交于
      [ Upstream commit 8c83f2df9c6578ea4c5b940d8238ad8a41b87e9e ]
      
      Configuration check to accept source route IP options should be made on
      the incoming netdevice when the skb->dev is an l3mdev master. The route
      lookup for the source route next hop also needs the incoming netdev.
      
      v2->v3:
      - Simplify by passing the original netdevice down the stack (per David
        Ahern).
      Signed-off-by: NStephen Suryaputra <ssuryaextr@gmail.com>
      Reviewed-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0516ef27
    • D
      tcp: fix a potential NULL pointer dereference in tcp_sk_exit · 7243e352
      Dust Li 提交于
      [ Upstream commit b506bc975f60f06e13e74adb35e708a23dc4e87c ]
      
       When tcp_sk_init() failed in inet_ctl_sock_create(),
       'net->ipv4.tcp_congestion_control' will be left
       uninitialized, but tcp_sk_exit() hasn't check for
       that.
      
       This patch add checking on 'net->ipv4.tcp_congestion_control'
       in tcp_sk_exit() to prevent NULL-ptr dereference.
      
      Fixes: 6670e152 ("tcp: Namespace-ify sysctl_tcp_default_congestion_control")
      Signed-off-by: NDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7243e352
    • K
      tcp: Ensure DCTCP reacts to losses · 0e0afb06
      Koen De Schepper 提交于
      [ Upstream commit aecfde23108b8e637d9f5c5e523b24fb97035dc3 ]
      
      RFC8257 §3.5 explicitly states that "A DCTCP sender MUST react to
      loss episodes in the same way as conventional TCP".
      
      Currently, Linux DCTCP performs no cwnd reduction when losses
      are encountered. Optionally, the dctcp_clamp_alpha_on_loss resets
      alpha to its maximal value if a RTO happens. This behavior
      is sub-optimal for at least two reasons: i) it ignores losses
      triggering fast retransmissions; and ii) it causes unnecessary large
      cwnd reduction in the future if the loss was isolated as it resets
      the historical term of DCTCP's alpha EWMA to its maximal value (i.e.,
      denoting a total congestion). The second reason has an especially
      noticeable effect when using DCTCP in high BDP environments, where
      alpha normally stays at low values.
      
      This patch replace the clamping of alpha by setting ssthresh to
      half of cwnd for both fast retransmissions and RTOs, at most once
      per RTT. Consequently, the dctcp_clamp_alpha_on_loss module parameter
      has been removed.
      
      The table below shows experimental results where we measured the
      drop probability of a PIE AQM (not applying ECN marks) at a
      bottleneck in the presence of a single TCP flow with either the
      alpha-clamping option enabled or the cwnd halving proposed by this
      patch. Results using reno or cubic are given for comparison.
      
                                |  Link   |   RTT    |    Drop
                       TCP CC   |  speed  | base+AQM | probability
              ==================|=========|==========|============
                          CUBIC |  40Mbps |  7+20ms  |    0.21%
                           RENO |         |          |    0.19%
              DCTCP-CLAMP-ALPHA |         |          |   25.80%
               DCTCP-HALVE-CWND |         |          |    0.22%
              ------------------|---------|----------|------------
                          CUBIC | 100Mbps |  7+20ms  |    0.03%
                           RENO |         |          |    0.02%
              DCTCP-CLAMP-ALPHA |         |          |   23.30%
               DCTCP-HALVE-CWND |         |          |    0.04%
              ------------------|---------|----------|------------
                          CUBIC | 800Mbps |   1+1ms  |    0.04%
                           RENO |         |          |    0.05%
              DCTCP-CLAMP-ALPHA |         |          |   18.70%
               DCTCP-HALVE-CWND |         |          |    0.06%
      
      We see that, without halving its cwnd for all source of losses,
      DCTCP drives the AQM to large drop probabilities in order to keep
      the queue length under control (i.e., it repeatedly faces RTOs).
      Instead, if DCTCP reacts to all source of losses, it can then be
      controlled by the AQM using similar drop levels than cubic or reno.
      Signed-off-by: NKoen De Schepper <koen.de_schepper@nokia-bell-labs.com>
      Signed-off-by: NOlivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
      Cc: Bob Briscoe <research@bobbriscoe.net>
      Cc: Lawrence Brakmo <brakmo@fb.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Daniel Borkmann <borkmann@iogearbox.net>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Andrew Shewmaker <agshew@gmail.com>
      Cc: Glenn Judd <glenn.judd@morganstanley.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0e0afb06
    • X
      sctp: initialize _pad of sockaddr_in before copying to user memory · 87349583
      Xin Long 提交于
      [ Upstream commit 09279e615c81ce55e04835970601ae286e3facbe ]
      
      Syzbot report a kernel-infoleak:
      
        BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
        Call Trace:
          _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
          copy_to_user include/linux/uaccess.h:174 [inline]
          sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
          sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
          ...
        Uninit was stored to memory at:
          sctp_transport_init net/sctp/transport.c:61 [inline]
          sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
          sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
          sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
          sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
          ...
        Bytes 8-15 of 16 are uninitialized
      
      It was caused by that th _pad field (the 8-15 bytes) of a v4 addr (saved in
      struct sockaddr_in) wasn't initialized, but directly copied to user memory
      in sctp_getsockopt_peer_addrs().
      
      So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of
      sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as
      sctp_v6_addr_to_user() does.
      
      Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Tested-by: NAlexander Potapenko <glider@google.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      87349583
    • H
      r8169: disable ASPM again · 1e4a7e78
      Heiner Kallweit 提交于
      [ Upstream commit b75bb8a5b755d0c7bf1ac071e4df2349a7644a1e ]
      
      There's a significant number of reports that re-enabling ASPM causes
      different issues, ranging from decreased performance to system not
      booting at all. This affects only a minority of users, but the number
      of affected users is big enough that we better switch off ASPM again.
      
      This will hurt notebook users who are not affected by the issues, they
      may see decreased battery runtime w/o ASPM. With the PCI core folks is
      being discussed to add generic sysfs attributes to control ASPM.
      Once this is in place brave enough users can re-enable ASPM on their
      system.
      
      Fixes: a99790bf ("r8169: Reinstate ASPM Support")
      Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1e4a7e78
    • B
      qmi_wwan: add Olicard 600 · 84dc2f87
      Bjørn Mork 提交于
      [ Upstream commit 6289d0facd9ebce4cc83e5da39e15643ee998dc5 ]
      
      This is a Qualcomm based device with a QMI function on interface 4.
      It is mode switched from 2020:2030 using a standard eject message.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  6 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=2031 Rev= 2.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
      E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      84dc2f87
    • A
      openvswitch: fix flow actions reallocation · ec0e32da
      Andrea Righi 提交于
      [ Upstream commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb ]
      
      The flow action buffer can be resized if it's not big enough to contain
      all the requested flow actions. However, this resize doesn't take into
      account the new requested size, the buffer is only increased by a factor
      of 2x. This might be not enough to contain the new data, causing a
      buffer overflow, for example:
      
      [   42.044472] =============================================================================
      [   42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
      [   42.046415] -----------------------------------------------------------------------------
      
      [   42.047715] Disabling lock debugging due to kernel taint
      [   42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
      [   42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
      [   42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
      
      [   42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc                          ........
      [   42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00  kkkkkkkk....l...
      [   42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6  l...........x...
      [   42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00   ...............
      [   42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.059061] Redzone 8bf2c4a5: 00 00 00 00                                      ....
      [   42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
      
      Fix by making sure the new buffer is properly resized to contain all the
      requested data.
      
      BugLink: https://bugs.launchpad.net/bugs/1813244Signed-off-by: NAndrea Righi <andrea.righi@canonical.com>
      Acked-by: NPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ec0e32da
    • N
      net/sched: fix ->get helper of the matchall cls · eeedfa94
      Nicolas Dichtel 提交于
      [ Upstream commit 0db6f8befc32c68bb13d7ffbb2e563c79e913e13 ]
      
      It returned always NULL, thus it was never possible to get the filter.
      
      Example:
      $ ip link add foo type dummy
      $ ip link add bar type dummy
      $ tc qdisc add dev foo clsact
      $ tc filter add dev foo protocol all pref 1 ingress handle 1234 \
      	matchall action mirred ingress mirror dev bar
      
      Before the patch:
      $ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
      Error: Specified filter handle not found.
      We have an error talking to the kernel
      
      After:
      $ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
      filter ingress protocol all pref 1 matchall chain 0 handle 0x4d2
        not_in_hw
              action order 1: mirred (Ingress Mirror to device bar) pipe
              index 1 ref 1 bind 1
      
      CC: Yotam Gigi <yotamg@mellanox.com>
      CC: Jiri Pirko <jiri@mellanox.com>
      Fixes: fd62d9f5 ("net/sched: matchall: Fix configuration race")
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      eeedfa94
    • D
      net/sched: act_sample: fix divide by zero in the traffic path · 15c0770e
      Davide Caratti 提交于
      [ Upstream commit fae2708174ae95d98d19f194e03d6e8f688ae195 ]
      
      the control path of 'sample' action does not validate the value of 'rate'
      provided by the user, but then it uses it as divisor in the traffic path.
      Validate it in tcf_sample_init(), and return -EINVAL with a proper extack
      message in case that value is zero, to fix a splat with the script below:
      
       # tc f a dev test0 egress matchall action sample rate 0 group 1 index 2
       # tc -s a s action sample
       total acts 1
      
               action order 0: sample rate 1/0 group 1 pipe
                index 2 ref 1 bind 1 installed 19 sec used 19 sec
               Action statistics:
               Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
               backlog 0b 0p requeues 0
       # ping 192.0.2.1 -I test0 -c1 -q
      
       divide error: 0000 [#1] SMP PTI
       CPU: 1 PID: 6192 Comm: ping Not tainted 5.1.0-rc2.diag2+ #591
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:tcf_sample_act+0x9e/0x1e0 [act_sample]
       Code: 6a f1 85 c0 74 0d 80 3d 83 1a 00 00 00 0f 84 9c 00 00 00 4d 85 e4 0f 84 85 00 00 00 e8 9b d7 9c f1 44 8b 8b e0 00 00 00 31 d2 <41> f7 f1 85 d2 75 70 f6 85 83 00 00 00 10 48 8b 45 10 8b 88 08 01
       RSP: 0018:ffffae320190ba30 EFLAGS: 00010246
       RAX: 00000000b0677d21 RBX: ffff8af1ed9ec000 RCX: 0000000059a9fe49
       RDX: 0000000000000000 RSI: 000000000c7e33b7 RDI: ffff8af23daa0af0
       RBP: ffff8af1ee11b200 R08: 0000000074fcaf7e R09: 0000000000000000
       R10: 0000000000000050 R11: ffffffffb3088680 R12: ffff8af232307f80
       R13: 0000000000000003 R14: ffff8af1ed9ec000 R15: 0000000000000000
       FS:  00007fe9c6d2f740(0000) GS:ffff8af23da80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007fff6772f000 CR3: 00000000746a2004 CR4: 00000000001606e0
       Call Trace:
        tcf_action_exec+0x7c/0x1c0
        tcf_classify+0x57/0x160
        __dev_queue_xmit+0x3dc/0xd10
        ip_finish_output2+0x257/0x6d0
        ip_output+0x75/0x280
        ip_send_skb+0x15/0x40
        raw_sendmsg+0xae3/0x1410
        sock_sendmsg+0x36/0x40
        __sys_sendto+0x10e/0x140
        __x64_sys_sendto+0x24/0x30
        do_syscall_64+0x60/0x210
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [...]
        Kernel panic - not syncing: Fatal exception in interrupt
      
      Add a TDC selftest to document that 'rate' is now being validated.
      Reported-by: NMatteo Croce <mcroce@redhat.com>
      Fixes: 5c5670fa ("net/sched: Introduce sample tc action")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NYotam Gigi <yotam.gi@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      15c0770e
    • M
      net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock(). · 78b4bf26
      Mao Wenan 提交于
      [ Upstream commit cb66ddd156203daefb8d71158036b27b0e2caf63 ]
      
      When it is to cleanup net namespace, rds_tcp_exit_net() will call
      rds_tcp_kill_sock(), if t_sock is NULL, it will not call
      rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
      connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
      net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
      and reference 'net' which has already been freed.
      
      In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
      sock->ops->connect, but if connect() is failed, it will call
      rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
      failed, rds_connect_worker() will try to reconnect all the time, so
      rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
      connections.
      
      Therefore, the condition !tc->t_sock is not needed if it is going to do
      cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
      NULL, and there is on other path to cancel cp_conn_w and free
      connection. So this patch is to fix this.
      
      rds_tcp_kill_sock():
      ...
      if (net != c_net || !tc->t_sock)
      ...
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      
      ==================================================================
      BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
      net/ipv4/af_inet.c:340
      Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
      
      CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
      Hardware name: linux,dummy-virt (DT)
      Workqueue: krdsd rds_connect_worker
      Call trace:
       dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
       show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x120/0x188 lib/dump_stack.c:113
       print_address_description+0x68/0x278 mm/kasan/report.c:253
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x21c/0x348 mm/kasan/report.c:409
       __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
       inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
       __sock_create+0x4f8/0x770 net/socket.c:1276
       sock_create_kern+0x50/0x68 net/socket.c:1322
       rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
       rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
       process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
       worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
       kthread+0x2f0/0x378 kernel/kthread.c:255
       ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
      
      Allocated by task 687:
       save_stack mm/kasan/kasan.c:448 [inline]
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
       kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
       slab_post_alloc_hook mm/slab.h:444 [inline]
       slab_alloc_node mm/slub.c:2705 [inline]
       slab_alloc mm/slub.c:2713 [inline]
       kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
       kmem_cache_zalloc include/linux/slab.h:697 [inline]
       net_alloc net/core/net_namespace.c:384 [inline]
       copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
       create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
       ksys_unshare+0x340/0x628 kernel/fork.c:2577
       __do_sys_unshare kernel/fork.c:2645 [inline]
       __se_sys_unshare kernel/fork.c:2643 [inline]
       __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
       __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
       el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
       el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
       el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
      
      Freed by task 264:
       save_stack mm/kasan/kasan.c:448 [inline]
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
       kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
       slab_free_hook mm/slub.c:1370 [inline]
       slab_free_freelist_hook mm/slub.c:1397 [inline]
       slab_free mm/slub.c:2952 [inline]
       kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
       net_free net/core/net_namespace.c:400 [inline]
       net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
       net_drop_ns net/core/net_namespace.c:406 [inline]
       cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
       process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
       worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
       kthread+0x2f0/0x378 kernel/kthread.c:255
       ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
      
      The buggy address belongs to the object at ffff8003496a3f80
       which belongs to the cache net_namespace of size 7872
      The buggy address is located 1796 bytes inside of
       7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
      The buggy address belongs to the page:
      page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
      index:0x0 compound_mapcount: 0
      flags: 0xffffe0000008100(slab|head)
      raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
      raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
       ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 467fa153("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Signed-off-by: NMao Wenan <maowenan@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      78b4bf26
    • E
      netns: provide pure entropy for net_hash_mix() · a1c2f322
      Eric Dumazet 提交于
      [ Upstream commit 355b98553789b646ed97ad801a619ff898471b92 ]
      
      net_hash_mix() currently uses kernel address of a struct net,
      and is used in many places that could be used to reveal this
      address to a patient attacker, thus defeating KASLR, for
      the typical case (initial net namespace, &init_net is
      not dynamically allocated)
      
      I believe the original implementation tried to avoid spending
      too many cycles in this function, but security comes first.
      
      Also provide entropy regardless of CONFIG_NET_NS.
      
      Fixes: 0b441916 ("netns: introduce the net_hash_mix "salt" for hashes")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAmit Klein <aksecurity@gmail.com>
      Reported-by: NBenny Pinkas <benny@pinkas.net>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a1c2f322
    • A
      net/mlx5: Decrease default mr cache size · 53a19068
      Artemy Kovalyov 提交于
      [ Upstream commit e8b26b2135dedc0284490bfeac06dfc4418d0105 ]
      
      Delete initialization of high order entries in mr cache to decrease initial
      memory footprint. When required, the administrator can populate the
      entries with memory keys via the /sys interface.
      
      This approach is very helpful to significantly reduce the per HW function
      memory footprint in virtualization environments such as SRIOV.
      
      Fixes: 9603b61d ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
      Signed-off-by: NArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: NMoni Shoua <monis@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Reported-by: NShalom Toledo <shalomt@mellanox.com>
      Acked-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      53a19068
    • S
      net-gro: Fix GRO flush when receiving a GSO packet. · b87ec813
      Steffen Klassert 提交于
      [ Upstream commit 0ab03f353d3613ea49d1f924faf98559003670a8 ]
      
      Currently we may merge incorrectly a received GSO packet
      or a packet with frag_list into a packet sitting in the
      gro_hash list. skb_segment() may crash case because
      the assumptions on the skb layout are not met.
      The correct behaviour would be to flush the packet in the
      gro_hash list and send the received GSO packet directly
      afterwards. Commit d61d072e ("net-gro: avoid reorders")
      sets NAPI_GRO_CB(skb)->flush in this case, but this is not
      checked before merging. This patch makes sure to check this
      flag and to not merge in that case.
      
      Fixes: d61d072e ("net-gro: avoid reorders")
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b87ec813
    • L
      net: ethtool: not call vzalloc for zero sized memory request · 80c20581
      Li RongQing 提交于
      [ Upstream commit 3d8830266ffc28c16032b859e38a0252e014b631 ]
      
      NULL or ZERO_SIZE_PTR will be returned for zero sized memory
      request, and derefencing them will lead to a segfault
      
      so it is unnecessory to call vzalloc for zero sized memory
      request and not call functions which maybe derefence the
      NULL allocated memory
      
      this also fixes a possible memory leak if phy_ethtool_get_stats
      returns error, memory should be freed before exit
      Signed-off-by: NLi RongQing <lirongqing@baidu.com>
      Reviewed-by: NWang Li <wangli39@baidu.com>
      Reviewed-by: NMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      80c20581