1. 24 May, 2018 8 commits
  2. 23 May, 2018 12 commits
  3. 22 May, 2018 1 commit
    • nl80211: Fix compilation · ba8f566a
      Committed by Denis Kenzior
      Commit 7ea3e110 seems to have
      introduced:
      
      net/wireless/nl80211.c: In function ‘nl80211_get_station’:
      net/wireless/nl80211.c:4802:34: error: incompatible type for argument 1 of ‘cfg80211_sinfo_release_content’
         cfg80211_sinfo_release_content(sinfo);
                                        ^~~~~
      In file included from net/wireless/nl80211.c:24:0:
      ./include/net/cfg80211.h:5721:20: note: expected ‘struct station_info *’ but argument is of type ‘struct station_info’
       static inline void cfg80211_sinfo_release_content(struct station_info *sinfo)
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Fixes: 7ea3e110 ("cfg80211: release station info tidstats where needed")
      Signed-off-by: Denis Kenzior <denkenz@gmail.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  4. 20 May, 2018 5 commits
  5. 19 May, 2018 14 commits
    • net: sched: red: avoid hashing NULL child · 44a63b13
      Committed by Paolo Abeni
      Hangbin reported an Oops triggered by the syzkaller qdisc rules:
      
       kasan: GPF could be caused by NULL-ptr deref or user memory access
       general protection fault: 0000 [#1] SMP KASAN PTI
       Modules linked in: sch_red
       CPU: 0 PID: 28699 Comm: syz-executor5 Not tainted 4.17.0-rc4.kcov #1
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:qdisc_hash_add+0x26/0xa0
       Call Trace:
        red_change+0x2d2/0xed0 [sch_red]
        qdisc_create+0x57e/0xef0
        tc_modify_qdisc+0x47f/0x14e0
        rtnetlink_rcv_msg+0x6a8/0x920
        netlink_rcv_skb+0x2a2/0x3c0
        netlink_unicast+0x511/0x740
        netlink_sendmsg+0x825/0xc30
        sock_sendmsg+0xc5/0x100
        ___sys_sendmsg+0x778/0x8e0
        __sys_sendmsg+0xf5/0x1b0
        do_syscall_64+0xbd/0x3b0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: qdisc_hash_add+0x26/0xa0 RSP: ffff8800589cf470
      
      When a red qdisc is updated with a 0 limit, the child qdisc is left
      unmodified, no additional scheduler is created in red_change(),
      the 'child' local variable is rightfully NULL and must not be added
      to the hash table.
      
      This change addresses the above issue by moving qdisc_hash_add() right
      after the child qdisc creation. It additionally removes unneeded checks
      for noop_qdisc.
      Reported-by: Hangbin Liu <liuhangbin@gmail.com>
      Fixes: 49b49971 ("net: sched: make default fifo qdiscs appear in the dump")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Acked-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sock_diag: fix use-after-free read in __sk_free · 9709020c
      Committed by Eric Dumazet
      We must not call sock_diag_has_destroy_listeners(sk) on a socket
      that has no reference on net structure.
      
      BUG: KASAN: use-after-free in sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline]
      BUG: KASAN: use-after-free in __sk_free+0x329/0x340 net/core/sock.c:1609
      Read of size 8 at addr ffff88018a02e3a0 by task swapper/1/0
      
      CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.17.0-rc5+ #54
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
       sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline]
       __sk_free+0x329/0x340 net/core/sock.c:1609
       sk_free+0x42/0x50 net/core/sock.c:1623
       sock_put include/net/sock.h:1664 [inline]
       reqsk_free include/net/request_sock.h:116 [inline]
       reqsk_put include/net/request_sock.h:124 [inline]
       inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:672 [inline]
       reqsk_timer_handler+0xe27/0x10e0 net/ipv4/inet_connection_sock.c:739
       call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
       expire_timers kernel/time/timer.c:1363 [inline]
       __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
       run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
       __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
       invoke_softirq kernel/softirq.c:365 [inline]
       irq_exit+0x1d1/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:525 [inline]
       smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
       </IRQ>
      RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
       arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
       default_idle+0xc2/0x440 arch/x86/kernel/process.c:354
       arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:345
       default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
       cpuidle_idle_call kernel/sched/idle.c:153 [inline]
       do_idle+0x395/0x560 kernel/sched/idle.c:262
       cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:368
       start_secondary+0x426/0x5b0 arch/x86/kernel/smpboot.c:269
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242
      
      Allocated by task 4557:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
       kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
       kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
       kmem_cache_zalloc include/linux/slab.h:691 [inline]
       net_alloc net/core/net_namespace.c:383 [inline]
       copy_net_ns+0x159/0x4c0 net/core/net_namespace.c:423
       create_new_namespaces+0x69d/0x8f0 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206
       ksys_unshare+0x708/0xf90 kernel/fork.c:2408
       __do_sys_unshare kernel/fork.c:2476 [inline]
       __se_sys_unshare kernel/fork.c:2474 [inline]
       __x64_sys_unshare+0x31/0x40 kernel/fork.c:2474
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 69:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
       kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
       __cache_free mm/slab.c:3498 [inline]
       kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
       net_free net/core/net_namespace.c:399 [inline]
       net_drop_ns.part.14+0x11a/0x130 net/core/net_namespace.c:406
       net_drop_ns net/core/net_namespace.c:405 [inline]
       cleanup_net+0x6a1/0xb20 net/core/net_namespace.c:541
       process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
       worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
       kthread+0x345/0x410 kernel/kthread.c:240
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
      
      The buggy address belongs to the object at ffff88018a02c140
       which belongs to the cache net_namespace of size 8832
      The buggy address is located 8800 bytes inside of
       8832-byte region [ffff88018a02c140, ffff88018a02e3c0)
      The buggy address belongs to the page:
      page:ffffea0006280b00 count:1 mapcount:0 mapping:ffff88018a02c140 index:0x0 compound_mapcount: 0
      flags: 0x2fffc0000008100(slab|head)
      raw: 02fffc0000008100 ffff88018a02c140 0000000000000000 0000000100000001
      raw: ffffea00062a1320 ffffea0006268020 ffff8801d9bdde40 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fixes: b922622e ("sock_diag: don't broadcast kernel sockets")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Craig Gallek <kraig@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: tcp_rack_reo_wnd() can be static · 1f7455c3
      Committed by kbuild test robot
      Fixes: 20b654df ("tcp: support DUPACK threshold in RACK")
      Signed-off-by: kbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: restructure client and server code in af_smc · 3b2dec26
      Committed by Hans Wippel
      This patch splits up the functions smc_connect_rdma and smc_listen_work
      into smaller functions.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: change smc_buf_free function parameters · 6511aad3
      Committed by Hans Wippel
      This patch changes the function smc_buf_free to use the SMC link group
      instead of the link as function parameter. Also, it changes the order of
      the other two parameters.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: do a few smc_core.c cleanups · 8437bda0
      Committed by Hans Wippel
      This patch consists of Christmas tree fixes and removal of an unneeded
      function parameter.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: restructure CDC message reception · d7b0e37c
      Committed by Hans Wippel
      This patch moves a CDC sanity check from smc_cdc_msg_recv_action() to
      the other sanity checks in smc_cdc_rx_handler(). While doing this, it
      simplifies smc_cdc_msg_recv() and removes unneeded function parameters.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: move smc_core specific code from smc.h to smc_core · 2f6becaf
      Committed by Hans Wippel
      SMC connection and buffer handling belong to smc_core. So, this patch
      moves this code from smc.h to smc_core.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: calculate write offset in RMB only once per connection · 95d8d263
      Committed by Hans Wippel
      Currently, the write offset within the RMB is calculated on each write
      operation although it is fixed for each connection. With this patch, the
      offset is calculated once and stored in a connection specific variable.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: rename connection index to RMBE index · 92a138e3
      Committed by Hans Wippel
      The connection index is actually an RMBE index. So, this patch changes
      the name accordingly.
      Signed-off-by: NHans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: NUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      92a138e3
    • H
      net/smc: move link group list to smc_core · 9fda3510
      Hans Wippel 提交于
      This patch moves the global link group list to smc_core where the link
      group functions are. To make this work, it moves code in af_smc and
      smc_ib that operates on the link group list to smc_core as well.
      
      While at it, the link group counter is integrated into the list
      structure and initialized to zero.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: add common buffer size in send and receive buffer descriptors · 69cb7dc0
      Committed by Hans Wippel
      In addition to the buffer references, SMC currently stores the sizes of
      the receive and send buffers in each connection as separate variables.
      This patch introduces a buffer length variable in the common buffer
      descriptor and uses this length instead.
      Signed-off-by: Hans Wippel <hwippel@linux.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: Do not register devlink for unused ports · 5447d786
      Committed by Florian Fainelli
      Even if commit 1d27732f ("net: dsa: setup and teardown ports") indicated
      that registering a devlink instance for unused ports is not a problem, and this
      is true, this can be confusing nonetheless, so let's not do it.
      
      Fixes: 1d27732f ("net: dsa: setup and teardown ports")
      Reported-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Fix a bug in removing queues from XPS map · 6358d49a
      Committed by Amritha Nambiar
      While removing queues from the XPS map, the individual CPU ID
      alone was used to index the CPUs map; this should be changed to also
      factor in the traffic class mapping for the CPU-to-queue lookup.
      
      Fixes: 184c449f ("net: Add support for XPS with QoS via traffic classes")
      Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com>
      Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>