1. 20 Apr 2018, 11 commits
    • net: hns: Avoid action name truncation · f4ea8911
      dann frazier committed
      When longer interface names are used, the action names exposed in
      /proc/interrupts and /proc/irq/* may be truncated. For example, when
      using the predictable name algorithm in systemd on a HiSilicon D05,
      I see:
      
        ubuntu@d05-3:~$  grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'
        enahisic2i0-tx0
        enahisic2i0-tx1
        [...]
        enahisic2i0-tx8
        enahisic2i0-tx9
        enahisic2i0-tx1
        enahisic2i0-tx1
        enahisic2i0-tx1
        enahisic2i0-tx1
        enahisic2i0-tx1
        enahisic2i0-tx1
      
      Increase the max ring name length to allow for an interface name
      of IFNAMSIZE. After this change, I now see:
      
        $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //'
        enahisic2i0-tx0
        enahisic2i0-tx1
        enahisic2i0-tx2
        [...]
        enahisic2i0-tx8
        enahisic2i0-tx9
        enahisic2i0-tx10
        enahisic2i0-tx11
        enahisic2i0-tx12
        enahisic2i0-tx13
        enahisic2i0-tx14
        enahisic2i0-tx15
      Signed-off-by: dann frazier <dann.frazier@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
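An added C example (not from the commit or the hns driver) that reproduces the silent truncation the commit describes and counts the duplicate ring names it produces; the buffer sizes, the `snprintf`-based "<ifname>-tx<n>" format and the `count_colliding_rings` helper are assumptions, not taken from the driver.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16                        /* kernel interface-name limit, incl. NUL */
#define OLD_RING_NAME_LEN 16               /* assumed old limit; reproduces the truncation */
#define NEW_RING_NAME_LEN (IFNAMSIZ + 8)   /* assumed new limit: name + "-tx" + index */
#define MAX_RINGS 32

/* Format "<ifname>-tx<idx>" into buf[len]. Returns 1 when snprintf had to
 * truncate: its return value is the length it wanted, not what it wrote,
 * so a caller that ignores it never notices the shortened name. */
int build_ring_name(char *buf, size_t len, const char *ifname, int idx)
{
    int need = snprintf(buf, len, "%s-tx%d", ifname, idx);
    return need < 0 || (size_t)need >= len;
}

/* Generate nrings names with the given buffer size and count how many are
 * identical to an earlier one (the ambiguity visible in /proc/interrupts). */
int count_colliding_rings(size_t len, const char *ifname, int nrings)
{
    char names[MAX_RINGS][64];
    int i, j, collisions = 0;

    if (nrings > MAX_RINGS || len > sizeof names[0])
        return -1;
    for (i = 0; i < nrings; i++) {
        build_ring_name(names[i], len, ifname, i);
        for (j = 0; j < i; j++) {
            if (strcmp(names[i], names[j]) == 0) {
                collisions++;
                break;
            }
        }
    }
    return collisions;
}

int main(void)
{
    char buf[64];
    int i;

    /* "enahisic2i0" is the interface name from the commit message. */
    for (i = 0; i < 16; i++) {
        int trunc = build_ring_name(buf, OLD_RING_NAME_LEN, "enahisic2i0", i);
        printf("%-20s%s\n", buf, trunc ? " (truncated)" : "");
    }
    printf("collisions with %d-byte names: %d\n", OLD_RING_NAME_LEN,
           count_colliding_rings(OLD_RING_NAME_LEN, "enahisic2i0", 16));
    printf("collisions with %d-byte names: %d\n", (int)NEW_RING_NAME_LEN,
           count_colliding_rings(NEW_RING_NAME_LEN, "enahisic2i0", 16));
    return 0;
}
```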
    • docs: ip-sysctl.txt: fix name of some ipv6 variables · ab913455
      Olivier Gayot committed
      The names of the following proc/sysctl entries were incorrectly
      documented:
      
          /proc/sys/net/ipv6/conf/<interface>/max_dst_opts_number
          /proc/sys/net/ipv6/conf/<interface>/max_hbt_opts_number
          /proc/sys/net/ipv6/conf/<interface>/max_dst_opts_length
          /proc/sys/net/ipv6/conf/<interface>/max_hbt_length
      
      Their names were set to the name of the symbol in the .data field of the
      control table instead of their .proc name.
      Signed-off-by: Olivier Gayot <olivier.gayot@sigexec.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vmxnet3: fix incorrect dereference when rxvlan is disabled · 65ec0bd1
      Ronak Doshi committed
      vmxnet3_get_hdr_len() is used to calculate the header length which in
      turn is used to calculate the gso_size for skb. When rxvlan offload is
      disabled, vlan tag is present in the header and the function references
      ip header from sizeof(ethhdr) and leads to incorrect pointer reference.
      
      This patch fixes this issue by taking sizeof(vlan_ethhdr) into account
      if vlan tag is present and correctly references the ip hdr.
      Signed-off-by: Ronak Doshi <doshir@vmware.com>
      Acked-by: Guolin Yang <gyang@vmware.com>
      Acked-by: Louis Luo <llouis@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • llc: hold llc_sap before release_sock() · f7e43672
      Cong Wang committed
      syzbot reported we still access llc->sap in llc_backlog_rcv()
      after it is freed in llc_sap_remove_socket():
      
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
       llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
       llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
       llc_conn_service net/llc/llc_conn.c:400 [inline]
       llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
       llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
       sk_backlog_rcv include/net/sock.h:909 [inline]
       __release_sock+0x12f/0x3a0 net/core/sock.c:2335
       release_sock+0xa4/0x2b0 net/core/sock.c:2850
       llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
      
      llc->sap is refcount'ed and llc_sap_remove_socket() is paired
      with llc_sap_add_socket(). This can be amended by holding its refcount
      before llc_sap_remove_socket() and releasing it after release_sock().
      
      Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: Direct networking documentation changes to netdev · 02b94fc7
      Jonathan Corbet committed
      Networking docs changes go through the networking tree, so patch the
      MAINTAINERS file to direct authors to the right place.
      Signed-off-by: Jonathan Corbet <corbet@lwn.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit" · f3335545
      Colin Ian King committed
      Trivial fix to spelling mistake in message text.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qmi_wwan: add Wistron Neweb D19Q1 · 4ec7eb3f
      Pawel Dembicki committed
      This modem is embedded in the dlink dwr-960 router.
      The oem configuration states:
      
      T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
      D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
      P: Vendor=1435 ProdID=d191 Rev=ff.ff
      S: Manufacturer=Android
      S: Product=Android
      S: SerialNumber=0123456789ABCDEF
      C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
      E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
      E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
      
      Tested on the OpenWrt distribution.
      Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN" · 5e84b38b
      Colin Ian King committed
      Trivial fix to spelling mistake
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: stmmac: Disable ACS Feature for GMAC >= 4 · 565020aa
      Jose Abreu committed
      ACS Feature is currently enabled for GMAC >= 4 but the llc_snap status
      is never checked in descriptor rx_status callback. This will cause
      stmmac to always strip packets even though the ACS feature is already
      stripping them.
      
      Let's be safe and disable the ACS feature for GMAC >= 4 and always strip
      the packets for this GMAC version.
      
      Fixes: 477286b5 ("stmmac: add GMAC4 core support")
      Signed-off-by: Jose Abreu <joabreu@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mvpp2: Fix DMA address mask size · da42bb27
      Maxime Chevallier committed
      PPv2 TX/RX descriptors use 40-bit DMA addresses, but 41-bit masks were
      used (GENMASK_ULL(40, 0)).
      
      This commit fixes that by using the correct mask.
      
      Fixes: e7c5359f ("net: mvpp2: introduce PPv2.2 HW descriptors and adapt accessors")
      Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: change the comment of dev_mc_init · bb9aaaa1
      sunlianwen committed
      The comment of dev_mc_init() is wrong: it uses dev_mc_flush
      instead of dev_mc_init.
      
      Signed-off-by: Lianwen Sun <sunlw.fnst@cn.fujitsu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 19 Apr 2018, 4 commits
    • net: qualcomm: rmnet: Fix warning seen with fill_info · 64e86fec
      Subash Abhinov Kasiviswanathan committed
      When the last rmnet device attached to a real device is removed, the
      real device is unregistered from rmnet. As a result, the real device
      lookup fails resulting in a warning when the fill_info handler is
      called as part of the rmnet device unregistration.
      
      Fix this by returning the rmnet flags as 0 when no real device is
      present.
      
      WARNING: CPU: 0 PID: 1779 at net/core/rtnetlink.c:3254
      rtmsg_ifinfo_build_skb+0xca/0x10d
      Modules linked in:
      CPU: 0 PID: 1779 Comm: ip Not tainted 4.16.0-11872-g7ce23672 #1
      Stack:
       7fe655f0 60371ea3 00000000 00000000
       60282bc6 6006b116 7fe65600 60371ee8
       7fe65660 6003a68c 00000000 900000000
      Call Trace:
       [<6006b116>] ? printk+0x0/0x94
       [<6001f375>] show_stack+0xfe/0x158
       [<60371ea3>] ? dump_stack_print_info+0xe8/0xf1
       [<60282bc6>] ? rtmsg_ifinfo_build_skb+0xca/0x10d
       [<6006b116>] ? printk+0x0/0x94
       [<60371ee8>] dump_stack+0x2a/0x2c
       [<6003a68c>] __warn+0x10e/0x13e
       [<6003a82c>] warn_slowpath_null+0x48/0x4f
       [<60282bc6>] rtmsg_ifinfo_build_skb+0xca/0x10d
       [<60282c4d>] rtmsg_ifinfo_event.part.37+0x1e/0x43
       [<60282c2f>] ? rtmsg_ifinfo_event.part.37+0x0/0x43
       [<60282d03>] rtmsg_ifinfo+0x24/0x28
       [<60264e86>] dev_close_many+0xba/0x119
       [<60282cdf>] ? rtmsg_ifinfo+0x0/0x28
       [<6027c225>] ? rtnl_is_locked+0x0/0x1c
       [<6026ca67>] rollback_registered_many+0x1ae/0x4ae
       [<600314be>] ? unblock_signals+0x0/0xae
       [<6026cdc0>] ? unregister_netdevice_queue+0x19/0xec
       [<6026ceec>] unregister_netdevice_many+0x21/0xa1
       [<6027c765>] rtnl_delete_link+0x3e/0x4e
       [<60280ecb>] rtnl_dellink+0x262/0x29c
       [<6027c241>] ? rtnl_get_link+0x0/0x3e
       [<6027f867>] rtnetlink_rcv_msg+0x235/0x274
      
      Fixes: be81a85f ("net: qualcomm: rmnet: Implement fill_info")
      Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tun: fix vlan packet truncation · 81c89507
      Bjørn Mork committed
      Bogus trimming in tun_net_xmit() causes truncated vlan packets.
      
      skb->len is correct whether or not skb_vlan_tag_present() is true. There
      is no more reason to adjust the skb length on xmit in this driver than
      any other driver. tun_put_user() adds 4 bytes to the total for tagged
      packets because it transmits the tag inline to userspace.  This is
      similar to a nic transmitting the tag inline on the wire.
      
      Reproducing the bug by sending any tagged packet through back-to-back
      connected tap interfaces:
      
       socat TUN,tun-type=tap,iff-up,tun-name=in TUN,tun-type=tap,iff-up,tun-name=out &
       ip link add link in name in.20 type vlan id 20
       ip addr add 10.9.9.9/24 dev in.20
       ip link set in.20 up
       tshark -nxxi in -f arp -c1 2>/dev/null &
       tshark -nxxi out -f arp -c1 2>/dev/null &
       ping -c 1 10.9.9.5 >/dev/null 2>&1
      
      The output from the 'in' and 'out' interfaces is different when the
      bug is present:
      
       Capturing on 'in'
       0000  ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14   ......v.v7......
       0010  08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a   ..........v.v7..
       0020  0a 09 09 09 00 00 00 00 00 00 0a 09 09 05         ..............
      
       Capturing on 'out'
       0000  ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14   ......v.v7......
       0010  08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a   ..........v.v7..
       0020  0a 09 09 09 00 00 00 00 00 00                     ..........
      
      Fixes: aff3d70a ("tun: allow to attach ebpf socket filter")
      Cc: Jason Wang <jasowang@redhat.com>
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Acked-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix infinite loop when dumping link monitor summary · 36a50a98
      Tung Nguyen committed
      When configuring the number of used bearers to MAX_BEARER and issuing
      command "tipc link monitor summary", the command enters infinite loop
      in user space.
      
      This issue happens because function tipc_nl_node_dump_monitor() returns
      the wrong 'prev_bearer' value when all potential monitors have been
      scanned.
      
      The correct behavior is to always try to scan all monitors until either
      the netlink message is full, in which case we return the bearer identity
      of the affected monitor, or we continue through the whole bearer array
      until we can return MAX_BEARERS. This solution also caters for the case
      where there may be gaps in the bearer array.
      Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix use-after-free in tipc_nametbl_stop · be47e41d
      Jon Maloy committed
      When we delete a service item in tipc_nametbl_stop() we loop over
      all service ranges in the service's RB tree, and for each service
      range we loop over its pertaining publications while calling
      tipc_service_remove_publ() for each of them.
      
      However, tipc_service_remove_publ() has the side effect that it also
      removes the comprising service range item when there are no publications
      left. This leads to a "use-after-free" access when the inner loop
      continues to the next iteration, since the range item holding the list
      we are looping no longer exists.
      
      We fix this by moving the delete of the service range item outside
      the said function. Instead, we now let the two functions calling it
      test if the list is empty and perform the removal when that is the
      case.
      
      Reported-by: syzbot+d64b64afc55660106556@syzkaller.appspotmail.com
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 18 Apr 2018, 3 commits
    • KEYS: DNS: limit the length of option strings · 9c438d7a
      Eric Biggers committed
      Adding a dns_resolver key whose payload contains a very long option name
      resulted in that string being printed in full.  This hit the WARN_ONCE()
      in set_precision() during the printk(), because printk() only supports a
      precision of up to 32767 bytes:
      
          precision 1000000 too large
          WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0
      
      Fix it by limiting option strings (combined name + value) to a much more
      reasonable 128 bytes.  The exact limit is arbitrary, but currently the
      only recognized option is formatted as "dnserror=%lu" which fits well
      within this limit.
      
      Also ratelimit the printks.
      
      Reproducer:
      
          perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s
      
      This bug was found using syzkaller.
      Reported-by: Mark Rutland <mark.rutland@arm.com>
      Fixes: 4a2d7892 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfc: check RSS is active for filter insert · 89bda97b
      Bert Kenward committed
      For some firmware variants - specifically 'capture packed stream' - RSS
      filters are not valid. We must check if RSS is actually active rather
      than merely enabled.
      
      Fixes: 42356d9a ("sfc: support RSS spreading of ethtool ntuple filters")
      Signed-off-by: Bert Kenward <bkenward@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi · 7ce23672
      Toshiaki Makita committed
      Syzkaller spotted an old bug which leads to reading skb beyond tail by 4
      bytes on vlan tagged packets.
      This is because skb_vlan_tagged_multi() did not check
      skb_headlen.
      
      BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
      BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
      BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
      BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
      BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
      CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x185/0x1d0 lib/dump_stack.c:53
        kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
        __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
        eth_type_vlan include/linux/if_vlan.h:283 [inline]
        skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
        vlan_features_check include/linux/if_vlan.h:672 [inline]
        dflt_features_check net/core/dev.c:2949 [inline]
        netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
        validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
        __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
        dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
        packet_snd net/packet/af_packet.c:2944 [inline]
        packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg net/socket.c:640 [inline]
        sock_write_iter+0x3b9/0x470 net/socket.c:909
        do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
        do_iter_write+0x30d/0xd40 fs/read_write.c:932
        vfs_writev fs/read_write.c:977 [inline]
        do_writev+0x3c9/0x830 fs/read_write.c:1012
        SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
        SyS_writev+0x56/0x80 fs/read_write.c:1082
        do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x43ffa9
      RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
      RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003
      RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
      R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
        kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
        kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
        kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
        kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
        slab_post_alloc_hook mm/slab.h:445 [inline]
        slab_alloc_node mm/slub.c:2737 [inline]
        __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
        __kmalloc_reserve net/core/skbuff.c:138 [inline]
        __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
        alloc_skb include/linux/skbuff.h:984 [inline]
        alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
        sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
        packet_alloc_skb net/packet/af_packet.c:2803 [inline]
        packet_snd net/packet/af_packet.c:2894 [inline]
        packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg net/socket.c:640 [inline]
        sock_write_iter+0x3b9/0x470 net/socket.c:909
        do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
        do_iter_write+0x30d/0xd40 fs/read_write.c:932
        vfs_writev fs/read_write.c:977 [inline]
        do_writev+0x3c9/0x830 fs/read_write.c:1012
        SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
        SyS_writev+0x56/0x80 fs/read_write.c:1082
        do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: 58e998c6 ("offloading: Force software GSO for multiple vlan tags.")
      Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com
      Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 17 Apr 2018, 7 commits
  5. 16 Apr 2018, 7 commits
    • net: af_packet: fix race in PACKET_{R|T}X_RING · 5171b37d
      Eric Dumazet committed
      In order to remove the race caught by syzbot [1], we need
      to lock the socket before using po->tp_version as this could
      change under us otherwise.
      
      This means lock_sock() and release_sock() must be done by
      packet_set_ring() callers.
      
      [1] :
      BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
      CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
       packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
       SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
       SyS_setsockopt+0x76/0xa0 net/socket.c:1828
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x449099
      RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
      RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
      RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
      R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001
      
      Local variable description: ----req_u@packet_setsockopt
      Variable was created at:
       packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
       SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ibmvnic: Clear pending interrupt after device reset · f23e0643
      Thomas Falcon committed
      Due to a firmware bug, the hypervisor can send an interrupt to a
      transmit or receive queue just prior to a partition migration, not
      allowing the device enough time to handle it and send an EOI. When
      the partition migrates, the interrupt is lost but an "EOI-pending"
      flag for the interrupt line is still set in firmware. No further
      interrupts will be sent until that flag is cleared, effectively
      freezing that queue. To workaround this, the driver will disable the
      hardware interrupt and send an H_EOI signal prior to re-enabling it.
      This will flush the pending EOI and allow the driver to continue
      operation.
      Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: clear tp->packets_out when purging write queue · bffd168c
      Soheil Hassas Yeganeh committed
      Clear tp->packets_out when purging the write queue, otherwise
      tcp_rearm_rto() mistakenly assumes TCP write queue is not empty.
      This results in NULL pointer dereference.
      
      Also, remove the redundant `tp->packets_out = 0` from
      tcp_disconnect(), since tcp_disconnect() calls
      tcp_write_queue_purge().
      
      Fixes: a27fd7a8 (tcp: purge write queue upon RST)
      Reported-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
      Tested-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
      Acked-by: Yuchung Cheng <ycheng@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • team: avoid adding twice the same option to the event list · 4fb0534f
      Paolo Abeni committed
      When parsing the options provided by the user space,
      team_nl_cmd_options_set() inserts them in a temporary list to send
      multiple events with a single message.
      While each option's attribute is correctly validated, the code does
      not check for duplicate entries before inserting into the event
      list.
      
      Exploiting the above, syzbot was able to trigger the following
      splat:
      
      kernel BUG at lib/list_debug.c:31!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
      RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286
      RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000
      RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f
      RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90
      R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90
      R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000
      FS:  0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        __list_add include/linux/list.h:60 [inline]
        list_add include/linux/list.h:79 [inline]
        team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
        genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
        genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
        netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
        genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
        netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
        netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
        netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
        sock_sendmsg_nosec net/socket.c:629 [inline]
        sock_sendmsg+0xd5/0x120 net/socket.c:639
        ___sys_sendmsg+0x805/0x940 net/socket.c:2117
        __sys_sendmsg+0x115/0x270 net/socket.c:2155
        SYSC_sendmsg net/socket.c:2164 [inline]
        SyS_sendmsg+0x29/0x30 net/socket.c:2162
        do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x4458b9
      RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9
      RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004
      RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348
      R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000
      Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48
      89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f
      40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
      RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248
      
      This changeset addresses the issue by avoiding list_add() if the current
      option is already present in the event list.
      
      Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Fixes: 2fcdb2c9 ("team: allow to send multiple set events in one message")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mvpp2: Fix TCAM filter reserved range · 982e0500
      Maxime Chevallier committed
      Marvell's PPv2 controller has a Packet Header parser, which uses a
      fixed-size TCAM array of filter entries.
      
      The mvpp2 driver reserves some ranges among the 256 TCAM entries to
      perform MAC and VID filtering. The rest of the TCAM ids are freely usable
      for other features, such as IPv4 proto matching.
      
      This commit fixes the MVPP2_PE_LAST_FREE_TID define that sets the end of
      the "free range", which included the MAC range. This could therefore allow
      some other features to use entries dedicated to MAC filtering,
      lowering the number of unicast/multicast addresses that could be allowed
      before switching to promiscuous mode.
      
      Fixes: 10fea26c ("net: mvpp2: Add support for unicast filtering")
      Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Revert "macsec: missing dev_put() on error in macsec_newlink()" · bd28899d
      Dan Carpenter committed
      This patch is just wrong, sorry.  I was trying to fix a static checker
      warning and misread the code.  The reference taken in macsec_newlink()
      is released in macsec_free_netdev() when the netdevice is destroyed.
      
      This reverts commit 5dcd8400.
      Reported-by: Laura Abbott <labbott@redhat.com>
      Fixes: 5dcd8400 ("macsec: missing dev_put() on error in macsec_newlink()")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • filter.txt: update 'tools/net/' to 'tools/bpf/' · c246fd33
      Wang Sheng-Hui committed
      The tools are located at tools/bpf/ instead of tools/net/.
      Update the filter.txt doc.
      Signed-off-by: Wang Sheng-Hui <shhuiw@foxmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 15 Apr 2018, 4 commits
    • Merge branch 'sfc-ARFS-fixes' · d6606bcc
      David S. Miller committed
      Edward Cree says:
      
      ====================
      sfc: ARFS fixes
      
      Three issues introduced by my recent asynchronous filter handling changes:
      1. The old filter_rfs_insert would replace a matching filter of equal
         priority; we need to pass the appropriate argument to filter_insert to
         make it do the same.
      2. We're lying to the kernel with our return value from ndo_rx_flow_steer,
         so we need to lie consistently when calling rps_may_expire_flow.  This
         is only a partial fix, as the lie still prevents us from steering
         multiple flows with the same ID to different queues; a proper fix that
         stops us lying at all will hopefully follow later.
      3. It's possible to cause the kernel to hammer ndo_rx_flow_steer very
         hard, so make sure we don't build up too huge a backlog of workitems.
      
      Possibly it would be better to fix #3 on the kernel side; I have a patch
       which I think does that but it's not a regression in 4.17 so isn't 'net'
       material.
      There's also the issue that we come up in the bad configuration that
       triggers #3 by default, but that too is a problem for another time.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfc: limit ARFS workitems in flight per channel · f993740e
      Edward Cree committed
      A misconfigured system (e.g. with all interrupts affinitised to all CPUs)
       may produce a storm of ARFS steering events.  With the existing sfc ARFS
       implementation, that could create a backlog of workitems that grinds the
       system to a halt.  To prevent this, limit the number of workitems that
       may be in flight for a given SFC device to 8 (EFX_RPS_MAX_IN_FLIGHT), and
       return EBUSY from our ndo_rx_flow_steer method if the limit is reached.
      Given this limit, also store the workitems in an array of slots within the
       struct efx_nic, rather than dynamically allocating for each request.
      The limit should not negatively impact performance, because it is only
       likely to be hit in cases where ARFS will be ineffective anyway.
      Signed-off-by: Edward Cree <ecree@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfc: pass the correctly bogus filter_id to rps_may_expire_flow() · a7f80189
      Edward Cree committed
      When we inserted an ARFS filter for ndo_rx_flow_steer(), we didn't know
       what the filter ID would be, so we just returned 0.  Thus, we must also
       pass 0 as the filter ID when calling rps_may_expire_flow() for it, and
       rely on the flow_id to identify what we're talking about.
      
      Fixes: 3af0f342 ("sfc: replace asynchronous filter operations")
      Signed-off-by: Edward Cree <ecree@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfc: insert ARFS filters with replace_equal=true · 494bef4c
      Edward Cree committed
      Necessary to allow redirecting a flow when the application moves.
      
      Fixes: 3af0f342 ("sfc: replace asynchronous filter operations")
      Signed-off-by: Edward Cree <ecree@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 14 Apr 2018, 4 commits