1. 01 7月, 2020 3 次提交
  2. 30 6月, 2020 2 次提交
    • C
      genetlink: get rid of family->attrbuf · bf64ff4c
      Cong Wang 提交于
      genl_family_rcv_msg_attrs_parse() reuses the global family->attrbuf
      when family->parallel_ops is false. However, family->attrbuf is not
      protected by any lock on the genl_family_rcv_msg_doit() code path.
      
      This leads to several different consequences, one of them is UAF,
      like the following:
      
      genl_family_rcv_msg_doit():		genl_start():
      					  genl_family_rcv_msg_attrs_parse()
      					    attrbuf = family->attrbuf
      					    __nlmsg_parse(attrbuf);
        genl_family_rcv_msg_attrs_parse()
          attrbuf = family->attrbuf
          __nlmsg_parse(attrbuf);
      					  info->attrs = attrs;
      					  cb->data = info;
      
      netlink_unicast_kernel():
       consume_skb()
      					genl_lock_dumpit():
      					  genl_dumpit_info(cb)->attrs
      
      Note family->attrbuf is an array of pointers to the skb data, once
      the skb is freed, any dereference of family->attrbuf will be a UAF.
      
      Maybe we could serialize the family->attrbuf with genl_mutex too, but
      that would make the locking more complicated. Instead, we can just get
      rid of family->attrbuf and always allocate attrbuf from heap like the
      family->parallel_ops==true code path. This may add some performance
      overhead but comparing with taking the global genl_mutex, it still
      looks better.
      
      Fixes: 75cdbdd0 ("net: ieee802154: have genetlink code to parse the attrs during dumpit")
      Fixes: 057af707 ("net: tipc: have genetlink code to parse the attrs during dumpit")
      Reported-and-tested-by: syzbot+3039ddf6d7b13daf3787@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+80cad1e3cb4c41cde6ff@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+736bcbcb11b60d0c0792@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+520f8704db2b68091d44@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+c96e4dfb32f8987fdeed@syzkaller.appspotmail.com
      Cc: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bf64ff4c
    • D
      Merge tag 'mac80211-for-net-2020-06-29' of... · 33c568ba
      David S. Miller 提交于
      Merge tag 'mac80211-for-net-2020-06-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Couple of fixes/small things:
       * TX control port status check fixed to not assume frame format
       * mesh control port fixes
       * error handling/leak fixes when starting AP, with HE attributes
       * fix broadcast packet handling with encapsulation offload
       * add new AKM suites
       * and a small code cleanup
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      33c568ba
  3. 29 6月, 2020 5 次提交
    • E
      llc: make sure applications use ARPHRD_ETHER · a9b11101
      Eric Dumazet 提交于
      syzbot was to trigger a bug by tricking AF_LLC with
      non sensible addr->sllc_arphrd
      
      It seems clear LLC requires an Ethernet device.
      
      Back in commit abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Octavian Purdila added possibility for application to use a zero
      value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause
      regressions on existing applications.
      
      BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline]
      BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline]
      BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline]
      BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline]
      BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline]
      BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813
      Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27
      
      CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       __read_once_size include/linux/compiler.h:199 [inline]
       list_empty include/linux/list.h:268 [inline]
       waitqueue_active include/linux/wait.h:126 [inline]
       wq_has_sleeper include/linux/wait.h:160 [inline]
       skwq_has_sleeper include/net/sock.h:2092 [inline]
       sock_def_write_space+0x642/0x670 net/core/sock.c:2813
       sock_wfree+0x1e1/0x260 net/core/sock.c:1958
       skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652
       skb_release_all+0x16/0x60 net/core/skbuff.c:663
       __kfree_skb net/core/skbuff.c:679 [inline]
       consume_skb net/core/skbuff.c:838 [inline]
       consume_skb+0xfb/0x410 net/core/skbuff.c:832
       __dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967
       dev_kfree_skb_any include/linux/netdevice.h:3650 [inline]
       e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963
       e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline]
       e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796
       napi_poll net/core/dev.c:6532 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6600
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:603 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
       smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 8247:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
       slab_post_alloc_hook mm/slab.h:584 [inline]
       slab_alloc mm/slab.c:3320 [inline]
       kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
       sock_alloc_inode+0x1c/0x1d0 net/socket.c:240
       alloc_inode+0x68/0x1e0 fs/inode.c:230
       new_inode_pseudo+0x19/0xf0 fs/inode.c:919
       sock_alloc+0x41/0x270 net/socket.c:560
       __sock_create+0xc2/0x730 net/socket.c:1384
       sock_create net/socket.c:1471 [inline]
       __sys_socket+0x103/0x220 net/socket.c:1513
       __do_sys_socket net/socket.c:1522 [inline]
       __se_sys_socket net/socket.c:1520 [inline]
       __ia32_sys_socket+0x73/0xb0 net/socket.c:1520
       do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
       do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      
      Freed by task 17:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kmem_cache_free+0x86/0x320 mm/slab.c:3694
       sock_free_inode+0x20/0x30 net/socket.c:261
       i_callback+0x44/0x80 fs/inode.c:219
       __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
       rcu_do_batch kernel/rcu/tree.c:2183 [inline]
       rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408
       rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417
       __do_softirq+0x262/0x98c kernel/softirq.c:292
      
      The buggy address belongs to the object at ffff88801e0b4000
       which belongs to the cache sock_inode_cache of size 1152
      The buggy address is located 120 bytes inside of
       1152-byte region [ffff88801e0b4000, ffff88801e0b4480)
      The buggy address belongs to the page:
      page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd
      raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40
      raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                      ^
       ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a9b11101
    • C
      net: explain the lockdep annotations for dev_uc_unsync() · e8280338
      Cong Wang 提交于
      The lockdep annotations for dev_uc_unsync() and dev_mc_unsync()
      are not easy to understand, so add some comments to explain
      why they are correct.
      
      Similar for the rest netif_addr_lock_bh() cases, they don't
      need nested version.
      
      Cc: Taehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e8280338
    • C
      net: get rid of lockdep_set_class_and_subclass() · be74294f
      Cong Wang 提交于
      lockdep_set_class_and_subclass() is meant to reduce
      the _nested() annotations by assigning a default subclass.
      For addr_list_lock, we have to compute the subclass at
      run-time as the netdevice topology changes after creation.
      
      So, we should just get rid of these
      lockdep_set_class_and_subclass() and stick with our _nested()
      annotations.
      
      Fixes: 845e0ebb ("net: change addr_list_lock back to static key")
      Suggested-by: NTaehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      be74294f
    • V
      lib: packing: add documentation for pbuflen argument · 7dea927f
      Vladimir Oltean 提交于
      Fixes sparse warning:
      
      Function parameter or member 'pbuflen' not described in 'packing'
      
      Fixes: 554aae35 ("lib: Add support for generic packing operations")
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7dea927f
    • H
      bridge: mrp: Fix endian conversion and some other warnings · 9b14d1f8
      Horatiu Vultur 提交于
      The following sparse warnings are fixed:
      net/bridge/br_mrp.c:106:18: warning: incorrect type in assignment (different base types)
      net/bridge/br_mrp.c:106:18:    expected unsigned short [usertype]
      net/bridge/br_mrp.c:106:18:    got restricted __be16 [usertype]
      net/bridge/br_mrp.c:281:23: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:281:23:    expected struct list_head *entry
      net/bridge/br_mrp.c:281:23:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:332:28: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:332:28:    expected struct list_head *new
      net/bridge/br_mrp.c:332:28:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:332:40: warning: incorrect type in argument 2 (different modifiers)
      net/bridge/br_mrp.c:332:40:    expected struct list_head *head
      net/bridge/br_mrp.c:332:40:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:682:29: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:682:29:    expected struct list_head const *head
      net/bridge/br_mrp.c:682:29:    got struct list_head [noderef] *
      Reported-by: Nkernel test robot <lkp@intel.com>
      Fixes: 2f1a11ae ("bridge: mrp: Add MRP interface.")
      Fixes: 4b8d7d4c ("bridge: mrp: Extend bridge interface")
      Fixes: 9a9f26e8 ("bridge: mrp: Connect MRP API with the switchdev API")
      Signed-off-by: NHoratiu Vultur <horatiu.vultur@microchip.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9b14d1f8
  4. 28 6月, 2020 1 次提交
  5. 27 6月, 2020 2 次提交
  6. 26 6月, 2020 27 次提交
    • L
      nl80211: fix memory leak when parsing NL80211_ATTR_HE_BSS_COLOR · 60a0121f
      Luca Coelho 提交于
      If there is an error when parsing the NL80211_ATTR_HE_BSS_COLOR
      attribute, we return immediately without freeing param.acl.  Fit it by
      using goto out instead of returning immediately.
      
      Fixes: 5c5e52d1 ("nl80211: add handling for BSS color")
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/iwlwifi.20200626124931.7ad2a3eb894f.I60905fb70bd20389a3b170db515a07275e31845e@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      60a0121f
    • L
      nl80211: don't return err unconditionally in nl80211_start_ap() · bc7a39b4
      Luca Coelho 提交于
      When a memory leak was fixed, a return err was changed to goto err,
      but, accidentally, the if (err) was removed, so now we always exit at
      this point.
      
      Fix it by adding if (err) back.
      
      Fixes: 9951ebfc ("nl80211: fix potential leak in AP start")
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      bc7a39b4
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 4a21185c
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Don't insert ESP trailer twice in IPSEC code, from Huy Nguyen.
      
       2) The default crypto algorithm selection in Kconfig for IPSEC is out
          of touch with modern reality, fix this up. From Eric Biggers.
      
       3) bpftool is missing an entry for BPF_MAP_TYPE_RINGBUF, from Andrii
          Nakryiko.
      
       4) Missing init of ->frame_sz in xdp_convert_zc_to_xdp_frame(), from
          Hangbin Liu.
      
       5) Adjust packet alignment handling in ax88179_178a driver to match
          what the hardware actually does. From Jeremy Kerr.
      
       6) register_netdevice can leak in the case one of the notifiers fail,
          from Yang Yingliang.
      
       7) Use after free in ip_tunnel_lookup(), from Taehee Yoo.
      
       8) VLAN checks in sja1105 DSA driver need adjustments, from Vladimir
          Oltean.
      
       9) tg3 driver can sleep forever when we get enough EEH errors, fix from
          David Christensen.
      
      10) Missing {READ,WRITE}_ONCE() annotations in various Intel ethernet
          drivers, from Ciara Loftus.
      
      11) Fix scanning loop break condition in of_mdiobus_register(), from
          Florian Fainelli.
      
      12) MTU limit is incorrect in ibmveth driver, from Thomas Falcon.
      
      13) Endianness fix in mlxsw, from Ido Schimmel.
      
      14) Use after free in smsc95xx usbnet driver, from Tuomas Tynkkynen.
      
      15) Missing bridge mrp configuration validation, from Horatiu Vultur.
      
      16) Fix circular netns references in wireguard, from Jason A. Donenfeld.
      
      17) PTP initialization on recovery is not done properly in qed driver,
          from Alexander Lobakin.
      
      18) Endian conversion of L4 ports in filters of cxgb4 driver is wrong,
          from Rahul Lakkireddy.
      
      19) Don't clear bound device TX queue of socket prematurely otherwise we
          get problems with ktls hw offloading, from Tariq Toukan.
      
      20) ipset can do atomics on unaligned memory, fix from Russell King.
      
      21) Align ethernet addresses properly in bridging code, from Thomas
          Martitz.
      
      22) Don't advertise ipv4 addresses on SCTP sockets having ipv6only set,
          from Marcelo Ricardo Leitner.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (149 commits)
        rds: transport module should be auto loaded when transport is set
        sch_cake: fix a few style nits
        sch_cake: don't call diffserv parsing code when it is not needed
        sch_cake: don't try to reallocate or unshare skb unconditionally
        ethtool: fix error handling in linkstate_prepare_data()
        wil6210: account for napi_gro_receive never returning GRO_DROP
        hns: do not cast return value of napi_gro_receive to null
        socionext: account for napi_gro_receive never returning GRO_DROP
        wireguard: receive: account for napi_gro_receive never returning GRO_DROP
        vxlan: fix last fdb index during dump of fdb with nhid
        sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
        tc-testing: avoid action cookies with odd length.
        bpf: tcp: bpf_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
        tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
        net: dsa: sja1105: fix tc-gate schedule with single element
        net: dsa: sja1105: recalculate gating subschedule after deleting tc-gate rules
        net: dsa: sja1105: unconditionally free old gating config
        net: dsa: sja1105: move sja1105_compose_gating_subschedule at the top
        net: macb: free resources on failure path of at91ether_open()
        net: macb: call pm_runtime_put_sync on failure path
        ...
      4a21185c
    • R
      rds: transport module should be auto loaded when transport is set · 4c342f77
      Rao Shoaib 提交于
      This enhancement auto loads transport module when the transport
      is set via SO_RDS_TRANSPORT socket option.
      Reviewed-by: NKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Reviewed-by: NHåkon Bugge <haakon.bugge@oracle.com>
      Signed-off-by: NRao Shoaib <rao.shoaib@oracle.com>
      Signed-off-by: NSomasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c342f77
    • D
      Merge branch 'sched-A-couple-of-fixes-for-sch_cake' · 6aeaf262
      David S. Miller 提交于
      Toke Høiland-Jørgensen says:
      
      ====================
      sched: A couple of fixes for sch_cake
      
      This series contains a couple of fixes for diffserv handling in sch_cake that
      provide a nice speedup (with a somewhat pedantic nit fix tacked on to the end).
      
      Not quite sure about whether this should go to stable; it does provide a nice
      speedup, but it's not strictly a fix in the "correctness" sense. I lean towards
      including this in stable as well, since our most important consumer of that
      (OpenWrt) is likely to backport the series anyway.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6aeaf262
    • T
      sch_cake: fix a few style nits · 3f608f0c
      Toke Høiland-Jørgensen 提交于
      I spotted a few nits when comparing the in-tree version of sch_cake with
      the out-of-tree one: A redundant error variable declaration shadowing an
      outer declaration, and an indentation alignment issue. Fix both of these.
      
      Fixes: 046f6fd5 ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
      Signed-off-by: NToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3f608f0c
    • T
      sch_cake: don't call diffserv parsing code when it is not needed · 8c95eca0
      Toke Høiland-Jørgensen 提交于
      As a further optimisation of the diffserv parsing codepath, we can skip it
      entirely if CAKE is configured to neither use diffserv-based
      classification, nor to zero out the diffserv bits.
      
      Fixes: c87b4ecd ("sch_cake: Make sure we can write the IP header before changing DSCP bits")
      Signed-off-by: NToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8c95eca0
    • I
      sch_cake: don't try to reallocate or unshare skb unconditionally · 9208d286
      Ilya Ponetayev 提交于
      cake_handle_diffserv() tries to linearize mac and network header parts of
      skb and to make it writable unconditionally. In some cases it leads to full
      skb reallocation, which reduces throughput and increases CPU load. Some
      measurements of IPv4 forward + NAPT on MIPS router with 580 MHz single-core
      CPU was conducted. It appears that on kernel 4.9 skb_try_make_writable()
      reallocates skb, if skb was allocated in ethernet driver via so-called
      'build skb' method from page cache (it was discovered by strange increase
      of kmalloc-2048 slab at first).
      
      Obtain DSCP value via read-only skb_header_pointer() call, and leave
      linearization only for DSCP bleaching or ECN CE setting. And, as an
      additional optimisation, skip diffserv parsing entirely if it is not needed
      by the current configuration.
      
      Fixes: c87b4ecd ("sch_cake: Make sure we can write the IP header before changing DSCP bits")
      Signed-off-by: NIlya Ponetayev <i.ponetaev@ndmsystems.com>
      [ fix a few style issues, reflow commit message ]
      Signed-off-by: NToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9208d286
    • M
      ethtool: fix error handling in linkstate_prepare_data() · 1ae71d99
      Michal Kubecek 提交于
      When getting SQI or maximum SQI value fails in linkstate_prepare_data(), we
      must not return without calling ethnl_ops_complete(dev) as that could
      result in imbalance between ethtool_ops ->begin() and ->complete() calls.
      
      Fixes: 80660219 ("ethtool: provide UAPI for PHY Signal Quality Index (SQI)")
      Signed-off-by: NMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ae71d99
    • L
      Merge tag 'trace-v5.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 42e9c85f
      Linus Torvalds 提交于
      Pull tracing fixes from Steven Rostedt:
       "Four small fixes:
      
         - Fix a ringbuffer bug for nested events having time go backwards
      
         - Fix a config dependency for boot time tracing to depend on
           synthetic events instead of histograms.
      
         - Fix trigger format parsing to handle multiple spaces
      
         - Fix bootconfig to handle failures in multiple events"
      
      * tag 'trace-v5.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing/boottime: Fix kprobe multiple events
        tracing: Fix event trigger to accept redundant spaces
        tracing/boot: Fix config dependency for synthedic event
        ring-buffer: Zero out time extend if it is nested and not absolute
      42e9c85f
    • D
      Merge branch 'napi_gro_receive-caller-return-value-cleanups' · 0e00c05f
      David S. Miller 提交于
      Jason A. Donenfeld says:
      
      ====================
      napi_gro_receive caller return value cleanups
      
      In 6570bc79 ("net: core: use listified Rx for GRO_NORMAL in
      napi_gro_receive()"), the GRO_NORMAL case stopped calling
      netif_receive_skb_internal, checking its return value, and returning
      GRO_DROP in case it failed. Instead, it calls into
      netif_receive_skb_list_internal (after a bit of indirection), which
      doesn't return any error. Therefore, napi_gro_receive will never return
      GRO_DROP, making handling GRO_DROP dead code.
      
      I emailed the author of 6570bc79 on netdev [1] to see if this change
      was intentional, but the dlink.ru email address has been disconnected,
      and looking a bit further myself, it seems somewhat infeasible to start
      propagating return values backwards from the internal machinations of
      netif_receive_skb_list_internal.
      
      Taking a look at all the callers of napi_gro_receive, it appears that
      three are checking the return value for the purpose of comparing it to
      the now never-happening GRO_DROP, and one just casts it to (void), a
      likely historical leftover. Every other of the 120 callers does not
      bother checking the return value.
      
      And it seems like these remaining 116 callers are doing the right thing:
      after calling napi_gro_receive, the packet is now in the hands of the
      upper layers of the newtworking, and the device driver itself has no
      business now making decisions based on what the upper layers choose to
      do. Incrementing stats counters on GRO_DROP seems like a mistake, made
      by these three drivers, but not by the remaining 117.
      
      It would seem, therefore, that after rectifying these four callers of
      napi_gro_receive, that I should go ahead and just remove returning the
      value from napi_gro_receive all together. However, napi_gro_receive has
      a function event tracer, and being able to introspect into the
      networking stack to see how often napi_gro_receive is returning whatever
      interesting GRO status (aside from _DROP) remains an interesting
      data point worth keeping for debugging.
      
      So, this series simply gets rid of the return value checking for the
      four useless places where that check never evaluates to anything
      meaningful.
      
      [1] https://lore.kernel.org/netdev/20200624210606.GA1362687@zx2c4.com/
      ====================
      Acked-by: NEdward Cree <ecree@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0e00c05f
    • J
      wil6210: account for napi_gro_receive never returning GRO_DROP · 045790b7
      Jason A. Donenfeld 提交于
      The napi_gro_receive function no longer returns GRO_DROP ever, making
      handling GRO_DROP dead code. This commit removes that dead code.
      Further, it's not even clear that device drivers have any business in
      taking action after passing off received packets; that's arguably out of
      their hands. In this case, too, the non-gro path didn't bother checking
      the return value. Plus, this had some clunky debugging functions that
      duplicated code from elsewhere and was generally pretty messy. So, this
      commit cleans that all up too.
      
      Fixes: 6570bc79 ("net: core: use listified Rx for GRO_NORMAL in napi_gro_receive()")
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      045790b7
    • J
      hns: do not cast return value of napi_gro_receive to null · 93ab48a9
      Jason A. Donenfeld 提交于
      Basically no drivers care about the return value here, and there's no
      __must_check that would make casting to void sensible, so remove it.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      93ab48a9
    • J
      socionext: account for napi_gro_receive never returning GRO_DROP · e5e7d805
      Jason A. Donenfeld 提交于
      The napi_gro_receive function no longer returns GRO_DROP ever, making
      handling GRO_DROP dead code. This commit removes that dead code.
      Further, it's not even clear that device drivers have any business in
      taking action after passing off received packets; that's arguably out of
      their hands.
      
      Fixes: 6570bc79 ("net: core: use listified Rx for GRO_NORMAL in napi_gro_receive()")
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e5e7d805
    • J
      wireguard: receive: account for napi_gro_receive never returning GRO_DROP · df08126e
      Jason A. Donenfeld 提交于
      The napi_gro_receive function no longer returns GRO_DROP ever, making
      handling GRO_DROP dead code. This commit removes that dead code.
      Further, it's not even clear that device drivers have any business in
      taking action after passing off received packets; that's arguably out of
      their hands.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Fixes: 6570bc79 ("net: core: use listified Rx for GRO_NORMAL in napi_gro_receive()")
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df08126e
    • R
      vxlan: fix last fdb index during dump of fdb with nhid · b18e9834
      Roopa Prabhu 提交于
      This patch fixes last saved fdb index in fdb dump handler when
      handling fdb's with nhid.
      
      Fixes: 1274e1cc ("vxlan: ecmp support for mac fdb entries")
      Signed-off-by: NRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b18e9834
    • M
      sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket · 471e39df
      Marcelo Ricardo Leitner 提交于
      If a socket is set ipv6only, it will still send IPv4 addresses in the
      INIT and INIT_ACK packets. This potentially misleads the peer into using
      them, which then would cause association termination.
      
      The fix is to not add IPv4 addresses to ipv6only sockets.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: NCorey Minyard <cminyard@mvista.com>
      Signed-off-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Tested-by: NCorey Minyard <cminyard@mvista.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      471e39df
    • B
      tc-testing: avoid action cookies with odd length. · b6186d41
      Briana Oursler 提交于
      Update odd length cookie hexstrings in csum.json, tunnel_key.json and
      bpf.json to be even length to comply with check enforced in commit
      0149dabf2a1b ("tc: m_actions: check cookie hexstring len") in iproute2.
      Signed-off-by: NBriana Oursler <briana.oursler@gmail.com>
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Reviewed-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6186d41
    • D
      Merge branch 'tcp_cubic-fix-spurious-HYSTART_DELAY-on-RTT-decrease' · 3b0e7dc0
      David S. Miller 提交于
      Neal Cardwell says:
      
      ====================
      tcp_cubic: fix spurious HYSTART_DELAY on RTT decrease
      
      This series fixes a long-standing bug in the TCP CUBIC
      HYSTART_DELAY mechanim recently reported by Mirja Kuehlewind. The
      code can cause a spurious exit of slow start in some particular
      cases: upon an RTT decrease that happens on the 9th or later ACK
      in a round trip. This series fixes the original Hystart code and
      also the recent BPF implementation.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3b0e7dc0
    • N
      bpf: tcp: bpf_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT · 7d21d54d
      Neal Cardwell 提交于
      Apply the fix from:
       "tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT"
      to the BPF implementation of TCP CUBIC congestion control.
      
      Repeating the commit description here for completeness:
      
      Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
      Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
      ACK when the minimum rtt of a connection goes down. From inspection it
      is clear from the existing code that this could happen in an example
      like the following:
      
      o The first 8 RTT samples in a round trip are 150ms, resulting in a
        curr_rtt of 150ms and a delay_min of 150ms.
      
      o The 9th RTT sample is 100ms. The curr_rtt does not change after the
        first 8 samples, so curr_rtt remains 150ms. But delay_min can be
        lowered at any time, so delay_min falls to 100ms. The code executes
        the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
        of 100ms, and the curr_rtt is declared far enough above delay_min to
        force a (spurious) exit of Slow start.
      
      The fix here is simple: allow every RTT sample in a round trip to
      lower the curr_rtt.
      
      Fixes: 6de4a9c4 ("bpf: tcp: Add bpf_cubic example")
      Reported-by: NMirja Kuehlewind <mirja.kuehlewind@ericsson.com>
      Signed-off-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7d21d54d
    • N
      tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT · b344579c
      Neal Cardwell 提交于
      Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
      Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
      ACK when the minimum rtt of a connection goes down. From inspection it
      is clear from the existing code that this could happen in an example
      like the following:
      
      o The first 8 RTT samples in a round trip are 150ms, resulting in a
        curr_rtt of 150ms and a delay_min of 150ms.
      
      o The 9th RTT sample is 100ms. The curr_rtt does not change after the
        first 8 samples, so curr_rtt remains 150ms. But delay_min can be
        lowered at any time, so delay_min falls to 100ms. The code executes
        the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
        of 100ms, and the curr_rtt is declared far enough above delay_min to
        force a (spurious) exit of Slow start.
      
      The fix here is simple: allow every RTT sample in a round trip to
      lower the curr_rtt.
      
      Fixes: ae27e98a ("[TCP] CUBIC v2.3")
      Reported-by: NMirja Kuehlewind <mirja.kuehlewind@ericsson.com>
      Signed-off-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b344579c
    • D
      Merge branch 'Fixes-for-SJA1105-DSA-tc-gate-action' · 29a30bac
      David S. Miller 提交于
      Vladimir Oltean says:
      
      ====================
      Fixes for SJA1105 DSA tc-gate action
      
      This small series fixes 2 bugs in the tc-gate implementation:
      1. The TAS state machine keeps getting rescheduled even after removing
         tc-gate actions on all ports.
      2. tc-gate actions with only one gate control list entry are installed
         to hardware with an incorrect interval of zero, which makes the
         switch erroneously drop those packets (since the configuration is
         invalid).
      
      To keep the code palatable, a forward-declaration was avoided by moving
      some code around in patch 1/4. I hope that isn't too much of an issue.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      29a30bac
    • V
      net: dsa: sja1105: fix tc-gate schedule with single element · 43ce887c
      Vladimir Oltean 提交于
      The sja1105_gating_cfg_time_to_interval function does this, as per the
      comments:
      
      /* The gate entries contain absolute times in their e->interval field. Convert
       * that to proper intervals (i.e. "0, 5, 10, 15" to "5, 5, 5, 5").
       */
      
      To perform that task, it iterates over gating_cfg->entries, at each step
      updating the interval of the _previous_ entry. So one interval remains
      to be updated at the end of the loop: the last one (since it isn't
      "prev" for anyone else).
      
      But there was an erroneous check, that the last element's interval
      should not be updated if it's also the only element. I'm not quite sure
      why that check was there, but it's clearly incorrect, as a tc-gate
      schedule with a single element would get an e->interval of zero,
      regardless of the duration requested by the user. The switch wouldn't
      even consider this configuration as valid: it will just drop all traffic
      that matches the rule.
      
      Fixes: 834f8933 ("net: dsa: sja1105: implement tc-gate using time-triggered virtual links")
      Reported-by: NXiaoliang Yang <xiaoliang.yang_1@nxp.com>
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43ce887c
    • V
      net: dsa: sja1105: recalculate gating subschedule after deleting tc-gate rules · 82f6896a
      Vladimir Oltean 提交于
      Currently, tas_data->enabled would remain true even after deleting all
      tc-gate rules from the switch ports, which would cause the
      sja1105_tas_state_machine to get unnecessarily scheduled.
      
      Also, if there were any errors which would prevent the hardware from
      enabling the gating schedule, the sja1105_tas_state_machine would
      continuously detect and print that, spamming the kernel log, even if the
      rules were subsequently deleted.
      
      The rules themselves are _not_ active, because sja1105_init_scheduling
      does enough of a job to not install the gating schedule in the static
      config. But the virtual link rules themselves are still present.
      
      So call the functions that remove the tc-gate configuration from
      priv->tas_data.gating_cfg, so that tas_data->enabled can be set to
      false, and sja1105_tas_state_machine will stop from being scheduled.
      
      Fixes: 834f8933 ("net: dsa: sja1105: implement tc-gate using time-triggered virtual links")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      82f6896a
    • V
      net: dsa: sja1105: unconditionally free old gating config · 026bdb2b
      Vladimir Oltean 提交于
      Currently sja1105_compose_gating_subschedule is not prepared to be
      called for the case where we want to recompute the global tc-gate
      configuration after we've deleted those actions on a port.
      
      After deleting the tc-gate actions on the last port, max_cycle_time
      would become zero, and that would incorrectly prevent
      sja1105_free_gating_config from getting called.
      
      So move the freeing function above the check for the need to apply a new
      configuration.
      
      Fixes: 834f8933 ("net: dsa: sja1105: implement tc-gate using time-triggered virtual links")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      026bdb2b
    • V
      net: dsa: sja1105: move sja1105_compose_gating_subschedule at the top · e39109f5
      Vladimir Oltean 提交于
      It turns out that sja1105_compose_gating_subschedule must also be called
      from sja1105_vl_delete, to recalculate the overall tc-gate
      configuration. Currently this is not possible without introducing a
      forward declaration. So move the function at the top of the file, along
      with its dependencies.
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e39109f5
    • C
      net: macb: free resources on failure path of at91ether_open() · 33fdef24
      Claudiu Beznea 提交于
      DMA buffers were not freed on failure path of at91ether_open().
      Along with changes for freeing the DMA buffers the enable/disable
      interrupt instructions were moved to at91ether_start()/at91ether_stop()
      functions and the operations on at91ether_stop() were done in
      their reverse order (compared with how is done in at91ether_start()):
      before this patch the operation order on interface open path
      was as follows:
      1/ alloc DMA buffers
      2/ enable tx, rx
      3/ enable interrupts
      and the order on interface close path was as follows:
      1/ disable tx, rx
      2/ disable interrupts
      3/ free dma buffers.
      
      Fixes: 7897b071 ("net: macb: convert to phylink")
      Signed-off-by: NClaudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      33fdef24