1. 10 2月, 2017 6 次提交
    • D
      Merge branch 'sierra_net-fixes' · 1b5805c2
      David S. Miller 提交于
      Stefan Brüns says:
      
      ====================
      Fixes for sierra_net driver
      
      When trying to initiate a dual-stack (ipv4v6) connection, a MC7710, FW
      version SWI9200X_03.05.24.00ap answers with an unsupported LSI. Add support
      for this LSI.
      Also the link_type should be ignored when going idle, otherwise the modem
      is stuck in a bad link state.
      Tested on MC7710, T-Mobile DE, APN internet.telekom, IPv4v6 PDP type. Both
      IPv4 and IPv6 connections work.
      
      v2: Do not overwrite protocol field in rx_fixup
      v3: Remove leftover struct ethhdr *eth declaration
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1b5805c2
    • S
      sierra_net: Skip validating irrelevant fields for IDLE LSIs · 764895d3
      Stefan Brüns 提交于
      When the context is deactivated, the link_type is set to 0xff, which
      triggers a warning message, and results in a wrong link status, as
      the LSI is ignored.
      Signed-off-by: NStefan Brüns <stefan.bruens@rwth-aachen.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      764895d3
    • S
      sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications · 5a70348e
      Stefan Brüns 提交于
      If a context is configured as dualstack ("IPv4v6"), the modem indicates
      the context activation with a slightly different indication message.
      The dual-stack indication omits the link_type (IPv4/v6) and adds
      additional address fields.
      IPv6 LSIs are identical to IPv4 LSIs, but have a different link type.
      Signed-off-by: NStefan Brüns <stefan.bruens@rwth-aachen.de>
      Reviewed-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a70348e
    • W
      kcm: fix 0-length case for kcm_sendmsg() · 98e3862c
      WANG Cong 提交于
      Dmitry reported a kernel warning:
      
       WARNING: CPU: 3 PID: 2936 at net/kcm/kcmsock.c:627
       kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
       CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0-rc6+ #209
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:15 [inline]
        dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
        panic+0x1fb/0x412 kernel/panic.c:179
        __warn+0x1c4/0x1e0 kernel/panic.c:539
        warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
        kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
        kcm_sendmsg+0x163a/0x2200 net/kcm/kcmsock.c:1029
        sock_sendmsg_nosec net/socket.c:635 [inline]
        sock_sendmsg+0xca/0x110 net/socket.c:645
        sock_write_iter+0x326/0x600 net/socket.c:848
        new_sync_write fs/read_write.c:499 [inline]
        __vfs_write+0x483/0x740 fs/read_write.c:512
        vfs_write+0x187/0x530 fs/read_write.c:560
        SYSC_write fs/read_write.c:607 [inline]
        SyS_write+0xfb/0x230 fs/read_write.c:599
        entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      when calling syscall(__NR_write, sock2, 0x208aaf27ul, 0x0ul) on a KCM
      seqpacket socket. It appears that kcm_sendmsg() does not handle len==0
      case correctly, which causes an empty skb is allocated and queued.
      Fix this by skipping the skb allocation for len==0 case.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Tom Herbert <tom@herbertland.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      98e3862c
    • V
      xen-netfront: Rework the fix for Rx stall during OOM and network stress · 538d9291
      Vineeth Remanan Pillai 提交于
      The commit 90c311b0 ("xen-netfront: Fix Rx stall during network
      stress and OOM") caused the refill timer to be triggerred almost on
      all invocations of xennet_alloc_rx_buffers for certain workloads.
      This reworks the fix by reverting to the old behaviour and taking into
      consideration the skb allocation failure. Refill timer is now triggered
      on insufficient requests or skb allocation failure.
      Signed-off-by: NVineeth Remanan Pillai <vineethp@amazon.com>
      Fixes: 90c311b0 (xen-netfront: Fix Rx stall during network stress and OOM)
      Reported-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Reviewed-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      538d9291
    • F
      net: phy: Fix PHY module checks and NULL deref in phy_attach_direct() · 6d9f66ac
      Florian Fainelli 提交于
      The Generic PHY drivers gets assigned after we checked that the current
      PHY driver is NULL, so we need to check a few things before we can
      safely dereference d->driver. This would be causing a NULL deference to
      occur when a system binds to the Generic PHY driver. Update
      phy_attach_direct() to do the following:
      
      - grab the driver module reference after we have assigned the Generic
        PHY drivers accordingly, and remember we came from the generic PHY
        path
      
      - update the error path to clean up the module reference in case the
        Generic PHY probe function fails
      
      - split the error path involving phy_detacht() to avoid double free/put
        since phy_detach() does all the clean up
      
      - finally, have phy_detach() drop the module reference count before we
        call device_release_driver() for the Generic PHY driver case
      
      Fixes: cafe8df8 ("net: phy: Fix lack of reference count on PHY driver")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6d9f66ac
  2. 09 2月, 2017 9 次提交
    • T
      net: thunderx: Fix PHY autoneg for SGMII QLM mode · 075ad765
      Thanneeru Srinivasulu 提交于
      This patch fixes the case where there is no phydev attached
      to a LMAC in DT due to non-existance of a PHY driver or due
      to usage of non-stanadard PHY which doesn't support autoneg.
      Changes dependeds on firmware to send correct info w.r.t
      PHY and autoneg capability.
      
      This patch also covers a case where a 10G/40G interface is used
      as a 1G with convertors with Cortina PHY in between.
      Signed-off-by: NThanneeru Srinivasulu <tsrinivasulu@cavium.com>
      Signed-off-by: NSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      075ad765
    • F
      net: dsa: Do not destroy invalid network devices · 382e1eea
      Florian Fainelli 提交于
      dsa_slave_create() can fail, and dsa_user_port_unapply() will properly check
      for the network device not being NULL before attempting to destroy it. We were
      not setting the slave network device as NULL if dsa_slave_create() failed, so
      we would later on be calling dsa_slave_destroy() on a now free'd and
      unitialized network device, causing crashes in dsa_slave_destroy().
      
      Fixes: 83c0afae ("net: dsa: Add new binding implementation")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      382e1eea
    • W
      ping: fix a null pointer dereference · 73d2c667
      WANG Cong 提交于
      Andrey reported a kernel crash:
      
        general protection fault: 0000 [#1] SMP KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        task: ffff880060048040 task.stack: ffff880069be8000
        RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
        RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
        RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
        RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
        RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
        RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
        R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
        R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
        FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
        Call Trace:
         inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
         sock_sendmsg_nosec net/socket.c:635 [inline]
         sock_sendmsg+0xca/0x110 net/socket.c:645
         SYSC_sendto+0x660/0x810 net/socket.c:1687
         SyS_sendto+0x40/0x50 net/socket.c:1655
         entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because we miss a check for NULL pointer for skb_peek() when
      the queue is empty. Other places already have the same check.
      
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      73d2c667
    • D
      Merge branch 'net-header-length-truncation' · 9538132a
      David S. Miller 提交于
      Willem de Bruijn says:
      
      ====================
      net: Fixes for header length truncation
      
      Packets should not enter the stack with truncated link layer headers
      and link layer headers should always be stored in the skb linear
      segment.
      
      Patch 1 ensures the first for PF_PACKET sockets
      Patch 2 ensures the second for PF_PACKET GSO sockets without tx_ring
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9538132a
    • W
      packet: round up linear to header len · 57031eb7
      Willem de Bruijn 提交于
      Link layer protocols may unconditionally pull headers, as Ethernet
      does in eth_type_trans. Ensure that the entire link layer header
      always lies in the skb linear segment. tpacket_snd has such a check.
      Extend this to packet_snd.
      
      Variable length link layer headers complicate the computation
      somewhat. Here skb->len may be smaller than dev->hard_header_len.
      
      Round up the linear length to be at least as long as the smallest of
      the two.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      57031eb7
    • W
      net: introduce device min_header_len · 217e6fa2
      Willem de Bruijn 提交于
      The stack must not pass packets to device drivers that are shorter
      than the minimum link layer header length.
      
      Previously, packet sockets would drop packets smaller than or equal
      to dev->hard_header_len, but this has false positives. Zero length
      payload is used over Ethernet. Other link layer protocols support
      variable length headers. Support for validation of these protocols
      removed the min length check for all protocols.
      
      Introduce an explicit dev->min_header_len parameter and drop all
      packets below this value. Initially, set it to non-zero only for
      Ethernet and loopback. Other protocols can follow in a patch to
      net-next.
      
      Fixes: 9ed988cd ("packet: validate variable length ll headers")
      Reported-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      217e6fa2
    • W
      sit: fix a double free on error path · d7426c69
      WANG Cong 提交于
      Dmitry reported a double free in sit_init_net():
      
        kernel BUG at mm/percpu.c:689!
        invalid opcode: 0000 [#1] SMP KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 0 PID: 15692 Comm: syz-executor1 Not tainted 4.10.0-rc6-next-20170206 #1
        Hardware name: Google Google Compute Engine/Google Compute Engine,
        BIOS Google 01/01/2011
        task: ffff8801c9cc27c0 task.stack: ffff88017d1d8000
        RIP: 0010:pcpu_free_area+0x68b/0x810 mm/percpu.c:689
        RSP: 0018:ffff88017d1df488 EFLAGS: 00010046
        RAX: 0000000000010000 RBX: 00000000000007c0 RCX: ffffc90002829000
        RDX: 0000000000010000 RSI: ffffffff81940efb RDI: ffff8801db841d94
        RBP: ffff88017d1df590 R08: dffffc0000000000 R09: 1ffffffff0bb3bdd
        R10: dffffc0000000000 R11: 00000000000135dd R12: ffff8801db841d80
        R13: 0000000000038e40 R14: 00000000000007c0 R15: 00000000000007c0
        FS:  00007f6ea608f700(0000) GS:ffff8801dbe00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 000000002000aff8 CR3: 00000001c8d44000 CR4: 00000000001426f0
        DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
        Call Trace:
         free_percpu+0x212/0x520 mm/percpu.c:1264
         ipip6_dev_free+0x43/0x60 net/ipv6/sit.c:1335
         sit_init_net+0x3cb/0xa10 net/ipv6/sit.c:1831
         ops_init+0x10a/0x530 net/core/net_namespace.c:115
         setup_net+0x2ed/0x690 net/core/net_namespace.c:291
         copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
         create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
         unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
         SYSC_unshare kernel/fork.c:2281 [inline]
         SyS_unshare+0x64e/0xfc0 kernel/fork.c:2231
         entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because when tunnel->dst_cache init fails, we free dev->tstats
      once in ipip6_tunnel_init() and twice in sit_init_net(). This looks
      redundant but its ndo_uinit() does not seem enough to clean up everything
      here. So avoid this by setting dev->tstats to NULL after the first free,
      at least for -net.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7426c69
    • D
      lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled · 2bd137de
      David Ahern 提交于
      An error was reported upgrading to 4.9.8:
          root@Typhoon:~# ip route add default table 210 nexthop dev eth0 via 10.68.64.1
          weight 1 nexthop dev eth0 via 10.68.64.2 weight 1
          RTNETLINK answers: Operation not supported
      
      The problem occurs when CONFIG_LWTUNNEL is not enabled and a multipath
      route is submitted.
      
      The point of lwtunnel_valid_encap_type_attr is catch modules that
      need to be loaded before any references are taken with rntl held. With
      CONFIG_LWTUNNEL disabled, there will be no modules to load so the
      lwtunnel_valid_encap_type_attr stub should just return 0.
      
      Fixes: 9ed59592 ("lwtunnel: fix autoload of lwt modules")
      Reported-by: pupilla@libero.it
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2bd137de
    • M
      ipv6: addrconf: fix generation of new temporary addresses · a11a7f71
      Marcus Huewe 提交于
      Under some circumstances it is possible that no new temporary addresses
      will be generated.
      
      For instance, addrconf_prefix_rcv_add_addr() indirectly calls
      ipv6_create_tempaddr(), which creates a tentative temporary address and
      starts dad. Next, addrconf_prefix_rcv_add_addr() indirectly calls
      addrconf_verify_rtnl(). Now, assume that the previously created temporary
      address has the least preferred lifetime among all existing addresses and
      is still tentative (that is, dad is still running). Hence, the next run of
      addrconf_verify_rtnl() is performed when the preferred lifetime of the
      temporary address ends. If dad succeeds before the next run, the temporary
      address becomes deprecated during the next run, but no new temporary
      address is generated.
      
      In order to fix this, schedule the next addrconf_verify_rtnl() run slightly
      before the temporary address becomes deprecated, if dad succeeded.
      Signed-off-by: NMarcus Huewe <suse-tux@gmx.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a11a7f71
  3. 08 2月, 2017 7 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 926af627
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Load correct firmware in rtl8192ce wireless driver, from Jurij
          Smakov.
      
       2) Fix leak of tx_ring and tx_cq due to overwriting in mlx4 driver,
          from Martin KaFai Lau.
      
       3) Need to reference count PHY driver module when it is attached, from
          Mao Wenan.
      
       4) Don't do zero length vzalloc() in ethtool register dump, from
          Stanislaw Gruszka.
      
       5) Defer net_disable_timestamp() to a workqueue to get out of locking
          issues, from Eric Dumazet.
      
       6) We cannot drop the SKB dst when IP options refer to them, fix also
          from Eric Dumazet.
      
       7) Incorrect packet header offset calculations in ip6_gre, again from
          Eric Dumazet.
      
       8) Missing tcp_v6_restore_cb() causes use-after-free, from Eric too.
      
       9) tcp_splice_read() can get into an infinite loop with URG, and hey
          it's from Eric once more.
      
      10) vnet_hdr_sz can change asynchronously, so read it once during
          decision making in macvtap and tun, from Willem de Bruijn.
      
      11) Can't use kernel stack for DMA transfers in USB networking drivers,
          from Ben Hutchings.
      
      12) Handle csum errors properly in UDP by calling the proper destructor,
          from Eric Dumazet.
      
      13) For non-deterministic softirq run when scheduling NAPI from a
          workqueue in mlx4, from Benjamin Poirier.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (28 commits)
        sctp: check af before verify address in sctp_addr_id2transport
        sctp: avoid BUG_ON on sctp_wait_for_sndbuf
        mlx4: Invoke softirqs after napi_reschedule
        udp: properly cope with csum errors
        catc: Use heap buffer for memory size test
        catc: Combine failure cleanup code in catc_probe()
        rtl8150: Use heap buffers for all register access
        pegasus: Use heap buffers for all register access
        macvtap: read vnet_hdr_size once
        tun: read vnet_hdr_sz once
        tcp: avoid infinite loop in tcp_splice_read()
        hns: avoid stack overflow with CONFIG_KASAN
        ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches
        ipv6: tcp: add a missing tcp_v6_restore_cb()
        nl80211: Fix mesh HT operation check
        mac80211: Fix adding of mesh vendor IEs
        mac80211: Allocate a sync skcipher explicitly for FILS AEAD
        mac80211: Fix FILS AEAD protection in Association Request frame
        ip6_gre: fix ip6gre_err() invalid reads
        netlabel: out of bound access in cipso_v4_validate()
        ...
      926af627
    • H
      mm: fix KPF_SWAPCACHE in /proc/kpageflags · b6789123
      Hugh Dickins 提交于
      Commit 6326fec1 ("mm: Use owner_priv bit for PageSwapCache, valid
      when PageSwapBacked") aliased PG_swapcache to PG_owner_priv_1 (and
      depending on PageSwapBacked being true).
      
      As a result, the KPF_SWAPCACHE bit in '/proc/kpageflags' should now be
      synthesized, instead of being shown on unrelated pages which just happen
      to have PG_owner_priv_1 set.
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b6789123
    • X
      sctp: check af before verify address in sctp_addr_id2transport · 912964ea
      Xin Long 提交于
      Commit 6f29a130 ("sctp: sctp_addr_id2transport should verify the
      addr before looking up assoc") invoked sctp_verify_addr to verify the
      addr.
      
      But it didn't check af variable beforehand, once users pass an address
      with family = 0 through sockopt, sctp_get_af_specific will return NULL
      and NULL pointer dereference will be caused by af->sockaddr_len.
      
      This patch is to fix it by returning NULL if af variable is NULL.
      
      Fixes: 6f29a130 ("sctp: sctp_addr_id2transport should verify the addr before looking up assoc")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      912964ea
    • V
      ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup · a524c218
      Vineet Gupta 提交于
      Reported-by: NJo-Philipp Wich <jo@mein.io>
      Fixes: 9aed02fe ("ARC: [arcompact] handle unaligned access delay slot")
      Cc: linux-kernel@vger.kernel.org
      Cc: linux-snps-arc@lists.infradead.org
      Cc: stable@vger.kernel.org
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a524c218
    • M
      sctp: avoid BUG_ON on sctp_wait_for_sndbuf · 2dcab598
      Marcelo Ricardo Leitner 提交于
      Alexander Popov reported that an application may trigger a BUG_ON in
      sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
      waiting on it to queue more data and meanwhile another thread peels off
      the association being used by the first thread.
      
      This patch replaces the BUG_ON call with a proper error handling. It
      will return -EPIPE to the original sendmsg call, similarly to what would
      have been done if the association wasn't found in the first place.
      Acked-by: NAlexander Popov <alex.popov@linux.com>
      Signed-off-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2dcab598
    • B
      mlx4: Invoke softirqs after napi_reschedule · bd4ce941
      Benjamin Poirier 提交于
      mlx4 may schedule napi from a workqueue. Afterwards, softirqs are not run
      in a deterministic time frame and the following message may be logged:
      NOHZ: local_softirq_pending 08
      
      The problem is the same as what was described in commit ec13ee80
      ("virtio_net: invoke softirqs after __napi_schedule") and this patch
      applies the same fix to mlx4.
      
      Fixes: 07841f9d ("net/mlx4_en: Schedule napi when RX buffers allocation fails")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NBenjamin Poirier <bpoirier@suse.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bd4ce941
    • E
      udp: properly cope with csum errors · 69629464
      Eric Dumazet 提交于
      Dmitry reported that UDP sockets being destroyed would trigger the
      WARN_ON(atomic_read(&sk->sk_rmem_alloc)); in inet_sock_destruct()
      
      It turns out we do not properly destroy skb(s) that have wrong UDP
      checksum.
      
      Thanks again to syzkaller team.
      
      Fixes : 7c13f97f ("udp: do fwd memory scheduling on dequeue")
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      69629464
  4. 07 2月, 2017 17 次提交
    • D
      Merge branch 'net-Fix-on-stack-USB-buffers' · 6a413e26
      David S. Miller 提交于
      Ben Hutchings says:
      
      ====================
      net: Fix on-stack USB buffers
      
      Allocating USB buffers on the stack is not portable, and no longer
      works on x86_64 (with VMAP_STACK enabled as per default).  This
      series fixes all the instances I could find where USB networking
      drivers do that.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6a413e26
    • B
      catc: Use heap buffer for memory size test · 2d6a0e9d
      Ben Hutchings 提交于
      Allocating USB buffers on the stack is not portable, and no longer
      works on x86_64 (with VMAP_STACK enabled as per default).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2d6a0e9d
    • B
      d4114914
    • B
      rtl8150: Use heap buffers for all register access · 7926aff5
      Ben Hutchings 提交于
      Allocating USB buffers on the stack is not portable, and no longer
      works on x86_64 (with VMAP_STACK enabled as per default).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7926aff5
    • B
      pegasus: Use heap buffers for all register access · 5593523f
      Ben Hutchings 提交于
      Allocating USB buffers on the stack is not portable, and no longer
      works on x86_64 (with VMAP_STACK enabled as per default).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      References: https://bugs.debian.org/852556Reported-by: NLisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
      Tested-by: NLisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5593523f
    • D
      Merge branch 'read-vnet_hdr_sz-once' · 432d4f8a
      David S. Miller 提交于
      Willem de Bruijn says:
      
      ====================
      read vnet_hdr_sz once
      
      Tuntap devices allow concurrent use and update of field vnet_hdr_sz.
      Read the field once to avoid TOCTOU.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      432d4f8a
    • W
      macvtap: read vnet_hdr_size once · 837585a5
      Willem de Bruijn 提交于
      When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
      Data length is verified to be greater than or equal to expected header
      length tun->vnet_hdr_sz before copying.
      
      Macvtap functions read the value once, but unless READ_ONCE is used,
      the compiler may ignore this and read multiple times. Enforce a single
      read and locally cached value to avoid updates between test and use.
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Suggested-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      837585a5
    • W
      tun: read vnet_hdr_sz once · e1edab87
      Willem de Bruijn 提交于
      When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
      Data length is verified to be greater than or equal to expected header
      length tun->vnet_hdr_sz before copying.
      
      Read this value once and cache locally, as it can be updated between
      the test and use (TOCTOU).
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      CC: Eric Dumazet <edumazet@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e1edab87
    • E
      tcp: avoid infinite loop in tcp_splice_read() · ccf7abb9
      Eric Dumazet 提交于
      Splicing from TCP socket is vulnerable when a packet with URG flag is
      received and stored into receive queue.
      
      __tcp_splice_read() returns 0, and sk_wait_data() immediately
      returns since there is the problematic skb in queue.
      
      This is a nice way to burn cpu (aka infinite loop) and trigger
      soft lockups.
      
      Again, this gem was found by syzkaller tool.
      
      Fixes: 9c55e01c ("[TCP]: Splice receive support.")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NDmitry Vyukov  <dvyukov@google.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ccf7abb9
    • L
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 8b1b41ee
      Linus Torvalds 提交于
      Pull libnvdimm fixes from Dan Williams:
       "None of these are showstoppers for 4.10 and could wait for 4.11 merge
        window, but they are low enough risk for this late in the cycle and
        the fixes have waiting users . They have received a build success
        notification from the 0day robot, pass the latest ndctl unit tests,
        and appeared in next:
      
         - Fix a crash that can result when SIGINT is sent to a process that
           is awaiting completion of an address range scrub command. We were
           not properly cleaning up the workqueue after
           wait_event_interruptible().
      
         - Fix a memory hotplug failure condition that results from not
           reserving enough space out of persistent memory for the memmap. By
           default we align to 2M allocations that the memory hotplug code
           assumes, but if the administrator specifies a non-default
           4K-alignment then we can fail to correctly size the reservation.
      
         - A one line fix to improve the predictability of libnvdimm block
           device names. A common operation is to reconfigure /dev/pmem0 into
           a different mode. For example, a reconfiguration might set a new
           mode that reserves some of the capacity for a struct page memmap
           array. It surprises users if the device name changes to
           "/dev/pmem0.1" after the mode change and then back to /dev/pmem0
           after a reboot.
      
         - Add 'const' to some function pointer tables"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm, pfn: fix memmap reservation size versus 4K alignment
        acpi, nfit: fix acpi_nfit_flush_probe() crash
        libnvdimm, namespace: do not delete namespace-id 0
        nvdimm: constify device_type structures
      8b1b41ee
    • L
      Merge tag 'pm-4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f7d6040a
      Linus Torvalds 提交于
      Pull power management fixes from Rafael Wysocki:
       "These add a quirk to intel_pstate to work around a firmware setting
        that leads to frequency scaling issues (discovered recently) on some
        Intel Kaby Lake processors, fix up the recently added brcmstb-avs
        cpufreq driver and avoid false-positive warnings from the runtime PM
        framework triggered by recent changes in i915.
      
        Specifics:
      
         - Add an intel_pstate driver quirk to work around a firmware setting
           that leads to frequency scaling issues on desktop Intel Kaby Lake
           processors in some configurations if the hardware-managed P-states
           (HWP) feature is in use (Srinivas Pandruvada)
      
         - Fix up the recently added brcmstb-avs cpufreq driver: fix a bug
           related to system suspend and change the sysfs interface to match
           the user space expectations (Markus Mayer)
      
         - Modify the runtime PM framework to avoid false-positive warnings
           from the might_sleep_if() assertions in it (Rafael Wysocki)"
      
      * tag 'pm-4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM / runtime: Avoid false-positive warnings from might_sleep_if()
        cpufreq: intel_pstate: Disable energy efficiency optimization
        cpufreq: brcmstb-avs-cpufreq: properly retrieve P-state upon suspend
        cpufreq: brcmstb-avs-cpufreq: extend sysfs entry brcm_avs_pmap
      f7d6040a
    • L
      Merge tag 'dm-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 50dcb6cd
      Linus Torvalds 提交于
      Pull device mapper fixes from Mike Snitzer:
      
       - a fix for a race in .request_fn request-based DM request handling vs
         DM device destruction
      
       - an RCU fix for dm-crypt's kernel keyring support that was included in
         4.10-rc1
      
       - a -Wbool-operation warning fix for DM multipath
      
      * tag 'dm-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm crypt: replace RCU read-side section with rwsem
        dm rq: cope with DM device destruction while in dm_old_request_fn()
        dm mpath: cleanup -Wbool-operation warning in choose_pgpath()
      50dcb6cd
    • L
      Merge tag 'media/v4.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 72df5eba
      Linus Torvalds 提交于
      Pull media fixes from Mauro Carvalho Chehab:
       "A few documentation fixes at CEC (with got promoted from staging for
        4.10), and one fix on its core."
      
      * tag 'media/v4.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] cec: fix wrong last_la determination
        [media] cec-intro.rst: mention the v4l-utils package and CEC utilities
        [media] cec rst: remove "This API is not yet finalized" notice
      72df5eba
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 396bf4cd
      Linus Torvalds 提交于
      Pull crypto fixes from Herbert Xu:
      
       - use-after-free in algif_aead
      
       - modular aesni regression when pcbc is modular but absent
      
       - bug causing IO page faults in ccp
      
       - double list add in ccp
      
       - NULL pointer dereference in qat (two patches)
      
       - panic in chcr
      
       - NULL pointer dereference in chcr
      
       - out-of-bound access in chcr
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: chcr - Fix key length for RFC4106
        crypto: algif_aead - Fix kernel panic on list_del
        crypto: aesni - Fix failure when pcbc module is absent
        crypto: ccp - Fix double add when creating new DMA command
        crypto: ccp - Fix DMA operations when IOMMU is enabled
        crypto: chcr - Check device is allocated before use
        crypto: chcr - Fix panic on dma_unmap_sg
        crypto: qat - zero esram only for DH85x devices
        crypto: qat - fix bar discovery for c62x
      396bf4cd
    • A
      hns: avoid stack overflow with CONFIG_KASAN · b3f2d07f
      Arnd Bergmann 提交于
      The use of ACCESS_ONCE() looks like a micro-optimization to force gcc to use
      an indexed load for the register address, but it has an absolutely detrimental
      effect on builds with gcc-5 and CONFIG_KASAN=y, leading to a very likely
      kernel stack overflow aside from very complex object code:
      
      hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_update_stats':
      hisilicon/hns/hns_dsaf_gmac.c:419:1: error: the frame size of 2912 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_reset_common':
      hisilicon/hns/hns_dsaf_ppe.c:390:1: error: the frame size of 1184 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_get_regs':
      hisilicon/hns/hns_dsaf_ppe.c:621:1: error: the frame size of 3632 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_common_regs':
      hisilicon/hns/hns_dsaf_rcb.c:970:1: error: the frame size of 2784 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_get_regs':
      hisilicon/hns/hns_dsaf_gmac.c:641:1: error: the frame size of 5728 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_ring_regs':
      hisilicon/hns/hns_dsaf_rcb.c:1021:1: error: the frame size of 2208 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_comm_init':
      hisilicon/hns/hns_dsaf_main.c:1209:1: error: the frame size of 1904 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_xgmac.c: In function 'hns_xgmac_get_regs':
      hisilicon/hns/hns_dsaf_xgmac.c:748:1: error: the frame size of 4704 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_update_stats':
      hisilicon/hns/hns_dsaf_main.c:2420:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_regs':
      hisilicon/hns/hns_dsaf_main.c:2753:1: error: the frame size of 10768 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      
      This does not seem to happen any more with gcc-7, but removing the ACCESS_ONCE
      seems safe anyway and it avoids a serious issue for some people. I have verified
      that with gcc-5.3.1, the object code we get is better in the new version
      both with and without CONFIG_KASAN, as we no longer allocate a 1344 byte
      stack frame for hns_dsaf_get_regs() but otherwise have practically identical
      object code.
      
      With gcc-7.0.0, removing ACCESS_ONCE has no effect, the object code is already
      good either way.
      
      This patch is probably not urgent to get into 4.11 as only KASAN=y builds
      with certain compilers are affected, but I still think it makes sense to
      backport into older kernels.
      
      Cc: stable@vger.kernel.org
      Fixes: 511e6bc0 ("net: add Hisilicon Network Subsystem DSAF support")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b3f2d07f
    • L
      ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches · a088d1d7
      Linus Lüssing 提交于
      When for instance a mobile Linux device roams from one access point to
      another with both APs sharing the same broadcast domain and a
      multicast snooping switch in between:
      
      1)    (c) <~~~> (AP1) <--[SSW]--> (AP2)
      
      2)              (AP1) <--[SSW]--> (AP2) <~~~> (c)
      
      Then currently IPv6 multicast packets will get lost for (c) until an
      MLD Querier sends its next query message. The packet loss occurs
      because upon roaming the Linux host so far stayed silent regarding
      MLD and the snooping switch will therefore be unaware of the
      multicast topology change for a while.
      
      This patch fixes this by always resending MLD reports when an interface
      change happens, for instance from NO-CARRIER to CARRIER state.
      Signed-off-by: NLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a088d1d7
    • D
      Merge tag 'wireless-drivers-for-davem-2017-02-06' of... · 62f01db9
      David S. Miller 提交于
      Merge tag 'wireless-drivers-for-davem-2017-02-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.10
      
      Only one important fix for rtlwifi which fixes a regression introduced
      in 4.9 and which caused problems for many users.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      62f01db9
  5. 06 2月, 2017 1 次提交