1. 29 3月, 2019 13 次提交
    • F
      mac80211: fix unaligned access in mesh table hash function · 40586e3f
      Felix Fietkau 提交于
      The pointer to the last four bytes of the address is not guaranteed to be
      aligned, so we need to use __get_unaligned_cpu32 here
      Signed-off-by: NFelix Fietkau <nbd@nbd.name>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      40586e3f
    • F
      mac80211: un-schedule TXQs on powersave start · b49c15e1
      Felix Fietkau 提交于
      Once a station enters powersave, its queues should not be returned by
      ieee80211_next_txq() anymore. They will be re-scheduled again after the
      station has woken up again
      
      Fixes: 18667600 ("mac80211: Add TXQ scheduling API")
      Signed-off-by: NFelix Fietkau <nbd@nbd.name>
      Acked-by: NToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      b49c15e1
    • A
      net: core: netif_receive_skb_list: unlist skb before passing to pt->func · 9a5a90d1
      Alexander Lobakin 提交于
      __netif_receive_skb_list_ptype() leaves skb->next poisoned before passing
      it to pt_prev->func handler, what may produce (in certain cases, e.g. DSA
      setup) crashes like:
      
      [ 88.606777] CPU 0 Unable to handle kernel paging request at virtual address 0000000e, epc == 80687078, ra == 8052cc7c
      [ 88.618666] Oops[#1]:
      [ 88.621196] CPU: 0 PID: 0 Comm: swapper Not tainted 5.1.0-rc2-dlink-00206-g4192a172-dirty #1473
      [ 88.630885] $ 0 : 00000000 10000400 00000002 864d7850
      [ 88.636709] $ 4 : 87c0ddf0 864d7800 87c0ddf0 00000000
      [ 88.642526] $ 8 : 00000000 49600000 00000001 00000001
      [ 88.648342] $12 : 00000000 c288617b dadbee27 25d17c41
      [ 88.654159] $16 : 87c0ddf0 85cff080 80790000 fffffffd
      [ 88.659975] $20 : 80797b20 ffffffff 00000001 864d7800
      [ 88.665793] $24 : 00000000 8011e658
      [ 88.671609] $28 : 80790000 87c0dbc0 87cabf00 8052cc7c
      [ 88.677427] Hi : 00000003
      [ 88.680622] Lo : 7b5b4220
      [ 88.683840] epc : 80687078 vlan_dev_hard_start_xmit+0x1c/0x1a0
      [ 88.690532] ra : 8052cc7c dev_hard_start_xmit+0xac/0x188
      [ 88.696734] Status: 10000404	IEp
      [ 88.700422] Cause : 50000008 (ExcCode 02)
      [ 88.704874] BadVA : 0000000e
      [ 88.708069] PrId : 0001a120 (MIPS interAptiv (multi))
      [ 88.713005] Modules linked in:
      [ 88.716407] Process swapper (pid: 0, threadinfo=(ptrval), task=(ptrval), tls=00000000)
      [ 88.725219] Stack : 85f61c28 00000000 0000000e 80780000 87c0ddf0 85cff080 80790000 8052cc7c
      [ 88.734529] 87cabf00 00000000 00000001 85f5fb40 807b0000 864d7850 87cabf00 807d0000
      [ 88.743839] 864d7800 8655f600 00000000 85cff080 87c1c000 0000006a 00000000 8052d96c
      [ 88.753149] 807a0000 8057adb8 87c0dcc8 87c0dc50 85cfff08 00000558 87cabf00 85f58c50
      [ 88.762460] 00000002 85f58c00 864d7800 80543308 fffffff4 00000001 85f58c00 864d7800
      [ 88.771770] ...
      [ 88.774483] Call Trace:
      [ 88.777199] [<80687078>] vlan_dev_hard_start_xmit+0x1c/0x1a0
      [ 88.783504] [<8052cc7c>] dev_hard_start_xmit+0xac/0x188
      [ 88.789326] [<8052d96c>] __dev_queue_xmit+0x6e8/0x7d4
      [ 88.794955] [<805a8640>] ip_finish_output2+0x238/0x4d0
      [ 88.800677] [<805ab6a0>] ip_output+0xc8/0x140
      [ 88.805526] [<805a68f4>] ip_forward+0x364/0x560
      [ 88.810567] [<805a4ff8>] ip_rcv+0x48/0xe4
      [ 88.815030] [<80528d44>] __netif_receive_skb_one_core+0x44/0x58
      [ 88.821635] [<8067f220>] dsa_switch_rcv+0x108/0x1ac
      [ 88.827067] [<80528f80>] __netif_receive_skb_list_core+0x228/0x26c
      [ 88.833951] [<8052ed84>] netif_receive_skb_list+0x1d4/0x394
      [ 88.840160] [<80355a88>] lunar_rx_poll+0x38c/0x828
      [ 88.845496] [<8052fa78>] net_rx_action+0x14c/0x3cc
      [ 88.850835] [<806ad300>] __do_softirq+0x178/0x338
      [ 88.856077] [<8012a2d4>] irq_exit+0xbc/0x100
      [ 88.860846] [<802f8b70>] plat_irq_dispatch+0xc0/0x144
      [ 88.866477] [<80105974>] handle_int+0x14c/0x158
      [ 88.871516] [<806acfb0>] r4k_wait+0x30/0x40
      [ 88.876462] Code: afb10014 8c8200a0 00803025 <9443000c> 94a20468 00000000 10620042 00a08025 9605046a
      [ 88.887332]
      [ 88.888982] ---[ end trace eb863d007da11cf1 ]---
      [ 88.894122] Kernel panic - not syncing: Fatal exception in interrupt
      [ 88.901202] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fix this by pulling skb off the sublist and zeroing skb->next pointer
      before calling ptype callback.
      
      Fixes: 88eb1944 ("net: core: propagate SKB lists through packet_type lookup")
      Reviewed-by: NEdward Cree <ecree@solarflare.com>
      Signed-off-by: NAlexander Lobakin <alobakin@dlink.ru>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9a5a90d1
    • M
      net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock(). · cb66ddd1
      Mao Wenan 提交于
      When it is to cleanup net namespace, rds_tcp_exit_net() will call
      rds_tcp_kill_sock(), if t_sock is NULL, it will not call
      rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
      connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
      net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
      and reference 'net' which has already been freed.
      
      In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
      sock->ops->connect, but if connect() is failed, it will call
      rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
      failed, rds_connect_worker() will try to reconnect all the time, so
      rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
      connections.
      
      Therefore, the condition !tc->t_sock is not needed if it is going to do
      cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
      NULL, and there is on other path to cancel cp_conn_w and free
      connection. So this patch is to fix this.
      
      rds_tcp_kill_sock():
      ...
      if (net != c_net || !tc->t_sock)
      ...
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      
      ==================================================================
      BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
      net/ipv4/af_inet.c:340
      Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
      
      CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
      Hardware name: linux,dummy-virt (DT)
      Workqueue: krdsd rds_connect_worker
      Call trace:
       dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
       show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x120/0x188 lib/dump_stack.c:113
       print_address_description+0x68/0x278 mm/kasan/report.c:253
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x21c/0x348 mm/kasan/report.c:409
       __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
       inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
       __sock_create+0x4f8/0x770 net/socket.c:1276
       sock_create_kern+0x50/0x68 net/socket.c:1322
       rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
       rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
       process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
       worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
       kthread+0x2f0/0x378 kernel/kthread.c:255
       ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
      
      Allocated by task 687:
       save_stack mm/kasan/kasan.c:448 [inline]
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
       kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
       slab_post_alloc_hook mm/slab.h:444 [inline]
       slab_alloc_node mm/slub.c:2705 [inline]
       slab_alloc mm/slub.c:2713 [inline]
       kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
       kmem_cache_zalloc include/linux/slab.h:697 [inline]
       net_alloc net/core/net_namespace.c:384 [inline]
       copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
       create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
       ksys_unshare+0x340/0x628 kernel/fork.c:2577
       __do_sys_unshare kernel/fork.c:2645 [inline]
       __se_sys_unshare kernel/fork.c:2643 [inline]
       __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
       __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
       el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
       el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
       el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
      
      Freed by task 264:
       save_stack mm/kasan/kasan.c:448 [inline]
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
       kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
       slab_free_hook mm/slub.c:1370 [inline]
       slab_free_freelist_hook mm/slub.c:1397 [inline]
       slab_free mm/slub.c:2952 [inline]
       kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
       net_free net/core/net_namespace.c:400 [inline]
       net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
       net_drop_ns net/core/net_namespace.c:406 [inline]
       cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
       process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
       worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
       kthread+0x2f0/0x378 kernel/kthread.c:255
       ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
      
      The buggy address belongs to the object at ffff8003496a3f80
       which belongs to the cache net_namespace of size 7872
      The buggy address is located 1796 bytes inside of
       7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
      The buggy address belongs to the page:
      page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
      index:0x0 compound_mapcount: 0
      flags: 0xffffe0000008100(slab|head)
      raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
      raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
       ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 467fa153("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Signed-off-by: NMao Wenan <maowenan@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cb66ddd1
    • A
      openvswitch: fix flow actions reallocation · f28cd2af
      Andrea Righi 提交于
      The flow action buffer can be resized if it's not big enough to contain
      all the requested flow actions. However, this resize doesn't take into
      account the new requested size, the buffer is only increased by a factor
      of 2x. This might be not enough to contain the new data, causing a
      buffer overflow, for example:
      
      [   42.044472] =============================================================================
      [   42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
      [   42.046415] -----------------------------------------------------------------------------
      
      [   42.047715] Disabling lock debugging due to kernel taint
      [   42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
      [   42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
      [   42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
      
      [   42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc                          ........
      [   42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00  kkkkkkkk....l...
      [   42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6  l...........x...
      [   42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00   ...............
      [   42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   42.059061] Redzone 8bf2c4a5: 00 00 00 00                                      ....
      [   42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
      
      Fix by making sure the new buffer is properly resized to contain all the
      requested data.
      
      BugLink: https://bugs.launchpad.net/bugs/1813244Signed-off-by: NAndrea Righi <andrea.righi@canonical.com>
      Acked-by: NPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f28cd2af
    • D
      Merge branch 'nfp-fix-retcode-and-disable-netpoll-on-representors' · 577dd43a
      David S. Miller 提交于
      Jakub Kicinski says:
      
      ====================
      nfp: fix retcode and disable netpoll on representors
      
      This series avoids a potential crash on nfp representor devices
      when netpoll is in use.  If transmitting the frame through underlying
      vNIC fails we'd return an error code (by passing on error code from
      __dev_queue_xmit()) and cause double free in netpoll code.
      
      Fix the error code and disable netpoll on reprs altogether.
      IRQ-safety of locking the queues and calling __dev_queue_xmit()
      is questionable.
      
      Big thanks to John Hurley for debugging and narrowing down
      the trace log after I gave up! :)
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      577dd43a
    • J
      nfp: disable netpoll on representors · c3e1f7ff
      Jakub Kicinski 提交于
      NFP reprs are software device on top of the PF's vNIC.
      The comment above __dev_queue_xmit() sayeth:
      
       When calling this method, interrupts MUST be enabled.  This is because
       the BH enable code must have IRQs enabled so that it will not deadlock.
      
      For netconsole we can't guarantee IRQ state, let's just
      disable netpoll on representors to be on the safe side.
      
      When the initial implementation of NFP reprs was added by the
      commit 5de73ee4 ("nfp: general representor implementation")
      .ndo_poll_controller was required for netpoll to be enabled.
      
      Fixes: ac3d9dd0 ("netpoll: make ndo_poll_controller() optional")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NJohn Hurley <john.hurley@netronome.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c3e1f7ff
    • J
      nfp: validate the return code from dev_queue_xmit() · c8ba5b91
      Jakub Kicinski 提交于
      dev_queue_xmit() may return error codes as well as netdev_tx_t,
      and it always consumes the skb.  Make sure we always return a
      correct netdev_tx_t value.
      
      Fixes: eadfa4c3 ("nfp: add stats and xmit helpers for representors")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NJohn Hurley <john.hurley@netronome.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c8ba5b91
    • E
      netns: provide pure entropy for net_hash_mix() · 355b9855
      Eric Dumazet 提交于
      net_hash_mix() currently uses kernel address of a struct net,
      and is used in many places that could be used to reveal this
      address to a patient attacker, thus defeating KASLR, for
      the typical case (initial net namespace, &init_net is
      not dynamically allocated)
      
      I believe the original implementation tried to avoid spending
      too many cycles in this function, but security comes first.
      
      Also provide entropy regardless of CONFIG_NET_NS.
      
      Fixes: 0b441916 ("netns: introduce the net_hash_mix "salt" for hashes")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAmit Klein <aksecurity@gmail.com>
      Reported-by: NBenny Pinkas <benny@pinkas.net>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      355b9855
    • B
      qmi_wwan: add Olicard 600 · 6289d0fa
      Bjørn Mork 提交于
      This is a Qualcomm based device with a QMI function on interface 4.
      It is mode switched from 2020:2030 using a standard eject message.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  6 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=2031 Rev= 2.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
      E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6289d0fa
    • X
      net: dsa: Implement flow_dissect callback for tag_qca · 6e57d72a
      xiaofeis 提交于
      Add flow_dissect for qca tagged packet to get the right hash.
      Signed-off-by: NXiaofei Shen <xiaofeis@codeaurora.org>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: NVinod Koul <vkoul@kernel.org>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6e57d72a
    • D
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · 5ac4b47d
      David S. Miller 提交于
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Fixes 2019-03-26
      
      This series contains updates to igb, ixgbe, i40e and fm10k.
      
      Jake fixes an issue with PTP in i40e where a previous commit resulted
      in a regression where the driver would interpret small negative
      adjustments as large positive additions, resulting in incorrect
      behavior.
      
      Arvind Sankar fixes an issue in igb where a previous commit would cause
      a warning in the PCI pm core and resulted in pci_pm_runtime_suspend
      would not call pci_save_state or pci_finish_runtime_suspend.
      
      Ivan Vecera fixes MDIO bus registration with ixgbe, where the driver was
      ignoring errors returned when registering and would leave the pointer in
      a NULL state which triggered a BUG when un-registering.
      
      Stefan Assmann fixes the check for Wake-On-LAN for i40e, which only
      supports magic packet.
      
      Yue Haibing fixes a potential NULL pointer de-reference in fm10k by
      adding a simple check if the value is NULL.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5ac4b47d
    • D
      Merge tag 'batadv-net-for-davem-20190328' of git://git.open-mesh.org/linux-merge · d3332184
      David S. Miller 提交于
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv bugfixes:
      
       - Fix refcount underflows in bridge loop avoidance code,
         by Sven Eckelmann (3 patches)
      
       - Fix warning when CFG80211 isn't enabled, by Anders Roxell
      
       - Fix genl notification for throughput override, by Sven Eckelmann
      
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d3332184
  2. 28 3月, 2019 11 次提交
    • S
      vrf: prevent adding upper devices · 1017e098
      Sabrina Dubroca 提交于
      VRF devices don't work with upper devices. Currently, it's possible to
      add a VRF device to a bridge or team, and to create macvlan, macsec, or
      ipvlan devices on top of a VRF (bond and vlan are prevented respectively
      by the lack of an ndo_set_mac_address op and the NETIF_F_VLAN_CHALLENGED
      feature flag).
      
      Fix this by setting the IFF_NO_RX_HANDLER flag (introduced in commit
      f5426250 ("net: introduce IFF_NO_RX_HANDLER")).
      
      Cc: David Ahern <dsahern@gmail.com>
      Fixes: 193125db ("net: Introduce VRF device driver")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1017e098
    • D
      Merge branch 'thunderx-fix-receive-buffer-page-recycling' · 23da1021
      David S. Miller 提交于
      Dean Nelson says:
      
      ====================
      thunderx: fix receive buffer page recycling
      
      In attempting to optimize receive buffer page recycling for XDP, commit
      77322538 ("net: thunderx: Optimize page recycling for XDP")
      inadvertently introduced two problems for the non-XDP case, that will be
      addressed by this patch series.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      23da1021
    • D
      thunderx: eliminate extra calls to put_page() for pages held for recycling · cd35ef91
      Dean Nelson 提交于
      For the non-XDP case, commit 77322538 ("net: thunderx: Optimize
      page recycling for XDP") added code to nicvf_free_rbdr() that, when releasing
      the additional receive buffer page reference held for recycling, repeatedly
      calls put_page() until the page's _refcount goes to zero. Which results in
      the page being freed.
      
      This is not okay if the page's _refcount was greater than 1 (in the non-XDP
      case), because nicvf_free_rbdr() should not be subtracting more than what
      nicvf_alloc_page() had previously added to the page's _refcount, which was
      only 1 (in the non-XDP case).
      
      This can arise if a received packet is still being processed and the receive
      buffer (i.e., skb->head) has not yet been freed via skb_free_head() when
      nicvf_free_rbdr() is spinning through the aforementioned put_page() loop.
      
      If this should occur, when the received packet finishes processing and
      skb_free_head() is called, various problems can ensue. Exactly what, depends on
      whether the page has already been reallocated or not, anything from "BUG: Bad
      page state ... ", to "Unable to handle kernel NULL pointer dereference ..." or
      "Unable to handle kernel paging request...".
      
      So this patch changes nicvf_free_rbdr() to only call put_page() once for pages
      held for recycling (in the non-XDP case).
      
      Fixes: 77322538 ("net: thunderx: Optimize page recycling for XDP")
      Signed-off-by: NDean Nelson <dnelson@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cd35ef91
    • D
      thunderx: enable page recycling for non-XDP case · b3e20806
      Dean Nelson 提交于
      Commit 77322538 ("net: thunderx: Optimize page recycling for XDP")
      added code to nicvf_alloc_page() that inadvertently disables receive buffer
      page recycling for the non-XDP case by always NULL'ng the page pointer.
      
      This patch corrects two if-conditionals to allow for the recycling of non-XDP
      mode pages by only setting the page pointer to NULL when the page is not ready
      for recycling.
      
      Fixes: 77322538 ("net: thunderx: Optimize page recycling for XDP")
      Signed-off-by: NDean Nelson <dnelson@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b3e20806
    • C
      net: mii: Fix PAUSE cap advertisement from linkmode_adv_to_lcl_adv_t() helper · 7f07e5f1
      Claudiu Manoil 提交于
      With a recent link mode advertisement code update this helper
      providing local pause capability translation used for flow
      control link mode negotiation got broken.
      For eth drivers using this helper, the issue is apparent only
      if either PAUSE or ASYM_PAUSE is being advertised.
      
      Fixes: 3c1bcc86 ("net: ethernet: Convert phydev advertize and supported from u32 to link mode")
      Signed-off-by: NClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7f07e5f1
    • X
      net: hns3: fix compile error · 669efc76
      Xi Wang 提交于
      Currently, the rules for configuring search paths in Kbuild have
      changed, this will lead some erros when compiling hns3 with the
      following command:
      
      make O=DIR M=drivers/net/ethernet/hisilicon/hns3
      
      drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c:11:10:
      fatal error: hnae3.h: No such file or directory
      
      This patch fix it by adding $(srctree)/ prefix to the serach paths.
      Signed-off-by: NXi Wang <wangxi11@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      669efc76
    • H
      ila: Fix rhashtable walker list corruption · b5f9bd15
      Herbert Xu 提交于
      ila_xlat_nl_cmd_flush uses rhashtable walkers allocated from the
      stack but it never frees them.  This corrupts the walker list of
      the hash table.
      
      This patch fixes it.
      
      Reported-by: syzbot+dae72a112334aa65a159@syzkaller.appspotmail.com
      Fixes: b6e71bde ("ila: Flush netlink command to clear xlat...")
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b5f9bd15
    • F
      MAINTAINERS: Fix documentation file name for PHY Library · 79706ced
      Florian Fainelli 提交于
      MAINTAINERS still pointed to phy.txt after moving this file into the rst
      format, fix this.
      Reported-by: NJoe Perches <joe@perches.com>
      Fixes: 25fe02d0 ("Documentation: net: phy: switch documentation to rst format")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      79706ced
    • P
      net: datagram: fix unbounded loop in __skb_try_recv_datagram() · 0b91bce1
      Paolo Abeni 提交于
      Christoph reported a stall while peeking datagram with an offset when
      busy polling is enabled. __skb_try_recv_datagram() uses as the loop
      termination condition 'queue empty'. When peeking, the socket
      queue can be not empty, even when no additional packets are received.
      
      Address the issue explicitly checking for receive queue changes,
      as currently done by __skb_wait_for_more_packets().
      
      Fixes: 2b5cd0df ("net: Change return type of sk_busy_loop from bool to void")
      Reported-and-tested-by: NChristoph Paasch <cpaasch@apple.com>
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0b91bce1
    • H
      net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode · 5ceaeb99
      Heiner Kallweit 提交于
      This patches fixes few issues in mv88e6390x_port_set_cmode().
      
      1. When entering the function the old cmode may be 0, in this case
         mv88e6390x_serdes_get_lane() returns -ENODEV. As result we bail
         out and have no chance to set a new mode. Therefore deal properly
         with -ENODEV.
      
      2. Once we have disabled power and irq, let's set the cached cmode to 0.
         This reflects the actual status and is cleaner if we bail out with an
         error in the following function calls.
      
      3. The cached cmode is used by mv88e6390x_serdes_get_lane(),
         mv88e6390_serdes_power_lane() and mv88e6390_serdes_irq_enable().
         Currently we set the cached mode to the new one at the very end of
         the function only, means until then we use the old one what may be
         wrong.
      
      4. When calling mv88e6390_serdes_irq_enable() we use the lane value
         belonging to the old cmode. Get the lane belonging to the new cmode
         before calling this function.
      
      It's hard to provide a good "Fixes" tag because quite a few smaller
      changes have been done to the code in question recently.
      
      Fixes: d235c48b ("net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces on 6390X")
      Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5ceaeb99
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 1a9df9e2
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
       "Fixes here and there, a couple new device IDs, as usual:
      
         1) Fix BQL race in dpaa2-eth driver, from Ioana Ciornei.
      
         2) Fix 64-bit division in iwlwifi, from Arnd Bergmann.
      
         3) Fix documentation for some eBPF helpers, from Quentin Monnet.
      
         4) Some UAPI bpf header sync with tools, also from Quentin Monnet.
      
         5) Set descriptor ownership bit at the right time for jumbo frames in
            stmmac driver, from Aaro Koskinen.
      
         6) Set IFF_UP properly in tun driver, from Eric Dumazet.
      
         7) Fix load/store doubleword instruction generation in powerpc eBPF
            JIT, from Naveen N. Rao.
      
         8) nla_nest_start() return value checks all over, from Kangjie Lu.
      
         9) Fix asoc_id handling in SCTP after the SCTP_*_ASSOC changes this
            merge window. From Marcelo Ricardo Leitner and Xin Long.
      
        10) Fix memory corruption with large MTUs in stmmac, from Aaro
            Koskinen.
      
        11) Do not use ipv4 header for ipv6 flows in TCP and DCCP, from Eric
            Dumazet.
      
        12) Fix topology subscription cancellation in tipc, from Erik Hugne.
      
        13) Memory leak in genetlink error path, from Yue Haibing.
      
        14) Valid control actions properly in packet scheduler, from Davide
            Caratti.
      
        15) Even if we get EEXIST, we still need to rehash if a shrink was
            delayed. From Herbert Xu.
      
        16) Fix interrupt mask handling in interrupt handler of r8169, from
            Heiner Kallweit.
      
        17) Fix leak in ehea driver, from Wen Yang"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (168 commits)
        dpaa2-eth: fix race condition with bql frame accounting
        chelsio: use BUG() instead of BUG_ON(1)
        net: devlink: skip info_get op call if it is not defined in dumpit
        net: phy: bcm54xx: Encode link speed and activity into LEDs
        tipc: change to check tipc_own_id to return in tipc_net_stop
        net: usb: aqc111: Extend HWID table by QNAP device
        net: sched: Kconfig: update reference link for PIE
        net: dsa: qca8k: extend slave-bus implementations
        net: dsa: qca8k: remove leftover phy accessors
        dt-bindings: net: dsa: qca8k: support internal mdio-bus
        dt-bindings: net: dsa: qca8k: fix example
        net: phy: don't clear BMCR in genphy_soft_reset
        bpf, libbpf: clarify bump in libbpf version info
        bpf, libbpf: fix version info and add it to shared object
        rxrpc: avoid clang -Wuninitialized warning
        tipc: tipc clang warning
        net: sched: fix cleanup NULL pointer exception in act_mirr
        r8169: fix cable re-plugging issue
        net: ethernet: ti: fix possible object reference leak
        net: ibm: fix possible object reference leak
        ...
      1a9df9e2
  3. 27 3月, 2019 16 次提交
    • Y
      fm10k: Fix a potential NULL pointer dereference · 01ca6671
      Yue Haibing 提交于
      Syzkaller report this:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      CPU: 0 PID: 4378 Comm: syz-executor.0 Tainted: G         C        5.0.0+ #5
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:__lock_acquire+0x95b/0x3200 kernel/locking/lockdep.c:3573
      Code: 00 0f 85 28 1e 00 00 48 81 c4 08 01 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 24 00 00 49 81 7d 00 e0 de 03 a6 41 bc 00 00
      RSP: 0018:ffff8881e3c07a40 EFLAGS: 00010002
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000080
      RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
      R10: ffff8881e3c07d98 R11: ffff8881c7f21f80 R12: 0000000000000001
      R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000001
      FS:  00007fce2252e700(0000) GS:ffff8881f2400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fffc7eb0228 CR3: 00000001e5bea002 CR4: 00000000007606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       lock_acquire+0xff/0x2c0 kernel/locking/lockdep.c:4211
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xdf/0x1050 kernel/locking/mutex.c:1072
       drain_workqueue+0x24/0x3f0 kernel/workqueue.c:2934
       destroy_workqueue+0x23/0x630 kernel/workqueue.c:4319
       __do_sys_delete_module kernel/module.c:1018 [inline]
       __se_sys_delete_module kernel/module.c:961 [inline]
       __x64_sys_delete_module+0x30c/0x480 kernel/module.c:961
       do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fce2252dc58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
      RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce2252e6bc
      R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
      
      If alloc_workqueue fails, it should return -ENOMEM, otherwise may
      trigger this NULL pointer dereference while unloading drivers.
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: 0a38c17a ("fm10k: Remove create_workqueue")
      Signed-off-by: NYue Haibing <yuehaibing@huawei.com>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      01ca6671
    • S
      i40e: fix WoL support check · f669d24f
      Stefan Assmann 提交于
      The current check for WoL on i40e is broken. Code comment says only
      magic packet is supported, so only check for that.
      
      Fixes: 540a152d (i40e/ixgbe/igb: fail on new WoL flag setting WAKE_MAGICSECURE)
      Signed-off-by: NStefan Assmann <sassmann@kpanic.de>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      f669d24f
    • I
      ixgbe: fix mdio bus registration · 7ec52b9d
      Ivan Vecera 提交于
      The ixgbe ignores errors returned from mdiobus_register() and leaves
      adapter->mii_bus non-NULL and MDIO bus state as MDIOBUS_ALLOCATED.
      This triggers a BUG from mdiobus_unregister() during ixgbe_remove() call.
      
      Fixes: 8fa10ef0 ("ixgbe: register a mdiobus")
      Signed-off-by: NIvan Vecera <ivecera@redhat.com>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      7ec52b9d
    • A
      igb: Fix WARN_ONCE on runtime suspend · dabb8338
      Arvind Sankar 提交于
      The runtime_suspend device callbacks are not supposed to save
      configuration state or change the power state. Commit fb29f76cc566
      ("igb: Fix an issue that PME is not enabled during runtime suspend")
      changed the driver to not save configuration state during runtime
      suspend, however the driver callback still put the device into a
      low-power state. This causes a warning in the pci pm core and results in
      pci_pm_runtime_suspend not calling pci_save_state or pci_finish_runtime_suspend.
      
      Fix this by not changing the power state either, leaving that to pci pm
      core, and make the same change for suspend callback as well.
      
      Also move a couple of defines into the appropriate header file instead
      of inline in the .c file.
      
      Fixes: fb29f76cc566 ("igb: Fix an issue that PME is not enabled during runtime suspend")
      Signed-off-by: NArvind Sankar <niveditas98@gmail.com>
      Reviewed-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Tested-by: NAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      dabb8338
    • J
      i40e: fix i40e_ptp_adjtime when given a negative delta · b3ccbbce
      Jacob Keller 提交于
      Commit 0ac30ce4 ("i40e: fix up 32 bit timespec references",
      2017-07-26) claims to be cleaning up references to 32-bit timespecs.
      
      The actual contents of the commit make no sense, as it converts a call
      to timespec64_add into timespec64_add_ns. This would seem ok, if (a) the
      change was documented in the commit message, and (b) timespec64_add_ns
      supported negative numbers.
      
      timespec64_add_ns doesn't work with signed deltas, because the
      implementation is based around iter_div_u64_rem. This change resulted in
      a regression where i40e_ptp_adjtime would interpret small negative
      adjustments as large positive additions, resulting in incorrect
      behavior.
      
      This commit doesn't appear to fix anything, is not well explained, and
      introduces a bug, so lets just revert it.
      
      Reverts: 0ac30ce4 ("i40e: fix up 32 bit timespec references", 2017-07-26)
      Signed-off-by: NJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: NArnd Bergmann <arnd@arndb.de>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      b3ccbbce
    • L
      Merge tag 'nfs-for-5.1-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 14c741de
      Linus Torvalds 提交于
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable fixes:
         - Fix nfs4_lock_state refcounting in nfs4_alloc_{lock,unlock}data()
         - fix mount/umount race in nlmclnt.
         - NFSv4.1 don't free interrupted slot on open
      
        Bugfixes:
         - Don't let RPC_SOFTCONN tasks time out if the transport is connected
         - Fix a typo in nfs_init_timeout_values()
         - Fix layoutstats handling during read failovers
         - fix uninitialized variable warning"
      
      * tag 'nfs-for-5.1-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        SUNRPC: fix uninitialized variable warning
        pNFS/flexfiles: Fix layoutstats handling during read failovers
        NFS: Fix a typo in nfs_init_timeout_values()
        SUNRPC: Don't let RPC_SOFTCONN tasks time out if the transport is connected
        NFSv4.1 don't free interrupted slot on open
        NFS: fix mount/umount race in nlmclnt.
        NFS: Fix nfs4_lock_state refcounting in nfs4_alloc_{lock,unlock}data()
      14c741de
    • A
      SUNRPC: fix uninitialized variable warning · 01f2f5b8
      Alakesh Haloi 提交于
      Avoid following compiler warning on uninitialized variable
      
      net/sunrpc/xprtsock.c: In function ‘xs_read_stream_request.constprop’:
      net/sunrpc/xprtsock.c:525:10: warning: ‘read’ may be used uninitialized in this function [-Wmaybe-uninitialized]
         return read;
                ^~~~
      net/sunrpc/xprtsock.c:529:23: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]
        return ret < 0 ? ret : read;
               ~~~~~~~~~~~~~~^~~~~~
      Signed-off-by: NAlakesh Haloi <alakesh.haloi@gmail.com>
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      01f2f5b8
    • I
      dpaa2-eth: fix race condition with bql frame accounting · 8c838f53
      Ioana Ciornei 提交于
      It might happen that Tx conf acknowledges a frame before it was
      subscribed in bql, as subscribing was previously done after the enqueue
      operation.
      
      This patch moves the netdev_tx_sent_queue call before the actual frame
      enqueue, so that this can never happen.
      
      Fixes: 569dac6a ("dpaa2-eth: bql support")
      Signed-off-by: NIoana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8c838f53
    • A
      chelsio: use BUG() instead of BUG_ON(1) · 047a013f
      Arnd Bergmann 提交于
      clang warns about possible bugs in a dead code branch after
      BUG_ON(1) when CONFIG_PROFILE_ALL_BRANCHES is enabled:
      
       drivers/net/ethernet/chelsio/cxgb4/sge.c:479:3: error: variable 'buf_size' is used uninitialized whenever 'if'
            condition is false [-Werror,-Wsometimes-uninitialized]
                      BUG_ON(1);
                      ^~~~~~~~~
       include/asm-generic/bug.h:61:36: note: expanded from macro 'BUG_ON'
       #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
                                         ^~~~~~~~~~~~~~~~~~~
       include/linux/compiler.h:48:23: note: expanded from macro 'unlikely'
       #  define unlikely(x)   (__branch_check__(x, 0, __builtin_constant_p(x)))
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       drivers/net/ethernet/chelsio/cxgb4/sge.c:482:9: note: uninitialized use occurs here
              return buf_size;
                     ^~~~~~~~
       drivers/net/ethernet/chelsio/cxgb4/sge.c:479:3: note: remove the 'if' if its condition is always true
                      BUG_ON(1);
                      ^
       include/asm-generic/bug.h:61:32: note: expanded from macro 'BUG_ON'
       #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
                                     ^
       drivers/net/ethernet/chelsio/cxgb4/sge.c:459:14: note: initialize the variable 'buf_size' to silence this warning
              int buf_size;
                          ^
                           = 0
      
      Use BUG() here to create simpler code that clang understands
      correctly.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      047a013f
    • J
      net: devlink: skip info_get op call if it is not defined in dumpit · c493b09b
      Jiri Pirko 提交于
      In dumpit, unlike doit, the check for info_get op being defined
      is missing. Add it and avoid null pointer dereference in case driver
      does not define this op.
      
      Fixes: f9cf2288 ("devlink: add device information API")
      Reported-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NJiri Pirko <jiri@mellanox.com>
      Acked-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c493b09b
    • V
      net: phy: bcm54xx: Encode link speed and activity into LEDs · 450895d0
      Vladimir Oltean 提交于
      Previously the green and amber LEDs on this quad PHY were solid, to
      indicate an encoding of the link speed (10/100/1000).
      
      This keeps the LEDs always on just as before, but now they flash on
      Rx/Tx activity.
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      450895d0
    • X
      tipc: change to check tipc_own_id to return in tipc_net_stop · 9926cb5f
      Xin Long 提交于
      When running a syz script, a panic occurred:
      
      [  156.088228] BUG: KASAN: use-after-free in tipc_disc_timeout+0x9c9/0xb20 [tipc]
      [  156.094315] Call Trace:
      [  156.094844]  <IRQ>
      [  156.095306]  dump_stack+0x7c/0xc0
      [  156.097346]  print_address_description+0x65/0x22e
      [  156.100445]  kasan_report.cold.3+0x37/0x7a
      [  156.102402]  tipc_disc_timeout+0x9c9/0xb20 [tipc]
      [  156.106517]  call_timer_fn+0x19a/0x610
      [  156.112749]  run_timer_softirq+0xb51/0x1090
      
      It was caused by the netns freed without deleting the discoverer timer,
      while later on the netns would be accessed in the timer handler.
      
      The timer should have been deleted by tipc_net_stop() when cleaning up a
      netns. However, tipc has been able to enable a bearer and start d->timer
      without the local node_addr set since Commit 52dfae5c ("tipc: obtain
      node identity from interface by default"), which caused the timer not to
      be deleted in tipc_net_stop() then.
      
      So fix it in tipc_net_stop() by changing to check local node_id instead
      of local node_addr, as Jon suggested.
      
      While at it, remove the calling of tipc_nametbl_withdraw() there, since
      tipc_nametbl_stop() will take of the nametbl's freeing after.
      
      Fixes: 52dfae5c ("tipc: obtain node identity from interface by default")
      Reported-by: syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9926cb5f
    • D
      net: usb: aqc111: Extend HWID table by QNAP device · b7ebee2f
      Dmitry Bezrukov 提交于
      New device of QNAP based on aqc111u
      Add this ID to blacklist of cdc_ether driver as well
      Signed-off-by: NDmitry Bezrukov <dmitry.bezrukov@aquantia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b7ebee2f
    • L
      net: sched: Kconfig: update reference link for PIE · 1f8389bf
      Leslie Monis 提交于
      RFC 8033 replaces the IETF draft for PIE
      Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1f8389bf
    • C
      net: dsa: qca8k: extend slave-bus implementations · db460c54
      Christian Lamparter 提交于
      This patch implements accessors for the QCA8337 MDIO access
      through the MDIO_MASTER register, which makes it possible to
      access the PHYs on slave-bus through the switch. In cases
      where the switch ports are already mapped via external
      "phy-phandles", the internal mdio-bus is disabled in order to
      prevent a duplicated discovery and enumeration of the same
      PHYs. Don't use mixed external and internal mdio-bus
      configurations, as this is not supported by the hardware.
      Signed-off-by: NChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db460c54
    • C
      net: dsa: qca8k: remove leftover phy accessors · 1eec7151
      Christian Lamparter 提交于
      This belated patch implements Andrew Lunn's request of
      "remove the phy_read() and phy_write() functions."
      <https://lore.kernel.org/patchwork/comment/902734/>
      
      While seemingly harmless, this causes the switch's user
      port PHYs to get registered twice. This is because the
      DSA subsystem will create a slave mdio-bus not knowing
      that the qca8k_phy_(read|write) accessors operate on
      the external mdio-bus. So the same "bus" gets effectively
      duplicated.
      
      Cc: stable@vger.kernel.org
      Fixes: 6b93fb46 ("net-next: dsa: add new driver for qca8xxx family")
      Signed-off-by: NChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1eec7151