1. 07 12月, 2019 1 次提交
  2. 06 12月, 2019 13 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · ae72555b
      David S. Miller 提交于
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2019-12-05
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 6 non-merge commits during the last 1 day(s) which contain
      a total of 14 files changed, 116 insertions(+), 37 deletions(-).
      
      The main changes are:
      
      1) three selftests fixes, from Stanislav.
      
      2) one samples fix, from Jesper.
      
      3) one verifier fix, from Yonghong.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae72555b
    • E
      ppp: fix out-of-bounds access in bpf_prog_create() · 0033b34a
      Eric Biggers 提交于
      sock_fprog_kern::len is in units of struct sock_filter, not bytes.
      
      Fixes: 3e859adf ("compat_ioctl: unify copy-in of ppp filters")
      Reported-by: syzbot+eb853b51b10f1befa0b7@syzkaller.appspotmail.com
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0033b34a
    • D
      Merge branch 'hns3-fixes' · a116f4e2
      David S. Miller 提交于
      Huazhong Tan says:
      
      ====================
      net: hns3: fixes for -net
      
      This patchset includes misc fixes for the HNS3 ethernet driver.
      
      [patch 1/3] fixes a TX queue not restarted problem.
      
      [patch 2/3] fixes a use-after-free issue.
      
      [patch 3/3] fixes a VF ID issue for setting VF VLAN.
      
      change log:
      V1->V2: keeps 'ring' as parameter in hns3_nic_maybe_stop_tx()
      	in [patch 1/3], suggestted by David.
      	rewrites [patch 2/3]'s commit log to make it be easier
      	to understand, suggestted by David.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a116f4e2
    • J
      net: hns3: fix VF ID issue for setting VF VLAN · 1c985508
      Jian Shen 提交于
      Previously, when set VF VLAN with command "ip link set <pf name>
      vf <vf id> vlan <vlan id>", the VF ID 0 is handled as PF incorrectly,
      which should be the first VF. This patch fixes it.
      
      Fixes: 21e043cd ("net: hns3: fix set port based VLAN for PF")
      Signed-off-by: NJian Shen <shenjian15@huawei.com>
      Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1c985508
    • Y
      net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() · d1a37ded
      Yunsheng Lin 提交于
      Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
      SKB if the BD num required by the SKB does not meet the hardware
      limitation, and it linearizes the SKB by allocating a new linearized SKB
      and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
      because there are no enough space in the ring to send the linearized
      skb to hardware, the sch_direct_xmit() still hold reference to old SKB
      and try to retransmit the old SKB when dev_hard_start_xmit() return
      TX_BUSY, which may cause use after freed problem.
      
      This patch fixes it by using __skb_linearize() to linearize the
      SKB in hns3_nic_maybe_stop_tx().
      
      Fixes: 51e8439f ("net: hns3: add 8 BD limit for tx flow")
      Signed-off-by: NYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d1a37ded
    • Y
      net: hns3: fix for TX queue not restarted problem · 2a597eff
      Yunsheng Lin 提交于
      There is timing window between ring_space checking and
      netif_stop_subqueue when transmiting a SKB, and the TX BD
      cleaning may be executed during the time window, which may
      caused TX queue not restarted problem.
      
      This patch fixes it by rechecking the ring_space after
      netif_stop_subqueue to make sure TX queue is restarted.
      
      Also, the ring->next_to_clean is updated even when pkts is
      zero, because all the TX BD cleaned may be non-SKB, so it
      needs to check if TX queue need to be restarted.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: NYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2a597eff
    • G
      net: ethernet: ti: cpsw_switchdev: fix unmet direct dependencies detected for NET_SWITCHDEV · aacf6578
      Grygorii Strashko 提交于
      Replace "select NET_SWITCHDEV" vs "depends on NET_SWITCHDEV" to fix Kconfig
      warning with CONFIG_COMPILE_TEST=y
      
      WARNING: unmet direct dependencies detected for NET_SWITCHDEV
        Depends on [n]: NET [=y] && INET [=n]
        Selected by [y]:
        - TI_CPSW_SWITCHDEV [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_TI [=y] && (ARCH_DAVINCI || ARCH_OMAP2PLUS || COMPILE_TEST [=y])
      
      because TI_CPSW_SWITCHDEV blindly selects NET_SWITCHDEV even though
      INET is not set/enabled, while NET_SWITCHDEV depends on INET.
      Reported-by: NRandy Dunlap <rdunlap@infradead.org>
      Fixes: ed3525ed ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
      Signed-off-by: NGrygorii Strashko <grygorii.strashko@ti.com>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aacf6578
    • D
      Merge branch 's390-fixes' · b8744052
      David S. Miller 提交于
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2019-12-05
      
      please apply the following fixes to your net tree.
      
      The first two patches target the RX data path, the third fixes a memory
      leak when shutting down a qeth device.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b8744052
    • J
      s390/qeth: fix dangling IO buffers after halt/clear · f9e50b02
      Julian Wiedmann 提交于
      The cio layer's intparm logic does not align itself well with how qeth
      manages cmd IOs. When an active IO gets terminated via halt/clear, the
      corresponding IRQ's intparm does not reflect the cmd buffer but rather
      the intparm that was passed to ccw_device_halt() / ccw_device_clear().
      This behaviour was recently clarified in
      commit b91d9e67 ("s390/cio: fix intparm documentation").
      
      As a result, qeth_irq() currently doesn't cancel a cmd that was
      terminated via halt/clear. This primarily causes us to leak
      card->read_cmd after the qeth device is removed, since our IO path still
      holds a refcount for this cmd.
      
      For qeth this means that we need to keep track of which IO is pending on
      a device ('active_cmd'), and use this as the intparm when calling
      halt/clear. Otherwise qeth_irq() can't match the subsequent IRQ to its
      cmd buffer.
      Since we now keep track of the _expected_ intparm, we can also detect
      any mismatch; this would constitute a bug somewhere in the lower layers.
      In this case cancel the active cmd - we effectively "lost" the IRQ and
      should not expect any further notification for this IO.
      
      Fixes: 40554895 ("s390/qeth: add support for dynamically allocated cmds")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f9e50b02
    • J
      s390/qeth: ensure linear access to packet headers · f677fcb9
      Julian Wiedmann 提交于
      When the RX path builds non-linear skbs, the packet headers can
      currently spill over into page fragments. Depending on the packet type
      and what fields we need to access in the headers, this could cause us
      to go past the end of skb->data.
      
      So for non-linear packets, copy precisely the length of the necessary
      headers ('linear_len') into skb->data.
      And don't copy more, upper-level protocols will peel whatever additional
      packet headers they need.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f677fcb9
    • J
      s390/qeth: guard against runt packets · 5b55633f
      Julian Wiedmann 提交于
      Depending on a packet's type, the RX path needs to access fields in the
      packet headers and thus requires a minimum packet length.
      Enforce this length when building the skb.
      
      On the other hand a single runt packet is no reason to drop the whole
      RX buffer. So just skip it, and continue processing on the next packet.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5b55633f
    • M
      net: thunderx: start phy before starting autonegotiation · a350d2e7
      Mian Yousaf Kaukab 提交于
      Since commit 2b3e88ea ("net: phy: improve phy state checking")
      phy_start_aneg() expects phy state to be >= PHY_UP. Call phy_start()
      before calling phy_start_aneg() during probe so that autonegotiation
      is initiated.
      
      As phy_start() takes care of calling phy_start_aneg(), drop the explicit
      call to phy_start_aneg().
      
      Network fails without this patch on Octeon TX.
      
      Fixes: 2b3e88ea ("net: phy: improve phy state checking")
      Signed-off-by: NMian Yousaf Kaukab <ykaukab@suse.de>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a350d2e7
    • T
      hsr: fix a NULL pointer dereference in hsr_dev_xmit() · df95467b
      Taehee Yoo 提交于
      hsr_dev_xmit() calls hsr_port_get_hsr() to find master node and that would
      return NULL if master node is not existing in the list.
      But hsr_dev_xmit() doesn't check return pointer so a NULL dereference
      could occur.
      
      Test commands:
          ip netns add nst
          ip link add veth0 type veth peer name veth1
          ip link add veth2 type veth peer name veth3
          ip link set veth1 netns nst
          ip link set veth3 netns nst
          ip link set veth0 up
          ip link set veth2 up
          ip link add hsr0 type hsr slave1 veth0 slave2 veth2
          ip a a 192.168.100.1/24 dev hsr0
          ip link set hsr0 up
          ip netns exec nst ip link set veth1 up
          ip netns exec nst ip link set veth3 up
          ip netns exec nst ip link add hsr1 type hsr slave1 veth1 slave2 veth3
          ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
          ip netns exec nst ip link set hsr1 up
          hping3 192.168.100.2 -2 --flood &
          modprobe -rv hsr
      
      Splat looks like:
      [  217.351122][ T1635] kasan: CONFIG_KASAN_INLINE enabled
      [  217.352969][ T1635] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  217.354297][ T1635] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  217.355507][ T1635] CPU: 1 PID: 1635 Comm: hping3 Not tainted 5.4.0+ #192
      [  217.356472][ T1635] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [  217.357804][ T1635] RIP: 0010:hsr_dev_xmit+0x34/0x90 [hsr]
      [  217.373010][ T1635] Code: 48 8d be 00 0c 00 00 be 04 00 00 00 48 83 ec 08 e8 21 be ff ff 48 8d 78 10 48 ba 00 b
      [  217.376919][ T1635] RSP: 0018:ffff8880cd8af058 EFLAGS: 00010202
      [  217.377571][ T1635] RAX: 0000000000000000 RBX: ffff8880acde6840 RCX: 0000000000000002
      [  217.379465][ T1635] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000010
      [  217.380274][ T1635] RBP: ffff8880acde6840 R08: ffffed101b440d5d R09: 0000000000000001
      [  217.381078][ T1635] R10: 0000000000000001 R11: ffffed101b440d5c R12: ffff8880bffcc000
      [  217.382023][ T1635] R13: ffff8880bffcc088 R14: 0000000000000000 R15: ffff8880ca675c00
      [  217.383094][ T1635] FS:  00007f060d9d1740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [  217.384289][ T1635] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  217.385009][ T1635] CR2: 00007faf15381dd0 CR3: 00000000d523c001 CR4: 00000000000606e0
      [  217.385940][ T1635] Call Trace:
      [  217.386544][ T1635]  dev_hard_start_xmit+0x160/0x740
      [  217.387114][ T1635]  __dev_queue_xmit+0x1961/0x2e10
      [  217.388118][ T1635]  ? check_object+0xaf/0x260
      [  217.391466][ T1635]  ? __alloc_skb+0xb9/0x500
      [  217.392017][ T1635]  ? init_object+0x6b/0x80
      [  217.392629][ T1635]  ? netdev_core_pick_tx+0x2e0/0x2e0
      [  217.393175][ T1635]  ? __alloc_skb+0xb9/0x500
      [  217.393727][ T1635]  ? rcu_read_lock_sched_held+0x90/0xc0
      [  217.394331][ T1635]  ? rcu_read_lock_bh_held+0xa0/0xa0
      [  217.395013][ T1635]  ? kasan_unpoison_shadow+0x30/0x40
      [  217.395668][ T1635]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [  217.396280][ T1635]  ? __kmalloc_node_track_caller+0x3a8/0x3f0
      [  217.399007][ T1635]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [  217.400093][ T1635]  ? __kmalloc_reserve.isra.46+0x2e/0xb0
      [  217.401118][ T1635]  ? memset+0x1f/0x40
      [  217.402529][ T1635]  ? __alloc_skb+0x317/0x500
      [  217.404915][ T1635]  ? arp_xmit+0xca/0x2c0
      [ ... ]
      
      Fixes: 311633b6 ("hsr: switch ->dellink() to ->ndo_uninit()")
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df95467b
  3. 05 12月, 2019 17 次提交
  4. 04 12月, 2019 8 次提交
    • Y
      cls_flower: Fix the behavior using port ranges with hw-offload · 8ffb055b
      Yoshiki Komachi 提交于
      The recent commit 5c72299f ("net: sched: cls_flower: Classify
      packets using port ranges") had added filtering based on port ranges
      to tc flower. However the commit missed necessary changes in hw-offload
      code, so the feature gave rise to generating incorrect offloaded flow
      keys in NIC.
      
      One more detailed example is below:
      
      $ tc qdisc add dev eth0 ingress
      $ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
        dst_port 100-200 action drop
      
      With the setup above, an exact match filter with dst_port == 0 will be
      installed in NIC by hw-offload. IOW, the NIC will have a rule which is
      equivalent to the following one.
      
      $ tc qdisc add dev eth0 ingress
      $ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
        dst_port 0 action drop
      
      The behavior was caused by the flow dissector which extracts packet
      data into the flow key in the tc flower. More specifically, regardless
      of exact match or specified port ranges, fl_init_dissector() set the
      FLOW_DISSECTOR_KEY_PORTS flag in struct flow_dissector to extract port
      numbers from skb in skb_flow_dissect() called by fl_classify(). Note
      that device drivers received the same struct flow_dissector object as
      used in skb_flow_dissect(). Thus, offloaded drivers could not identify
      which of these is used because the FLOW_DISSECTOR_KEY_PORTS flag was
      set to struct flow_dissector in either case.
      
      This patch adds the new FLOW_DISSECTOR_KEY_PORTS_RANGE flag and the new
      tp_range field in struct fl_flow_key to recognize which filters are applied
      to offloaded drivers. At this point, when filters based on port ranges
      passed to drivers, drivers return the EOPNOTSUPP error because they do
      not support the feature (the newly created FLOW_DISSECTOR_KEY_PORTS_RANGE
      flag).
      
      Fixes: 5c72299f ("net: sched: cls_flower: Classify packets using port ranges")
      Signed-off-by: NYoshiki Komachi <komachi.yoshiki@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8ffb055b
    • D
      net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues · 2f23cd42
      Dust Li 提交于
      sch->q.len hasn't been set if the subqueue is a NOLOCK qdisc
       in mq_dump() and mqprio_dump().
      
      Fixes: ce679e8d ("net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio")
      Signed-off-by: NDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: NTony Lu <tonylu@linux.alibaba.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2f23cd42
    • E
      tcp: refactor tcp_retransmit_timer() · 0d580fbd
      Eric Dumazet 提交于
      It appears linux-4.14 stable needs a backport of commit
      88f8598d ("tcp: exit if nothing to retransmit on RTO timeout")
      
      Since tcp_rtx_queue_empty() is not in pre 4.15 kernels,
      let's refactor tcp_retransmit_timer() to only use tcp_rtx_queue_head()
      
      I will provide to stable teams the squashed patches.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0d580fbd
    • V
      net: mscc: ocelot: unregister the PTP clock on deinit · 9385973f
      Vladimir Oltean 提交于
      Currently a switch driver deinit frees the regmaps, but the PTP clock is
      still out there, available to user space via /dev/ptpN. Any PTP
      operation is a ticking time bomb, since it will attempt to use the freed
      regmaps and thus trigger kernel panics:
      
      [    4.291746] fsl_enetc 0000:00:00.2 eth1: error -22 setting up slave phy
      [    4.291871] mscc_felix 0000:00:00.5: Failed to register DSA switch: -22
      [    4.308666] mscc_felix: probe of 0000:00:00.5 failed with error -22
      [    6.358270] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
      [    6.367090] Mem abort info:
      [    6.369888]   ESR = 0x96000046
      [    6.369891]   EC = 0x25: DABT (current EL), IL = 32 bits
      [    6.369892]   SET = 0, FnV = 0
      [    6.369894]   EA = 0, S1PTW = 0
      [    6.369895] Data abort info:
      [    6.369897]   ISV = 0, ISS = 0x00000046
      [    6.369899]   CM = 0, WnR = 1
      [    6.369902] user pgtable: 4k pages, 48-bit VAs, pgdp=00000020d58c7000
      [    6.369904] [0000000000000088] pgd=00000020d5912003, pud=00000020d5915003, pmd=0000000000000000
      [    6.369914] Internal error: Oops: 96000046 [#1] PREEMPT SMP
      [    6.420443] Modules linked in:
      [    6.423506] CPU: 1 PID: 262 Comm: phc_ctl Not tainted 5.4.0-03625-gb7b2a5dadd7f #204
      [    6.431273] Hardware name: LS1028A RDB Board (DT)
      [    6.435989] pstate: 40000085 (nZcv daIf -PAN -UAO)
      [    6.440802] pc : css_release+0x24/0x58
      [    6.444561] lr : regmap_read+0x40/0x78
      [    6.448316] sp : ffff800010513cc0
      [    6.451636] x29: ffff800010513cc0 x28: ffff002055873040
      [    6.456963] x27: 0000000000000000 x26: 0000000000000000
      [    6.462289] x25: 0000000000000000 x24: 0000000000000000
      [    6.467617] x23: 0000000000000000 x22: 0000000000000080
      [    6.472944] x21: ffff800010513d44 x20: 0000000000000080
      [    6.478270] x19: 0000000000000000 x18: 0000000000000000
      [    6.483596] x17: 0000000000000000 x16: 0000000000000000
      [    6.488921] x15: 0000000000000000 x14: 0000000000000000
      [    6.494247] x13: 0000000000000000 x12: 0000000000000000
      [    6.499573] x11: 0000000000000000 x10: 0000000000000000
      [    6.504899] x9 : 0000000000000000 x8 : 0000000000000000
      [    6.510225] x7 : 0000000000000000 x6 : ffff800010513cf0
      [    6.515550] x5 : 0000000000000000 x4 : 0000000fffffffe0
      [    6.520876] x3 : 0000000000000088 x2 : ffff800010513d44
      [    6.526202] x1 : ffffcada668ea000 x0 : ffffcada64d8b0c0
      [    6.531528] Call trace:
      [    6.533977]  css_release+0x24/0x58
      [    6.537385]  regmap_read+0x40/0x78
      [    6.540795]  __ocelot_read_ix+0x6c/0xa0
      [    6.544641]  ocelot_ptp_gettime64+0x4c/0x110
      [    6.548921]  ptp_clock_gettime+0x4c/0x58
      [    6.552853]  pc_clock_gettime+0x5c/0xa8
      [    6.556699]  __arm64_sys_clock_gettime+0x68/0xc8
      [    6.561331]  el0_svc_common.constprop.2+0x7c/0x178
      [    6.566133]  el0_svc_handler+0x34/0xa0
      [    6.569891]  el0_sync_handler+0x114/0x1d0
      [    6.573908]  el0_sync+0x140/0x180
      [    6.577232] Code: d503201f b00119a1 91022263 b27b7be4 (f9004663)
      [    6.583349] ---[ end trace d196b9b14cdae2da ]---
      [    6.587977] Kernel panic - not syncing: Fatal exception
      [    6.593216] SMP: stopping secondary CPUs
      [    6.597151] Kernel Offset: 0x4ada54400000 from 0xffff800010000000
      [    6.603261] PHYS_OFFSET: 0xffffd0a7c0000000
      [    6.607454] CPU features: 0x10002,21806008
      [    6.611558] Memory Limit: none
      
      And now that ocelot->ptp_clock is checked at exit, prevent a potential
      error where ptp_clock_register returned a pointer-encoded error, which
      we are keeping in the ocelot private data structure. So now,
      ocelot->ptp_clock is now either NULL or a valid pointer.
      
      Fixes: 4e3b0468 ("net: mscc: PTP Hardware Clock (PHC) support")
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9385973f
    • D
      net/core: Populate VF index in struct ifla_vf_guid · 9aed6ae0
      Danit Goldberg 提交于
      In addition to filling the node_guid and port_guid attributes,
      there is a need to populate VF index too, otherwise users of netlink
      interface will see same VF index for all VFs.
      
      Fixes: 30aad417 ("net/core: Add support for getting VF GUIDs")
      Signed-off-by: NDanit Goldberg <danitg@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9aed6ae0
    • N
      net: bridge: deny dev_set_mac_address() when unregistering · c4b4c421
      Nikolay Aleksandrov 提交于
      We have an interesting memory leak in the bridge when it is being
      unregistered and is a slave to a master device which would change the
      mac of its slaves on unregister (e.g. bond, team). This is a very
      unusual setup but we do end up leaking 1 fdb entry because
      dev_set_mac_address() would cause the bridge to insert the new mac address
      into its table after all fdbs are flushed, i.e. after dellink() on the
      bridge has finished and we call NETDEV_UNREGISTER the bond/team would
      release it and will call dev_set_mac_address() to restore its original
      address and that in turn will add an fdb in the bridge.
      One fix is to check for the bridge dev's reg_state in its
      ndo_set_mac_address callback and return an error if the bridge is not in
      NETREG_REGISTERED.
      
      Easy steps to reproduce:
       1. add bond in mode != A/B
       2. add any slave to the bond
       3. add bridge dev as a slave to the bond
       4. destroy the bridge device
      
      Trace:
       unreferenced object 0xffff888035c4d080 (size 128):
         comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s)
         hex dump (first 32 bytes):
           41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00  A..6............
           d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00  ...^?...........
         backtrace:
           [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f
           [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge]
           [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge]
           [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge]
           [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge]
           [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge]
           [<000000006846a77f>] dev_set_mac_address+0x63/0x9b
           [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding]
           [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding]
           [<00000000305d7795>] notifier_call_chain+0x38/0x56
           [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23
           [<000000008279477b>] rollback_registered_many+0x353/0x6a4
           [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f
           [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43
           [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a
           [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268
      
      Fixes: 43598813 ("bridge: add local MAC address to forwarding table (v2)")
      Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c4b4c421
    • D
      net: fix a leak in register_netdevice() · 42c17fa6
      Dan Carpenter 提交于
      We have to free "dev->name_node" on this error path.
      
      Fixes: ff927412 ("net: introduce name_node struct to be used in hashlist")
      Reported-by: syzbot+6e13e65ffbaa33757bcb@syzkaller.appspotmail.com
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      42c17fa6
    • D
      Merge tag 'linux-can-fixes-for-5.5-20191203' of... · 56e7a2f8
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-5.5-20191203' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-12-03
      
      this is a pull request of 6 patches for net/master.
      
      The first two patches are against the MAINTAINERS file and adds Appana
      Durga Kedareswara rao as maintainer for the xilinx-can driver and Sriram
      Dash for the m_can (mmio) driver.
      
      The next patch is by Jouni Hogander and fixes a use-after-free in the
      slcan driver.
      
      Johan Hovold's patch for the ucan driver fixes the non-atomic allocation
      in the completion handler.
      
      The last two patches target the xilinx-can driver. The first one is by
      Venkatesh Yadav Abbarapu and skips the error message on deferred probe,
      the second one is by Srinivas Neeli and fixes the usage of the skb after
      can_put_echo_skb().
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      56e7a2f8
  5. 03 12月, 2019 1 次提交