1. 23 12月, 2019 3 次提交
    • J
      iwlwifi: pcie: allocate smaller dev_cmd for TX headers · a89c72ff
      Johannes Berg 提交于
      As noted in the previous commit, due to the way we allocate the
      dev_cmd headers with 324 byte size, and 4/8 byte alignment, the
      part we use of them (bytes 20..40-68) could still cross a page
      and thus 2^32 boundary.
      
      Address this by using alignment to ensure that the allocation
      cannot cross a page boundary, on hardware that's affected. To
      make that not cause more memory consumption, reduce the size of
      the allocations to the necessary size - we go from 324 bytes in
      each allocation to 60/68 on gen2 depending on family, and ~120
      or so on gen1 (so on gen1 it's a pure reduction in size, since
      we don't need alignment there).
      
      To avoid size and clearing issues, add a new structure that's
      just the header, and use kmem_cache_zalloc().
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      a89c72ff
    • J
      iwlwifi: pcie: detect the DMA bug and warn if it happens · c5a4e8eb
      Johannes Berg 提交于
      Warn if the DMA bug is going to happen. We don't have a good
      way of actually aborting in this case and we have workarounds
      in place for the cases where it happens, but in order to not
      be surprised add a safety-check and warn.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      c5a4e8eb
    • J
      iwlwifi: pcie: work around DMA hardware bug · c4a786b3
      Johannes Berg 提交于
      There's a hardware bug in the flow handler (DMA engine), if the
      address + len of some TB wraps around a 2^32 boundary, the carry
      bit is then carried over into the next TB.
      
      Work around this by copying the data to a new page when we find
      this situation, and then copy it in a way that we cannot hit the
      very end of the page.
      
      To be able to free the new page again later we need to chain it
      to the TSO page, use the last pointer there to make sure we can
      never use the page fully for DMA, and thus cannot cause the same
      overflow situation on this page.
      
      This leaves a few potential places (where we didn't observe the
      problem) unaddressed:
       * The second TB could reach or cross the end of a page (and thus
         2^32) due to the way we allocate the dev_cmd for the header
       * For host commands, a similar thing could happen since they're
         just kmalloc().
      We'll address these in further commits.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      c4a786b3
  2. 20 12月, 2019 2 次提交
  3. 19 12月, 2019 4 次提交
  4. 18 12月, 2019 10 次提交
    • J
      net-sysfs: Call dev_hold always in rx_queue_add_kobject · ddd9b5e3
      Jouni Hogander 提交于
      Dev_hold has to be called always in rx_queue_add_kobject.
      Otherwise usage count drops below 0 in case of failure in
      kobject_init_and_add.
      
      Fixes: b8eb7183 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
      Reported-by: Nsyzbot <syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: David Miller <davem@davemloft.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: NJouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ddd9b5e3
    • J
      nfp: flower: fix stats id allocation · 39f14c00
      John Hurley 提交于
      As flower rules are added, they are given a stats ID based on the number
      of rules that can be supported in firmware. Only after the initial
      allocation of all available IDs does the driver begin to reuse those that
      have been released.
      
      The initial allocation of IDs was modified to account for multiple memory
      units on the offloaded device. However, this introduced a bug whereby the
      counter that controls the IDs could be decremented before the ID was
      assigned (where it is further decremented). This means that the stats ID
      could be assigned as -1/0xfffffff which is out of range.
      
      Fix this by only decrementing the main counter after the current ID has
      been assigned.
      
      Fixes: 467322e2 ("nfp: flower: support multiple memory units for filter offloads")
      Signed-off-by: NJohn Hurley <john.hurley@netronome.com>
      Reviewed-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      39f14c00
    • B
      net: dsa: make unexported dsa_link_touch() static · 4e2ce6e5
      Ben Dooks (Codethink) 提交于
      dsa_link_touch() is not exported, or defined outside of the
      file it is in so make it static to avoid the following warning:
      
      net/dsa/dsa2.c:127:17: warning: symbol 'dsa_link_touch' was not declared. Should it be static?
      Signed-off-by: NBen Dooks (Codethink) <ben.dooks@codethink.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e2ce6e5
    • O
      net: ag71xx: fix compile warnings · 9d4b98af
      Oleksij Rempel 提交于
      drivers/net/ethernet/atheros/ag71xx.c: In function 'ag71xx_probe':
      drivers/net/ethernet/atheros/ag71xx.c:1776:30: warning: passing argument 2 of
       'of_get_phy_mode' makes pointer from integer without a cast [-Wint-conversion]
      In file included from drivers/net/ethernet/atheros/ag71xx.c:33:
      ./include/linux/of_net.h:15:69: note: expected 'phy_interface_t *'
       {aka 'enum <anonymous> *'} but argument is of type 'int'
      
      Fixes: 0c65b2b9 ("net: of_get_phy_mode: Change API to solve int/unit warnings")
      Signed-off-by: NOleksij Rempel <o.rempel@pengutronix.de>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d4b98af
    • R
      net: fix kernel-doc warning in <linux/netdevice.h> · 1f26c0d3
      Randy Dunlap 提交于
      Fix missing '*' kernel-doc notation that causes this warning:
      
      ../include/linux/netdevice.h:1779: warning: bad line:                                 spinlock
      
      Fixes: ab92d68f ("net: core: add generic lockdep keys")
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1f26c0d3
    • E
      net: annotate lockless accesses to sk->sk_pacing_shift · 7c68fa2b
      Eric Dumazet 提交于
      sk->sk_pacing_shift can be read and written without lock
      synchronization. This patch adds annotations to
      document this fact and avoid future syzbot complains.
      
      This might also avoid unexpected false sharing
      in sk_pacing_shift_update(), as the compiler
      could remove the conditional check and always
      write over sk->sk_pacing_shift :
      
      if (sk->sk_pacing_shift != val)
      	sk->sk_pacing_shift = val;
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7c68fa2b
    • B
      net: qlogic: Fix error paths in ql_alloc_large_buffers() · cad46039
      Ben Hutchings 提交于
      ql_alloc_large_buffers() has the usual RX buffer allocation
      loop where it allocates skbs and maps them for DMA.  It also
      treats failure as a fatal error.
      
      There are (at least) three bugs in the error paths:
      
      1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
      first buffer that couldn't be allocated will have .skb == NULL.
      But the qla_buf[] array is not zero-initialised.
      
      2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[].  This is
      incorrect for the last allocated skb, if DMA mapping failed.
      
      3. Commit 1acb8f2a ("net: qlogic: Fix memory leak in
      ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
      after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
      will double-free it.
      
      The bugs are somewhat inter-twined, so fix them all at once:
      
      * Clear each entry in qla_buf[] before attempting to allocate
        an skb for it.  This goes half-way to fixing bug 1.
      * Set the .skb field only after the skb is DMA-mapped.  This
        fixes the rest.
      
      Fixes: 1357bfcf ("qla3xxx: Dynamically size the rx buffer queue ...")
      Fixes: 0f8ab89e ("qla3xxx: Check return code from pci_map_single() ...")
      Fixes: 1acb8f2a ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cad46039
    • M
      sctp: fix memleak on err handling of stream initialization · 951c6db9
      Marcelo Ricardo Leitner 提交于
      syzbot reported a memory leak when an allocation fails within
      genradix_prealloc() for output streams. That's because
      genradix_prealloc() leaves initialized members initialized when the
      issue happens and SCTP stack will abort the current initialization but
      without cleaning up such members.
      
      The fix here is to always call genradix_free() when genradix_prealloc()
      fails, for output and also input streams, as it suffers from the same
      issue.
      
      Reported-by: syzbot+772d9e36c490b18d51d1@syzkaller.appspotmail.com
      Fixes: 2075e50c ("sctp: convert to genradix")
      Signed-off-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Tested-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      951c6db9
    • D
      Merge tag 'wireless-drivers-2019-12-17' of... · 040cda8a
      David S. Miller 提交于
      Merge tag 'wireless-drivers-2019-12-17' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.5
      
      First set of fixes for v5.5. Fixing security issues, some regressions
      and few major bugs.
      
      mwifiex
      
      * security fix for handling country Information Elements (CVE-2019-14895)
      
      * security fix for handling TDLS Information Elements
      
      ath9k
      
      * fix endian issue with ath9k_pci_owl_loader
      
      mt76
      
      * fix default mac address handling
      
      iwlwifi
      
      * fix merge damage which lead to firmware crashing during boot on some devices
      
      * fix device initialisation regression on some devices
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      040cda8a
    • I
      dpaa2-ptp: fix double free of the ptp_qoriq IRQ · daa6eb5a
      Ioana Ciornei 提交于
      Upon reusing the ptp_qoriq driver, the ptp_qoriq_free() function was
      used on the remove path to free any allocated resources.
      The ptp_qoriq IRQ is among these resources that are freed in
      ptp_qoriq_free() even though it is also a managed one (allocated using
      devm_request_threaded_irq).
      
      Drop the resource managed version of requesting the IRQ in order to not
      trigger a double free of the interrupt as below:
      
      [  226.731005] Trying to free already-free IRQ 126
      [  226.735533] WARNING: CPU: 6 PID: 749 at kernel/irq/manage.c:1707
      __free_irq+0x9c/0x2b8
      [  226.743435] Modules linked in:
      [  226.746480] CPU: 6 PID: 749 Comm: bash Tainted: G        W
      5.4.0-03629-gfd7102c32b2c-dirty #912
      [  226.755857] Hardware name: NXP Layerscape LX2160ARDB (DT)
      [  226.761244] pstate: 40000085 (nZcv daIf -PAN -UAO)
      [  226.766022] pc : __free_irq+0x9c/0x2b8
      [  226.769758] lr : __free_irq+0x9c/0x2b8
      [  226.773493] sp : ffff8000125039f0
      (...)
      [  226.856275] Call trace:
      [  226.858710]  __free_irq+0x9c/0x2b8
      [  226.862098]  free_irq+0x30/0x70
      [  226.865229]  devm_irq_release+0x14/0x20
      [  226.869054]  release_nodes+0x1b0/0x220
      [  226.872790]  devres_release_all+0x34/0x50
      [  226.876790]  device_release_driver_internal+0x100/0x1c0
      
      Fixes: d346c9e8 ("dpaa2-ptp: reuse ptp_qoriq driver")
      Cc: Yangbo Lu <yangbo.lu@nxp.com>
      Signed-off-by: NIoana Ciornei <ioana.ciornei@nxp.com>
      Reviewed-by: NYangbo Lu <yangbo.lu@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      daa6eb5a
  5. 17 12月, 2019 7 次提交
    • D
      Merge tag 'mac80211-for-net-2019-10-16' of... · ad125c6c
      David S. Miller 提交于
      Merge tag 'mac80211-for-net-2019-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A handful of fixes:
       * disable AQL on most drivers, addressing the iwlwifi issues
       * fix double-free on network namespace changes
       * fix TID field in frames injected through monitor interfaces
       * fix ieee80211_calc_rx_airtime()
       * fix NULL pointer dereference in rfkill (and remove BUG_ON)
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ad125c6c
    • A
      net: dsa: ocelot: add NET_VENDOR_MICROSEMI dependency · 95bed1a9
      Arnd Bergmann 提交于
      Selecting MSCC_OCELOT_SWITCH is not possible when NET_VENDOR_MICROSEMI
      is disabled:
      
      WARNING: unmet direct dependencies detected for MSCC_OCELOT_SWITCH
        Depends on [n]: NETDEVICES [=y] && ETHERNET [=n] && NET_VENDOR_MICROSEMI [=n] && NET_SWITCHDEV [=y] && HAS_IOMEM [=y]
        Selected by [m]:
        - NET_DSA_MSCC_FELIX [=m] && NETDEVICES [=y] && HAVE_NET_DSA [=y] && NET_DSA [=y] && PCI [=y]
      
      Add a Kconfig dependency on NET_VENDOR_MICROSEMI, which also implies
      CONFIG_NETDEVICES.
      
      Depending on a vendor config violates menuconfig locality for the DSA
      driver, but is the smallest compromise since all other solutions are
      much more complicated (see [0]).
      
      https://www.spinics.net/lists/netdev/msg618808.html
      
      Fixes: 56051948 ("net: dsa: ocelot: add driver for Felix switch family")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NMao Wenan <maowenan@huawei.com>
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      95bed1a9
    • N
      net: gemini: Fix memory leak in gmac_setup_txqs · f37f7103
      Navid Emamdoost 提交于
      In the implementation of gmac_setup_txqs() the allocated desc_ring is
      leaked if TX queue base is not aligned. Release it via
      dma_free_coherent.
      
      Fixes: 4d5ae32f ("net: ethernet: Add a driver for Gemini gigabit ethernet")
      Signed-off-by: NNavid Emamdoost <navid.emamdoost@gmail.com>
      Reviewed-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f37f7103
    • F
      net: dsa: b53: Fix egress flooding settings · 63cc54a6
      Florian Fainelli 提交于
      There were several issues with 53568438 ("net: dsa: b53: Add support for port_egress_floods callback") that resulted in breaking connectivity for standalone ports:
      
      - both user and CPU ports must allow unicast and multicast forwarding by
        default otherwise this just flat out breaks connectivity for
        standalone DSA ports
      - IP multicast is treated similarly as multicast, but has separate
        control registers
      - the UC, MC and IPMC lookup failure register offsets were wrong, and
        instead used bit values that are meaningful for the
        B53_IP_MULTICAST_CTRL register
      
      Fixes: 53568438 ("net: dsa: b53: Add support for port_egress_floods callback")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: NVivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      63cc54a6
    • D
      Merge branch 'vsock-fixes' · 1865a7b3
      David S. Miller 提交于
      Stefano Garzarella says:
      
      ====================
      vsock/virtio: fix null-pointer dereference and related precautions
      
      This series mainly solves a possible null-pointer dereference in
      virtio_transport_recv_listen() introduced with the multi-transport
      support [PATCH 1].
      
      PATCH 2 adds a WARN_ON check for the same potential issue
      and a returned error in the virtio_transport_send_pkt_info() function
      to avoid crashing the kernel.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1865a7b3
    • S
      vsock/virtio: add WARN_ON check on virtio_transport_get_ops() · 4aaf5961
      Stefano Garzarella 提交于
      virtio_transport_get_ops() and virtio_transport_send_pkt_info()
      can only be used on connecting/connected sockets, since a socket
      assigned to a transport is required.
      
      This patch adds a WARN_ON() on virtio_transport_get_ops() to check
      this requirement, a comment and a returned error on
      virtio_transport_send_pkt_info(),
      Signed-off-by: NStefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4aaf5961
    • S
      vsock/virtio: fix null-pointer dereference in virtio_transport_recv_listen() · df18fa14
      Stefano Garzarella 提交于
      With multi-transport support, listener sockets are not bound to any
      transport. So, calling virtio_transport_reset(), when an error
      occurs, on a listener socket produces the following null-pointer
      dereference:
      
        BUG: kernel NULL pointer dereference, address: 00000000000000e8
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP PTI
        CPU: 0 PID: 20 Comm: kworker/0:1 Not tainted 5.5.0-rc1-ste-00003-gb4be21f316ac-dirty #56
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
        Workqueue: virtio_vsock virtio_transport_rx_work [vmw_vsock_virtio_transport]
        RIP: 0010:virtio_transport_send_pkt_info+0x20/0x130 [vmw_vsock_virtio_transport_common]
        Code: 1f 84 00 00 00 00 00 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 fc 53 48 83 ec 10 44 8b 76 20 e8 c0 ba fe ff <48> 8b 80 e8 00 00 00 e8 64 e3 7d c1 45 8b 45 00 41 8b 8c 24 d4 02
        RSP: 0018:ffffc900000b7d08 EFLAGS: 00010282
        RAX: 0000000000000000 RBX: ffff88807bf12728 RCX: 0000000000000000
        RDX: ffff88807bf12700 RSI: ffffc900000b7d50 RDI: ffff888035c84000
        RBP: ffffc900000b7d40 R08: ffff888035c84000 R09: ffffc900000b7d08
        R10: ffff8880781de800 R11: 0000000000000018 R12: ffff888035c84000
        R13: ffffc900000b7d50 R14: 0000000000000000 R15: ffff88807bf12724
        FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000000000e8 CR3: 00000000790f4004 CR4: 0000000000160ef0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         virtio_transport_reset+0x59/0x70 [vmw_vsock_virtio_transport_common]
         virtio_transport_recv_pkt+0x5bb/0xe50 [vmw_vsock_virtio_transport_common]
         ? detach_buf_split+0xf1/0x130
         virtio_transport_rx_work+0xba/0x130 [vmw_vsock_virtio_transport]
         process_one_work+0x1c0/0x300
         worker_thread+0x45/0x3c0
         kthread+0xfc/0x130
         ? current_work+0x40/0x40
         ? kthread_park+0x90/0x90
         ret_from_fork+0x35/0x40
        Modules linked in: sunrpc kvm_intel kvm vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common irqbypass vsock virtio_rng rng_core
        CR2: 00000000000000e8
        ---[ end trace e75400e2ea2fa824 ]---
      
      This happens because virtio_transport_reset() calls
      virtio_transport_send_pkt_info() that can be used only on
      connecting/connected sockets.
      
      This patch fixes the issue, using virtio_transport_reset_no_sock()
      instead of virtio_transport_reset() when we are handling a listener
      socket.
      
      Fixes: c0cfa2d8 ("vsock: add multi-transports support")
      Signed-off-by: NStefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df18fa14
  6. 16 12月, 2019 5 次提交
  7. 15 12月, 2019 9 次提交
    • R
      net: phylink: fix interface passed to mac_link_up · 9b2079c0
      Russell King 提交于
      A mismerge between the following two commits:
      
      c6787263 ("net: phylink: ensure consistent phy interface mode")
      27755ff8 ("net: phylink: Add phylink_mac_link_{up, down} wrapper functions")
      
      resulted in the wrong interface being passed to the mac_link_up()
      function. Fix this up.
      
      Fixes: b4b12b0d ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net")
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      9b2079c0
    • T
      selftests: net: tls: remove recv_rcvbuf test · 6dd504b0
      Thadeu Lima de Souza Cascardo 提交于
      This test only works when [1] is applied, which was rejected.
      
      Basically, the errors are reported and cleared. In this particular case of
      tls sockets, following reads will block.
      
      The test case was originally submitted with the rejected patch, but, then,
      was included as part of a different patchset, possibly by mistake.
      
      [1] https://lore.kernel.org/netdev/20191007035323.4360-2-jakub.kicinski@netronome.com/#t
      
      Thanks Paolo Pisati for pointing out the original patchset where this
      appeared.
      
      Fixes: 65190f77 (selftests/tls: add a test for fragmented messages)
      Reported-by: NPaolo Pisati <paolo.pisati@canonical.com>
      Signed-off-by: NThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      6dd504b0
    • J
      Merge branch 'gtp-fix-several-bugs-in-gtp-module' · 8ed001c9
      Jakub Kicinski 提交于
      Taehee Yoo says:
      
      ====================
      gtp: fix several bugs in gtp module
      
      This patchset fixes several bugs in the GTP module.
      
      1. Do not allow adding duplicate TID and ms_addr pdp context.
      In the current code, duplicate TID and ms_addr pdp context could be added.
      So, RX and TX path could find correct pdp context.
      
      2. Fix wrong condition in ->dumpit() callback.
      ->dumpit() callback is re-called if dump packet size is too big.
      So, before return, it saves last position and then restart from
      last dump position.
      TID value is used to find last dump position.
      GTP module allows adding zero TID value. But ->dumpit() callback ignores
      zero TID value.
      So, dump would not work correctly if dump packet size too big.
      
      3. Fix use-after-free in ipv4_pdp_find().
      RX and TX patch always uses gtp->tid_hash and gtp->addr_hash.
      but while packet processing, these hash pointer would be freed.
      So, use-after-free would occur.
      
      4. Fix panic because of zero size hashtable
      GTP hashtable size could be set by user-space.
      If hashsize is set to 0, hashtable will not work and panic will occur.
      ====================
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      8ed001c9
    • T
      gtp: avoid zero size hashtable · 6a902c0f
      Taehee Yoo 提交于
      GTP default hashtable size is 1024 and userspace could set specific
      hashtable size with IFLA_GTP_PDP_HASHSIZE. If hashtable size is set to 0
      from userspace,  hashtable will not work and panic will occur.
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      6a902c0f
    • T
      gtp: fix an use-after-free in ipv4_pdp_find() · 94dc550a
      Taehee Yoo 提交于
      ipv4_pdp_find() is called in TX packet path of GTP.
      ipv4_pdp_find() internally uses gtp->tid_hash to lookup pdp context.
      In the current code, gtp->tid_hash and gtp->addr_hash are freed by
      ->dellink(), which is gtp_dellink().
      But gtp_dellink() would be called while packets are processing.
      So, gtp_dellink() should not free gtp->tid_hash and gtp->addr_hash.
      Instead, dev->priv_destructor() would be used because this callback
      is called after all packet processing safely.
      
      Test commands:
          ip link add veth1 type veth peer name veth2
          ip a a 172.0.0.1/24 dev veth1
          ip link set veth1 up
          ip a a 172.99.0.1/32 dev lo
      
          gtp-link add gtp1 &
      
          gtp-tunnel add gtp1 v1 200 100 172.99.0.2 172.0.0.2
          ip r a  172.99.0.2/32 dev gtp1
          ip link set gtp1 mtu 1500
      
          ip netns add ns2
          ip link set veth2 netns ns2
          ip netns exec ns2 ip a a 172.0.0.2/24 dev veth2
          ip netns exec ns2 ip link set veth2 up
          ip netns exec ns2 ip a a 172.99.0.2/32 dev lo
          ip netns exec ns2 ip link set lo up
      
          ip netns exec ns2 gtp-link add gtp2 &
          ip netns exec ns2 gtp-tunnel add gtp2 v1 100 200 172.99.0.1 172.0.0.1
          ip netns exec ns2 ip r a 172.99.0.1/32 dev gtp2
          ip netns exec ns2 ip link set gtp2 mtu 1500
      
          hping3 172.99.0.2 -2 --flood &
          ip link del gtp1
      
      Splat looks like:
      [   72.568081][ T1195] BUG: KASAN: use-after-free in ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.568916][ T1195] Read of size 8 at addr ffff8880b9a35d28 by task hping3/1195
      [   72.569631][ T1195]
      [   72.569861][ T1195] CPU: 2 PID: 1195 Comm: hping3 Not tainted 5.5.0-rc1 #199
      [   72.570547][ T1195] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   72.571438][ T1195] Call Trace:
      [   72.571764][ T1195]  dump_stack+0x96/0xdb
      [   72.572171][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.572761][ T1195]  print_address_description.constprop.5+0x1be/0x360
      [   72.573400][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.573971][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.574544][ T1195]  __kasan_report+0x12a/0x16f
      [   72.575014][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.575593][ T1195]  kasan_report+0xe/0x20
      [   72.576004][ T1195]  ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.576577][ T1195]  gtp_build_skb_ip4+0x199/0x1420 [gtp]
      [ ... ]
      [   72.647671][ T1195] BUG: unable to handle page fault for address: ffff8880b9a35d28
      [   72.648512][ T1195] #PF: supervisor read access in kernel mode
      [   72.649158][ T1195] #PF: error_code(0x0000) - not-present page
      [   72.649849][ T1195] PGD a6c01067 P4D a6c01067 PUD 11fb07067 PMD 11f939067 PTE 800fffff465ca060
      [   72.652958][ T1195] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [   72.653834][ T1195] CPU: 2 PID: 1195 Comm: hping3 Tainted: G    B             5.5.0-rc1 #199
      [   72.668062][ T1195] RIP: 0010:ipv4_pdp_find.isra.12+0x86/0x170 [gtp]
      [ ... ]
      [   72.679168][ T1195] Call Trace:
      [   72.679603][ T1195]  gtp_build_skb_ip4+0x199/0x1420 [gtp]
      [   72.681915][ T1195]  ? ipv4_pdp_find.isra.12+0x170/0x170 [gtp]
      [   72.682513][ T1195]  ? lock_acquire+0x164/0x3b0
      [   72.682966][ T1195]  ? gtp_dev_xmit+0x35e/0x890 [gtp]
      [   72.683481][ T1195]  gtp_dev_xmit+0x3c2/0x890 [gtp]
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      94dc550a
    • T
      gtp: fix wrong condition in gtp_genl_dump_pdp() · 94a6d9fb
      Taehee Yoo 提交于
      gtp_genl_dump_pdp() is ->dumpit() callback of GTP module and it is used
      to dump pdp contexts. it would be re-executed because of dump packet size.
      
      If dump packet size is too big, it saves current dump pointer
      (gtp interface pointer, bucket, TID value) then it restarts dump from
      last pointer.
      Current GTP code allows adding zero TID pdp context but dump code
      ignores zero TID value. So, last dump pointer will not be found.
      
      In addition, this patch adds missing rcu_read_lock() in
      gtp_genl_dump_pdp().
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      94a6d9fb
    • T
      gtp: do not allow adding duplicate tid and ms_addr pdp context · 6b01b1d9
      Taehee Yoo 提交于
      GTP RX packet path lookups pdp context with TID. If duplicate TID pdp
      contexts are existing in the list, it couldn't select correct pdp context.
      So, TID value  should be unique.
      GTP TX packet path lookups pdp context with ms_addr. If duplicate ms_addr pdp
      contexts are existing in the list, it couldn't select correct pdp context.
      So, ms_addr value should be unique.
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      6b01b1d9
    • M
      bonding: fix active-backup transition after link failure · 5d485ed8
      Mahesh Bandewar 提交于
      After the recent fix in commit 1899bb32 ("bonding: fix state
      transition issue in link monitoring"), the active-backup mode with
      miimon initially come-up fine but after a link-failure, both members
      transition into backup state.
      
      Following steps to reproduce the scenario (eth1 and eth2 are the
      slaves of the bond):
      
          ip link set eth1 up
          ip link set eth2 down
          sleep 1
          ip link set eth2 up
          ip link set eth1 down
          cat /sys/class/net/eth1/bonding_slave/state
          cat /sys/class/net/eth2/bonding_slave/state
      
      Fixes: 1899bb32 ("bonding: fix state transition issue in link monitoring")
      CC: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NMahesh Bandewar <maheshb@google.com>
      Acked-by: NJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      5d485ed8
    • J
      Merge branch 'bnx2x-bug-fixes' · 7ae1629d
      Jakub Kicinski 提交于
      Manish Chopra says:
      
      ====================
      bnx2x: bug fixes
      
      This series has two driver changes, one to fix some unexpected
      hardware behaviour casued during the parity error recovery in
      presence of SR-IOV VFs and another one related for fixing resource
      management in the driver among the PFs configured on an engine.
      
      Please consider applying it to "net".
      
      V1->V2:
      =======
      Fix the compilation errors reported by kbuild test robot
      on the patch #1 with CONFIG_BNX2X_SRIOV=n
      ====================
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      7ae1629d