1. 29 Jul, 2018 10 commits
    • net: socket: fix potential spectre v1 gadget in socketcall · c8e8cd57
      Jeremy Cline committed
      'call' is a user-controlled value, so sanitize the array index after the
      bounds check to avoid speculating past the bounds of the 'nargs' array.
      
      Found with the help of Smatch:
      
      net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
      'nargs' [r] (local cap)
      
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Jeremy Cline <jcline@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
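
The commit message above describes clamping a user-controlled index after its bounds check so that a mispredicted branch cannot read past the table. The following userspace model is an added example, not code from the kernel patch: `demo_nargs`, `DEMO_MAX_CALL` and the function names are constructed for illustration, and the mask arithmetic follows the generic branch-free form behind the kernel's `array_index_nospec()` helper.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Constructed stand-in for a per-call argument table; values are illustrative. */
#define DEMO_MAX_CALL 5UL
static const unsigned char demo_nargs[DEMO_MAX_CALL + 1] = { 0, 3, 3, 3, 2, 3 };

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * values (true for gcc and clang). Because no branch is involved, the
 * result is correct even on a speculative path where the preceding
 * bounds check was mispredicted.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
	/* Keep the compiler from turning the arithmetic back into a branch. */
	__asm__ volatile("" : "+r"(index));
#endif
	/*
	 * index < size:  both operands of '|' have the top bit clear, so the
	 *                complement is negative and the shift yields -1.
	 * index >= size: (size - 1 - index) wraps and sets the top bit, so
	 *                the complement is non-negative and the shift yields 0.
	 */
	return (unsigned long)(~(long)(index | (size - 1UL - index))
			       >> (BITS_PER_LONG - 1));
}

/* Clamp index into [0, size): unchanged when in range, forced to 0 otherwise. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/*
 * Model of the pattern in the commit message: bounds check first, then
 * sanitize the index before it is used to address the table.
 * Returns the argument count for 'call', or -1 for an invalid call number.
 */
static int demo_arg_count(unsigned long call)
{
	if (call < 1 || call > DEMO_MAX_CALL)
		return -1;

	/* Architecturally a no-op here; it only matters under misspeculation. */
	call = index_nospec(call, DEMO_MAX_CALL + 1);

	return demo_nargs[call];
}

int main(void)
{
	/* Constructed probe values: in range, boundary, and far out of range. */
	unsigned long probes[] = { 0, 1, 4, 5, 6, 1000, ULONG_MAX };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("call=%lu -> clamped=%lu, arg count=%d\n", probes[i],
		       index_nospec(probes[i], DEMO_MAX_CALL + 1),
		       demo_arg_count(probes[i]));
	return 0;
}
```

The clamp never changes the architectural result for a valid call number; its value is that an out-of-range index resolves to element 0 instead of an attacker-chosen offset while the CPU is still speculating past the check.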
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 958b4cd8
      David S. Miller committed
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-07-28
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) API fixes for libbpf's BTF mapping of map key/value types in order
         to make them compatible with iproute2's BPF_ANNOTATE_KV_PAIR()
         markings, from Martin.
      
      2) Fix AF_XDP to not report POLLIN prematurely by using the non-cached
         consumer pointer of the RX queue, from Björn.
      
      3) Fix __xdp_return() to check for NULL pointer after the rhashtable
         lookup that retrieves the allocator object, from Taehee.
      
      4) Fix x86-32 JIT to adjust ebp register in prologue and epilogue
         by 4 bytes which got removed from overall stack usage, from Wang.
      
      5) Fix bpf_skb_load_bytes_relative() length check to use actual
         packet length, from Daniel.
      
      6) Fix uninitialized return code in libbpf bpf_perf_event_read_simple()
         handler, from Thomas.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mdio-mux: bcm-iproc: fix wrong getter and setter pair · b0753408
      Anton Vasilyev committed
      mdio_mux_iproc_probe() uses platform_set_drvdata() to store md pointer
      in device, whereas mdio_mux_iproc_remove() restores md pointer by
      dev_get_platdata(&pdev->dev). This leads to wrong resources release.
      
      The patch replaces getter to platform_get_drvdata.
      
      Fixes: 98bc865a ("net: mdio-mux: Add MDIO mux driver for iProc SoCs")
      Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: remove BUG_ON() from fib_compute_spec_dst · 9fc12023
      Lorenzo Bianconi committed
      Remove BUG_ON() from fib_compute_spec_dst routine and check
      in_dev pointer during flowi4 data structure initialization.
      fib_compute_spec_dst routine can be run concurrently with device removal
      where ip_ptr net_device pointer is set to NULL. This can happen
      if userspace enables pkt info on UDP rx socket and the device
      is removed while traffic is flowing
      
      Fixes: 35ebf65e ("ipv4: Create and use fib_compute_spec_dst() helper")
      Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • enic: handle mtu change for vf properly · ab123fe0
      Govindarajulu Varadarajan committed
      When driver gets notification for mtu change, driver does not handle it for
      all RQs. It handles only RQ[0].
      
      Fix is to use enic_change_mtu() interface to change mtu for vf.
      Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: lan78xx: fix rx handling before first packet is send · 136f55f6
      Stefan Wahren committed
      As long as the bh tasklet isn't scheduled once, no packet from the rx path
      will be handled. Since the tx path also schedules the same tasklet
      this situation only persists until the first packet transmission.
      So fix this issue by scheduling the tasklet after link reset.
      
      Link: https://github.com/raspberrypi/linux/issues/2617
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
      Suggested-by: Floris Bos <bos@je-eigen-domein.nl>
      Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: flower: fix port metadata conversion bug · ee614c87
      John Hurley committed
      Function nfp_flower_repr_get_type_and_port expects an enum nfp_repr_type
      return value but, if the repr type is unknown, returns a value of type
      enum nfp_flower_cmsg_port_type.  This means that if FW encodes the port
      ID in a way the driver does not understand instead of dropping the frame
      driver may attribute it to a physical port (uplink) provided the port
      number is less than physical port count.
      
      Fix this and ensure a net_device of NULL is returned if the repr can not
      be determined.
      
      Fixes: 1025351a ("nfp: add flower app")
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog() · 71eb5255
      Taehee Yoo committed
      bpf_parse_prog() is protected by rcu_read_lock(),
      so GFP_KERNEL is not allowed in bpf_parse_prog().
      
      [51015.579396] =============================
      [51015.579418] WARNING: suspicious RCU usage
      [51015.579444] 4.18.0-rc6+ #208 Not tainted
      [51015.579464] -----------------------------
      [51015.579488] ./include/linux/rcupdate.h:303 Illegal context switch in RCU read-side critical section!
      [51015.579510] other info that might help us debug this:
      [51015.579532] rcu_scheduler_active = 2, debug_locks = 1
      [51015.579556] 2 locks held by ip/1861:
      [51015.579577]  #0: 00000000a8c12fd1 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x2e0/0x910
      [51015.579711]  #1: 00000000bf815f8e (rcu_read_lock){....}, at: lwtunnel_build_state+0x96/0x390
      [51015.579842] stack backtrace:
      [51015.579869] CPU: 0 PID: 1861 Comm: ip Not tainted 4.18.0-rc6+ #208
      [51015.579891] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [51015.579911] Call Trace:
      [51015.579950]  dump_stack+0x74/0xbb
      [51015.580000]  ___might_sleep+0x16b/0x3a0
      [51015.580047]  __kmalloc_track_caller+0x220/0x380
      [51015.580077]  kmemdup+0x1c/0x40
      [51015.580077]  bpf_parse_prog+0x10e/0x230
      [51015.580164]  ? kasan_kmalloc+0xa0/0xd0
      [51015.580164]  ? bpf_destroy_state+0x30/0x30
      [51015.580164]  ? bpf_build_state+0xe2/0x3e0
      [51015.580164]  bpf_build_state+0x1bb/0x3e0
      [51015.580164]  ? bpf_parse_prog+0x230/0x230
      [51015.580164]  ? lock_is_held_type+0x123/0x1a0
      [51015.580164]  lwtunnel_build_state+0x1aa/0x390
      [51015.580164]  fib_create_info+0x1579/0x33d0
      [51015.580164]  ? sched_clock_local+0xe2/0x150
      [51015.580164]  ? fib_info_update_nh_saddr+0x1f0/0x1f0
      [51015.580164]  ? sched_clock_local+0xe2/0x150
      [51015.580164]  fib_table_insert+0x201/0x1990
      [51015.580164]  ? lock_downgrade+0x610/0x610
      [51015.580164]  ? fib_table_lookup+0x1920/0x1920
      [51015.580164]  ? lwtunnel_valid_encap_type.part.6+0xcb/0x3a0
      [51015.580164]  ? rtm_to_fib_config+0x637/0xbd0
      [51015.580164]  inet_rtm_newroute+0xed/0x1b0
      [51015.580164]  ? rtm_to_fib_config+0xbd0/0xbd0
      [51015.580164]  rtnetlink_rcv_msg+0x331/0x910
      [ ... ]
      
      Fixes: 3a0af8fd ("bpf: BPF for lightweight tunnel infrastructure")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: fix bpf_skb_load_bytes_relative pkt length check · 3eee1f75
      Daniel Borkmann committed
      The len > skb_headlen(skb) cannot be used as a maximum upper bound
      for the packet length since it does not have any relation to the full
      linear packet length when filtering is used from upper layers (e.g.
      in case of reuseport BPF programs) as by then skb->data, skb->len
      already got mangled through __skb_pull() and others.
      
      Fixes: 4e1ec56c ("bpf: add skb_load_bytes_relative helper")
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Martin KaFai Lau <kafai@fb.com>
    • perf build: Build error in libbpf missing initialization · b611da43
      Thomas Richter committed
      In linux-next tree compiling the perf tool with additional make flags
      EXTRA_CFLAGS="-Wp,-D_FORTIFY_SOURCE=2 -O2" causes a compiler error.
      It is the warning 'variable may be used uninitialized' which is treated
      as error: I compile it using a FEDORA 28 installation, my gcc compiler
      version: gcc (GCC) 8.0.1 20180324 (Red Hat 8.0.1-0.20). The file that
      causes the error is tools/lib/bpf/libbpf.c.
      
        [root@p23lp27] # make V=1 EXTRA_CFLAGS="-Wp,-D_FORTIFY_SOURCE=2 -O2"
        [...]
        Makefile.config:849: No openjdk development package found, please
           install JDK package, e.g. openjdk-8-jdk, java-1.8.0-openjdk-devel
        Warning: Kernel ABI header at 'tools/include/uapi/linux/if_link.h'
                differs from latest version at 'include/uapi/linux/if_link.h'
          CC       libbpf.o
        libbpf.c: In function ‘bpf_perf_event_read_simple’:
        libbpf.c:2342:6: error: ‘ret’ may be used uninitialized in this
        			function [-Werror=maybe-uninitialized]
          int ret;
              ^
        cc1: all warnings being treated as errors
        mv: cannot stat './.libbpf.o.tmp': No such file or directory
        /home6/tmricht/linux-next/tools/build/Makefile.build:96: recipe for target 'libbpf.o' failed
      Suggested-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  2. 28 Jul, 2018 1 commit
    • Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · d0fdb366
      David S. Miller committed
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2018-07-27
      
      1) Fix PMTU handling of vti6. We update the PMTU on
         the xfrm dst_entry which is not cached anymore
         after the flowcache removal. So update the
         PMTU of the original dst_entry instead.
         From Eyal Birger.
      
      2) Fix a leak of kernel memory to userspace.
         From Eric Dumazet.
      
      3) Fix a possible dst_entry memleak in xfrm_lookup_route.
         From Tommi Rantala.
      
      4) Fix a skb leak in case we can't call nlmsg_multicast
         from xfrm_nlmsg_multicast. From Florian Westphal.
      
      5) Fix a leak of a temporary buffer in the error path of
         esp6_input. From Zhen Lei.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 27 Jul, 2018 6 commits
    • net: ena: Fix use of uninitialized DMA address bits field · 101f0cd4
      Gal Pressman committed
      UBSAN triggers the following undefined behaviour warnings:
      [...]
      [   13.236124] UBSAN: Undefined behaviour in drivers/net/ethernet/amazon/ena/ena_eth_com.c:468:22
      [   13.240043] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
      [...]
      [   13.744769] UBSAN: Undefined behaviour in drivers/net/ethernet/amazon/ena/ena_eth_com.c:373:4
      [   13.748694] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
      [...]
      
      When splitting the address to high and low, GENMASK_ULL is used to generate
      a bitmask with dma_addr_bits field from io_sq (in ena_com_prepare_tx and
      ena_com_add_single_rx_desc).
      The problem is that dma_addr_bits is not initialized with a proper value
      (besides being cleared in ena_com_create_io_queue).
      Assign dma_addr_bits the correct value that is stored in ena_dev when
      initializing the SQ.
      
      Fixes: 1738cd3e ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
      Signed-off-by: Gal Pressman <pressmangal@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: btf: Use exact btf value_size match in map_check_btf() · 5f300e80
      Martin KaFai Lau committed
      The current map_check_btf() in BPF_MAP_TYPE_ARRAY rejects
      '> map->value_size' to ensure map_seq_show_elem() will not
      access things beyond an array element.
      
      Yonghong suggested that using '!=' is a more correct
      check.  The 8 bytes round_up on value_size is stored
      in array->elem_size.  Hence, using '!=' on map->value_size
      is a proper check.
      
      This patch also adds new tests to check the btf array
      key type and value type.  Two of these new tests verify
      the btf's value_size (the change in this patch).
      
      It also fixes two existing tests that wrongly encoded
      a btf's type size (pprint_test) and the value_type_id (in one
      of the raw_tests[]).  However, that does not affect these two
      BTF verification tests before or after this test changes.
      These two tests mainly failed at array creation time after
      this patch.
      
      Fixes: a26ca7c9 ("bpf: btf: Add pretty print support to the basic arraymap")
      Suggested-by: Yonghong Song <yhs@fb.com>
      Acked-by: Yonghong Song <yhs@fb.com>
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • xdp: add NULL pointer check in __xdp_return() · 36e0f12b
      Taehee Yoo committed
      rhashtable_lookup() can return NULL. so that NULL pointer
      check routine should be added.
      
      Fixes: 02b55e56 ("xdp: add MEM_TYPE_ZERO_COPY")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Acked-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Björn Töpel <bjorn.topel@intel.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • RDS: RDMA: Fix the NULL-ptr deref in rds_ib_get_mr · 9e630bcb
      Avinash Repaka committed
      Registration of a memory region (MR) through FRMR/fastreg (unlike FMR)
      needs a connection/qp. With a proxy qp, this dependency on connection
      will be removed, but that needs more infrastructure patches, which is a
      work in progress.
      
      As an intermediate fix, the get_mr returns EOPNOTSUPP when connection
      details are not populated. The MR registration through sendmsg() will
      continue to work even with fast registration, since connection in this
      case is formed upfront.
      
      This patch fixes the following crash:
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Modules linked in:
      CPU: 1 PID: 4244 Comm: syzkaller468044 Not tainted 4.16.0-rc6+ #361
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544
      Call Trace:
       __rds_rdma_map+0x710/0x1050 net/rds/rdma.c:271
       rds_get_mr_for_dest+0x1d4/0x2c0 net/rds/rdma.c:357
       rds_setsockopt+0x6cc/0x980 net/rds/af_rds.c:347
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      ---[ end trace 7e1cea13b85473b0 ]---
      
      Reported-by: syzbot+b51c77ef956678a65834@syzkaller.appspotmail.com
      Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: rollback orig value on failure of dev_qdisc_change_tx_queue_len · 7effaf06
      Tariq Toukan committed
      Fix dev_change_tx_queue_len so it rolls back original value
      upon a failure in dev_qdisc_change_tx_queue_len.
      This is already done for notifiers' failures, share the code.
      
      In case of failure in dev_qdisc_change_tx_queue_len, some tx queues
      would still be of the new length, while they should be reverted.
      Currently, the revert is not done, and is marked with a TODO label
      in dev_qdisc_change_tx_queue_len, and should find some nice solution
      to do it.
      Yet it is still better to not apply the newly requested value.
      
      Fixes: 48bfd55e ("net_sched: plug in qdisc ops change_tx_queue_len")
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
      Reported-by: Ran Rozenstein <ranro@mellanox.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: fix amd-xgbe flow-control issue · 7f3fc7dd
      tangpengpeng committed
      If we enable or disable xgbe flow-control by ethtool,
      it doesn't work. Because the parameter is not properly
      assigned, so we need to adjust the assignment order
      of the parameters.
      
      Fixes: c1ce2f77 ("amd-xgbe: Fix flow control setting logic")
      Signed-off-by: tangpengpeng <tangpengpeng@higon.com>
      Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 26 Jul, 2018 8 commits
  5. 25 Jul, 2018 15 commits
    • Merge branch 'bpf-annotate-kv-pair' · 684cce1c
      Daniel Borkmann committed
      Martin KaFai Lau says:
      
      ====================
      The series allows the BPF loader to figure out the btf_key_id
      and btf_value_id from a map's name by using BPF_ANNOTATE_KV_PAIR()
      similarly as in iproute2 commit f823f36012fb ("bpf: implement
      btf handling and map annotation").
      
      It also removes the old 'typedef' way which requires two separate
      typedefs (one for the key and one for the value).
      
      By doing this, iproute2 and libbpf have one consistent way to
      figure out the btf_key_type_id and btf_value_type_id for a map.
      
      The first two patches are some prep/cleanup works. The last patch
      introduces BPF_ANNOTATE_KV_PAIR.
      
      v3:
      - Replace some more *int*_t and u* usages with the
        equivalent __[su]* in btf.c
      
      v2:
      - Fix the incorrect '&&' check on container_type
        in bpf_map_find_btf_info().
      - Expose the existing static btf_type_by_id() instead of
        creating a new one.
      ====================
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Introduce BPF_ANNOTATE_KV_PAIR · 38d5d3b3
      Martin KaFai Lau committed
      This patch introduces BPF_ANNOTATE_KV_PAIR to signal the
      bpf loader about the btf key_type and value_type of a bpf map.
      Please refer to the changes in test_btf_haskv.c for its usage.
      Both iproute2 and libbpf loader will then have the same
      convention to find out the map's btf_key_type_id and
      btf_value_type_id from a map's name.
      
      Fixes: 8a138aed ("bpf: btf: Add BTF support to libbpf")
      Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Yonghong Song <yhs@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Replace [u]int32_t and [u]int64_t in libbpf · 5b891af7
      Martin KaFai Lau committed
      This patch replaces [u]int32_t and [u]int64_t usage with
      __[su]32 and __[su]64.  The same change goes for [u]int16_t
      and [u]int8_t.
      
      Fixes: 8a138aed ("bpf: btf: Add BTF support to libbpf")
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Yonghong Song <yhs@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: btf: Sync uapi btf.h to tools · 64bb5684
      Martin KaFai Lau committed
      This patch syncs the uapi btf.h to tools/
      
      Fixes: 36fc3c8c bpf: btf: Clean up BTF_INT_BITS() in uapi btf.h
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Yonghong Song <yhs@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • Merge tag 'mips_fixes_4.18_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 9981b4fb
      Linus Torvalds committed
      Pull MIPS fixes from Paul Burton:
       "A couple more MIPS fixes for 4.18:
      
         - Fix an off-by-one in reporting PCI resource sizes to userland which
           regressed in v3.12.
      
         - Fix writes to DDR controller registers used to flush write buffers,
           which regressed with some refactoring in v4.2"
      
      * tag 'mips_fixes_4.18_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: ath79: fix register address in ath79_ddr_wb_flush()
        MIPS: Fix off-by-one in pci_resource_to_user()
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 07230906
      Linus Torvalds committed
      Pull networking fixes from David Miller:
      
       1) Handle stations tied to AP_VLANs properly during mac80211 hw
          reconfig. From Manikanta Pubbisetty.
      
       2) Fix jump stack depth validation in nf_tables, from Taehee Yoo.
      
       3) Fix quota handling in aRFS flow expiration of mlx5 driver, from Eran
          Ben Elisha.
      
       4) Exit path handling fix in powerpc64 BPF JIT, from Daniel Borkmann.
      
       5) Use ptr_ring_consume_bh() in page pool code, from Tariq Toukan.
      
       6) Fix cached netdev name leak in nf_tables, from Florian Westphal.
      
       7) Fix memory leaks on chain rename, also from Florian Westphal.
      
       8) Several fixes to DCTCP congestion control ACK handling, from Yuchunk
          Cheng.
      
       9) Missing rcu_read_unlock() in CAIF protocol code, from Yue Haibing.
      
      10) Fix link local address handling with VRF, from David Ahern.
      
      11) Don't clobber 'err' on a successful call to __skb_linearize() in
          skb_segment(). From Eric Dumazet.
      
      12) Fix vxlan fdb notification races, from Roopa Prabhu.
      
      13) Hash UDP fragments consistently, from Paolo Abeni.
      
      14) If TCP receives lots of out of order tiny packets, we do really
          silly stuff. Make the out-of-order queue ending more robust to this
          kind of behavior, from Eric Dumazet.
      
      15) Don't leak netlink dump state in nf_tables, from Florian Westphal.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (76 commits)
        net: axienet: Fix double deregister of mdio
        qmi_wwan: fix interface number for DW5821e production firmware
        ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull
        bnx2x: Fix invalid memory access in rss hash config path.
        net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
        r8169: restore previous behavior to accept BIOS WoL settings
        cfg80211: never ignore user regulatory hint
        sock: fix sg page frag coalescing in sk_alloc_sg
        netfilter: nf_tables: move dumper state allocation into ->start
        tcp: add tcp_ooo_try_coalesce() helper
        tcp: call tcp_drop() from tcp_data_queue_ofo()
        tcp: detect malicious patterns in tcp_collapse_ofo_queue()
        tcp: avoid collapses in tcp_prune_queue() if possible
        tcp: free batches of packets in tcp_prune_ofo_queue()
        ip: hash fragments consistently
        ipv6: use fib6_info_hold_safe() when necessary
        can: xilinx_can: fix power management handling
        can: xilinx_can: fix incorrect clear of non-processed interrupts
        can: xilinx_can: fix RX overflow interrupt not being enabled
        can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
        ...
    • net: axienet: Fix double deregister of mdio · 03bc7cab
      Shubhrajyoti Datta committed
      If the registration fails then mdio_unregister is called.
      However at unbind the unregister is attempted again resulting
      in the below crash
      
      [   73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
      [   73.549362] Internal error: Oops - BUG: 0 [#1] SMP
      [   73.554127] Modules linked in:
      [   73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
      [   73.562895] Hardware name: xlnx,zynqmp (DT)
      [   73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
      [   73.572973] PC is at mdiobus_unregister+0x84/0x88
      [   73.577656] LR is at axienet_mdio_teardown+0x18/0x30
      [   73.582601] pc : [<ffffff80085fa4cc>] lr : [<ffffff8008616858>]
      pstate: 20000145
      [   73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)
      
      Fix the same by making the bus NULL on unregister.
      Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qmi_wwan: fix interface number for DW5821e production firmware · f25e1392
      Aleksander Morgado committed
      The original mapping for the DW5821e was done using a development
      version of the firmware. Confirmed with the vendor that the final
      USB layout ends up exposing the QMI control/data ports in USB
      config #1, interface #0, not in interface #1 (which is now a HID
      interface).
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      
      Fixes: e7e197ed ("qmi_wwan: add support for the Dell Wireless 5821e module")
      Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull · 2efd4fca
      Willem de Bruijn committed
      Syzbot reported a read beyond the end of the skb head when returning
      IPV6_ORIGDSTADDR:
      
        BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
        CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
        Google 01/01/2011
        Call Trace:
          __dump_stack lib/dump_stack.c:77 [inline]
          dump_stack+0x185/0x1d0 lib/dump_stack.c:113
          kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
          kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
          kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
          copy_to_user include/linux/uaccess.h:184 [inline]
          put_cmsg+0x5ef/0x860 net/core/scm.c:242
          ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
          ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
          rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
          [..]
      
      This logic and its ipv4 counterpart read the destination port from
      the packet at skb_transport_offset(skb) + 4.
      
      With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
      packet that stores headers exactly up to skb_transport_offset(skb) in
      the head and the remainder in a frag.
      
      Call pskb_may_pull before accessing the pointer to ensure that it lies
      in skb head.
      
      Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
      Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
      Signed-off-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnx2x: Fix invalid memory access in rss hash config path. · ae2dcb28
      Sudarsana Reddy Kalluru committed
      Rx hash/filter table configuration uses rss_conf_obj to configure filters
      in the hardware. This object is initialized only when the interface is
      brought up.
      This patch adds driver changes to configure rss params only when the device
      is in opened state. In port disabled case, the config will be cached in the
      driver structure which will be applied in the successive load path.
      
      Please consider applying it to 'net' branch.
      Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ae2dcb28
    • J
      net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper · 958c696f
      Jack Morgenstein committed on
      Function mlx4_RST2INIT_QP_wrapper saved the qp number passed in the qp
      context, rather than the one passed in the input modifier.
      
      However, the qp number in the qp context is not defined as a
      required parameter by the FW. Therefore, drivers may choose to not
      specify the qp number in the qp context for the reset-to-init transition.
      
      Thus, we must save the qp number passed in the command input modifier --
      which is always present. (This saved qp number is used as the input
      modifier for command 2RST_QP when a slave's qp's are destroyed).
      
      Fixes: c82e9aa0 ("mlx4_core: resource tracking for HCA resources used by guests")
      Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      958c696f
    • H
      r8169: restore previous behavior to accept BIOS WoL settings · 18041b52
      Heiner Kallweit committed on
      Commit 7edf6d31 tried to resolve an inconsistency (BIOS WoL
      settings are accepted, but device isn't wakeup-enabled) resulting
      from a previous broken-BIOS workaround by making disabled WoL the
      default.
      This however had some side effects, most likely due to a broken BIOS
      some systems don't properly resume from suspend when the MagicPacket
      WoL bit isn't set in the chip, see
      https://bugzilla.kernel.org/show_bug.cgi?id=200195
      Therefore restore the WoL behavior from 4.16.
      Reported-by: Albert Astals Cid <aacid@kde.org>
      Fixes: 7edf6d31 ("r8169: disable WOL per default")
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      18041b52
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · f89ed2f8
      Linus Torvalds committed on
      Pull s390 fix from Martin Schwidefsky.
      
      Guenter Roeck reports that the s390 allmodconfig build fails because of
      a gcc plugin problem.  The fix won't be in-tree until 4.19, so for now
      disable the gcc plugins on s390.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: disable gcc plugins
      f89ed2f8
    • G
      media: staging: omap4iss: Include asm/cacheflush.h after generic includes · 0894da84
      Guenter Roeck committed on
      Including asm/cacheflush.h first results in the following build error
      when trying to build sparc32:allmodconfig, because 'struct page' has not
      been declared, and the function declaration ends up creating a separate
      (private) declaration of struct page (as a result of function arguments
      being in the scope of the function declaration and definition, not in
      global scope).
      
      The C scoping rules do not just affect variable visibility, they also
      affect type declaration visibility.
      
      The end result is that when the actual call site is seen in
      <linux/highmem.h>, the 'struct page' type in the caller is not the same
      'struct page' that the function was declared with, resulting in:
      
        In file included from arch/sparc/include/asm/page.h:10:0,
                         ...
                         from drivers/staging/media/omap4iss/iss_video.c:15:
        include/linux/highmem.h: In function 'clear_user_highpage':
        include/linux/highmem.h:137:31: error:
      	passing argument 1 of 'sparc_flush_page_to_ram' from incompatible
      	pointer type
      
      Include generic includes files first to fix the problem.
      
      Fixes: fc96d58c ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices")
      Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Acked-by: David S. Miller <davem@davemloft.net>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      [ Added explanation of C scope rules - Linus ]
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      0894da84
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 049f5604
      David S. Miller committed on
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Make sure we don't go over the maximum jump stack boundary,
         from Taehee Yoo.
      
      2) Missing rcu_barrier() in hash and rbtree sets, also from Taehee.
      
      3) Missing check to nul-node in rbtree timeout routine, from Taehee.
      
      4) Use dev->name from flowtable to fix a memleak, from Florian.
      
      5) Oneliner to free flowtable object on removal, from Florian.
      
      6) Memleak in chain rename transaction, again from Florian.
      
      7) Don't allow two chains to use the same name in the same
         transaction, from Florian.
      
      8) handle DCCP SYNC/SYNCACK as invalid, this triggers an
         uninitialized timer in conntrack reported by syzbot, from Florian.
      
      9) Fix leak in case netlink_dump_start() fails, from Florian.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      049f5604