1. 20 11月, 2018 13 次提交
    • D
      Merge branch 'qed-Fix-Queue-Manager-getters' · db9a0bae
      David S. Miller 提交于
      Denis Bolotin says:
      
      ====================
      qed: Fix Queue Manager getters
      
      This patch series fixes various queue manager getter functions. It is
      important to make sure the getter's caller will receive a valid queue even
      in error case to prevent more serious bugs.
      Please consider applying to net.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db9a0bae
    • D
      qed: Fix QM getters to always return a valid pq · eb62cca9
      Denis Bolotin 提交于
      The getter callers doesn't know the valid Physical Queues (PQ) values.
      This patch makes sure that a valid PQ will always be returned.
      
      The patch consists of 3 fixes:
      
       - When qed_init_qm_get_idx_from_flags() receives a disabled flag, it
         returned PQ 0, which can potentially be another function's pq. Verify
         that flag is enabled, otherwise return default start_pq.
      
       - When qed_init_qm_get_idx_from_flags() receives an unknown flag, it
         returned NULL and could lead to a segmentation fault. Return default
         start_pq instead.
      
       - A modulo operation was added to MCOS/VFS PQ getters to make sure the
         PQ returned is in range of the required flag.
      
      Fixes: b5a9ee7c ("qed: Revise QM cofiguration")
      Signed-off-by: NDenis Bolotin <denis.bolotin@cavium.com>
      Signed-off-by: NMichal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      eb62cca9
    • D
      qed: Fix bitmap_weight() check · 276d43f0
      Denis Bolotin 提交于
      Fix the condition which verifies that only one flag is set. The API
      bitmap_weight() should receive size in bits instead of bytes.
      
      Fixes: b5a9ee7c ("qed: Revise QM cofiguration")
      Signed-off-by: NDenis Bolotin <denis.bolotin@cavium.com>
      Signed-off-by: NMichal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      276d43f0
    • D
      Merge branch 'ena-hibernation-and-rmmod-bug-fixes' · d7c60210
      David S. Miller 提交于
      Arthur Kiyanovski says:
      
      ====================
      net: ena: hibernation and rmmod bug fixes
      
      This patchset includes 2 bug fixes:
      1. A fix to a crash during resume from hibernation.
      2. A fix to an illegal memory access during driver removal (e.g. during rmmod)
         which might cause a crash in certain systems.
      
      The subminor number in the driver version is also promoted to indicate driver
      was changed.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7c60210
    • A
      net: ena: update driver version from 2.0.1 to 2.0.2 · 4c23738a
      Arthur Kiyanovski 提交于
      Update driver version due to critical bug fixes.
      Signed-off-by: NArthur Kiyanovski <akiyano@amazon.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c23738a
    • A
      net: ena: fix crash during ena_remove() · 58a54b9c
      Arthur Kiyanovski 提交于
      In ena_remove() we have the following stack call:
      ena_remove()
        unregister_netdev()
        ena_destroy_device()
          netif_carrier_off()
      
      Calling netif_carrier_off() causes linkwatch to try to handle the
      link change event on the already unregistered netdev, which leads
      to a read from an unreadable memory address.
      
      This patch switches the order of the two functions, so that
      netif_carrier_off() is called on a regiestered netdev.
      
      To accomplish this fix we also had to:
      1. Remove the set bit ENA_FLAG_TRIGGER_RESET
      2. Add a sanitiy check in ena_close()
      both to prevent double device reset (when calling unregister_netdev()
      ena_close is called, but the device was already deleted in
      ena_destroy_device()).
      3. Set the admin_queue running state to false to avoid using it after
      device was reset (for example when calling ena_destroy_all_io_queues()
      right after ena_com_dev_reset() in ena_down)
      
      Fixes: 944b28aa ("net: ena: fix missing lock during device destruction")
      Signed-off-by: NArthur Kiyanovski <akiyano@amazon.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      58a54b9c
    • A
      net: ena: fix crash during failed resume from hibernation · e76ad21d
      Arthur Kiyanovski 提交于
      During resume from hibernation if ena_restore_device fails,
      ena_com_dev_reset() is called, and uses the readless read mechanism,
      which was already destroyed by the call to
      ena_com_mmio_reg_read_request_destroy(). This causes a NULL pointer
      reference.
      
      In this commit we switch the call order of the above two functions
      to avoid this crash.
      
      Fixes: d7703ddb ("net: ena: fix rare bug when failed restart/resume is followed by driver removal")
      Signed-off-by: NArthur Kiyanovski <akiyano@amazon.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e76ad21d
    • X
      sctp: not increase stream's incnt before sending addstrm_in request · e1e46479
      Xin Long 提交于
      Different from processing the addstrm_out request, The receiver handles
      an addstrm_in request by sending back an addstrm_out request to the
      sender who will increase its stream's in and incnt later.
      
      Now stream->incnt has been increased since it sent out the addstrm_in
      request in sctp_send_add_streams(), with the wrong stream->incnt will
      even cause crash when copying stream info from the old stream's in to
      the new one's in sctp_process_strreset_addstrm_out().
      
      This patch is to fix it by simply removing the stream->incnt change
      from sctp_send_add_streams().
      
      Fixes: 242bd2d5 ("sctp: implement sender-side procedures for Add Incoming/Outgoing Streams Request Parameter")
      Reported-by: NJianwen Ji <jiji@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e1e46479
    • X
      Revert "sctp: remove sctp_transport_pmtu_check" · 69fec325
      Xin Long 提交于
      This reverts commit 22d7be26.
      
      The dst's mtu in transport can be updated by a non sctp place like
      in xfrm where the MTU information didn't get synced between asoc,
      transport and dst, so it is still needed to do the pmtu check
      in sctp_packet_config.
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      69fec325
    • X
      sctp: not allow to set asoc prsctp_enable by sockopt · cc3ccf26
      Xin Long 提交于
      As rfc7496#section4.5 says about SCTP_PR_SUPPORTED:
      
         This socket option allows the enabling or disabling of the
         negotiation of PR-SCTP support for future associations.  For existing
         associations, it allows one to query whether or not PR-SCTP support
         was negotiated on a particular association.
      
      It means only sctp sock's prsctp_enable can be set.
      
      Note that for the limitation of SCTP_{CURRENT|ALL}_ASSOC, we will
      add it when introducing SCTP_{FUTURE|CURRENT|ALL}_ASSOC for linux
      sctp in another patchset.
      
      v1->v2:
        - drop the params.assoc_id check as Neil suggested.
      
      Fixes: 28aa4c26 ("sctp: add SCTP_PR_SUPPORTED on sctp sockopt")
      Reported-by: NYing Xu <yinxu@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cc3ccf26
    • X
      sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit · 02968ccf
      Xin Long 提交于
      Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the
      skb allocked in sctp_packet_transmit and decreases by 1 when freeing
      this skb.
      
      But when this skb goes through networking stack, some subcomponents
      might change skb->truesize and add the same amount on sk_wmem_alloc.
      However sctp doesn't know the amount to decrease by, it would cause
      a leak on sk->sk_wmem_alloc and the sock can never be freed.
      
      Xiumei found this issue when it hit esp_output_head() by using sctp
      over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc.
      
      Since sctp has used sk_wmem_queued to count for writable space since
      Commit cd305c74 ("sctp: use sk_wmem_queued to check for writable
      space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize
      in sctp_packet_transmit.
      
      Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible")
      Reported-by: NXiumei Mu <xmu@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      02968ccf
    • H
      MAINTAINERS: Add myself as third phylib maintainer · a36b5444
      Heiner Kallweit 提交于
      Add myself as third phylib maintainer.
      Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Acked-by: NAndrew Lunn <andrew@lunn.ch>
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a36b5444
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f2ce1065
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix some potentially uninitialized variables and use-after-free in
          kvaser_usb can drier, from Jimmy Assarsson.
      
       2) Fix leaks in qed driver, from Denis Bolotin.
      
       3) Socket leak in l2tp, from Xin Long.
      
       4) RSS context allocation fix in bnxt_en from Michael Chan.
      
       5) Fix cxgb4 build errors, from Ganesh Goudar.
      
       6) Route leaks in ipv6 when removing exceptions, from Xin Long.
      
       7) Memory leak in IDR allocation handling of act_pedit, from Davide
          Caratti.
      
       8) Use-after-free of bridge vlan stats, from Nikolay Aleksandrov.
      
       9) When MTU is locked, do not force DF bit on ipv4 tunnels. From
          Sabrina Dubroca.
      
      10) When NAPI cached skb is reused, we must set it to the proper initial
          state which includes skb->pkt_type. From Eric Dumazet.
      
      11) Lockdep and non-linear SKB handling fix in tipc from Jon Maloy.
      
      12) Set RX queue properly in various tuntap receive paths, from Matthew
          Cover.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (61 commits)
        tuntap: fix multiqueue rx
        ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF
        tipc: don't assume linear buffer when reading ancillary data
        tipc: fix lockdep warning when reinitilaizing sockets
        net-gro: reset skb->pkt_type in napi_reuse_skb()
        tc-testing: tdc.py: Guard against lack of returncode in executed command
        tc-testing: tdc.py: ignore errors when decoding stdout/stderr
        ip_tunnel: don't force DF when MTU is locked
        MAINTAINERS: Add entry for CAKE qdisc
        net: bridge: fix vlan stats use-after-free on destruction
        socket: do a generic_file_splice_read when proto_ops has no splice_read
        net: phy: mdio-gpio: Fix working over slow can_sleep GPIOs
        Revert "net: phy: mdio-gpio: Fix working over slow can_sleep GPIOs"
        net: phy: mdio-gpio: Fix working over slow can_sleep GPIOs
        net/sched: act_pedit: fix memory leak when IDR allocation fails
        net: lantiq: Fix returned value in case of error in 'xrx200_probe()'
        ipv6: fix a dst leak when removing its exception
        net: mvneta: Don't advertise 2.5G modes
        drivers/net/ethernet/qlogic/qed/qed_rdma.h: fix typo
        net/mlx4: Fix UBSAN warning of signed integer overflow
        ...
      f2ce1065
  2. 19 11月, 2018 25 次提交
  3. 18 11月, 2018 2 次提交
    • J
      tipc: don't assume linear buffer when reading ancillary data · 1c1274a5
      Jon Maloy 提交于
      The code for reading ancillary data from a received buffer is assuming
      the buffer is linear. To make this assumption true we have to linearize
      the buffer before message data is read.
      Signed-off-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1c1274a5
    • J
      tipc: fix lockdep warning when reinitilaizing sockets · adba75be
      Jon Maloy 提交于
      We get the following warning:
      
      [   47.926140] 32-bit node address hash set to 2010a0a
      [   47.927202]
      [   47.927433] ================================
      [   47.928050] WARNING: inconsistent lock state
      [   47.928661] 4.19.0+ #37 Tainted: G            E
      [   47.929346] --------------------------------
      [   47.929954] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      [   47.930116] swapper/3/0 [HC0[0]:SC1[3]:HE1:SE0] takes:
      [   47.930116] 00000000af8bc31e (&(&ht->lock)->rlock){+.?.}, at: rhashtable_walk_enter+0x36/0xb0
      [   47.930116] {SOFTIRQ-ON-W} state was registered at:
      [   47.930116]   _raw_spin_lock+0x29/0x60
      [   47.930116]   rht_deferred_worker+0x556/0x810
      [   47.930116]   process_one_work+0x1f5/0x540
      [   47.930116]   worker_thread+0x64/0x3e0
      [   47.930116]   kthread+0x112/0x150
      [   47.930116]   ret_from_fork+0x3a/0x50
      [   47.930116] irq event stamp: 14044
      [   47.930116] hardirqs last  enabled at (14044): [<ffffffff9a07fbba>] __local_bh_enable_ip+0x7a/0xf0
      [   47.938117] hardirqs last disabled at (14043): [<ffffffff9a07fb81>] __local_bh_enable_ip+0x41/0xf0
      [   47.938117] softirqs last  enabled at (14028): [<ffffffff9a0803ee>] irq_enter+0x5e/0x60
      [   47.938117] softirqs last disabled at (14029): [<ffffffff9a0804a5>] irq_exit+0xb5/0xc0
      [   47.938117]
      [   47.938117] other info that might help us debug this:
      [   47.938117]  Possible unsafe locking scenario:
      [   47.938117]
      [   47.938117]        CPU0
      [   47.938117]        ----
      [   47.938117]   lock(&(&ht->lock)->rlock);
      [   47.938117]   <Interrupt>
      [   47.938117]     lock(&(&ht->lock)->rlock);
      [   47.938117]
      [   47.938117]  *** DEADLOCK ***
      [   47.938117]
      [   47.938117] 2 locks held by swapper/3/0:
      [   47.938117]  #0: 0000000062c64f90 ((&d->timer)){+.-.}, at: call_timer_fn+0x5/0x280
      [   47.938117]  #1: 00000000ee39619c (&(&d->lock)->rlock){+.-.}, at: tipc_disc_timeout+0xc8/0x540 [tipc]
      [   47.938117]
      [   47.938117] stack backtrace:
      [   47.938117] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G            E     4.19.0+ #37
      [   47.938117] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [   47.938117] Call Trace:
      [   47.938117]  <IRQ>
      [   47.938117]  dump_stack+0x5e/0x8b
      [   47.938117]  print_usage_bug+0x1ed/0x1ff
      [   47.938117]  mark_lock+0x5b5/0x630
      [   47.938117]  __lock_acquire+0x4c0/0x18f0
      [   47.938117]  ? lock_acquire+0xa6/0x180
      [   47.938117]  lock_acquire+0xa6/0x180
      [   47.938117]  ? rhashtable_walk_enter+0x36/0xb0
      [   47.938117]  _raw_spin_lock+0x29/0x60
      [   47.938117]  ? rhashtable_walk_enter+0x36/0xb0
      [   47.938117]  rhashtable_walk_enter+0x36/0xb0
      [   47.938117]  tipc_sk_reinit+0xb0/0x410 [tipc]
      [   47.938117]  ? mark_held_locks+0x6f/0x90
      [   47.938117]  ? __local_bh_enable_ip+0x7a/0xf0
      [   47.938117]  ? lockdep_hardirqs_on+0x20/0x1a0
      [   47.938117]  tipc_net_finalize+0xbf/0x180 [tipc]
      [   47.938117]  tipc_disc_timeout+0x509/0x540 [tipc]
      [   47.938117]  ? call_timer_fn+0x5/0x280
      [   47.938117]  ? tipc_disc_msg_xmit.isra.19+0xa0/0xa0 [tipc]
      [   47.938117]  ? tipc_disc_msg_xmit.isra.19+0xa0/0xa0 [tipc]
      [   47.938117]  call_timer_fn+0xa1/0x280
      [   47.938117]  ? tipc_disc_msg_xmit.isra.19+0xa0/0xa0 [tipc]
      [   47.938117]  run_timer_softirq+0x1f2/0x4d0
      [   47.938117]  __do_softirq+0xfc/0x413
      [   47.938117]  irq_exit+0xb5/0xc0
      [   47.938117]  smp_apic_timer_interrupt+0xac/0x210
      [   47.938117]  apic_timer_interrupt+0xf/0x20
      [   47.938117]  </IRQ>
      [   47.938117] RIP: 0010:default_idle+0x1c/0x140
      [   47.938117] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 54 55 53 65 8b 2d d8 2b 74 65 0f 1f 44 00 00 e8 c6 2c 8b ff fb f4 <65> 8b 2d c5 2b 74 65 0f 1f 44 00 00 5b 5d 41 5c c3 65 8b 05 b4 2b
      [   47.938117] RSP: 0018:ffffaf6ac0207ec8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
      [   47.938117] RAX: ffff8f5b3735e200 RBX: 0000000000000003 RCX: 0000000000000001
      [   47.938117] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8f5b3735e200
      [   47.938117] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
      [   47.938117] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      [   47.938117] R13: 0000000000000000 R14: ffff8f5b3735e200 R15: ffff8f5b3735e200
      [   47.938117]  ? default_idle+0x1a/0x140
      [   47.938117]  do_idle+0x1bc/0x280
      [   47.938117]  cpu_startup_entry+0x19/0x20
      [   47.938117]  start_secondary+0x187/0x1c0
      [   47.938117]  secondary_startup_64+0xa4/0xb0
      
      The reason seems to be that tipc_net_finalize()->tipc_sk_reinit() is
      calling the function rhashtable_walk_enter() within a timer interrupt.
      We fix this by executing tipc_net_finalize() in work queue context.
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      adba75be