1. 07 2月, 2019 23 次提交
  2. 06 2月, 2019 7 次提交
    • E
      mISDN: fix a race in dev_expire_timer() · bdcc5bc2
      Eric Dumazet 提交于
      Since mISDN_close() uses dev->pending to iterate over active
      timers, there is a chance that one timer got removed from the
      ->pending list in dev_expire_timer() but that the thread
      has not called yet wake_up_interruptible()
      
      So mISDN_close() could miss this and free dev before
      completion of at least one dev_expire_timer()
      
      syzbot was able to catch this race :
      
      BUG: KASAN: use-after-free in register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
      Write of size 8 at addr ffff88809fc18948 by task syz-executor1/24769
      
      CPU: 1 PID: 24769 Comm: syz-executor1 Not tainted 5.0.0-rc5 #60
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
       kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
       register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
       __lock_acquire+0x11f/0x4700 kernel/locking/lockdep.c:3224
       lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
       __wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
       __wake_up+0xe/0x10 kernel/sched/wait.c:145
       dev_expire_timer+0xe4/0x3b0 drivers/isdn/mISDN/timerdev.c:174
       call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
      protocol 88fb is buggy, dev hsr_slave_0
      protocol 88fb is buggy, dev hsr_slave_1
       expire_timers kernel/time/timer.c:1362 [inline]
       __run_timers kernel/time/timer.c:1681 [inline]
       __run_timers kernel/time/timer.c:1649 [inline]
       run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
       __do_softirq+0x266/0x95a kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x180/0x1d0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
       </IRQ>
      RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:101
      Code: 90 90 90 90 55 48 89 e5 48 8b 75 08 65 48 8b 04 25 40 ee 01 00 65 8b 15 98 12 92 7e 81 e2 00 01 1f 00 75 2b 8b 90 d8 12 00 00 <83> fa 02 75 20 48 8b 88 e0 12 00 00 8b 80 dc 12 00 00 48 8b 11 48
      RSP: 0018:ffff8880589b7a60 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: ffff888087ce25c0 RBX: 0000000000000001 RCX: ffffffff818f8ca3
      RDX: 0000000000000000 RSI: ffffffff818f8b48 RDI: 0000000000000001
      RBP: ffff8880589b7a60 R08: ffff888087ce25c0 R09: ffffed1015d25bd0
      R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffffea0001ae4680
      R13: ffffea0001ae4688 R14: 0000000000000000 R15: ffffea0001b41648
       PageIdle include/linux/page-flags.h:398 [inline]
       page_is_idle include/linux/page_idle.h:29 [inline]
       mark_page_accessed+0x618/0x1140 mm/swap.c:398
       touch_buffer fs/buffer.c:59 [inline]
       __find_get_block+0x312/0xcc0 fs/buffer.c:1298
       sb_find_get_block include/linux/buffer_head.h:338 [inline]
       recently_deleted fs/ext4/ialloc.c:682 [inline]
       find_inode_bit.isra.0+0x202/0x510 fs/ext4/ialloc.c:722
       __ext4_new_inode+0x14ad/0x52c0 fs/ext4/ialloc.c:914
       ext4_symlink+0x3f8/0xbe0 fs/ext4/namei.c:3096
       vfs_symlink fs/namei.c:4126 [inline]
       vfs_symlink+0x378/0x5d0 fs/namei.c:4112
       do_symlinkat+0x22b/0x290 fs/namei.c:4153
       __do_sys_symlink fs/namei.c:4172 [inline]
       __se_sys_symlink fs/namei.c:4170 [inline]
       __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x457b67
      Code: 0f 1f 00 b8 5c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d bb fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4d bb fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fff045ce0f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
      RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000457b67
      RDX: 00007fff045ce173 RSI: 00000000004bd63f RDI: 00007fff045ce160
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      R10: 0000000000000075 R11: 0000000000000202 R12: 0000000000000000
      R13: 0000000000000001 R14: 000000000000029b R15: 0000000000000001
      
      Allocated by task 24763:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_kmalloc mm/kasan/common.c:496 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
       kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
       kmalloc include/linux/slab.h:545 [inline]
       mISDN_open+0x9a/0x270 drivers/isdn/mISDN/timerdev.c:59
       misc_open+0x398/0x4c0 drivers/char/misc.c:141
       chrdev_open+0x247/0x6b0 fs/char_dev.c:417
       do_dentry_open+0x47d/0x1130 fs/open.c:771
       vfs_open+0xa0/0xd0 fs/open.c:880
       do_last fs/namei.c:3418 [inline]
       path_openat+0x10d7/0x4690 fs/namei.c:3534
       do_filp_open+0x1a1/0x280 fs/namei.c:3564
       do_sys_open+0x3fe/0x5d0 fs/open.c:1063
       __do_sys_openat fs/open.c:1090 [inline]
       __se_sys_openat fs/open.c:1084 [inline]
       __x64_sys_openat+0x9d/0x100 fs/open.c:1084
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 24762:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
       __cache_free mm/slab.c:3487 [inline]
       kfree+0xcf/0x230 mm/slab.c:3806
       mISDN_close+0x2a1/0x390 drivers/isdn/mISDN/timerdev.c:97
       __fput+0x2df/0x8d0 fs/file_table.c:278
       ____fput+0x16/0x20 fs/file_table.c:309
       task_work_run+0x14a/0x1c0 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:188 [inline]
       exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff88809fc18900
       which belongs to the cache kmalloc-192 of size 192
      The buggy address is located 72 bytes inside of
       192-byte region [ffff88809fc18900, ffff88809fc189c0)
      The buggy address belongs to the page:
      page:ffffea00027f0600 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0xffff88809fc18000
      flags: 0x1fffc0000000200(slab)
      raw: 01fffc0000000200 ffffea000269f648 ffffea00029f7408 ffff88812c3f0040
      raw: ffff88809fc18000 ffff88809fc18000 000000010000000b 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88809fc18800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff88809fc18880: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88809fc18900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
       ffff88809fc18980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
       ffff88809fc18a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bdcc5bc2
    • A
      net: dsa: mv88e6xxx: Fix counting of ATU violations · 75c05a74
      Andrew Lunn 提交于
      The ATU port vector contains a bit per port of the switch. The code
      wrongly used it as a port number, and incremented a port counter. This
      resulted in the wrong interfaces counter being incremented, and
      potentially going off the end of the array of ports.
      
      Fix this by using the source port ID for the violation, which really
      is a port number.
      Reported-by: NChris Healy <Chris.Healy@zii.aero>
      Tested-by: NChris Healy <Chris.Healy@zii.aero>
      Fixes: 65f60e45 ("net: dsa: mv88e6xxx: Keep ATU/VTU violation statistics")
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      75c05a74
    • D
      9c0bda64
    • G
      net/mlx5e: Use the inner headers to determine tc/pedit offload limitation on decap flows · 1651925d
      Guy Shattah 提交于
      In packets that need to be decaped the internal headers
      have to be checked, not the external ones.
      
      Fixes: bdd66ac0 ("net/mlx5e: Disallow TC offloading of unsupported match/action combinations")
      Signed-off-by: NGuy Shattah <sguy@mellanox.com>
      Reviewed-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      1651925d
    • O
      net/mlx5e: Properly set steering match levels for offloaded TC decap rules · 6363651d
      Or Gerlitz 提交于
      The match level computed by the driver gets to be wrong for decap
      rules with wildcarded inner packet match such as:
      
      tc filter add dev vxlan_sys_4789 protocol all parent ffff: prio 2 flower
             enc_dst_ip 192.168.0.9 enc_key_id 100 enc_dst_port 4789
             action tunnel_key unset
             action mirred egress redirect dev eth1
      
      The FW errs for a missing matching meta-data indicator for the outer
      headers (where we do have a match), and a wrong matching meta-data
      indicator for the inner headers (where we don't have a match).
      
      Fix that by taking into account the matching on the tunnel info and
      relating the match level of the encapsulated packet to the firmware
      inner headers indicator in case of decap.
      
      As for vxlan we mandate a match on the tunnel udp dst port, and in general
      we practically madndate a match on the source or dest ip for any IP tunnel,
      the fix was done in a minimal manner around the tunnel match parsing code.
      
      Fixes: d708f902 ('net/mlx5e: Get the required HW match level while parsing TC flow matches')
      Signed-off-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Reported-by: NSlava Ovsiienko <viacheslavo@mellanox.com>
      Reviewed-by: NJianbo Liu <jianbol@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      6363651d
    • R
      net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance · 82eaa1fa
      Raed Salem 提交于
      At Innova IPsec TX offload data path a special software parser metadata
      is used to pass some packet attributes to the hardware, this metadata
      is passed using the Ethernet control segment of a WQE (a HW descriptor)
      header.
      
      The cited commit might nullify this header, hence the metadata is lost,
      this caused a significant performance drop during hw offloading
      operation.
      
      Fix by restoring the metadata at the Ethernet control segment in case
      it was nullified.
      
      Fixes: 37fdffb2 ("net/mlx5: WQ, fixes for fragmented WQ buffers API")
      Signed-off-by: NRaed Salem <raeds@mellanox.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      82eaa1fa
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · f09bef61
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Use CONFIG_NF_TABLES_INET from seltests, not NF_TABLES_INET.
         From Naresh Kamboju.
      
      2) Add a test to cover masquerading and redirect case, from Florian
         Westphal.
      
      3) Two packets coming from the same socket may race to set up NAT,
         ending up with different tuples and the packet losing race being
         dropped. Update nf_conntrack_tuple_taken() to exercise clash
         resolution for this case. From Martynas Pumputis and Florian
         Westphal.
      
      4) Unbind anonymous sets from the commit and abort path, this fixes
         a splat due to double set list removal/release in case that the
         transaction needs to be aborted.
      
      5) Do not preserve original output interface for packets that are
         redirected in the output chain when ip6_route_me_harder() is
         called. Otherwise packets end up going not going to the loopback
         device. From Eli Cooper.
      
      6) Fix bogus splat in nft_compat with CONFIG_REFCOUNT_FULL=y, this
         also simplifies the existing logic to deal with the list insertions
         of the xtables extensions. From Florian Westphal.
      
      Diffstat look rather larger than usual because of the new selftest, but
      Florian and I consider that having tests soon into the tree is good to
      improve coverage. If there's a different policy in this regard, please,
      let me know.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f09bef61
  3. 05 2月, 2019 10 次提交
    • F
      netfilter: nft_compat: don't use refcount_inc on newly allocated entry · 947e492c
      Florian Westphal 提交于
      When I moved the refcount to refcount_t type I missed the fact that
      refcount_inc() will result in use-after-free warning with
      CONFIG_REFCOUNT_FULL=y builds.
      
      The correct fix would be to init the reference count to 1 at allocation
      time, but, unfortunately we cannot do this, as we can't undo that
      in case something else fails later in the batch.
      
      So only solution I see is to special-case the 'new entry' condition
      and replace refcount_inc() with a "delayed" refcount_set(1) in this case,
      as done here.
      
      The .activate callback can be removed to simplify things, we only
      need to make sure that deactivate() decrements/unlinks the entry
      from the list at end of transaction phase (commit or abort).
      
      Fixes: 12c44aba ("netfilter: nft_compat: use refcnt_t type for nft_xt reference count")
      Reported-by: NJordan Glover <Golden_Miller83@protonmail.ch>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      947e492c
    • E
      netfilter: ipv6: Don't preserve original oif for loopback address · 15df03c6
      Eli Cooper 提交于
      Commit 508b0904 ("netfilter: ipv6: Preserve link scope traffic
      original oif") made ip6_route_me_harder() keep the original oif for
      link-local and multicast packets. However, it also affected packets
      for the loopback address because it used rt6_need_strict().
      
      REDIRECT rules in the OUTPUT chain rewrite the destination to loopback
      address; thus its oif should not be preserved. This commit fixes the bug
      that redirected local packets are being dropped. Actually the packet was
      not exactly dropped; Instead it was sent out to the original oif rather
      than lo. When a packet with daddr ::1 is sent to the router, it is
      effectively dropped.
      
      Fixes: 508b0904 ("netfilter: ipv6: Preserve link scope traffic original oif")
      Signed-off-by: NEli Cooper <elicooper@gmx.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      15df03c6
    • M
      net: dsa: Fix lockdep false positive splat · c8101f77
      Marc Zyngier 提交于
      Creating a macvtap on a DSA-backed interface results in the following
      splat when lockdep is enabled:
      
      [   19.638080] IPv6: ADDRCONF(NETDEV_CHANGE): lan0: link becomes ready
      [   23.041198] device lan0 entered promiscuous mode
      [   23.043445] device eth0 entered promiscuous mode
      [   23.049255]
      [   23.049557] ============================================
      [   23.055021] WARNING: possible recursive locking detected
      [   23.060490] 5.0.0-rc3-00013-g56c857a1b8d3 #118 Not tainted
      [   23.066132] --------------------------------------------
      [   23.071598] ip/2861 is trying to acquire lock:
      [   23.076171] 00000000f61990cb (_xmit_ETHER){+...}, at: dev_set_rx_mode+0x1c/0x38
      [   23.083693]
      [   23.083693] but task is already holding lock:
      [   23.089696] 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
      [   23.096774]
      [   23.096774] other info that might help us debug this:
      [   23.103494]  Possible unsafe locking scenario:
      [   23.103494]
      [   23.109584]        CPU0
      [   23.112093]        ----
      [   23.114601]   lock(_xmit_ETHER);
      [   23.117917]   lock(_xmit_ETHER);
      [   23.121233]
      [   23.121233]  *** DEADLOCK ***
      [   23.121233]
      [   23.127325]  May be due to missing lock nesting notation
      [   23.127325]
      [   23.134315] 2 locks held by ip/2861:
      [   23.137987]  #0: 000000003b766c72 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x338/0x4e0
      [   23.146231]  #1: 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
      [   23.153757]
      [   23.153757] stack backtrace:
      [   23.158243] CPU: 0 PID: 2861 Comm: ip Not tainted 5.0.0-rc3-00013-g56c857a1b8d3 #118
      [   23.166212] Hardware name: Globalscale Marvell ESPRESSOBin Board (DT)
      [   23.172843] Call trace:
      [   23.175358]  dump_backtrace+0x0/0x188
      [   23.179116]  show_stack+0x14/0x20
      [   23.182524]  dump_stack+0xb4/0xec
      [   23.185928]  __lock_acquire+0x123c/0x1860
      [   23.190048]  lock_acquire+0xc8/0x248
      [   23.193724]  _raw_spin_lock_bh+0x40/0x58
      [   23.197755]  dev_set_rx_mode+0x1c/0x38
      [   23.201607]  dev_set_promiscuity+0x3c/0x50
      [   23.205820]  dsa_slave_change_rx_flags+0x5c/0x70
      [   23.210567]  __dev_set_promiscuity+0x148/0x1e0
      [   23.215136]  __dev_set_rx_mode+0x74/0x98
      [   23.219167]  dev_uc_add+0x54/0x70
      [   23.222575]  macvlan_open+0x170/0x1d0
      [   23.226336]  __dev_open+0xe0/0x160
      [   23.229830]  __dev_change_flags+0x16c/0x1b8
      [   23.234132]  dev_change_flags+0x20/0x60
      [   23.238074]  do_setlink+0x2d0/0xc50
      [   23.241658]  __rtnl_newlink+0x5f8/0x6e8
      [   23.245601]  rtnl_newlink+0x50/0x78
      [   23.249184]  rtnetlink_rcv_msg+0x360/0x4e0
      [   23.253397]  netlink_rcv_skb+0xe8/0x130
      [   23.257338]  rtnetlink_rcv+0x14/0x20
      [   23.261012]  netlink_unicast+0x190/0x210
      [   23.265043]  netlink_sendmsg+0x288/0x350
      [   23.269075]  sock_sendmsg+0x18/0x30
      [   23.272659]  ___sys_sendmsg+0x29c/0x2c8
      [   23.276602]  __sys_sendmsg+0x60/0xb8
      [   23.280276]  __arm64_sys_sendmsg+0x1c/0x28
      [   23.284488]  el0_svc_common+0xd8/0x138
      [   23.288340]  el0_svc_handler+0x24/0x80
      [   23.292192]  el0_svc+0x8/0xc
      
      This looks fairly harmless (no actual deadlock occurs), and is
      fixed in a similar way to c6894dec ("bridge: fix lockdep
      addr_list_lock false positive splat") by putting the addr_list_lock
      in its own lockdep class.
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c8101f77
    • R
      net: dsa: slave: Don't propagate flag changes on down slave interfaces · 17ab4f61
      Rundong Ge 提交于
      The unbalance of master's promiscuity or allmulti will happen after ifdown
      and ifup a slave interface which is in a bridge.
      
      When we ifdown a slave interface , both the 'dsa_slave_close' and
      'dsa_slave_change_rx_flags' will clear the master's flags. The flags
      of master will be decrease twice.
      In the other hand, if we ifup the slave interface again, since the
      slave's flags were cleared the 'dsa_slave_open' won't set the master's
      flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
      will set the master's flags. The flags of master is increase once.
      
      Only propagating flag changes when a slave interface is up makes
      sure this does not happen. The 'vlan_dev_change_rx_flags' had the
      same problem and was fixed, and changes here follows that fix.
      
      Fixes: 91da11f8 ("net: Distributed Switch Architecture protocol support")
      Signed-off-by: NRundong Ge <rdong.ge@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      17ab4f61
    • D
      Merge branch 's390-qeth-fixes' · 0429f237
      David S. Miller 提交于
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2019-02-04
      
      please apply the following four fixes to -net.
      
      Patch 1 takes care of a common resource leak in various error paths, while the
      second patch fixes a misordered kfree when cleaning up after an error.
      The other two patches ensure that there's no stale work dangling on workqueues
      when the qeth device has already been offlined and/or removed.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0429f237
    • J
      s390/qeth: conclude all event processing before offlining a card · c0a2e4d1
      Julian Wiedmann 提交于
      Work for Bridgeport events is currently placed on a driver-wide
      workqueue. If the card is removed and freed while any such work is still
      active, this causes a use-after-free.
      So put the events on a per-card queue, where we can control their
      lifetime. As we also don't want stale events to last beyond an
      offline & online cycle, flush this queue when setting the card offline.
      
      Fixes: b4d72c08 ("qeth: bridgeport support - basic control")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c0a2e4d1
    • J
      s390/qeth: cancel close_dev work before removing a card · c2780c1a
      Julian Wiedmann 提交于
      A card's close_dev work is scheduled on a driver-wide workqueue. If the
      card is removed and freed while the work is still active, this causes a
      use-after-free.
      So make sure that the work is completed before freeing the card.
      
      Fixes: 0f54761d ("qeth: Support VEPA mode")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c2780c1a
    • J
      s390/qeth: fix use-after-free in error path · afa0c590
      Julian Wiedmann 提交于
      The error path in qeth_alloc_qdio_buffers() that takes care of
      cleaning up the Output Queues is buggy. It first frees the queue, but
      then calls qeth_clear_outq_buffers() with that very queue struct.
      
      Make the call to qeth_clear_outq_buffers() part of the free action
      (in the correct order), and while at it fix the naming of the helper.
      
      Fixes: 0da9581d ("qeth: exploit asynchronous delivery of storage blocks")
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: NAlexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      afa0c590
    • J
      s390/qeth: release cmd buffer in error paths · 5065b2dd
      Julian Wiedmann 提交于
      Whenever we fail before/while starting an IO, make sure to release the
      IO buffer. Usually qeth_irq() would do this for us, but if the IO
      doesn't even start we obviously won't get an interrupt for it either.
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5065b2dd
    • P
      net: cls_flower: Remove filter from mask before freeing it · c1f7e029
      Petr Machata 提交于
      In fl_change(), when adding a new rule (i.e. fold == NULL), a driver may
      reject the new rule, for example due to resource exhaustion. By that
      point, the new rule was already assigned a mask, and it was added to
      that mask's hash table. The clean-up path that's invoked as a result of
      the rejection however neglects to undo the hash table addition, and
      proceeds to free the new rule, thus leaving a dangling pointer in the
      hash table.
      
      Fix by removing fnew from the mask's hash table before it is freed.
      
      Fixes: 35cc3cef ("net/sched: cls_flower: Reject duplicated rules also under skip_sw")
      Signed-off-by: NPetr Machata <petrm@mellanox.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Reviewed-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c1f7e029