1. 08 3月, 2017 26 次提交
    • W
      ipv6: reorder icmpv6_init() and ip6_mr_init() · 15e66807
      WANG Cong 提交于
      Andrey reported the following kernel crash:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      task: ffff88001f311700 task.stack: ffff88001f6e8000
      RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
      RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
      RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
      RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
      R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
      FS:  00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
      DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
      Call Trace:
       rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
       inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
       inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
       sock_release+0x8d/0x1e0 net/socket.c:597
       __sock_create+0x39d/0x880 net/socket.c:1226
       sock_create_kern+0x3f/0x50 net/socket.c:1243
       inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
       icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
       ops_init+0x10a/0x550 net/core/net_namespace.c:115
       setup_net+0x261/0x660 net/core/net_namespace.c:291
       copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
      9pnet_virtio: no channels available for device ./file1
       create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
       unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
       SYSC_unshare kernel/fork.c:2281 [inline]
       SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
       entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because net->ipv6.mr6_tables is not initialized at that point,
      ip6mr_rules_init() is not called yet, therefore on the error path when
      we iterator the list, we trigger this oops. Fix this by reordering
      ip6mr_rules_init() before icmpv6_sk_init().
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      15e66807
    • E
      dccp: fix use-after-free in dccp_feat_activate_values · 62f8f4d9
      Eric Dumazet 提交于
      Dmitry reported crashes in DCCP stack [1]
      
      Problem here is that when I got rid of listener spinlock, I missed the
      fact that DCCP stores a complex state in struct dccp_request_sock,
      while TCP does not.
      
      Since multiple cpus could access it at the same time, we need to add
      protection.
      
      [1]
      BUG: KASAN: use-after-free in dccp_feat_activate_values+0x967/0xab0
      net/dccp/feat.c:1541 at addr ffff88003713be68
      Read of size 8 by task syz-executor2/8457
      CPU: 2 PID: 8457 Comm: syz-executor2 Not tainted 4.10.0-rc7+ #127
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:15 [inline]
       dump_stack+0x292/0x398 lib/dump_stack.c:51
       kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
       print_address_description mm/kasan/report.c:200 [inline]
       kasan_report_error mm/kasan/report.c:289 [inline]
       kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
       kasan_report mm/kasan/report.c:332 [inline]
       __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
       dccp_feat_activate_values+0x967/0xab0 net/dccp/feat.c:1541
       dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
       dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
       dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
       dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
       ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
       dst_input include/net/dst.h:507 [inline]
       ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
       __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
       process_backlog+0xe5/0x6c0 net/core/dev.c:4839
       napi_poll net/core/dev.c:5202 [inline]
       net_rx_action+0xe70/0x1900 net/core/dev.c:5267
       __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
       do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
       </IRQ>
       do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
       do_softirq kernel/softirq.c:176 [inline]
       __local_bh_enable_ip+0x1f2/0x200 kernel/softirq.c:181
       local_bh_enable include/linux/bottom_half.h:31 [inline]
       rcu_read_unlock_bh include/linux/rcupdate.h:971 [inline]
       ip6_finish_output2+0xbb0/0x23d0 net/ipv6/ip6_output.c:123
       ip6_finish_output+0x302/0x960 net/ipv6/ip6_output.c:148
       NF_HOOK_COND include/linux/netfilter.h:246 [inline]
       ip6_output+0x1cb/0x8d0 net/ipv6/ip6_output.c:162
       ip6_xmit+0xcdf/0x20d0 include/net/dst.h:501
       inet6_csk_xmit+0x320/0x5f0 net/ipv6/inet6_connection_sock.c:179
       dccp_transmit_skb+0xb09/0x1120 net/dccp/output.c:141
       dccp_xmit_packet+0x215/0x760 net/dccp/output.c:280
       dccp_write_xmit+0x168/0x1d0 net/dccp/output.c:362
       dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
       sock_sendmsg_nosec net/socket.c:635 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:645
       SYSC_sendto+0x660/0x810 net/socket.c:1687
       SyS_sendto+0x40/0x50 net/socket.c:1655
       entry_SYSCALL_64_fastpath+0x1f/0xc2
      RIP: 0033:0x4458b9
      RSP: 002b:00007f8ceb77bb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00000000004458b9
      RDX: 0000000000000023 RSI: 0000000020e60000 RDI: 0000000000000017
      RBP: 00000000006e1b90 R08: 00000000200f9fe1 R09: 0000000000000020
      R10: 0000000000008010 R11: 0000000000000282 R12: 00000000007080a8
      R13: 0000000000000000 R14: 00007f8ceb77c9c0 R15: 00007f8ceb77c700
      Object at ffff88003713be50, in cache kmalloc-64 size: 64
      Allocated:
      PID = 8446
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
       save_stack+0x43/0xd0 mm/kasan/kasan.c:502
       set_track mm/kasan/kasan.c:514 [inline]
       kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
       kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2738
       kmalloc include/linux/slab.h:490 [inline]
       dccp_feat_entry_new+0x214/0x410 net/dccp/feat.c:467
       dccp_feat_push_change+0x38/0x220 net/dccp/feat.c:487
       __feat_register_sp+0x223/0x2f0 net/dccp/feat.c:741
       dccp_feat_propagate_ccid+0x22b/0x2b0 net/dccp/feat.c:949
       dccp_feat_server_ccid_dependencies+0x1b3/0x250 net/dccp/feat.c:1012
       dccp_make_response+0x1f1/0xc90 net/dccp/output.c:423
       dccp_v6_send_response+0x4ec/0xc20 net/dccp/ipv6.c:217
       dccp_v6_conn_request+0xaba/0x11b0 net/dccp/ipv6.c:377
       dccp_rcv_state_process+0x51e/0x1650 net/dccp/input.c:606
       dccp_v6_do_rcv+0x213/0x350 net/dccp/ipv6.c:632
       sk_backlog_rcv include/net/sock.h:893 [inline]
       __sk_receive_skb+0x36f/0xcc0 net/core/sock.c:479
       dccp_v6_rcv+0xba5/0x1d00 net/dccp/ipv6.c:742
       ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
       dst_input include/net/dst.h:507 [inline]
       ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
       __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
       process_backlog+0xe5/0x6c0 net/core/dev.c:4839
       napi_poll net/core/dev.c:5202 [inline]
       net_rx_action+0xe70/0x1900 net/core/dev.c:5267
       __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
      Freed:
      PID = 15
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
       save_stack+0x43/0xd0 mm/kasan/kasan.c:502
       set_track mm/kasan/kasan.c:514 [inline]
       kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
       slab_free_hook mm/slub.c:1355 [inline]
       slab_free_freelist_hook mm/slub.c:1377 [inline]
       slab_free mm/slub.c:2954 [inline]
       kfree+0xe8/0x2b0 mm/slub.c:3874
       dccp_feat_entry_destructor.part.4+0x48/0x60 net/dccp/feat.c:418
       dccp_feat_entry_destructor net/dccp/feat.c:416 [inline]
       dccp_feat_list_pop net/dccp/feat.c:541 [inline]
       dccp_feat_activate_values+0x57f/0xab0 net/dccp/feat.c:1543
       dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
       dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
       dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
       dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
       ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
       dst_input include/net/dst.h:507 [inline]
       ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
       __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
       process_backlog+0xe5/0x6c0 net/core/dev.c:4839
       napi_poll net/core/dev.c:5202 [inline]
       net_rx_action+0xe70/0x1900 net/core/dev.c:5267
       __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
      Memory state around the buggy address:
       ffff88003713bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88003713bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88003713be00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
                                                                ^
      
      Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Tested-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      62f8f4d9
    • T
      ibmvnic: Allocate number of rx/tx buffers agreed on by firmware · 068d9f90
      Thomas Falcon 提交于
      The amount of TX/RX buffers that the vNIC driver currently allocates
      is different from the amount agreed upon in negotiation with firmware.
      Correct that by allocating the requested number of buffers confirmed
      by firmware.
      Signed-off-by: NThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      068d9f90
    • T
      ibmvnic: Fix overflowing firmware/hardware TX queue · 142c0ac4
      Thomas Falcon 提交于
      Use a counter to track the number of outstanding transmissions sent
      that have not received completions. If the counter reaches the maximum
      number of queue entries, stop transmissions on that queue. As we receive
      more completions from firmware, wake the queue once the counter reaches
      an acceptable level.
      
      This patch prevents hardware/firmware TX queue from filling up and
      and generating errors.  Since incorporating this fix, internal testing
      has reported that these firmware errors have stopped.
      Signed-off-by: NThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      142c0ac4
    • A
      net/sched: act_skbmod: remove unneeded rcu_read_unlock in tcf_skbmod_dump · 6c4dc75c
      Alexey Khoroshilov 提交于
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6c4dc75c
    • D
      Merge branch 'rds-fixes' · 72c3fbf8
      David S. Miller 提交于
      Sowmini Varadhan says:
      
      ====================
      rds: tcp: fix various rds-tcp issues during netns create/delete sequences
      
      Dmitry Vyukov reported some syszkaller panics during netns deletion.
      
      While I have not been able to reproduce those exact panics, my attempts
      to do so uncovered a few other problems, which are fixed patch 2 and
      patch 3 of this patch series. In addition, as mentioned in,
       https://www.spinics.net/lists/netdev/msg422997.html
      code-inspection points that the rds_connection needs to take an explicit
      refcnt on the struct net so that it is held down until all cleanup is
      completed for netns removal, and this is fixed by patch1.
      
      The following scripts were run concurrently to uncover/test patch{2, 3}
      while simultaneously running rds-ping to 12.0.0.18 from another system:
      
        # cat del.rds
        while [ 1 ]; do
                modprobe rds_tcp
                modprobe -r rds-tcp
        done
      
        # cat del.netns
        while [ 1 ]; do
                ip netns delete blue
                ip netns add blue
                ip link add link eth1 address a:b:c:d:e:f blue0 type macvlan
                ip link set blue0 netns blue
                ip netns exec blue ip addr add 12.0.0.18/24 dev blue0
                ip netns exec blue ifconfig blue0 up
                sleep 3;
        done
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      72c3fbf8
    • S
      rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races · b21dd450
      Sowmini Varadhan 提交于
      Commit a93d01f5 ("RDS: TCP: avoid bad page reference in
      rds_tcp_listen_data_ready") added the function
      rds_tcp_listen_sock_def_readable()  to handle the case when a
      partially set-up acceptor socket drops into rds_tcp_listen_data_ready().
      However, if the listen socket (rtn->rds_tcp_listen_sock) is itself going
      through a tear-down via rds_tcp_listen_stop(), the (*ready)() will be
      null and we would hit a panic  of the form
        BUG: unable to handle kernel NULL pointer dereference at   (null)
        IP:           (null)
         :
        ? rds_tcp_listen_data_ready+0x59/0xb0 [rds_tcp]
        tcp_data_queue+0x39d/0x5b0
        tcp_rcv_established+0x2e5/0x660
        tcp_v4_do_rcv+0x122/0x220
        tcp_v4_rcv+0x8b7/0x980
          :
      In the above case, it is not fatal to encounter a NULL value for
      ready- we should just drop the packet and let the flush of the
      acceptor thread finish gracefully.
      
      In general, the tear-down sequence for listen() and accept() socket
      that is ensured by this commit is:
           rtn->rds_tcp_listen_sock = NULL; /* prevent any new accepts */
           In rds_tcp_listen_stop():
               serialize with, and prevent, further callbacks using lock_sock()
               flush rds_wq
               flush acceptor workq
               sock_release(listen socket)
      Signed-off-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b21dd450
    • S
      rds: tcp: Reorder initialization sequence in rds_tcp_init to avoid races · 16c09b1c
      Sowmini Varadhan 提交于
      Order of initialization in rds_tcp_init needs to be done so
      that resources are set up and destroyed in the correct synchronization
      sequence with both the data path, as well as netns create/destroy
      path. Specifically,
      
      - we must call register_pernet_subsys and get the rds_tcp_netid
        before calling register_netdevice_notifier, otherwise we risk
        the sequence
          1. register_netdevice_notifier sets up netdev notifier callback
          2. rds_tcp_dev_event -> rds_tcp_kill_sock uses netid 0, and finds
             the wrong rtn, resulting in a panic with string that is of the form:
      
        BUG: unable to handle kernel NULL pointer dereference at 000000000000000d
        IP: rds_tcp_kill_sock+0x3a/0x1d0 [rds_tcp]
               :
      
      - the rds_tcp_incoming_slab kmem_cache must be initialized before the
        datapath starts up. The latter can happen any time after the
        pernet_subsys registration of rds_tcp_net_ops, whose -> init
        function sets up the listen socket. If the rds_tcp_incoming_slab has
        not been set up at that time, a panic of the form below may be
        encountered
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
        IP: kmem_cache_alloc+0x90/0x1c0
           :
        rds_tcp_data_recv+0x1e7/0x370 [rds_tcp]
        tcp_read_sock+0x96/0x1c0
        rds_tcp_recv_path+0x65/0x80 [rds_tcp]
           :
      Signed-off-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      16c09b1c
    • S
      rds: tcp: Take explicit refcounts on struct net · 8edc3aff
      Sowmini Varadhan 提交于
      It is incorrect for the rds_connection to piggyback on the
      sock_net() refcount for the netns because this gives rise to
      a chicken-and-egg problem during rds_conn_destroy. Instead explicitly
      take a ref on the net, and hold the netns down till the connection
      tear-down is complete.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8edc3aff
    • D
      Merge branch 'sock_hold-misuses' · fa4c7fb2
      David S. Miller 提交于
      Eric Dumazet says:
      
      ====================
      net: fix possible sock_hold() misuses
      
      skb_complete_wifi_ack() and skb_complete_tx_timestamp() currently
      call sock_hold() on sockets that might have transitioned their sk_refcnt
      to zero already.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fa4c7fb2
    • E
      net: fix socket refcounting in skb_complete_tx_timestamp() · 9ac25fc0
      Eric Dumazet 提交于
      TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt
      By the time TX completion happens, sk_refcnt might be already 0.
      
      sock_hold()/sock_put() would then corrupt critical state, like
      sk_wmem_alloc and lead to leaks or use after free.
      
      Fixes: 62bccb8c ("net-timestamp: Make the clone operation stand-alone from phy timestamping")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Alexander Duyck <alexander.h.duyck@intel.com>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Cc: Soheil Hassas Yeganeh <soheil@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9ac25fc0
    • E
      net: fix socket refcounting in skb_complete_wifi_ack() · dd4f1072
      Eric Dumazet 提交于
      TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt
      By the time TX completion happens, sk_refcnt might be already 0.
      
      sock_hold()/sock_put() would then corrupt critical state, like
      sk_wmem_alloc.
      
      Fixes: bf7fa551 ("mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Alexander Duyck <alexander.h.duyck@intel.com>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Cc: Soheil Hassas Yeganeh <soheil@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dd4f1072
    • D
      rxrpc: Call state should be read with READ_ONCE() under some circumstances · 146d8fef
      David Howells 提交于
      The call state may be changed at any time by the data-ready routine in
      response to received packets, so if the call state is to be read and acted
      upon several times in a function, READ_ONCE() must be used unless the call
      state lock is held.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      146d8fef
    • E
      tcp: fix various issues for sockets morphing to listen state · 02b2faaf
      Eric Dumazet 提交于
      Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting
      tcp_disconnect() path that was never really considered and/or used
      before syzkaller ;)
      
      I was not able to reproduce the bug, but it seems issues here are the
      three possible actions that assumed they would never trigger on a
      listener.
      
      1) tcp_write_timer_handler
      2) tcp_delack_timer_handler
      3) MTU reduction
      
      Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN
       states from tcp_v6_mtu_reduced()
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      02b2faaf
    • D
      Merge branch 'bnx2x-fixes' · b73d2da8
      David S. Miller 提交于
      Michal Schmidt says:
      
      ====================
      bnx2x: PTP crash, VF VLAN fixes
      
      here are fixes for a crash with PTP, a crash in setting of VF multicast
      addresses, and non-working VLAN filters configuration from the VF side.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b73d2da8
    • M
      bnx2x: add missing configuration of VF VLAN filters · e3951325
      Michal Schmidt 提交于
      Configuring VLANs from the VF side had no effect, because the PF ignored
      filters of type VFPF_VLAN_FILTER in the VF-PF message.
      
      Add the missing filter type to configure.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3951325
    • M
      bnx2x: fix incorrect filter count in an error message · 74bcbeb7
      Michal Schmidt 提交于
      filters->count is the number of filters we were supposed to configure.
      There is no reason to increase it by +1 when printing the count in an error
      message.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      74bcbeb7
    • M
      bnx2x: do not rollback VF MAC/VLAN filters we did not configure · 78d55054
      Michal Schmidt 提交于
      On failure to configure a VF MAC/VLAN filter we should not attempt to
      rollback filters that we failed to configure with -EEXIST.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78d55054
    • M
      bnx2x: fix detection of VLAN filtering feature for VF · 83bd9eb8
      Michal Schmidt 提交于
      VFs are currently missing the VLAN filtering feature, because we were
      checking the PF's acquire response before actually performing the acquire.
      
      Fix it by setting the feature flag later when we have the PF response.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      83bd9eb8
    • M
      bnx2x: fix possible overrun of VFPF multicast addresses array · 22118d86
      Michal Schmidt 提交于
      It is too late to check for the limit of the number of VF multicast
      addresses after they have already been copied to the req->multicast[]
      array, possibly overflowing it.
      
      Do the check before copying.
      
      Also fix the error path to not skip unlocking vf2pf_mutex.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      22118d86
    • M
      bnx2x: lower verbosity of VF stats debug messages · 850268d3
      Michal Schmidt 提交于
      When BNX2X_MSG_IOV is enabled, the driver produces too many VF statistics
      messages. Lower the verbosity of the VF stats messages similarly as in
      commit 76ca70fa ("bnx2x: [Debug] change verbosity of some prints").
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      850268d3
    • M
      bnx2x: prevent crash when accessing PTP with interface down · 466e8bf1
      Michal Schmidt 提交于
      It is possible to crash the kernel by accessing a PTP device while its
      associated bnx2x interface is down. Before the interface is brought up,
      the timecounter is not initialized, so accessing it results in NULL
      dereference.
      
      Fix it by checking if the interface is up.
      
      Use -ENETDOWN as the error code when the interface is down.
       -EFAULT in bnx2x_ptp_adjfreq() did not seem right.
      
      Tested using phc_ctl get/set/adj/freq commands.
      Signed-off-by: NMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      466e8bf1
    • B
    • B
    • A
      net/mlx5e: add IPV6 dependency · 0253f268
      Arnd Bergmann 提交于
      The ethernet support now calls directly into the ipv6 core code, which
      fails if IPV6 is a loadable module but mlx5 is built-in:
      
      drivers/net/ethernet/mellanox/mlx5/core/en_tc.o: In function `mlx5e_create_encap_header_ipv6':
      en_tc.c:(.text.mlx5e_create_encap_header_ipv6+0x110): undefined reference to `ip6_route_output_flags'
      
      This adds a dependency to ensure that MLX5_CORE_EN can only be built
      if we are able link the kernel successfully. The downside is that the
      ethernet option can be hidden. Alternatively we could make MLX5_CORE
      depend on "IPV6 || !IPV6", which would force MLX5_CORE to be a module
      when IPV6 is, including in configurations where we don't use the ethernet
      support at all.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0253f268
    • C
      dt: emac: document device-tree based phy discovery and setup · a3a4a816
      Christian Lamparter 提交于
      This patch adds documentation for a new "phy-handle" property,
      "fixed-link" and "mdio" sub-node. These allows the enumeration
      of PHYs which are supported by the phy library under drivers/net/phy.
      
      The EMAC ethernet controller in IBM and AMCC 4xx chips is
      currently stuck with a few privately defined phy
      implementations. It has no support for PHYs which
      are supported by the generic phylib.
      Acked-by: NRob Herring <robh@kernel.org>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a3a4a816
  2. 06 3月, 2017 2 次提交
  3. 05 3月, 2017 5 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8d70eeb8
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix double-free in batman-adv, from Sven Eckelmann.
      
       2) Fix packet stats for fast-RX path, from Joannes Berg.
      
       3) Netfilter's ip_route_me_harder() doesn't handle request sockets
          properly, fix from Florian Westphal.
      
       4) Fix sendmsg deadlock in rxrpc, from David Howells.
      
       5) Add missing RCU locking to transport hashtable scan, from Xin Long.
      
       6) Fix potential packet loss in mlxsw driver, from Ido Schimmel.
      
       7) Fix race in NAPI handling between poll handlers and busy polling,
          from Eric Dumazet.
      
       8) TX path in vxlan and geneve need proper RCU locking, from Jakub
          Kicinski.
      
       9) SYN processing in DCCP and TCP need to disable BH, from Eric
          Dumazet.
      
      10) Properly handle net_enable_timestamp() being invoked from IRQ
          context, also from Eric Dumazet.
      
      11) Fix crash on device-tree systems in xgene driver, from Alban Bedel.
      
      12) Do not call sk_free() on a locked socket, from Arnaldo Carvalho de
          Melo.
      
      13) Fix use-after-free in netvsc driver, from Dexuan Cui.
      
      14) Fix max MTU setting in bonding driver, from WANG Cong.
      
      15) xen-netback hash table can be allocated from softirq context, so use
          GFP_ATOMIC. From Anoob Soman.
      
      16) Fix MAC address change bug in bgmac driver, from Hari Vyas.
      
      17) strparser needs to destroy strp_wq on module exit, from WANG Cong.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
        strparser: destroy workqueue on module exit
        sfc: fix IPID endianness in TSOv2
        sfc: avoid max() in array size
        rds: remove unnecessary returned value check
        rxrpc: Fix potential NULL-pointer exception
        nfp: correct DMA direction in XDP DMA sync
        nfp: don't tell FW about the reserved buffer space
        net: ethernet: bgmac: mac address change bug
        net: ethernet: bgmac: init sequence bug
        xen-netback: don't vfree() queues under spinlock
        xen-netback: keep a local pointer for vif in backend_disconnect()
        netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails
        netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups
        netfilter: nf_conntrack_sip: fix wrong memory initialisation
        can: flexcan: fix typo in comment
        can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
        can: gs_usb: fix coding style
        can: gs_usb: Don't use stack memory for USB transfers
        ixgbe: Limit use of 2K buffers on architectures with 256B or larger cache lines
        ixgbe: update the rss key on h/w, when ethtool ask for it
        ...
      8d70eeb8
    • L
      Merge tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 2d62e076
      Linus Torvalds 提交于
      Pull more KVM updates from Radim Krčmář:
       "Second batch of KVM changes for the 4.11 merge window:
      
        PPC:
         - correct assumption about ASDR on POWER9
         - fix MMIO emulation on POWER9
      
        x86:
         - add a simple test for ioperm
         - cleanup TSS (going through KVM tree as the whole undertaking was
           caused by VMX's use of TSS)
         - fix nVMX interrupt delivery
         - fix some performance counters in the guest
      
        ... and two cleanup patches"
      
      * tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: nVMX: Fix pending events injection
        x86/kvm/vmx: remove unused variable in segment_base()
        selftests/x86: Add a basic selftest for ioperm
        x86/asm: Tidy up TSS limit code
        kvm: convert kvm.users_count from atomic_t to refcount_t
        KVM: x86: never specify a sample period for virtualized in_tx_cp counters
        KVM: PPC: Book3S HV: Don't use ASDR for real-mode HPT faults on POWER9
        KVM: PPC: Book3S HV: Fix software walk of guest process page tables
      2d62e076
    • L
      Merge tag 'docs-4.11-fixes' of git://git.lwn.net/linux · be834aaf
      Linus Torvalds 提交于
      Pull documentation fixes from Jonathan Corbet:
       "A few fixes for the docs tree, including one for a 4.11 build
        regression"
      
      * tag 'docs-4.11-fixes' of git://git.lwn.net/linux:
        Documentation/sphinx: fix primary_domain configuration
        docs: Fix htmldocs build failure
        doc/ko_KR/memory-barriers: Update control-dependencies section
        pcieaer doc: update the link
        Documentation: Update path to sysrq.txt
      be834aaf
    • L
      Merge tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 91aff98b
      Linus Torvalds 提交于
      Pull staging/IIO driver fixes from Greg KH:
       "Here are a few small staging and IIO driver fixes for issues that
        showed up after the big set if changes you merged last week.
      
        Nothing major, just small bugs resolved in some IIO drivers, a lustre
        allocation fix, and some RaspberryPi driver fixes for reported
        problems, as well as a MAINTAINERS entry update.
      
        All of these have been in linux-next for a week with no reported
        issues"
      
      * tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: fsl-mc: fix warning in DT ranges parser
        MAINTAINERS: Remove Noralf Trønnes as fbtft maintainer
        staging: vchiq_2835_arm: Make cache-line-size a required DT property
        staging: bcm2835/mmal-vchiq: unlock on error in buffer_from_host()
        staging/lustre/lnet: Fix allocation size for sv_cpt_data
        iio: adc: xilinx: Fix error handling
        iio: 104-quad-8: Fix off-by-one error when addressing flag register
        iio: adc: handle unknow of_device_id data
      91aff98b
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 33a8b3e9
      Linus Torvalds 提交于
      Pull crypto fixes from Herbert Xu:
      
       - vmalloc stack regression in CCM
      
       - Build problem in CRC32 on ARM
      
       - Memory leak in cavium
      
       - Missing Kconfig dependencies in atmel and mediatek
      
       - XTS Regression on some platforms (s390 and ppc)
      
       - Memory overrun in CCM test vector
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: vmx - Use skcipher for xts fallback
        crypto: vmx - Use skcipher for cbc fallback
        crypto: testmgr - Pad aes_ccm_enc_tv_template vector
        crypto: arm/crc32 - add build time test for CRC instruction support
        crypto: arm/crc32 - fix build error with outdated binutils
        crypto: ccm - move cbcmac input off the stack
        crypto: xts - Propagate NEED_FALLBACK bit
        crypto: api - Add crypto_requires_off helper
        crypto: atmel - CRYPTO_DEV_MEDIATEK should depend on HAS_DMA
        crypto: atmel - CRYPTO_DEV_ATMEL_TDES and CRYPTO_DEV_ATMEL_SHA should depend on HAS_DMA
        crypto: cavium - fix leak on curr if curr->head fails to be allocated
        crypto: cavium - Fix couple of static checker errors
      33a8b3e9
  4. 04 3月, 2017 7 次提交
    • L
      Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 0710f3ff
      Linus Torvalds 提交于
      Pull misc final vfs updates from Al Viro:
       "A few unrelated patches that got beating in -next.
      
        Everything else will have to go into the next window ;-/"
      
      * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        hfs: fix hfs_readdir()
        selftest for default_file_splice_read() infoleak
        9p: constify ->d_name handling
      0710f3ff
    • L
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · a3b4924b
      Linus Torvalds 提交于
      Pull more SCSI updates from James Bottomley:
       "This is the set of stuff that didn't quite make the initial pull and a
        set of fixes for stuff which did.
      
        The new stuff is basically lpfc (nvme), qedi and aacraid. The fixes
        cover a lot of previously submitted stuff, the most important of which
        probably covers some of the failing irq vectors allocation and other
        fallout from having the SCSI command allocated as part of the block
        allocation functions"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (59 commits)
        scsi: qedi: Fix memory leak in tmf response processing.
        scsi: aacraid: remove redundant zero check on ret
        scsi: lpfc: use proper format string for dma_addr_t
        scsi: lpfc: use div_u64 for 64-bit division
        scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m
        scsi: cciss: correct check map error.
        scsi: qla2xxx: fix spelling mistake: "seperator" -> "separator"
        scsi: aacraid: Fixed expander hotplug for SMART family
        scsi: mpt3sas: switch to pci_alloc_irq_vectors
        scsi: qedf: fixup compilation warning about atomic_t usage
        scsi: remove scsi_execute_req_flags
        scsi: merge __scsi_execute into scsi_execute
        scsi: simplify scsi_execute_req_flags
        scsi: make the sense header argument to scsi_test_unit_ready mandatory
        scsi: sd: improve TUR handling in sd_check_events
        scsi: always zero sshdr in scsi_normalize_sense
        scsi: scsi_dh_emc: return success in clariion_std_inquiry()
        scsi: fix memory leak of sdpk on when gd fails to allocate
        scsi: sd: make sd_devt_release() static
        scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.
        ...
      a3b4924b
    • W
      strparser: destroy workqueue on module exit · f78ef7cd
      WANG Cong 提交于
      Fixes: 43a0c675 ("strparser: Stream parser for messages")
      Cc: Tom Herbert <tom@herbertland.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f78ef7cd
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 20b83643
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Missing check for full sock in ip_route_me_harder(), from
         Florian Westphal.
      
      2) Incorrect sip helper structure initilization that breaks it when
         several ports are used, from Christophe Leroy.
      
      3) Fix incorrect assumption when looking up for matching with adjacent
         intervals in the nft_set_rbtree.
      
      4) Fix broken netlink event error reporting in nf_tables that results
         in misleading ESRCH errors propagated to userspace listeners.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      20b83643
    • L
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 0b94da8d
      Linus Torvalds 提交于
      Pull libnvdimm fixes from Dan Williams:
       "A fix and regression test case for nvdimm namespace label
        compatibility.
      
        Details:
      
         - An "nvdimm namespace label" is metadata on an nvdimm that
           provisions dimm capacity into a "namespace" that can host a block
           device / dax-filesytem, or a device-dax character device.
      
           A namespace is an object that other operating environment and
           platform firmware needs to comprehend for capabilities like booting
           from an nvdimm.
      
           The label metadata contains a checksum that Linux was not
           calculating correctly leading to other environments rejecting the
           Linux label.
      
         These have received a build success notification from the kbuild
         robot, and a positive test result from Nick who reported the problem"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        nfit, libnvdimm: fix interleave set cookie calculation
        tools/testing/nvdimm: make iset cookie predictable
      0b94da8d
    • L
      Merge tag 'pci-v4.11-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · e27fd02d
      Linus Torvalds 提交于
      Pull PCI fixes from Bjorn Helgaas:
      
       - fix NULL pointer dereferences in many DesignWare-based drivers due to
         refactoring error
      
       - fix Altera config write breakage due to my refactoring error
      
      * tag 'pci-v4.11-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: altera: Fix TLP_CFG_DW0 for TLP write
        PCI: dwc: Fix crashes seen due to missing assignments
      e27fd02d
    • L
      Merge branch 'parisc-4.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · f47e2db4
      Linus Torvalds 提交于
      Pull parisc fixes and cleanups from Helge Deller:
       "Nothing really important in this patchset: fix resource leaks in error
        paths, coding style cleanups and code removal"
      
      * 'parisc-4.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Remove flush_user_dcache_range and flush_user_icache_range
        parisc: fix a printk
        parisc: ccio-dma: Handle return NULL error from ioremap_nocache
        parisc: Define access_ok() as macro
        parisc: eisa: Fix resource leaks in error paths
        parisc: eisa: Remove coding style errors
      f47e2db4