1. 06 Jun, 2017 9 commits
    • net: bridge: fix a null pointer dereference in br_afspec · 1020ce31
      Nikolay Aleksandrov authored
      We might call br_afspec() with p == NULL which is a valid use case if
      the action is on the bridge device itself, but the bridge tunnel code
      dereferences the p pointer without checking, so check if p is null
      first.
      Reported-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
      Fixes: efa5356b ("bridge: per vlan dst_metadata netlink support")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: Fix use-after-free on `ifconfig eth0 down` · 79514ef6
      Eugeniu Rosca authored
      Commit a47b70ea ("ravb: unmap descriptors when freeing rings") has
      introduced the issue seen in [1] reproduced on H3ULCB board.
      
      Fix this by relocating the RX skb ringbuffer free operation, so that
      swiotlb page unmapping can be done first. Freeing of aligned TX buffers
      is not relevant to the issue seen in [1]. Still, reposition TX free
      calls as well, to have all kfree() operations performed consistently
      _after_ dma_unmap_*()/dma_free_*().
      
      [1] Console screenshot with the problem reproduced:
      
      salvator-x login: root
      root@salvator-x:~# ifconfig eth0 up
      Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
             attached PHY driver [Micrel KSZ9031 Gigabit PHY]   \
             (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
      IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
      root@salvator-x:~#
      root@salvator-x:~# ifconfig eth0 down
      
      ==================================================================
      BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
      Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649
      
      CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb072 #32
      Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
      Call trace:
      [<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
      [<ffff20000808f4d4>] show_stack+0x14/0x1c
      [<ffff20000865970c>] dump_stack+0xf8/0x150
      [<ffff20000831f8b0>] print_address_description+0x7c/0x330
      [<ffff200008320010>] kasan_report+0x2e0/0x2f4
      [<ffff20000831eac0>] check_memory_region+0x20/0x14c
      [<ffff20000831f054>] memcpy+0x48/0x68
      [<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
      [<ffff20000869fcf4>] unmap_single+0x90/0xa4
      [<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
      [<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
      [<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
      [<ffff2000088b25dc>] ravb_close+0x288/0x36c
      [<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
      [<ffff200008aaf9b4>] __dev_close+0xc8/0x144
      [<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
      [<ffff200008ac221c>] dev_change_flags+0x60/0xb0
      [<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
      [<ffff200008ba7b78>] inet_ioctl+0x190/0x194
      [<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
      [<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
      [<ffff200008365a70>] vfs_ioctl+0x90/0xa0
      [<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
      [<ffff2000083668f0>] SyS_ioctl+0x44/0x74
      [<ffff200008083770>] el0_svc_naked+0x24/0x28
      
      The buggy address belongs to the page:
      page:ffff7e001b6213c0 count:0 mapcount:0 mapping:          (null) index:0x0
      flags: 0x4000000000000000()
      raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
       ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      ==================================================================
      Disabling lock debugging due to kernel taint
      root@salvator-x:~#
      
      Fixes: a47b70ea ("ravb: unmap descriptors when freeing rings")
      Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
      Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/ipv6: Fix CALIPSO causing GPF with datagram support · e3ebdb20
      Richard Haines authored
      When using CALIPSO with IPPROTO_UDP it is possible to trigger a GPF as the
      IP header may have moved.
      
      Also update the payload length after adding the CALIPSO option.
      Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
      Acked-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: Huw Davies <huw@codeweavers.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value · 59423815
      Colin Ian King authored
      The current comparison of entry < 0 will never be true since entry is an
      unsigned integer. Make entry an int to ensure -ve error return values
      from the call to jumbo_frm are correctly being caught.
      
      Detected by CoverityScan, CID#1238760 ("Macro compares unsigned to 0")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
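The signedness bug this commit describes, as an added example that is not the stmmac driver's code: a hypothetical `jumbo_frm_stub()` returns a negative errno-style value, and the two callers differ only in the type of `entry`. All function names and the ring size are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define RING_SIZE 256u   /* assumed ring size, illustration only */

/* Hypothetical stand-in for a jumbo-frame helper: returns the next ring
 * index on success, or a negative errno value when mapping fails. */
static int jumbo_frm_stub(unsigned int cur, int mapping_fails)
{
    if (mapping_fails)
        return -ENOMEM;
    return (int)((cur + 1) % RING_SIZE);
}

/* Before: entry is unsigned, so "entry < 0" can never be true.
 * Returns the ring index the caller would go on to use, or -1 if the
 * error was handled. */
static long long xmit_unsigned_entry(unsigned int cur, int mapping_fails)
{
    unsigned int entry = cur;

    entry = jumbo_frm_stub(entry, mapping_fails);
    if (entry < 0)               /* dead check: unsigned is never negative */
        return -1;
    return (long long)entry;     /* -ENOMEM arrives here as a huge index */
}

/* After: entry is int, so the negative return value is caught. */
static long long xmit_int_entry(unsigned int cur, int mapping_fails)
{
    int entry = (int)cur;

    entry = jumbo_frm_stub((unsigned int)entry, mapping_fails);
    if (entry < 0)
        return -1;
    return (long long)entry;
}

int main(void)
{
    /* Constructed inputs: current index 5, helper succeeds then fails. */
    printf("unsigned entry, ok:   %lld\n", xmit_unsigned_entry(5, 0));
    printf("unsigned entry, fail: %lld\n", xmit_unsigned_entry(5, 1));
    printf("int entry, fail:      %lld\n", xmit_int_entry(5, 1));
    return 0;
}
```

With the unsigned variable the failure is silently converted into an out-of-range ring index instead of taking the error path, which is the pattern the Coverity "Macro compares unsigned to 0" finding flags.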
    • Merge tag 'wireless-drivers-for-davem-2017-06-06' of... · 7b868fed
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.12
      
      It has been a slow start of cycle and this is the first set of fixes for
      4.12. Nothing really major here.
      
      wcn36xx
      
      * fix an issue with module reload
      
      brcmfmac
      
      * fix alignment regression on 64 bit systems
      
      iwlwifi
      
      * fixes for memory leaks, runtime PM, memory initialisation and other
        smaller problems
      
      * fix IBSS on devices using DQA mode (7260 and up)
      
      * fix the minimum firmware API requirement for 7265D, 3168, 8000 and
        8265
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · 80971dfb
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2017-06-06
      
      This series contains fixes to i40e and i40evf only.
      
      Mauro S. M. Rodrigues fixes a flood in the kernel log which was introduced
      in a previous commit because of a mistaken substitution of __I40E_VSI_DOWN
      instead of __I40E_DOWN when testing the state of the PF.
      
      Björn Töpel fixes an issue introduced in a previous commit where the
      offset was incorrect and could lead to data corruption for architectures
      using PAGE_SIZE larger than 8191.  Fixed the issue by updating the
      page_offset correctly using the proper setting for truesize.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Revert "sit: reload iphdr in ipip6_rcv" · f4eb17e1
      David S. Miller authored
      This reverts commit b699d003.
      
      As per Eric Dumazet, the pskb_may_pull() is a NOP in this
      particular case, so the 'iph' reload is unnecessary.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • i40e/i40evf: proper update of the page_offset field · 2aae918c
      Björn Töpel authored
      In f8b45b74 ("i40e/i40evf: Use build_skb to build frames")
      i40e_build_skb updates the page_offset field with an incorrect offset,
      which can lead to data corruption. This patch updates page_offset
      correctly, by properly setting truesize.
      
      Note that the bug only appears on architectures where PAGE_SIZE is
      8192 or larger.
      
      Fixes: f8b45b74 ("i40e/i40evf: Use build_skb to build frames")
      Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
      Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
      Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    • i40e: Fix state flags for bit set and clean operations of PF · 9e6c9c0f
      Mauro S. M. Rodrigues authored
      Commit 0da36b97 ("i40e: use DECLARE_BITMAP for state fields")
      introduced changes in the way i40e works with state flags converting
      them to bitmaps using kernel bitmap API. This change introduced a
      regression due to a mistaken substitution using __I40E_VSI_DOWN instead
      of __I40E_DOWN when testing state of a PF at i40e_reset_subtask()
      function. This caused a flood in the kernel log with the following message:
      
      [49.013] i40e 0002:01:00.0: bad reset request 0x00000020
      
      Commit d19cb64b ("i40e: separate PF and VSI state flags")
      also introduced some misuse of the VSI and PF flags, so both could be
      considered as the offenders.
      
      This patch simply fixes the flags where it makes sense by changing
      __I40E_VSI_DOWN to __I40E_DOWN.
      
      Fixes: 0da36b97 ("i40e: use DECLARE_BITMAP for state fields")
      Fixes: d19cb64b ("i40e: separate PF and VSI state flags")
      Reviewed-by: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
      Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
  2. 05 Jun, 2017 23 commits
  3. 04 Jun, 2017 2 commits
    • ip6_tunnel: fix traffic class routing for tunnels · 5f733ee6
      Liam McBirnie authored
      ip6_route_output() requires that the flowlabel contains the traffic
      class for policy routing.
      
      Commit 0e9a7095 ("ip6_tunnel, ip6_gre: fix setting of DSCP on
      encapsulated packets") removed the code which previously added the
      traffic class to the flowlabel.
      
      The traffic class is added here because only route lookup needs the
      flowlabel to contain the traffic class.
      
      Fixes: 0e9a7095 ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
      Signed-off-by: Liam McBirnie <liam.mcbirnie@boeing.com>
      Acked-by: Peter Dawson <peter.a.dawson@boeing.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qcom/emac: do not use hardware mdio automatic polling · 24609669
      Timur Tabi authored
      Use software polling (PHY_POLL) to check for link state changes instead
      of relying on the EMAC's hardware polling feature.  Some PHY drivers
      are unable to get a functioning link because the HW polling is not
      robust enough.
      
      The EMAC is able to poll the PHY on the MDIO bus looking for link state
      changes (via the Link Status bit in the Status Register at address 0x1).
      When the link state changes, the EMAC triggers an interrupt and tells the
      driver what the new state is.  The feature eliminates the need for
      software to poll the MDIO bus.
      
      Unfortunately, this feature is incompatible with phylib, because it
      ignores everything that the PHY core and PHY drivers are trying to do.
      In particular:
      
      1. It assumes a compatible register set, so PHYs with different registers
         may not work.
      
      2. It doesn't allow for hardware errata that have work-arounds implemented
         in the PHY driver.
      
      3. It doesn't support multiple register pages. If the PHY core switches
         the register set to another page, the EMAC won't know the page has
         changed and will still attempt to read the same PHY register.
      
      4. It only checks the copper side of the link, not the SGMII side.  Some
         PHY drivers (e.g. at803x) may also check the SGMII side, and
         report the link as not ready during autonegotiation if the SGMII link
         is still down.  Phylib then waits for another interrupt to query
         the PHY again, but the EMAC won't send another interrupt because it
         thinks the link is up.
      
      Cc: stable@vger.kernel.org # 4.11.x
      Tested-by: Manoj Iyer <manoj.iyer@canonical.com>
      Signed-off-by: Timur Tabi <timur@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 02 Jun, 2017 6 commits