1. 18 Aug, 2019 2 commits
  2. 17 Aug, 2019 2 commits
  3. 16 Aug, 2019 4 commits
  4. 15 Aug, 2019 11 commits
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20190814' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 480fd998
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fix local endpoint handling
      
      Here's a pair of patches that fix two issues in the handling of local
      endpoints (rxrpc_local structs):
      
       (1) Use list_replace_init() rather than list_replace() if we're going to
           unconditionally delete the replaced item later, lest the list get
           corrupted.
      
       (2) Don't access the rxrpc_local object after passing our ref to the
           workqueue, not even to illuminate tracepoints, as the work function
           may cause the object to be freed.  We have to cache the information
           beforehand.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      480fd998
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 12ed6015
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      This patchset contains Netfilter fixes for net:
      
      1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
      
      2) Fix interaction of ipsec with flowtable, also from Florian.
      
      3) User-after-free with bound set to rule that fails to load.
      
      4) Adjust state and timeout for flows that expire.
      
      5) Timeout update race with flows in teardown state.
      
      6) Ensure conntrack id hash calculation use invariants as input,
         from Dirk Morris.
      
      7) Do not push flows into flowtable for TCP fin/rst packets.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      12ed6015
    • Eric Dumazet's avatar
      net/packet: fix race in tpacket_snd() · 32d3182c
      Eric Dumazet authored
      packet_sendmsg() checks tx_ring.pg_vec to decide
      if it must call tpacket_snd().
      
      Problem is that the check is lockless, meaning another thread
      can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
      tx_ring.pg_vec back to NULL.
      
      Given that tpacket_snd() grabs pg_vec_lock mutex, we can
      perform the check again to solve the race.
      
      syzbot reported :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
      Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
      RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
      RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
      R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
      R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
      FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       packet_current_frame net/packet/af_packet.c:487 [inline]
       tpacket_snd net/packet/af_packet.c:2667 [inline]
       packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 69e3c75f ("net: TX_RING and packet mmap")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32d3182c
    • Wenwen Wang's avatar
      net: myri10ge: fix memory leaks · 20fb7c7a
      Wenwen Wang authored
      In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
      related structures. Later on, myri10ge_request_irq() is used to get an irq.
      However, if this process fails, the allocated slices related structures are
      not deallocated, leading to memory leaks. To fix this issue, revise the
      target label of the goto statement to 'abort_with_slices'.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20fb7c7a
    • John Fastabend's avatar
      net: tls, fix sk_write_space NULL write when tx disabled · d85f0177
      John Fastabend authored
      The ctx->sk_write_space pointer is only set when TLS tx mode is enabled.
      When running without TX mode its a null pointer but we still set the
      sk sk_write_space pointer on close().
      
      Fix the close path to only overwrite sk->sk_write_space when the current
      pointer is to the tls_write_space function indicating the tls module should
      clean it up properly as well.
      Reported-by: default avatarHillf Danton <hdanton@sina.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Fixes: 57c722e9 ("net/tls: swap sk_write_space on close")
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85f0177
    • Wenwen Wang's avatar
      liquidio: add cleanup in octeon_setup_iq() · 6f967f8b
      Wenwen Wang authored
      If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
      to memory/resource leaks. To fix this issue, invoke
      octeon_delete_instr_queue() before returning from the function.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f967f8b
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 0b24a441
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-08-15
      
      This series introduces two fixes to mlx5 driver.
      
      1) Eran fixes a compatibility issue with ethtool flash.
      2) Maxim fixes a race in XSK wakeup flow.
      
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b24a441
    • Eran Ben Elisha's avatar
      net/mlx5e: Fix compatibility issue with ethtool flash device · f43d48d1
      Eran Ben Elisha authored
      Cited patch deleted ethtool flash device support, as ethtool core can
      fallback into devlink flash callback. However, this is supported only if
      there is a devlink port registered over the corresponding netdevice.
      
      As mlx5e do not have devlink port support over native netdevice, it broke
      the ability to flash device via ethtool.
      
      This patch re-add the ethtool callback to avoid user functionality breakage
      when trying to flash device via ethtool.
      
      Fixes: 9c8bca26 ("mlx5: Move firmware flash implementation to devlink")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      f43d48d1
    • Maxim Mikityanskiy's avatar
      net/mlx5e: Fix a race with XSKICOSQ in XSK wakeup flow · e0d57d9c
      Maxim Mikityanskiy authored
      Add a missing spinlock around XSKICOSQ usage at the activation stage,
      because there is a race between a configuration change and the
      application calling sendto().
      
      Fixes: db05815b ("net/mlx5e: Add XSK zero-copy support")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e0d57d9c
    • Anders Roxell's avatar
      selftests: net: tcp_fastopen_backup_key.sh: fix shellcheck issue · 2aafdf5a
      Anders Roxell authored
      When running tcp_fastopen_backup_key.sh the following issue was seen in
      a busybox environment.
      ./tcp_fastopen_backup_key.sh: line 33: [: -ne: unary operator expected
      
      Shellcheck showed the following issue.
      $ shellcheck tools/testing/selftests/net/tcp_fastopen_backup_key.sh
      
      In tools/testing/selftests/net/tcp_fastopen_backup_key.sh line 33:
              if [ $val -ne 0 ]; then
                   ^-- SC2086: Double quote to prevent globbing and word splitting.
      
      Rework to do a string comparison instead.
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2aafdf5a
    • Wenwen Wang's avatar
      cxgb4: fix a memory leak bug · c554336e
      Wenwen Wang authored
      In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
      leading to a memory leak bug. To fix this issue, free t before returning
      the error.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c554336e
  5. 14 Aug, 2019 11 commits
  6. 13 Aug, 2019 1 commit
    • Dirk Morris's avatar
      netfilter: conntrack: Use consistent ct id hash calculation · 656c8e9c
      Dirk Morris authored
      Change ct id hash calculation to only use invariants.
      
      Currently the ct id hash calculation is based on some fields that can
      change in the lifetime on a conntrack entry in some corner cases. The
      current hash uses the whole tuple which contains an hlist pointer which
      will change when the conntrack is placed on the dying list resulting in
      a ct id change.
      
      This patch also removes the reply-side tuple and extension pointer from
      the hash calculation so that the ct id will will not change from
      initialization until confirmation.
      
      Fixes: 3c791076 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
      Signed-off-by: default avatarDirk Morris <dmorris@metaloft.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      656c8e9c
  7. 12 Aug, 2019 9 commits