1. 29 May, 2019 32 commits
    • Gustavo A. R. Silva's avatar
      macvlan: Replace strncpy() by strscpy() · 36f18439
      Gustavo A. R. Silva authored
      The strncpy() function is being deprecated. Replace it by the safer
      strscpy() and fix the following Coverity warning:
      
      "Calling strncpy with a maximum size argument of 16 bytes on destination
      array ifrr.ifr_ifrn.ifrn_name of size 16 bytes might leave the destination
      string unterminated."
      
      Notice that, unlike strncpy(), strscpy() always null-terminates the
      destination string.
      
      Addresses-Coverity-ID: 1445537 ("Buffer not null terminated")
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      36f18439
    • David S. Miller's avatar
      Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue · be1b5b78
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      1GbE Intel Wired LAN Driver Updates 2019-05-28
      
      This series contains updates to e1000e, igb and igc.
      
      Feng adds additional information on a warning message when a read of a
      hardware register fails.
      
      Gustavo A. R. Silva fixes up two "fall through" code comments so that
      the checkers can actually determine that we did comment that the case
      statement is falling through to the next case.
      
      Sasha does some cleanup on the igc driver by removing duplicate
      white space and removed a unneeded workaround for igc.  Adds support for
      flow control to the igc driver.
      
      Konstantin Khlebnikov reverts a previous fix which was causing a false
      positive for a hardware hang.  Provides a fix so that when link is lost
      the packets in the transmit queue are flushed and wakes the transmit
      queue when the NIC is ready to send packets.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be1b5b78
    • David S. Miller's avatar
      Merge branch 'net-API-and-initial-implementation-for-nexthop-objects' · c38e57ae
      David S. Miller authored
      David Ahern says:
      
      ====================
      net: API and initial implementation for nexthop objects
      
      This set contains the API and initial implementation for nexthops as
      standalone objects.
      
      Patch 1 contains the UAPI and updates to selinux struct.
      
      Patch 2 contains the barebones code for nexthop commands, rbtree
      maintenance and notifications.
      
      Patch 3 then adds support for IPv4 gateways along with handling of
      netdev events.
      
      Patch 4 adds support for IPv6 gateways.
      
      Patch 5 has the implementation of the encap attributes.
      
      Patch 6 adds support for nexthop groups.
      
      At the end of this set, nexthop objects can be created and deleted and
      userspace can monitor nexthop events, but ipv4 and ipv6 routes can not
      use them yet. Once the nexthop struct is defined, follow on sets add it
      to fib{6}_info and handle it within the respective code before routes
      can be inserted using them.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c38e57ae
    • David Ahern's avatar
      nexthop: Add support for nexthop groups · 430a0491
      David Ahern authored
      Allow the creation of nexthop groups which reference other nexthop
      objects to create multipath routes:
      
                            +--------------+
         +------------+   +--------------+ |
         | nh  nh_grp --->| nh_grp_entry |-+
         +------------+   +---------|----+
           ^                |       |    +------------+
           +----------------+       +--->| nh, weight |
              nh_parent                  +------------+
      
      A group entry points to a nexthop with a weight for that hop within the
      group. The nexthop has a list_head, grp_list, for tracking which groups
      it is a member of and the group entry has a reference back to the parent.
      The grp_list is used when a nexthop is deleted - to efficiently remove
      it from groups using it.
      
      If a nexthop group spec is given, no other attributes can be set. Each
      nexthop id in a group spec must already exist.
      
      Similar to single nexthops, the specification of a nexthop group can be
      updated so that data is managed with rcu locking.
      
      Add path selection function to account for multiple paths and add
      ipv{4,6}_good_nh helpers to know that if a neighbor entry exists it is
      in a good state.
      
      Update NETDEV event handling to rebalance multipath nexthop groups if
      a nexthop is deleted due to a link event (down or unregister).
      
      When a nexthop is removed any groups using it are updated. Groups using a
      nexthop a tracked via a grp_list.
      
      Nexthop dumps can be limited to groups only by adding NHA_GROUPS to the
      request.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      430a0491
    • David Ahern's avatar
      nexthop: Add support for lwt encaps · b513bd03
      David Ahern authored
      Add support for NHA_ENCAP and NHA_ENCAP_TYPE. Leverages the existing code
      for lwtunnel within fib_nh_common, so the only change needed is handling
      the attributes in the nexthop code.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b513bd03
    • David Ahern's avatar
      nexthop: Add support for IPv6 gateways · 53010f99
      David Ahern authored
      Handle IPv6 gateway in a nexthop spec. If nh_family is set to AF_INET6,
      NHA_GATEWAY is expected to be an IPv6 address. Add ipv6 option to gw in
      nh_config to hold the address, add fib6_nh to nh_info to leverage the
      ipv6 initialization and cleanup code. Update nh_fill_node to dump the v6
      address.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      53010f99
    • David Ahern's avatar
      nexthop: Add support for IPv4 nexthops · 597cfe4f
      David Ahern authored
      Add support for IPv4 nexthops. If nh_family is set to AF_INET, then
      NHA_GATEWAY is expected to be an IPv4 address.
      
      Register for netdev events to be notified of admin up/down changes as
      well as deletes. A hash table is used to track nexthop per devices to
      quickly convert device events to the affected nexthops.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      597cfe4f
    • David Ahern's avatar
      net: Initial nexthop code · ab84be7e
      David Ahern authored
      Barebones start point for nexthops. Implementation for RTM commands,
      notifications, management of rbtree for holding nexthops by id, and
      kernel side data structures for nexthops and nexthop config.
      
      Nexthops are maintained in an rbtree sorted by id. Similar to routes,
      nexthops are configured per namespace using netns_nexthop struct added
      to struct net.
      
      Nexthop notifications are sent when a nexthop is added or deleted,
      but NOT if the delete is due to a device event or network namespace
      teardown (which also involves device events). Applications are
      expected to use the device down event to flush nexthops and any
      routes used by the nexthops.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab84be7e
    • David Ahern's avatar
      net: nexthop uapi · 65ee00a9
      David Ahern authored
      New UAPI for nexthops as standalone objects:
      - defines netlink ancillary header, struct nhmsg
      - RTM commands for nexthop objects, RTM_*NEXTHOP,
      - RTNLGRP for nexthop notifications, RTNLGRP_NEXTHOP,
      - Attributes for creating nexthops, NHA_*
      - Attribute for route specs to specify a nexthop by id, RTA_NH_ID.
      
      The nexthop attributes and semantics follow the route and RTA ones for
      device, gateway and lwt encap. Unique to nexthop objects are a blackhole
      and a group which contains references to other nexthop objects. With the
      exception of blackhole and group, nexthop objects MUST contain a device.
      Gateway and encap are optional. Nexthop groups can only reference other
      pre-existing nexthops by id. If the NHA_ID attribute is present that id
      is used for the nexthop. If not specified, one is auto assigned.
      
      Dump requests can include attributes:
      - NHA_GROUPS to return only nexthop groups,
      - NHA_MASTER to limit dumps to nexthops with devices enslaved to the
        given master (e.g., VRF)
      - NHA_OIF to limit dumps to nexthops using given device
      
      nlmsg_route_perms in selinux code is updated for the new RTM comands.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65ee00a9
    • David S. Miller's avatar
      Merge branch 'hns3-next' · 602e0f29
      David S. Miller authored
      Huazhong Tan says:
      
      ====================
      code optimizations & bugfixes for HNS3 driver
      
      This patch-set includes code optimizations and bugfixes for the HNS3
      ethernet controller driver.
      
      [patch 1/12] fixes a compile warning reported by kbuild test robot.
      
      [patch 2/12] fixes HNS3_RXD_GRO_SIZE_M macro definition error.
      
      [patch 3/12] adds a debugfs command to dump firmware information.
      
      [patch 4/12 - 10/12] adds some code optimizaions and cleanups for
      reset and driver unloading.
      
      [patch 11/12 - 12/12] adds two bugfixes.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      602e0f29
    • Huazhong Tan's avatar
      net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector · 49f971bd
      Huazhong Tan authored
      When hclge_bind_ring_with_vector() fails,
      hclge_map_unmap_ring_to_vf_vector() returns the error
      directly, so nobody will free the memory allocated by
      hclge_get_ring_chain_from_mbx().
      
      So hclge_free_vector_ring_chain() should be called no matter
      hclge_bind_ring_with_vector() fails or not.
      
      Fixes: 84e095d6 ("net: hns3: Change PF to add ring-vect binding & resetQ to mailbox")
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49f971bd
    • Huazhong Tan's avatar
      net: hns3: adjust hns3_uninit_phy()'s location in the hns3_client_uninit() · 0d2f68c7
      Huazhong Tan authored
      hns3_uninit_phy() should be called before checking
      HNS3_NIC_STATE_INITED flags, otherwise when this checking fails,
      there is nobody to call hns3_uninit_phy().
      
      Fixes: c8a8045b ("net: hns3: Fix NULL deref when unloading driver")
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d2f68c7
    • Huazhong Tan's avatar
      net: hns3: stop schedule reset service while unloading driver · acfc3d55
      Huazhong Tan authored
      When unloading driver, the reset task should not be scheduled
      anymore. If disable IRQ before cancel ongoing reset task,
      the IRQ may be re-enabled by the reset task.
      
      This patch uses HCLGE_STATE_REMOVING/HCLGEVF_STATE_REMOVING
      flag to indicate that the driver is unloading, and we should
      stop new coming reset service to be scheduled, otherwise,
      reset service will access some resource which has been freed
      by unloading.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acfc3d55
    • Huazhong Tan's avatar
      net: hns3: add handshake with hardware while doing reset · ada13ee3
      Huazhong Tan authored
      When reset happens, the hardware reset should begin after the
      driver has finished its preparatory work, otherwise it may cause
      some hardware error.
      
      Before Hardware's reset, it will wait for the driver to write
      bit HCLGE_NIC_CMQ_ENABLE of register HCLGE_NIC_CSQ_DEPTH_REG
      to 1, while the driver finishes its preparatory work will do that.
      BTW, since some cases this register will be cleared, so it needs
      some sync time before driver's writing.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ada13ee3
    • Huazhong Tan's avatar
      net: hns3: modify hclgevf_init_client_instance() · 1db58f86
      Huazhong Tan authored
      hclgevf_init_client_instance() is a little bloated and there is
      some duplicated code. This patch adds some cleanup for it.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1db58f86
    • Huazhong Tan's avatar
      net: hns3: modify hclge_init_client_instance() · 994e04f1
      Huazhong Tan authored
      hclge_init_client_instance() is a little bloated and there is
      some duplicated code. This patch adds some cleanup for it.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      994e04f1
    • Huazhong Tan's avatar
      net: hns3: use HCLGEVF_STATE_NIC_REGISTERED to indicate VF NIC client has registered · 25d1817c
      Huazhong Tan authored
      When VF NIC client's init_instance() succeeds, it means this client
      has been registered successfully, so we use HCLGEVF_STATE_NIC_REGISTERED
      to indicate that. And before calling VF NIC client's uninit_instance(),
      we clear this state.
      
      So any operation of VF NIC client from HCLGEVF is not allowed if this
      state is not set.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25d1817c
    • Huazhong Tan's avatar
      net: hns3: use HCLGE_STATE_ROCE_REGISTERED to indicate PF ROCE client has registered · 2a0bfc36
      Huazhong Tan authored
      When PF ROCE client's init_instance() succeeds, it means this client
      has been registered successfully, so we use HCLGE_STATE_ROCE_REGISTERED
      to indicate that. And before calling PF ROCE client's uninit_instance(),
      we clear this state.
      
      So any operation of the ROCE client from HCLGE is not allowed if this
      state is not set.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a0bfc36
    • Huazhong Tan's avatar
      net: hns3: use HCLGE_STATE_NIC_REGISTERED to indicate PF NIC client has registered · bd9109c9
      Huazhong Tan authored
      When PF NIC client's init_instance() succeeds, it means this client
      has been registered successfully, so we use HCLGE_STATE_NIC_REGISTERED
      to indicate that. And before calling PF NIC client's uninit_instance(),
      we clear this state.
      
      So any operation of PF NIC client from HCLGE is not allowed if this
      state is not set.
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd9109c9
    • Zhongzhu Liu's avatar
      net: hns3: add support for dump firmware statistics by debugfs · 33a90e2f
      Zhongzhu Liu authored
      This patch prints firmware statistics information.
      
      debugfs command:
      echo dump m7 info > cmd
      
      estuary:/dbg/hns3/0000:7d:00.0$ echo dump m7 info > cmd
      [  172.577240] hns3 0000:7d:00.0: 0x00000000  0x00000000  0x00000000
      [  172.583471] hns3 0000:7d:00.0: 0x00000000  0x00000000  0x00000000
      [  172.589552] hns3 0000:7d:00.0: 0x00000030  0x00000000  0x00000000
      [  172.595632] hns3 0000:7d:00.0: 0x00000000  0x00000000  0x00000000
      estuary:/dbg/hns3/0000:7d:00.0$
      Signed-off-by: default avatarZhongzhu Liu <liuzhongzhu@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      33a90e2f
    • Yunsheng Lin's avatar
      net: hns3: fix for HNS3_RXD_GRO_SIZE_M macro · eff858c1
      Yunsheng Lin authored
      According to hardware user menual, the GRO_SIZE is 14 bits width,
      the HNS3_RXD_GRO_SIZE_M is 10 bits width now, which may cause
      hardware GRO received packet error problem.
      
      Fixes: a6d53b97 ("net: hns3: Adds GRO params to SKB for the stack")
      Signed-off-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eff858c1
    • Jian Shen's avatar
      net: hns3: fix compile warning without CONFIG_RFS_ACCEL · 4c152276
      Jian Shen authored
      The ifdef condition of function hclge_add_fd_entry_by_arfs() is
      unnecessary. It may cause compile warning when CONFIG_RFS_ACCEL
      is not chosen. This patch fixes it by removing the ifdef condition.
      
      Fixes: d93ed94f ("net: hns3: add aRFS support for PF")
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c152276
    • Xue Chaojing's avatar
      hinic: fix a bug in set rx mode · 66350023
      Xue Chaojing authored
      in set_rx_mode, __dev_mc_sync and netdev_for_each_mc_addr will
      repeatedly set the multicast mac address. so we delete this loop.
      Signed-off-by: default avatarXue Chaojing <xuechaojing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66350023
    • David S. Miller's avatar
      Merge branch 'inet-frags-followup' · 2e56571d
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      inet: frags: followup to 'inet-frags-avoid-possible-races-at-netns-dismantle'
      
      Latest patch series ('inet-frags-avoid-possible-races-at-netns-dismantle')
      brought another syzbot report shown in the third patch changelog.
      
      While fixing the issue, I had to call inet_frags_fini() later
      in IPv6 and ilowpan.
      
      Also I believe a completion is needed to ensure proper dismantle
      at module removal.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2e56571d
    • Eric Dumazet's avatar
      inet: frags: fix use-after-free read in inet_frag_destroy_rcu · dc93f46b
      Eric Dumazet authored
      As caught by syzbot [1], the rcu grace period that is respected
      before fqdir_rwork_fn() proceeds and frees fqdir is not enough
      to prevent inet_frag_destroy_rcu() being run after the freeing.
      
      We need a proper rcu_barrier() synchronization to replace
      the one we had in inet_frags_fini()
      
      We also have to fix a potential problem at module removal :
      inet_frags_fini() needs to make sure that all queued work queues
      (fqdir_rwork_fn) have completed, otherwise we might
      call kmem_cache_destroy() too soon and get another use-after-free.
      
      [1]
      BUG: KASAN: use-after-free in inet_frag_destroy_rcu+0xd9/0xe0 net/ipv4/inet_fragment.c:201
      Read of size 8 at addr ffff88806ed47a18 by task swapper/1/0
      
      CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.2.0-rc1+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
       __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       kasan_report+0x12/0x20 mm/kasan/common.c:614
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
       inet_frag_destroy_rcu+0xd9/0xe0 net/ipv4/inet_fragment.c:201
       __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
       rcu_do_batch kernel/rcu/tree.c:2092 [inline]
       invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline]
       rcu_core+0xba5/0x1500 kernel/rcu/tree.c:2291
       __do_softirq+0x25c/0x94c kernel/softirq.c:293
       invoke_softirq kernel/softirq.c:374 [inline]
       irq_exit+0x180/0x1d0 kernel/softirq.c:414
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
       </IRQ>
      RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
      Code: ff ff 48 89 df e8 f2 95 8c fa eb 82 e9 07 00 00 00 0f 00 2d e4 45 4b 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d d4 45 4b 00 fb f4 <c3> 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 8e 18 42 fa e8 99
      RSP: 0018:ffff8880a98e7d78 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
      RAX: 1ffffffff1164e11 RBX: ffff8880a98d4340 RCX: 0000000000000000
      RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a98d4bbc
      RBP: ffff8880a98e7da8 R08: ffff8880a98d4340 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      R13: ffffffff88b27078 R14: 0000000000000001 R15: 0000000000000000
       arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:571
       default_idle_call+0x36/0x90 kernel/sched/idle.c:94
       cpuidle_idle_call kernel/sched/idle.c:154 [inline]
       do_idle+0x377/0x560 kernel/sched/idle.c:263
       cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:354
       start_secondary+0x34e/0x4c0 arch/x86/kernel/smpboot.c:267
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
      
      Allocated by task 8877:
       save_stack+0x23/0x90 mm/kasan/common.c:71
       set_track mm/kasan/common.c:79 [inline]
       __kasan_kmalloc mm/kasan/common.c:489 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
       kmem_cache_alloc_trace+0x151/0x750 mm/slab.c:3555
       kmalloc include/linux/slab.h:547 [inline]
       kzalloc include/linux/slab.h:742 [inline]
       fqdir_init include/net/inet_frag.h:115 [inline]
       ipv6_frags_init_net+0x48/0x460 net/ipv6/reassembly.c:513
       ops_init+0xb3/0x410 net/core/net_namespace.c:130
       setup_net+0x2d3/0x740 net/core/net_namespace.c:316
       copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
       create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
       ksys_unshare+0x440/0x980 kernel/fork.c:2692
       __do_sys_unshare kernel/fork.c:2760 [inline]
       __se_sys_unshare kernel/fork.c:2758 [inline]
       __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758
       do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 17:
       save_stack+0x23/0x90 mm/kasan/common.c:71
       set_track mm/kasan/common.c:79 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
       __cache_free mm/slab.c:3432 [inline]
       kfree+0xcf/0x220 mm/slab.c:3755
       fqdir_rwork_fn+0x33/0x40 net/ipv4/inet_fragment.c:154
       process_one_work+0x989/0x1790 kernel/workqueue.c:2269
       worker_thread+0x98/0xe40 kernel/workqueue.c:2415
       kthread+0x354/0x420 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      The buggy address belongs to the object at ffff88806ed47a00
       which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 24 bytes inside of
       512-byte region [ffff88806ed47a00, ffff88806ed47c00)
      The buggy address belongs to the page:
      page:ffffea0001bb51c0 refcount:1 mapcount:0 mapping:ffff8880aa400940 index:0x0
      flags: 0x1fffc0000000200(slab)
      raw: 01fffc0000000200 ffffea000282a788 ffffea0001bb53c8 ffff8880aa400940
      raw: 0000000000000000 ffff88806ed47000 0000000100000006 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88806ed47900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88806ed47980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88806ed47a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
       ffff88806ed47a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88806ed47b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: 3c8fc878 ("inet: frags: rework rhashtable dismantle")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc93f46b
    • Eric Dumazet's avatar
      inet: frags: call inet_frags_fini() after unregister_pernet_subsys() · ae7352d3
      Eric Dumazet authored
      Both IPv6 and 6lowpan are calling inet_frags_fini() too soon.
      
      inet_frags_fini() is dismantling a kmem_cache, that might be needed
      later when unregister_pernet_subsys() eventually has to remove
      frags queues from hash tables and free them.
      
      This fixes potential use-after-free, and is a prereq for the following patch.
      
      Fixes: d4ad4d22 ("inet: frags: use kmem_cache for inet_frag_queue")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae7352d3
    • Eric Dumazet's avatar
      inet: frags: uninline fqdir_init() · 6b73d197
      Eric Dumazet authored
      fqdir_init() is not fast path and is getting bigger.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b73d197
    • Willem de Bruijn's avatar
      selftests/net: ipv6 flowlabel · 3fb321fd
      Willem de Bruijn authored
      Test the IPv6 flowlabel control and datapath interfaces:
      
      Acquire and release the right to use flowlabels with socket option
      IPV6_FLOWLABEL_MGR.
      
      Then configure flowlabels on send and read them on recv with cmsg
      IPV6_FLOWINFO. Also verify auto-flowlabel if not explicitly set.
      
      This helped identify the issue fixed in commit 95c16925 ("ipv6:
      invert flowlabel sharing check in process and user mode")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3fb321fd
    • Camelia Groza's avatar
      enetc: Enable TC offloading with mqprio · cbe9e835
      Camelia Groza authored
      Add support to configure multiple prioritized TX traffic
      classes with mqprio.
      
      Configure one BD ring per TC for the moment, one netdev
      queue per TC.
      Signed-off-by: default avatarCamelia Groza <camelia.groza@nxp.com>
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cbe9e835
    • David S. Miller's avatar
      Merge branch 'stmmac-SPDX' · 7f334323
      David S. Miller authored
      Neil Armstrong says:
      
      ====================
      net: stmmac: dwmac-meson: update with SPDX Licence identifier
      
      Update the SPDX Licence identifier for the Amlogic Meson6 and Meson8 dwmac
      glue drivers.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7f334323
    • Neil Armstrong's avatar
    • Neil Armstrong's avatar
  2. 28 May, 2019 8 commits