1. 07 May, 2020 12 commits
  2. 06 May, 2020 7 commits
  3. 05 May, 2020 2 commits
  4. 04 May, 2020 13 commits
    • Qiushi Wu's avatar
      nfp: abm: fix a memory leak bug · bd4af432
      Qiushi Wu authored
      In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open.
      But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released,
      which can lead to a memory leak bug. Fix this issue by adding
      nfp_nsp_close(nsp) in the error path.
      
      Fixes: f6e71efd ("nfp: abm: look up MAC addresses via management FW")
      Signed-off-by: default avatarQiushi Wu <wu000273@umn.edu>
      Acked-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd4af432
    • Cong Wang's avatar
      atm: fix a memory leak of vcc->user_back · 8d9f73c0
      Cong Wang authored
      In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
      could be installed on entry->recv_vcc too in lec_vcc_added().
      
      This fixes the following memory leak:
      
      unreferenced object 0xffff8880d9266b90 (size 16):
        comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
        hex dump (first 16 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5  ............kkk.
        backtrace:
          [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
          [<(____ptrval____)>] lane_ioctl+0x4b3/0x569
          [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
          [<(____ptrval____)>] svc_ioctl+0x17d/0x198
          [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
          [<(____ptrval____)>] sock_ioctl+0x2f9/0x322
          [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
          [<(____ptrval____)>] ksys_ioctl+0x61/0x80
          [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
          [<(____ptrval____)>] do_syscall_64+0x57/0x65
          [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d9f73c0
    • Cong Wang's avatar
      atm: fix a UAF in lec_arp_clear_vccs() · 93a2014a
      Cong Wang authored
      Gengming reported a UAF in lec_arp_clear_vccs(),
      where we add a vcc socket to an entry in a per-device
      list but free the socket without removing it from the
      list when vcc->dev is NULL.
      
      We need to call lec_vcc_close() to search and remove
      those entries contain the vcc being destroyed. This can
      be done by calling vcc->push(vcc, NULL) unconditionally
      in vcc_destroy_socket().
      
      Another issue discovered by Gengming's reproducer is
      the vcc->dev may point to the static device lecatm_dev,
      for which we don't need to register/unregister device,
      so we can just check for vcc->dev->ops->owner.
      Reported-by: default avatarGengming Liu <l.dmxcsnsbh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93a2014a
    • Colin Ian King's avatar
      net: stmmac: gmac5+: fix potential integer overflow on 32 bit multiply · 44d95cc6
      Colin Ian King authored
      The multiplication of cfg->ctr[1] by 1000000000 is performed using a
      32 bit multiplication (since cfg->ctr[1] is a u32) and this can lead
      to a potential overflow. Fix this by making the constant a ULL to
      ensure a 64 bit multiply occurs.
      
      Fixes: 504723af ("net: stmmac: Add basic EST support for GMAC5+")
      Addresses-Coverity: ("Unintentional integer overflow")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44d95cc6
    • Cong Wang's avatar
      net_sched: fix tcm_parent in tc filter dump · a7df4870
      Cong Wang authored
      When we tell kernel to dump filters from root (ffff:ffff),
      those filters on ingress (ffff:0000) are matched, but their
      true parents must be dumped as they are. However, kernel
      dumps just whatever we tell it, that is either ffff:ffff
      or ffff:0000:
      
       $ nl-cls-list --dev=dummy0 --parent=root
       cls basic dev dummy0 id none parent root prio 49152 protocol ip match-all
       cls basic dev dummy0 id :1 parent root prio 49152 protocol ip match-all
       $ nl-cls-list --dev=dummy0 --parent=ffff:
       cls basic dev dummy0 id none parent ffff: prio 49152 protocol ip match-all
       cls basic dev dummy0 id :1 parent ffff: prio 49152 protocol ip match-all
      
      This is confusing and misleading, more importantly this is
      a regression since 4.15, so the old behavior must be restored.
      
      And, when tc filters are installed on a tc class, the parent
      should be the classid, rather than the qdisc handle. Commit
      edf6711c ("net: sched: remove classid and q fields from tcf_proto")
      removed the classid we save for filters, we can just restore
      this classid in tcf_block.
      
      Steps to reproduce this:
       ip li set dev dummy0 up
       tc qd add dev dummy0 ingress
       tc filter add dev dummy0 parent ffff: protocol arp basic action pass
       tc filter show dev dummy0 root
      
      Before this patch:
       filter protocol arp pref 49152 basic
       filter protocol arp pref 49152 basic handle 0x1
      	action order 1: gact action pass
      	 random type none pass val 0
      	 index 1 ref 1 bind 1
      
      After this patch:
       filter parent ffff: protocol arp pref 49152 basic
       filter parent ffff: protocol arp pref 49152 basic handle 0x1
       	action order 1: gact action pass
       	 random type none pass val 0
      	 index 1 ref 1 bind 1
      
      Fixes: a10fa201 ("net: sched: propagate q and parent from caller down to tcf_fill_node")
      Fixes: edf6711c ("net: sched: remove classid and q fields from tcf_proto")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7df4870
    • Arnd Bergmann's avatar
      cxgb4/chcr: avoid -Wreturn-local-addr warning · 071a43e6
      Arnd Bergmann authored
      gcc-10 warns about functions that return a pointer to a stack
      variable. In chcr_write_cpl_set_tcb_ulp(), this does not actually
      happen, but it's too hard to see for the compiler:
      
      drivers/crypto/chelsio/chcr_ktls.c: In function 'chcr_write_cpl_set_tcb_ulp.constprop':
      drivers/crypto/chelsio/chcr_ktls.c:760:9: error: function may return address of local variable [-Werror=return-local-addr]
        760 |  return pos;
            |         ^~~
      drivers/crypto/chelsio/chcr_ktls.c:712:5: note: declared here
        712 |  u8 buf[48] = {0};
            |     ^~~
      
      Split the middle part of the function out into a helper to make
      it easier to understand by both humans and compilers, which avoids
      the warning.
      
      Fixes: 5a4b9fe7 ("cxgb4/chcr: complete record tx handling")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      071a43e6
    • Julian Wiedmann's avatar
      s390/qeth: fix cancelling of TX timer on dev_close() · c649c41d
      Julian Wiedmann authored
      With the introduction of TX coalescing, .ndo_start_xmit now potentially
      starts the TX completion timer. So only kill the timer _after_ TX has
      been disabled.
      
      Fixes: ee1e52d1 ("s390/qeth: add TX IRQ coalescing support for IQD devices")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c649c41d
    • Dejin Zheng's avatar
      net: enetc: fix an issue about leak system resources · d975cb7e
      Dejin Zheng authored
      the related system resources were not released when enetc_hw_alloc()
      return error in the enetc_pci_mdio_probe(), add iounmap() for error
      handling label "err_hw_alloc" to fix it.
      
      Fixes: 6517798d ("enetc: Make MDIO accessors more generic and export to include/linux/fsl")
      Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarDejin Zheng <zhengdejin5@gmail.com>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d975cb7e
    • Tariq Toukan's avatar
      net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() · 40e47307
      Tariq Toukan authored
      When ENOSPC is set the idx is still valid and gets set to the global
      MLX4_SINK_COUNTER_INDEX.  However gcc's static analysis cannot tell that
      ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
      
      drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
      used uninitialized in this function [-Wmaybe-uninitialized]
       2552 |    priv->def_counter[port] = idx;
      
      Also, when ENOSPC is returned mlx4_allocate_default_counters should not
      fail.
      
      Fixes: 6de5f7f6 ("net/mlx4_core: Allocate default counter per port")
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40e47307
    • Aya Levin's avatar
      devlink: Fix reporter's recovery condition · bea0c5c9
      Aya Levin authored
      Devlink health core conditions the reporter's recovery with the
      expiration of the grace period. This is not relevant for the first
      recovery. Explicitly demand that the grace period will only apply to
      recoveries other than the first.
      
      Fixes: c8e1da0b ("devlink: Add health report functionality")
      Signed-off-by: default avatarAya Levin <ayal@mellanox.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bea0c5c9
    • Maxim Petrov's avatar
      stmmac: fix pointer check after utilization in stmmac_interrupt · f42234ff
      Maxim Petrov authored
      The paranoidal pointer check in IRQ handler looks very strange - it
      really protects us only against bogus drivers which request IRQ line
      with null pointer dev_id. However, the code fragment is incorrect
      because the dev pointer is used before the actual check which leads
      to undefined behavior. Remove the check to avoid confusing people
      with incorrect code.
      Signed-off-by: default avatarMaxim Petrov <mmrmaximuzz@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f42234ff
    • Tuong Lien's avatar
      tipc: fix partial topology connection closure · 980d6927
      Tuong Lien authored
      When an application connects to the TIPC topology server and subscribes
      to some services, a new connection is created along with some objects -
      'tipc_subscription' to store related data correspondingly...
      However, there is one omission in the connection handling that when the
      connection or application is orderly shutdown (e.g. via SIGQUIT, etc.),
      the connection is not closed in kernel, the 'tipc_subscription' objects
      are not freed too.
      This results in:
      - The maximum number of subscriptions (65535) will be reached soon, new
      subscriptions will be rejected;
      - TIPC module cannot be removed (unless the objects  are somehow forced
      to release first);
      
      The commit fixes the issue by closing the connection if the 'recvmsg()'
      returns '0' i.e. when the peer is shutdown gracefully. It also includes
      the other unexpected cases.
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      980d6927
    • Florian Fainelli's avatar
      net: dsa: Do not make user port errors fatal · 86f8b1c0
      Florian Fainelli authored
      Prior to 1d27732f ("net: dsa: setup and teardown ports"), we would
      not treat failures to set-up an user port as fatal, but after this
      commit we would, which is a regression for some systems where interfaces
      may be declared in the Device Tree, but the underlying hardware may not
      be present (pluggable daughter cards for instance).
      
      Fixes: 1d27732f ("net: dsa: setup and teardown ports")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86f8b1c0
  5. 03 May, 2020 3 commits
  6. 01 May, 2020 3 commits