1. 11 Dec, 2019 17 commits
  2. 10 Dec, 2019 1 commit
  3. 09 Dec, 2019 20 commits
    • Davide Caratti's avatar
      tc-testing: unbreak full listing of tdc testcases · 991a3459
      Davide Caratti authored
      the following command currently fails:
      
       [root@fedora tc-testing]# ./tdc.py -l
       The following test case IDs are not unique:
       {'6f5e'}
       Please correct them before continuing.
      
      this happens because there are two tests having the same id:
      
       [root@fedora tc-testing]# grep -r 6f5e tc-tests/*
       tc-tests/actions/pedit.json:        "id": "6f5e",
       tc-tests/filters/basic.json:        "id": "6f5e",
      
      fix it replacing the latest duplicate id with a brand new one:
      
       [root@fedora tc-testing]# sed -i 's/6f5e//1' tc-tests/filters/basic.json
       [root@fedora tc-testing]# ./tdc.py -i
      
      Fixes: 4717b053 ("tc-testing: Introduced tdc tests for basic filter")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      991a3459
    • Chuhong Yuan's avatar
      fjes: fix missed check in fjes_acpi_add · a288f105
      Chuhong Yuan authored
      fjes_acpi_add() misses a check for platform_device_register_simple().
      Add a check to fix it.
      
      Fixes: 658d439b ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
      Signed-off-by: default avatarChuhong Yuan <hslester96@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a288f105
    • Mao Wenan's avatar
      af_packet: set defaule value for tmo · b43d1f9f
      Mao Wenan authored
      There is softlockup when using TPACKET_V3:
      ...
      NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
      (__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
      (_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c)
      (mod_timer) from [<c0549c30>]
      (prb_retire_rx_blk_timer_expired+0x68/0x11c)
      (prb_retire_rx_blk_timer_expired) from [<c027a7ac>]
      (call_timer_fn+0x90/0x17c)
      (call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc)
      (run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318)
      (__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
      (irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
      (msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4)
      (handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118)
      (gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c)
      ...
      
      If __ethtool_get_link_ksettings() is failed in
      prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
      is zero and the timer expire for retire_blk_timer is turn to
      mod_timer(&pkc->retire_blk_timer, jiffies + 0),
      which will trigger cpu usage of softirq is 100%.
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Tested-by: default avatarXiao Jiangfeng <xiaojiangfeng@huawei.com>
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b43d1f9f
    • Grygorii Strashko's avatar
      net: ethernet: ti: davinci_cpdma: fix warning "device driver frees DMA memory with different size" · 8a2b2220
      Grygorii Strashko authored
      The TI CPSW(s) driver produces warning with DMA API debug options enabled:
      
      WARNING: CPU: 0 PID: 1033 at kernel/dma/debug.c:1025 check_unmap+0x4a8/0x968
      DMA-API: cpsw 48484000.ethernet: device driver frees DMA memory with different size
       [device address=0x00000000abc6aa02] [map size=64 bytes] [unmap size=42 bytes]
      CPU: 0 PID: 1033 Comm: ping Not tainted 5.3.0-dirty #41
      Hardware name: Generic DRA72X (Flattened Device Tree)
      [<c0112c60>] (unwind_backtrace) from [<c010d270>] (show_stack+0x10/0x14)
      [<c010d270>] (show_stack) from [<c09bc564>] (dump_stack+0xd8/0x110)
      [<c09bc564>] (dump_stack) from [<c013b93c>] (__warn+0xe0/0x10c)
      [<c013b93c>] (__warn) from [<c013b9ac>] (warn_slowpath_fmt+0x44/0x6c)
      [<c013b9ac>] (warn_slowpath_fmt) from [<c01e0368>] (check_unmap+0x4a8/0x968)
      [<c01e0368>] (check_unmap) from [<c01e08a8>] (debug_dma_unmap_page+0x80/0x90)
      [<c01e08a8>] (debug_dma_unmap_page) from [<c0752414>] (__cpdma_chan_free+0x114/0x16c)
      [<c0752414>] (__cpdma_chan_free) from [<c07525c4>] (__cpdma_chan_process+0x158/0x17c)
      [<c07525c4>] (__cpdma_chan_process) from [<c0753690>] (cpdma_chan_process+0x3c/0x5c)
      [<c0753690>] (cpdma_chan_process) from [<c0758660>] (cpsw_tx_mq_poll+0x48/0x94)
      [<c0758660>] (cpsw_tx_mq_poll) from [<c0803018>] (net_rx_action+0x108/0x4e4)
      [<c0803018>] (net_rx_action) from [<c010230c>] (__do_softirq+0xec/0x598)
      [<c010230c>] (__do_softirq) from [<c0143914>] (do_softirq.part.4+0x68/0x74)
      [<c0143914>] (do_softirq.part.4) from [<c0143a44>] (__local_bh_enable_ip+0x124/0x17c)
      [<c0143a44>] (__local_bh_enable_ip) from [<c0871590>] (ip_finish_output2+0x294/0xb7c)
      [<c0871590>] (ip_finish_output2) from [<c0875440>] (ip_output+0x210/0x364)
      [<c0875440>] (ip_output) from [<c0875e2c>] (ip_send_skb+0x1c/0xf8)
      [<c0875e2c>] (ip_send_skb) from [<c08a7fd4>] (raw_sendmsg+0x9a8/0xc74)
      [<c08a7fd4>] (raw_sendmsg) from [<c07d6b90>] (sock_sendmsg+0x14/0x24)
      [<c07d6b90>] (sock_sendmsg) from [<c07d8260>] (__sys_sendto+0xbc/0x100)
      [<c07d8260>] (__sys_sendto) from [<c01011ac>] (__sys_trace_return+0x0/0x14)
      Exception stack(0xea9a7fa8 to 0xea9a7ff0)
      ...
      
      The reason is that cpdma_chan_submit_si() now stores original buffer length
      (sw_len) in CPDMA descriptor instead of adjusted buffer length (hw_len)
      used to map the buffer.
      
      Hence, fix an issue by passing correct buffer length in CPDMA descriptor.
      
      Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Fixes: 6670acac ("net: ethernet: ti: davinci_cpdma: add dma mapped submit")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Reviewed-by: default avatarIvan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a2b2220
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 7da538c1
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Wait for rcu grace period after releasing netns in ctnetlink,
         from Florian Westphal.
      
      2) Incorrect command type in flowtable offload ndo invocation,
         from wenxu.
      
      3) Incorrect callback type in flowtable offload flow tuple
         updates, also from wenxu.
      
      4) Fix compile warning on flowtable offload infrastructure due to
         possible reference to uninitialized variable, from Nathan Chancellor.
      
      5) Do not inline nf_ct_resolve_clash(), this is called from slow
         path / stress situations. From Florian Westphal.
      
      6) Missing IPv6 flow selector description in flowtable offload.
      
      7) Missing check for NETDEV_UNREGISTER in nf_tables offload
         infrastructure, from wenxu.
      
      8) Update NAT selftest to use randomized netns names, from
         Florian Westphal.
      
      9) Restore nfqueue bridge support, from Marco Oliverio.
      
      10) Compilation warning in SCTP_CHUNKMAP_*() on xt_sctp header.
          From Phil Sutter.
      
      11) Fix bogus lookup/get match for non-anonymous rbtree sets.
      
      12) Missing netlink validation for NFT_SET_ELEM_INTERVAL_END
          elements.
      
      13) Missing netlink validation for NFT_DATA_VALUE after
          nft_data_init().
      
      14) If rule specifies no actions, offload infrastructure returns
          EOPNOTSUPP.
      
      15) Module refcount leak in object updates.
      
      16) Missing sanitization for ARP traffic from br_netfilter, from
          Eric Dumazet.
      
      17) Compilation breakage on big-endian due to incorrect memcpy()
          size in the flowtable offload infrastructure.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7da538c1
    • Pablo Neira Ayuso's avatar
      netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle() · 7acd9378
      Pablo Neira Ayuso authored
      In function 'memcpy',
           inlined from 'flow_offload_mangle' at net/netfilter/nf_flow_table_offload.c:112:2,
           inlined from 'flow_offload_port_dnat' at net/netfilter/nf_flow_table_offload.c:373:2,
           inlined from 'nf_flow_rule_route_ipv4' at net/netfilter/nf_flow_table_offload.c:424:3:
      ./include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
         376 |    __read_overflow2();
             |    ^~~~~~~~~~~~~~~~~~
      
      The original u8* was done in the hope to make this more adaptable but
      consensus is to keep this like it is in tc pedit.
      
      Fixes: c29f74e0 ("netfilter: nf_flow_table: hardware offload support")
      Reported-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7acd9378
    • Martin Schiller's avatar
      net/x25: add new state X25_STATE_5 · f8fc57e8
      Martin Schiller authored
      This is needed, because if the flag X25_ACCPT_APPRV_FLAG is not set on a
      socket (manual call confirmation) and the channel is cleared by remote
      before the manual call confirmation was sent, this situation needs to
      be handled.
      Signed-off-by: default avatarMartin Schiller <ms@dev.tdt.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8fc57e8
    • Ido Schimmel's avatar
      selftests: forwarding: Delete IPv6 address at the end · 65cb1398
      Ido Schimmel authored
      When creating the second host in h2_create(), two addresses are assigned
      to the interface, but only one is deleted. When running the test twice
      in a row the following error is observed:
      
      $ ./router_bridge_vlan.sh
      TEST: ping                                                          [ OK ]
      TEST: ping6                                                         [ OK ]
      TEST: vlan                                                          [ OK ]
      $ ./router_bridge_vlan.sh
      RTNETLINK answers: File exists
      TEST: ping                                                          [ OK ]
      TEST: ping6                                                         [ OK ]
      TEST: vlan                                                          [ OK ]
      
      Fix this by deleting the address during cleanup.
      
      Fixes: 5b1e7f9e ("selftests: forwarding: Test routed bridge interface")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65cb1398
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Remove unlikely user-triggerable warning · 62201c00
      Ido Schimmel authored
      In case the driver vetoes the addition of an IPv6 multipath route, the
      IPv6 stack will emit delete notifications for the sibling routes that
      were already added to the FIB trie. Since these siblings are not present
      in hardware, a warning will be generated.
      
      Have the driver ignore notifications for routes it does not have.
      
      Fixes: ebee3cad ("ipv6: Add IPv6 multipath notifications for add / replace")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62201c00
    • Xin Long's avatar
      sctp: fully initialize v4 addr in some functions · b6f3320b
      Xin Long authored
      Syzbot found a crash:
      
        BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
        BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
        BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
        Call Trace:
          crc32_body lib/crc32.c:112 [inline]
          crc32_le_generic lib/crc32.c:179 [inline]
          __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
          chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
          crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
          crc32c+0x150/0x220 lib/libcrc32c.c:47
          sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
          __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
          sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
          sctp_packet_pack net/sctp/output.c:528 [inline]
          sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
          sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
          sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
          sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
          sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
          sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
          sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
          sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
          sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
          sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
          sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
      
      The issue was caused by transport->ipaddr set with uninit addr param, which
      was passed by:
      
        sctp_transport_init net/sctp/transport.c:47 [inline]
        sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
        sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
        sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
      
      where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
      the padding of addr->v4.
      
      Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
      will become the part of skb, and the issue occurs.
      
      This patch is to fix it by initializing the padding of addr->v4 in
      sctp_v4_from_addr_param(), as well as other functions that do the similar
      thing, and these functions shouldn't trust that the caller initializes the
      memory, as Marcelo suggested.
      
      Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6f3320b
    • Eric Dumazet's avatar
      bonding: fix bond_neigh_init() · 9e99bfef
      Eric Dumazet authored
      1) syzbot reported an uninit-value in bond_neigh_setup() [1]
      
       bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms',
       but only clears parms.neigh_setup field.
      
       A stacked bonding device would then enter bond_neigh_setup()
       and read garbage from parms->dev.
      
       If we get really unlucky and garbage is matching @dev, then we
       could recurse and eventually crash.
      
       Let's make sure the whole structure is cleared to avoid surprises.
      
      2) bond_neigh_setup() can be called while another cpu manipulates
       the master device, removing or adding a slave.
       We need at least rcu protection to prevent use-after-free.
      
      Note: Prior code does not support a stack of bonding devices,
            this patch does not attempt to fix this, and leave a comment instead.
      
      [1]
      
      BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
      CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
       bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
       bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626
       ___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613
       __neigh_create+0xbd/0xd0 net/core/neighbour.c:674
       ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113
       __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
       ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
       dst_output include/net/dst.h:436 [inline]
       NF_HOOK include/linux/netfilter.h:305 [inline]
       mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682
       mld_send_cr net/ipv6/mcast.c:1978 [inline]
       mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477
       call_timer_fn+0x232/0x530 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers+0xd60/0x1270 kernel/time/timer.c:1773
       run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       invoke_softirq kernel/softirq.c:375 [inline]
       irq_exit+0x230/0x280 kernel/softirq.c:416
       exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536
       smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138
       apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835
       </IRQ>
      RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439
      Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f
      RSP: 0018:ffffb328034af818 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: 0000000000000000 RBX: ffffe2d7471f8360 RCX: 0000000000000000
      RDX: ffffffffadea7000 RSI: 0000000000000004 RDI: ffff93496fcda104
      RBP: ffffb328034af850 R08: ffff934a47e86d00 R09: ffff93496fc41900
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      R13: 0000000000000246 R14: 0000000000000000 R15: ffffe2d7472225c0
       free_pages_prepare mm/page_alloc.c:1138 [inline]
       free_pcp_prepare mm/page_alloc.c:1230 [inline]
       free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025
       free_unref_page mm/page_alloc.c:3074 [inline]
       free_the_page mm/page_alloc.c:4832 [inline]
       __free_pages+0x154/0x230 mm/page_alloc.c:4840
       __vunmap+0xdac/0xf20 mm/vmalloc.c:2277
       __vfree mm/vmalloc.c:2325 [inline]
       vfree+0x7c/0x170 mm/vmalloc.c:2355
       copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline]
       get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline]
       do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709
       nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
       nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122
       ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400
       tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688
       sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110
       __sys_getsockopt+0x533/0x7b0 net/socket.c:2129
       __do_sys_getsockopt net/socket.c:2144 [inline]
       __se_sys_getsockopt+0xe1/0x100 net/socket.c:2141
       __x64_sys_getsockopt+0x62/0x80 net/socket.c:2141
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45d20a
      Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00
      RSP: 002b:0000000000a6f618 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
      RAX: ffffffffffffffda RBX: 0000000000a6f640 RCX: 000000000045d20a
      RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
      RBP: 0000000000717cc0 R08: 0000000000a6f63c R09: 0000000000004000
      R10: 0000000000a6f740 R11: 0000000000000212 R12: 0000000000000003
      R13: 0000000000000000 R14: 0000000000000029 R15: 0000000000715b00
      
      Local variable description: ----parms@bond_neigh_init
      Variable was created at:
       bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
       bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
      
      Fixes: 9918d5bf ("bonding: modify only neigh_parms owned by us")
      Fixes: 234bcf8a ("net/bonding: correctly proxy slave neigh param setup ndo function")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e99bfef
    • Eric Dumazet's avatar
      neighbour: remove neigh_cleanup() method · f394722f
      Eric Dumazet authored
      neigh_cleanup() has not been used for seven years, and was a wrong design.
      
      Messing with shared pointer in bond_neigh_init() without proper
      memory barriers would at least trigger syzbot complains eventually.
      
      It is time to remove this stuff.
      
      Fixes: b63b70d8 ("IPoIB: Use a private hash table for path lookup in xmit path")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f394722f
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.5-20191208' of... · 43aad810
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.5-20191208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-12-08
      
      this is a pull request of 13 patches for net/master.
      
      The first two patches are by Dan Murphy. He adds himself as a maintainer to the
      m-can MMIO and tcan SPI driver.
      
      The next two patches the j1939 stack. The first one is by Oleksij Rempel and
      fixes a locking problem found by the syzbot, the second one is by me an fixes a
      mistake in the documentation.
      
      Srinivas Neeli fixes missing RX CAN packets on CANFD2.0 in the xilinx driver.
      
      Sean Nyekjaer fixes a possible deadlock in the the flexcan driver after
      suspend/resume. Joakim Zhang contributes two patches for the flexcan driver
      that fix problems with the low power enter/exit.
      
      The next 4 patches all target the tcan part of the m_can driver. Sean Nyekjaer
      adds the required delay after reset and fixes the device tree binding example.
      Dan Murphy's patches make the wake-gpio optional.
      
      In the last patch Xiaolong Huang fixes several kernel memory info leaks to the
      USB device in the kvaser_usb_leaf driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43aad810
    • Eric Dumazet's avatar
      netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() · 56042858
      Eric Dumazet authored
      syzbot is kind enough to remind us we need to call skb_may_pull()
      
      BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
      CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
       br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
       nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
       nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
       nf_hook include/linux/netfilter.h:260 [inline]
       NF_HOOK include/linux/netfilter.h:303 [inline]
       __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
       br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
       br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
       nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
       br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
       __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
       __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
       __netif_receive_skb net/core/dev.c:5043 [inline]
       process_backlog+0x610/0x13c0 net/core/dev.c:5874
       napi_poll net/core/dev.c:6311 [inline]
       net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
       </IRQ>
       do_softirq kernel/softirq.c:338 [inline]
       __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
       local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
       rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
       __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
       packet_snd net/packet/af_packet.c:2959 [inline]
       packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45a679
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
      RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
      RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
      R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
       kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
       kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
       slab_alloc_node mm/slub.c:2773 [inline]
       __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
       sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
       packet_alloc_skb net/packet/af_packet.c:2807 [inline]
       packet_snd net/packet/af_packet.c:2902 [inline]
       packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c4e70a87 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      56042858
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions · 81ec6107
      Pablo Neira Ayuso authored
      If the rule only specifies the matching side, return EOPNOTSUPP.
      Otherwise, the front-end relies on the drivers to reject this rule.
      
      Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      81ec6107
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: skip module reference count bump on object updates · fd57d0cb
      Pablo Neira Ayuso authored
      Use __nft_obj_type_get() instead, otherwise there is a module reference
      counter leak.
      
      Fixes: d62d0ba9 ("netfilter: nf_tables: Introduce stateful object update operation")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      fd57d0cb
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() · 0d2c96af
      Pablo Neira Ayuso authored
      Userspace might bogusly sent NFT_DATA_VERDICT in several netlink
      attributes that assume NFT_DATA_VALUE. Moreover, make sure that error
      path invokes nft_data_release() to decrement the reference count on the
      chain object.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Fixes: 0f3cd9b3 ("netfilter: nf_tables: add range expression")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0d2c96af
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END · bffc124b
      Pablo Neira Ayuso authored
      Only NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_FLAGS make sense for elements
      whose NFT_SET_ELEM_INTERVAL_END flag is set on.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      bffc124b
    • Pablo Neira Ayuso's avatar
      netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets · db3b665d
      Pablo Neira Ayuso authored
      The existing rbtree implementation might store consecutive elements
      where the closing element and the opening element might overlap, eg.
      
      	[ a, a+1) [ a+1, a+2)
      
      This patch removes the optimization for non-anonymous sets in the exact
      matching case, where it is assumed to stop searching in case that the
      closing element is found. Instead, invalidate candidate interval and
      keep looking further in the tree.
      
      The lookup/get operation might return false, while there is an element
      in the rbtree. Moreover, the get operation returns true as if a+2 would
      be in the tree. This happens with named sets after several set updates.
      
      The existing lookup optimization (that only works for the anonymous
      sets) might not reach the opening [ a+1,... element if the closing
      ...,a+1) is found in first place when walking over the rbtree. Hence,
      walking the full tree in that case is needed.
      
      This patch fixes the lookup and get operations.
      
      Fixes: e701001e ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
      Fixes: ba0e4d99 ("netfilter: nf_tables: get set elements via netlink")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      db3b665d
    • Phil Sutter's avatar
      netfilter: uapi: Avoid undefined left-shift in xt_sctp.h · 16416655
      Phil Sutter authored
      With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is
      undefined for the signed 32-bit value 1. Avoid this by declaring 1 as
      unsigned.
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      16416655
  4. 08 Dec, 2019 2 commits
    • Linus Torvalds's avatar
      Linux 5.5-rc1 · e42617b8
      Linus Torvalds authored
      e42617b8
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 95e6ba51
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) More jumbo frame fixes in r8169, from Heiner Kallweit.
      
       2) Fix bpf build in minimal configuration, from Alexei Starovoitov.
      
       3) Use after free in slcan driver, from Jouni Hogander.
      
       4) Flower classifier port ranges don't work properly in the HW offload
          case, from Yoshiki Komachi.
      
       5) Use after free in hns3_nic_maybe_stop_tx(), from Yunsheng Lin.
      
       6) Out of bounds access in mqprio_dump(), from Vladyslav Tarasiuk.
      
       7) Fix flow dissection in dsa TX path, from Alexander Lobakin.
      
       8) Stale syncookie timestampe fixes from Guillaume Nault.
      
      [ Did an evil merge to silence a warning introduced by this pull - Linus ]
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        r8169: fix rtl_hw_jumbo_disable for RTL8168evl
        net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
        r8169: add missing RX enabling for WoL on RTL8125
        vhost/vsock: accept only packets with the right dst_cid
        net: phy: dp83867: fix hfs boot in rgmii mode
        net: ethernet: ti: cpsw: fix extra rx interrupt
        inet: protect against too small mtu values.
        gre: refetch erspan header from skb->data after pskb_may_pull()
        pppoe: remove redundant BUG_ON() check in pppoe_pernet
        tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
        tcp: tighten acceptance of ACKs not matching a child socket
        tcp: fix rejected syncookies due to stale timestamps
        lpc_eth: kernel BUG on remove
        tcp: md5: fix potential overestimation of TCP option space
        net: sched: allow indirect blocks to bind to clsact in TC
        net: core: rename indirect block ingress cb function
        net-sysfs: Call dev_hold always in netdev_queue_add_kobject
        net: dsa: fix flow dissection on Tx path
        net/tls: Fix return values to avoid ENOTSUPP
        net: avoid an indirect call in ____sys_recvmsg()
        ...
      95e6ba51