1. 19 Jul, 2021 16 commits
  2. 18 Jul, 2021 4 commits
    • Nguyen Dinh Phi's avatar
      netrom: Decrease sock refcount when sock timers expire · 517a16b1
      Nguyen Dinh Phi authored
      Commit 63346650 ("netrom: switch to sock timer API") switched to use
      sock timer API. It replaces mod_timer() by sk_reset_timer(), and
      del_timer() by sk_stop_timer().
      
      Function sk_reset_timer() will increase the refcount of sock if it is
      called on an inactive timer, hence, in case the timer expires, we need to
      decrease the refcount ourselves in the handler, otherwise, the sock
      refcount will be unbalanced and the sock will never be freed.
      Signed-off-by: default avatarNguyen Dinh Phi <phind.uet@gmail.com>
      Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
      Fixes: 63346650 ("netrom: switch to sock timer API")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      517a16b1
    • Xin Long's avatar
      sctp: trim optlen when it's a huge value in sctp_setsockopt · 2f3fdd8d
      Xin Long authored
      After commit ca84bd05 ("sctp: copy the optval from user space in
      sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
      the optlen, and it would fail the allocation and return error if the
      optlen from user space is a huge value.
      
      This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
      SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
      be trimmed to a biggest value it needs when optlen is a huge value,
      instead of failing the allocation and returning error.
      
      This patch is to fix the allocation failure when it's a huge optlen from
      user space by trimming it to the biggest size sctp sockopt may need when
      necessary, and this biggest size is from sctp_setsockopt_reset_streams()
      for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT
      and SCTP_AUTH_KEY.
      
      Fixes: ca84bd05 ("sctp: copy the optval from user space in sctp_setsockopt")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f3fdd8d
    • Pavel Skripkin's avatar
      net: sched: fix memory leak in tcindex_partial_destroy_work · f5051bce
      Pavel Skripkin authored
      Syzbot reported memory leak in tcindex_set_parms(). The problem was in
      non-freed perfect hash in tcindex_partial_destroy_work().
      
      In tcindex_set_parms() new tcindex_data is allocated and some fields from
      old one are copied to new one, but not the perfect hash. Since
      tcindex_partial_destroy_work() is the destroy function for old
      tcindex_data, we need to free perfect hash to avoid memory leak.
      
      Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5051bce
    • Pravin B Shelar's avatar
      net: Fix zero-copy head len calculation. · a17ad096
      Pravin B Shelar authored
      In some cases skb head could be locked and entire header
      data is pulled from skb. When skb_zerocopy() called in such cases,
      following BUG is triggered. This patch fixes it by copying entire
      skb in such cases.
      This could be optimized incase this is performance bottleneck.
      
      ---8<---
      kernel BUG at net/core/skbuff.c:2961!
      invalid opcode: 0000 [#1] SMP PTI
      CPU: 2 PID: 0 Comm: swapper/2 Tainted: G           OE     5.4.0-77-generic #86-Ubuntu
      Hardware name: OpenStack Foundation OpenStack Nova, BIOS 1.13.0-1ubuntu1.1 04/01/2014
      RIP: 0010:skb_zerocopy+0x37a/0x3a0
      RSP: 0018:ffffbcc70013ca38 EFLAGS: 00010246
      Call Trace:
       <IRQ>
       queue_userspace_packet+0x2af/0x5e0 [openvswitch]
       ovs_dp_upcall+0x3d/0x60 [openvswitch]
       ovs_dp_process_packet+0x125/0x150 [openvswitch]
       ovs_vport_receive+0x77/0xd0 [openvswitch]
       netdev_port_receive+0x87/0x130 [openvswitch]
       netdev_frame_hook+0x4b/0x60 [openvswitch]
       __netif_receive_skb_core+0x2b4/0xc90
       __netif_receive_skb_one_core+0x3f/0xa0
       __netif_receive_skb+0x18/0x60
       process_backlog+0xa9/0x160
       net_rx_action+0x142/0x390
       __do_softirq+0xe1/0x2d6
       irq_exit+0xae/0xb0
       do_IRQ+0x5a/0xf0
       common_interrupt+0xf/0xf
      
      Code that triggered BUG:
      int
      skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)
      {
              int i, j = 0;
              int plen = 0; /* length of skb->head fragment */
              int ret;
              struct page *page;
              unsigned int offset;
      
              BUG_ON(!from->head_frag && !hlen);
      Signed-off-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a17ad096
  3. 17 Jul, 2021 1 commit
    • Mahesh Bandewar's avatar
      bonding: fix build issue · 5b69874f
      Mahesh Bandewar authored
      The commit 9a560550 (" bonding: Add struct bond_ipesc to manage SA") is causing
      following build error when XFRM is not selected in kernel config.
      
      lld: error: undefined symbol: xfrm_dev_state_flush
      >>> referenced by bond_main.c:3453 (drivers/net/bonding/bond_main.c:3453)
      >>>               net/bonding/bond_main.o:(bond_netdev_event) in archive drivers/built-in.a
      
      Fixes: 9a560550 (" bonding: Add struct bond_ipesc to manage SA")
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      CC: Taehee Yoo <ap420073@gmail.com>
      CC: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b69874f
  4. 16 Jul, 2021 3 commits
  5. 15 Jul, 2021 14 commits
  6. 14 Jul, 2021 2 commits
    • David S. Miller's avatar
      Merge branch 'r8152-pm-fixxes' · 3ffd3dad
      David S. Miller authored
      Takashi Iwai says:
      
      ====================
      r8152: Fix a couple of PM problems
      
      it seems that r8152 driver suffers from the deadlock at both runtime
      and system PM.  Formerly, it was seen more often at hibernation
      resume, but now it's triggered more frequently, as reported in SUSE
      Bugzilla:
        https://bugzilla.suse.com/show_bug.cgi?id=1186194
      
      While debugging the problem, I stumbled on a few obvious bugs and here
      is the results with two patches for addressing the resume problem.
      
      ***
      
      However, the story doesn't end here, unfortunately, and those patches
      don't seem sufficing.  The rest major problem is that the driver calls
      napi_disable() and napi_enable() in the PM suspend callbacks.  This
      makes the system stalling at (runtime-)suspend.  If we drop
      napi_disable() and napi_enable() calls in the PM suspend callbacks, it
      starts working (that was the result in Bugzilla comment 13):
        https://bugzilla.suse.com/show_bug.cgi?id=1186194#c13
      
      So, my patches aren't enough and we still need to investigate
      further.  It'd be appreciated if anyone can give a fix or a hint for
      more debugging.  The usage of napi_disable() at PM callbacks is unique
      in this driver and looks rather suspicious to me; but I'm no expert in
      this area so I might be wrong...
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ffd3dad
    • Takashi Iwai's avatar
      r8152: Fix a deadlock by doubly PM resume · 776ac63a
      Takashi Iwai authored
      r8152 driver sets up the MAC address at reset-resume, while
      rtl8152_set_mac_address() has the temporary autopm get/put.  This may
      lead to a deadlock as the PM lock has been already taken for the
      execution of the runtime PM callback.
      
      This patch adds the workaround to avoid the superfluous autpm when
      called from rtl8152_reset_resume().
      
      Link: https://bugzilla.suse.com/show_bug.cgi?id=1186194Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      776ac63a