1. 15 Apr, 2019 2 commits
  2. 14 Apr, 2019 8 commits
    • Merge tag 'mlx5-fixes-2019-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 73248801
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-04-09
      
      This series provides some fixes to mlx5 driver.
      
      I've cc'ed some of the checksum fixes to Eric Dumazet and I would like to get
      his feedback before you pull.
      
      For -stable v4.19
      ('net/mlx5: FPGA, tls, idr remove on flow delete')
      ('net/mlx5: FPGA, tls, hold rcu read lock a bit longer')
      
      For -stable v4.20
      ('net/mlx5e: Rx, Check ip headers sanity')
      ('Revert "net/mlx5e: Enable reporting checksum unnecessary also for L3 packets"')
      ('net/mlx5e: Rx, Fixup skb checksum for packets with tail padding')
      
      For -stable v5.0
      ('net/mlx5e: Switch to Toeplitz RSS hash by default')
      ('net/mlx5e: Protect against non-uplink representor for encap')
      ('net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded')
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rtnetlink: fix rtnl_valid_stats_req() nlmsg_len check · 69f23a09
      Eric Dumazet authored
      Jakub forgot to either use nlmsg_len() or nlmsg_msg_size(),
      allowing KMSAN to detect a possible uninit-value in rtnl_stats_get
      
      BUG: KMSAN: uninit-value in rtnl_stats_get+0x6d9/0x11d0 net/core/rtnetlink.c:4997
      CPU: 0 PID: 10428 Comm: syz-executor034 Not tainted 5.1.0-rc2+ #24
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:619
       __msan_warning+0x7a/0xf0 mm/kmsan/kmsan_instr.c:310
       rtnl_stats_get+0x6d9/0x11d0 net/core/rtnetlink.c:4997
       rtnetlink_rcv_msg+0x115b/0x1550 net/core/rtnetlink.c:5192
       netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2485
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5210
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1925
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg net/socket.c:632 [inline]
       ___sys_sendmsg+0xdb3/0x1220 net/socket.c:2137
       __sys_sendmsg net/socket.c:2175 [inline]
       __do_sys_sendmsg net/socket.c:2184 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2182
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2182
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Fixes: 51bc860d ("rtnetlink: stats: validate attributes in get as well as dumps")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'qed-doorbell-overflow-recovery' · a6b16d8d
      David S. Miller authored
      Denis Bolotin says:
      
      ====================
      qed: Fix the Doorbell Overflow Recovery mechanism
      
      This patch series fixes and improves the doorbell recovery mechanism.
      The main goals of this series are to fix missing attentions from the
      doorbells block (DORQ) or not handling them properly, and execute the
      recovery from periodic handler instead of the attention handler.
      
      Please consider applying the series to net.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: Fix the DORQ's attentions handling · 0d72c2ac
      Denis Bolotin authored
      Separate the overflow handling from the hardware interrupt status analysis.
      The interrupt status is a single register and is common for all PFs. The
      first PF reading the register is not necessarily the one who overflowed.
      All PFs must check their overflow status on every attention.
      In this change we clear the sticky indication in the attention handler to
      allow doorbells to be processed again as soon as possible, but running
      the doorbell recovery is scheduled for the periodic handler to reduce the
      time spent in the attention handler.
      Checking the need for DORQ flush was changed to "db_bar_no_edpm" because
      qed_edpm_enabled()'s result could change dynamically and might have
      prevented a needed flush.
      Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
      Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
      Signed-off-by: Ariel Elior <aelior@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: Fix missing DORQ attentions · d4476b8a
      Denis Bolotin authored
      When the DORQ (doorbell block) is overflowed, all PFs get attentions at the
      same time. If one PF finished handling the attention before another PF even
      started, the second PF might miss the DORQ's attention bit and not handle
      the attention at all.
      If the DORQ attention is missed and the issue is not resolved, another
      attention will not be sent, therefore each attention is treated as a
      potential DORQ attention.
      As a result, the attention callback is called more frequently so the debug
      print was moved to reduce its quantity.
      The number of periodic doorbell recovery handler schedules was reduced
      because it was the previous way of mitigating the missed attention issue.
      Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
      Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
      Signed-off-by: Ariel Elior <aelior@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: Fix the doorbell address sanity check · b61b04ad
      Denis Bolotin authored
      Fix the condition which verifies that doorbell address is inside the
      doorbell bar by checking that the end of the address is within range
      as well.
      Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
      Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
      Signed-off-by: Ariel Elior <aelior@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: Delete redundant doorbell recovery types · 9ac6bb14
      Denis Bolotin authored
      DB_REC_DRY_RUN (running doorbell recovery without sending doorbells) is
      never used. DB_REC_ONCE (send a single doorbell from the doorbell recovery)
      is not needed anymore because by running the periodic handler we make sure
      we check the overflow status later instead.
      This patch is needed because in the next patches, the only doorbell
      recovery type being used is DB_REC_REAL_DEAL, and the fixes are much
      cleaner without this enum.
      Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
      Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
      Signed-off-by: Ariel Elior <aelior@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: ensure rcu_read_lock() in ipv4_link_failure() · c543cb4a
      Eric Dumazet authored
      fib_compute_spec_dst() needs to be called under rcu protection.
      
      syzbot reported:
      
      WARNING: suspicious RCU usage
      5.1.0-rc4+ #165 Not tainted
      include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      1 lock held by swapper/0/0:
       #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
       #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
      
      stack backtrace:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
       __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
       fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
       spec_dst_fill net/ipv4/ip_options.c:245 [inline]
       __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
       ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
       dst_link_failure include/net/dst.h:427 [inline]
       arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
       neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
       neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
       call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
       expire_timers kernel/time/timer.c:1362 [inline]
       __run_timers kernel/time/timer.c:1681 [inline]
       __run_timers kernel/time/timer.c:1649 [inline]
       run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
       __do_softirq+0x266/0x95a kernel/softirq.c:293
       invoke_softirq kernel/softirq.c:374 [inline]
       irq_exit+0x180/0x1d0 kernel/softirq.c:414
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
      
      Fixes: ed0de45a ("ipv4: recompile ip options in ipv4_link_failure")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 13 Apr, 2019 1 commit
  4. 12 Apr, 2019 25 commits
    • Merge branch 'rxrpc-fixes' · 9e550f01
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fixes
      
      Here is a collection of fixes for rxrpc:
      
       (1) rxrpc_error_report() needs to call sock_error() to clear the error
           code from the UDP transport socket, lest it be unexpectedly revisited
           on the next kernel_sendmsg() call.  This has been causing all sorts of
           weird effects in AFS as the effects have typically been felt by the
           wrong RxRPC call.
      
       (2) Allow a kernel user of AF_RXRPC to easily detect if an rxrpc call has
           completed.
      
       (3) Allow errors incurred by attempting to transmit data through the UDP
           socket to get back up the stack to AFS.
      
       (4) Make AFS use (2) to abort the synchronous-mode call waiting loop if
           the rxrpc-level call completed.
      
       (5) Add a missing tracepoint case for tracing abort reception.
      
       (6) Fix detection and handling of out-of-order ACKs.
      
      ====================
      Tested-by: Jonathan Billings <jsbillin@umich.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Fix detection of out of order acks · 1a2391c3
      Jeffrey Altman authored
      The rxrpc packet serial number cannot be safely used to compute out of
      order ack packets for several reasons:
      
       1. The allocation of serial numbers cannot be assumed to imply the order
          by which acks are populated and transmitted.  In some rxrpc
          implementations, delayed acks and ping acks are transmitted
          asynchronously to the receipt of data packets and so may be transmitted
          out of order.  As a result, they can race with idle acks.
      
       2. Serial numbers are allocated by the rxrpc connection and not the call
          and as such may wrap independently if multiple channels are in use.
      
      In any case, what matters is whether the ack packet provides new
      information relating to the bounds of the window (the firstPacket and
      previousPacket in the ACK data).
      
      Fix this by discarding packets that appear to wind back the window bounds
      rather than on serial number procession.
      
      Fixes: 298bc15b ("rxrpc: Only take the rwind and mtu values from latest ACK")
      Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Tested-by: Marc Dionne <marc.dionne@auristor.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
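
The discard rule described in the commit above, as an added example that is not the kernel's code: a serial-number filter and a window-bounds filter are run over the same constructed ACK arrivals. The struct layouts, function names and sample values are assumptions made for illustration; only firstPacket and previousPacket come from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe "a is earlier than b" for 32-bit counters. */
static bool seq_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}

/* One received ACK, reduced to the fields the commit message names.
 * Hypothetical layout, not the wire format. */
struct ack_info {
    uint32_t serial;          /* allocated per connection, not per call */
    uint32_t first_packet;    /* firstPacket: lower bound of the window */
    uint32_t previous_packet; /* previousPacket */
};

/* Per-call state remembered from the last accepted ACK (hypothetical). */
struct call_state {
    uint32_t last_serial;
    uint32_t first_packet;
    uint32_t previous_packet;
};

/* Simplified stand-in for ordering by serial: drop any ACK whose serial
 * is not newer than the last one accepted. */
bool accept_by_serial(struct call_state *c, const struct ack_info *a)
{
    if (!seq_before(c->last_serial, a->serial))
        return false;
    c->last_serial = a->serial;
    return true;
}

/* Window-based rule: drop only ACKs that would wind a bound backwards. */
bool accept_by_window(struct call_state *c, const struct ack_info *a)
{
    if (seq_before(a->first_packet, c->first_packet) ||
        seq_before(a->previous_packet, c->previous_packet))
        return false;
    c->first_packet = a->first_packet;
    c->previous_packet = a->previous_packet;
    return true;
}

/* Constructed arrival order (serial, firstPacket, previousPacket). */
static const struct ack_info sample_acks[] = {
    { 10, 5, 8 },  /* baseline */
    {  9, 6, 9 },  /* older serial, yet it advances the window */
    { 11, 5, 8 },  /* newer serial, yet it winds the window back */
    { 12, 6, 9 },  /* same bounds again: nothing regresses */
};

/* Runs one filter over the samples; bit i set means ACK i was accepted. */
unsigned run_filter(bool (*filter)(struct call_state *, const struct ack_info *))
{
    struct call_state c = { 0, 0, 0 };
    unsigned mask = 0;

    for (size_t i = 0; i < sizeof(sample_acks) / sizeof(sample_acks[0]); i++)
        if (filter(&c, &sample_acks[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("accepted by serial: 0x%x\n", run_filter(accept_by_serial));
    printf("accepted by window: 0x%x\n", run_filter(accept_by_window));
    return 0;
}
```

The serial filter drops the ACK that carried new window information and keeps the stale one; the window filter does the opposite.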
    • rxrpc: Trace received connection aborts · 39ce6755
      David Howells authored
      Trace received calls that are aborted due to a connection abort, typically
      because of authentication failure.  Without this, connection aborts don't
      show up in the trace log.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • afs: Check for rxrpc call completion in wait loop · f7f1dd31
      Marc Dionne authored
      Check the state of the rxrpc call backing an afs call in each iteration of
      the call wait loop in case the rxrpc call has already been terminated at
      the rxrpc layer.
      
      Interrupt the wait loop and mark the afs call as complete if the rxrpc
      layer call is complete.
      
      There were cases where rxrpc errors were not passed up to afs, which could
      result in this loop waiting forever for an afs call to transition to
      AFS_CALL_COMPLETE while the rx call was already complete.
      Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Allow errors to be returned from rxrpc_queue_packet() · 8e8715aa
      Marc Dionne authored
      Change rxrpc_queue_packet()'s signature so that it can return any error
      code it may encounter when trying to send the packet.
      
      This allows the caller to eventually do something in case of error - though
      it should be noted that the packet has been queued and a resend is
      scheduled.
      Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Make rxrpc_kernel_check_life() indicate if call completed · 4611da30
      Marc Dionne authored
      Make rxrpc_kernel_check_life() pass back the life counter through the
      argument list and return true if the call has not yet completed.
      Suggested-by: Marc Dionne <marc.dionne@auristor.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Clear socket error · 56d282d9
      Marc Dionne authored
      When an ICMP or ICMPV6 error is received, the error will be attached
      to the socket (sk_err) and the report function will get called.
      Clear any pending error here by calling sock_error().
      
      This would cause the following attempt to use the socket to fail with
      the error code stored by the ICMP error, resulting in unexpected errors
      with various side effects depending on the context.
      Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Tested-by: Jonathan Billings <jsbillin@umich.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qede: fix write to free'd pointer error and double free of ptp · 1dc2b3d6
      Colin Ian King authored
      The err2 error return path calls qede_ptp_disable that cleans up
      on an error and frees ptp. After this, the free'd ptp is dereferenced
      when ptp->clock is set to NULL and the code falls-through to error
      path err1 that frees ptp again.
      
      Fix this by calling qede_ptp_disable and exiting via an error
      return path that does not set ptp->clock or kfree ptp.
      
      Addresses-Coverity: ("Write to pointer after free")
      Fixes: 03574497 ("qede: Add support for PTP resource locking.")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxge: fix return of a free'd memblock on a failed dma mapping · 0a2c34f1
      Colin Ian King authored
      Currently if a pci dma mapping failure is detected a free'd
      memblock address is returned rather than a NULL (that indicates
      an error). Fix this by ensuring NULL is returned on this error case.
      
      Addresses-Coverity: ("Use after free")
      Fixes: 528f7272 ("vxge: code cleanup and reorganization")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'iwlwifi-for-kalle-2019-04-03' of... · 832bc250
      Kalle Valo authored
      Merge tag 'iwlwifi-for-kalle-2019-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes
      
      Second batch of iwlwifi fixes intended for v5.1
      
      * fix for a potential deadlock in the TX path;
      * a fix for offloaded rate-control;
      * support new PCI HW IDs which use a new FW;
    • mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency · bafdf85d
      Stanislaw Gruszka authored
      Move ieee80211_tx_status_ext() outside of status_list lock section
      in order to avoid locking dependency and possible deadlock reported by
      LOCKDEP in below warning.
      
      Also do mt76_tx_status_lock() just before it's needed.
      
      [  440.224832] WARNING: possible circular locking dependency detected
      [  440.224833] 5.1.0-rc2+ #22 Not tainted
      [  440.224834] ------------------------------------------------------
      [  440.224835] kworker/u16:28/2362 is trying to acquire lock:
      [  440.224836] 0000000089b8cacf (&(&q->lock)->rlock#2){+.-.}, at: mt76_wake_tx_queue+0x4c/0xb0 [mt76]
      [  440.224842]
                     but task is already holding lock:
      [  440.224842] 000000002cfedc59 (&(&sta->lock)->rlock){+.-.}, at: ieee80211_stop_tx_ba_cb+0x32/0x1f0 [mac80211]
      [  440.224863]
                     which lock already depends on the new lock.
      
      [  440.224863]
                     the existing dependency chain (in reverse order) is:
      [  440.224864]
                     -> #3 (&(&sta->lock)->rlock){+.-.}:
      [  440.224869]        _raw_spin_lock_bh+0x34/0x40
      [  440.224880]        ieee80211_start_tx_ba_session+0xe4/0x3d0 [mac80211]
      [  440.224894]        minstrel_ht_get_rate+0x45c/0x510 [mac80211]
      [  440.224906]        rate_control_get_rate+0xc1/0x140 [mac80211]
      [  440.224918]        ieee80211_tx_h_rate_ctrl+0x195/0x3c0 [mac80211]
      [  440.224930]        ieee80211_xmit_fast+0x26d/0xa50 [mac80211]
      [  440.224942]        __ieee80211_subif_start_xmit+0xfc/0x310 [mac80211]
      [  440.224954]        ieee80211_subif_start_xmit+0x38/0x390 [mac80211]
      [  440.224956]        dev_hard_start_xmit+0xb8/0x300
      [  440.224957]        __dev_queue_xmit+0x7d4/0xbb0
      [  440.224968]        ip6_finish_output2+0x246/0x860 [ipv6]
      [  440.224978]        mld_sendpack+0x1bd/0x360 [ipv6]
      [  440.224987]        mld_ifc_timer_expire+0x1a4/0x2f0 [ipv6]
      [  440.224989]        call_timer_fn+0x89/0x2a0
      [  440.224990]        run_timer_softirq+0x1bd/0x4d0
      [  440.224992]        __do_softirq+0xdb/0x47c
      [  440.224994]        irq_exit+0xfa/0x100
      [  440.224996]        smp_apic_timer_interrupt+0x9a/0x220
      [  440.224997]        apic_timer_interrupt+0xf/0x20
      [  440.224999]        cpuidle_enter_state+0xc1/0x470
      [  440.225000]        do_idle+0x21a/0x260
      [  440.225001]        cpu_startup_entry+0x19/0x20
      [  440.225004]        start_secondary+0x135/0x170
      [  440.225006]        secondary_startup_64+0xa4/0xb0
      [  440.225007]
                     -> #2 (&(&sta->rate_ctrl_lock)->rlock){+.-.}:
      [  440.225009]        _raw_spin_lock_bh+0x34/0x40
      [  440.225022]        rate_control_tx_status+0x4f/0xb0 [mac80211]
      [  440.225031]        ieee80211_tx_status_ext+0x142/0x1a0 [mac80211]
      [  440.225035]        mt76x02_send_tx_status+0x2e4/0x340 [mt76x02_lib]
      [  440.225037]        mt76x02_tx_status_data+0x31/0x40 [mt76x02_lib]
      [  440.225040]        mt76u_tx_status_data+0x51/0xa0 [mt76_usb]
      [  440.225042]        process_one_work+0x237/0x5d0
      [  440.225043]        worker_thread+0x3c/0x390
      [  440.225045]        kthread+0x11d/0x140
      [  440.225046]        ret_from_fork+0x3a/0x50
      [  440.225047]
                     -> #1 (&(&list->lock)->rlock#8){+.-.}:
      [  440.225049]        _raw_spin_lock_bh+0x34/0x40
      [  440.225052]        mt76_tx_status_skb_add+0x51/0x100 [mt76]
      [  440.225054]        mt76x02u_tx_prepare_skb+0xbd/0x116 [mt76x02_usb]
      [  440.225056]        mt76u_tx_queue_skb+0x5f/0x180 [mt76_usb]
      [  440.225058]        mt76_tx+0x93/0x190 [mt76]
      [  440.225070]        ieee80211_tx_frags+0x148/0x210 [mac80211]
      [  440.225081]        __ieee80211_tx+0x75/0x1b0 [mac80211]
      [  440.225092]        ieee80211_tx+0xde/0x110 [mac80211]
      [  440.225105]        __ieee80211_tx_skb_tid_band+0x72/0x90 [mac80211]
      [  440.225122]        ieee80211_send_auth+0x1f3/0x360 [mac80211]
      [  440.225141]        ieee80211_auth.cold.40+0x6c/0x100 [mac80211]
      [  440.225156]        ieee80211_mgd_auth.cold.50+0x132/0x15f [mac80211]
      [  440.225171]        cfg80211_mlme_auth+0x149/0x360 [cfg80211]
      [  440.225181]        nl80211_authenticate+0x273/0x2e0 [cfg80211]
      [  440.225183]        genl_family_rcv_msg+0x196/0x3a0
      [  440.225184]        genl_rcv_msg+0x47/0x8e
      [  440.225185]        netlink_rcv_skb+0x3a/0xf0
      [  440.225187]        genl_rcv+0x24/0x40
      [  440.225188]        netlink_unicast+0x16d/0x210
      [  440.225189]        netlink_sendmsg+0x204/0x3b0
      [  440.225191]        sock_sendmsg+0x36/0x40
      [  440.225193]        ___sys_sendmsg+0x259/0x2b0
      [  440.225194]        __sys_sendmsg+0x47/0x80
      [  440.225196]        do_syscall_64+0x60/0x1f0
      [  440.225197]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  440.225198]
                     -> #0 (&(&q->lock)->rlock#2){+.-.}:
      [  440.225200]        lock_acquire+0xb9/0x1a0
      [  440.225202]        _raw_spin_lock_bh+0x34/0x40
      [  440.225204]        mt76_wake_tx_queue+0x4c/0xb0 [mt76]
      [  440.225215]        ieee80211_agg_start_txq+0xe8/0x2b0 [mac80211]
      [  440.225225]        ieee80211_stop_tx_ba_cb+0xb8/0x1f0 [mac80211]
      [  440.225235]        ieee80211_ba_session_work+0x1c1/0x2f0 [mac80211]
      [  440.225236]        process_one_work+0x237/0x5d0
      [  440.225237]        worker_thread+0x3c/0x390
      [  440.225239]        kthread+0x11d/0x140
      [  440.225240]        ret_from_fork+0x3a/0x50
      [  440.225240]
                     other info that might help us debug this:
      
      [  440.225241] Chain exists of:
                       &(&q->lock)->rlock#2 --> &(&sta->rate_ctrl_lock)->rlock --> &(&sta->lock)->rlock
      
      [  440.225243]  Possible unsafe locking scenario:
      
      [  440.225244]        CPU0                    CPU1
      [  440.225244]        ----                    ----
      [  440.225245]   lock(&(&sta->lock)->rlock);
      [  440.225245]                                lock(&(&sta->rate_ctrl_lock)->rlock);
      [  440.225246]                                lock(&(&sta->lock)->rlock);
      [  440.225247]   lock(&(&q->lock)->rlock#2);
      [  440.225248]
                      *** DEADLOCK ***
      
      [  440.225249] 5 locks held by kworker/u16:28/2362:
      [  440.225250]  #0: 0000000048fcd291 ((wq_completion)phy0){+.+.}, at: process_one_work+0x1b5/0x5d0
      [  440.225252]  #1: 00000000f1c6828f ((work_completion)(&sta->ampdu_mlme.work)){+.+.}, at: process_one_work+0x1b5/0x5d0
      [  440.225254]  #2: 00000000433d2b2c (&sta->ampdu_mlme.mtx){+.+.}, at: ieee80211_ba_session_work+0x5c/0x2f0 [mac80211]
      [  440.225265]  #3: 000000002cfedc59 (&(&sta->lock)->rlock){+.-.}, at: ieee80211_stop_tx_ba_cb+0x32/0x1f0 [mac80211]
      [  440.225276]  #4: 000000009d7b9a44 (rcu_read_lock){....}, at: ieee80211_agg_start_txq+0x33/0x2b0 [mac80211]
      [  440.225286]
                     stack backtrace:
      [  440.225288] CPU: 2 PID: 2362 Comm: kworker/u16:28 Not tainted 5.1.0-rc2+ #22
      [  440.225289] Hardware name: LENOVO 20KGS23S0P/20KGS23S0P, BIOS N23ET55W (1.30 ) 08/31/2018
      [  440.225300] Workqueue: phy0 ieee80211_ba_session_work [mac80211]
      [  440.225301] Call Trace:
      [  440.225304]  dump_stack+0x85/0xc0
      [  440.225306]  print_circular_bug.isra.38.cold.58+0x15c/0x195
      [  440.225307]  check_prev_add.constprop.48+0x5f0/0xc00
      [  440.225309]  ? check_prev_add.constprop.48+0x39d/0xc00
      [  440.225311]  ? __lock_acquire+0x41d/0x1100
      [  440.225312]  __lock_acquire+0xd98/0x1100
      [  440.225313]  ? __lock_acquire+0x41d/0x1100
      [  440.225315]  lock_acquire+0xb9/0x1a0
      [  440.225317]  ? mt76_wake_tx_queue+0x4c/0xb0 [mt76]
      [  440.225319]  _raw_spin_lock_bh+0x34/0x40
      [  440.225321]  ? mt76_wake_tx_queue+0x4c/0xb0 [mt76]
      [  440.225323]  mt76_wake_tx_queue+0x4c/0xb0 [mt76]
      [  440.225334]  ieee80211_agg_start_txq+0xe8/0x2b0 [mac80211]
      [  440.225344]  ieee80211_stop_tx_ba_cb+0xb8/0x1f0 [mac80211]
      [  440.225354]  ieee80211_ba_session_work+0x1c1/0x2f0 [mac80211]
      [  440.225356]  process_one_work+0x237/0x5d0
      [  440.225358]  worker_thread+0x3c/0x390
      [  440.225359]  ? wq_calc_node_cpumask+0x70/0x70
      [  440.225360]  kthread+0x11d/0x140
      [  440.225362]  ? kthread_create_on_node+0x40/0x40
      [  440.225363]  ret_from_fork+0x3a/0x50
      
      Cc: stable@vger.kernel.org
      Fixes: 88046b2c ("mt76: add support for reporting tx status with skb")
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • rt2x00: do not increment sequence number while re-transmitting · 746ba11f
      Vijayakumar Durai authored
      Currently rt2x00 devices retransmit the management frames with
      incremented sequence number if hardware is assigning the sequence.
      
      This is HW bug fixed already for non-QOS data frames, but it should
      be fixed for management frames except beacon.
      
      Without fix retransmitted frames have wrong SN:
      
       AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1
       AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1
       AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1
      
      With the fix SN stays correctly the same:
      
       88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C
       88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
       88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
      [sgruszka: simplify code, change comments and changelog]
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mt76: mt7603: send BAR after powersave wakeup · 9dc27bcb
      Felix Fietkau authored
      Now that the sequence number allocation is fixed, we can finally send a BAR
      at powersave wakeup time to refresh the receiver side reorder window
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mt76: mt7603: fix sequence number assignment · aa3cb24b
      Felix Fietkau authored
      If the MT_TXD3_SN_VALID flag is not set in the tx descriptor, the hardware
      assigns the sequence number. However, the rest of the code assumes that the
      sequence number specified in the 802.11 header gets transmitted.
      This was causing issues with the aggregation setup, which worked for the
      initial one (where the sequence numbers were still close), but not for
      further teardown/re-establishing of sessions.
      
      Additionally, the overwrite of the TID sequence number in WTBL2 was resetting
      the hardware assigned sequence numbers, causing them to drift further apart.
      
      Fix this by using the software assigned sequence numbers
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mt76: mt7603: add missing initialization for dev->ps_lock · 2170e215
      Felix Fietkau authored
      Fixes lockdep complaint and a potential race condition
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • udpv6: Check address length before reading address family · bddc028a
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to udpv6_pre_connect()
      is shorter than sizeof("struct sockaddr"->sa_family) bytes.
      
      (This patch is bogus if it is guaranteed that udpv6_pre_connect() is
      always called after checking "struct sockaddr"->sa_family. In that case,
      we want a comment why we don't need to check valid address length here.)
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: Song Liu <songliubraving@fb.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: Check address length before reading address family · ba024f25
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to bpf_bind() is
      shorter than sizeof("struct sockaddr"->sa_family) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: Andrey Ignatov <rdna@fb.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ba024f25
    • llc: Check address length before reading address field · c68e747d
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to bind() is shorter
      than sizeof(struct sockaddr_llc) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c68e747d
    • Bluetooth: Check address length before reading address field · bd7d46dd
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to bind() is shorter
      than sizeof(struct sockaddr_sco) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bd7d46dd
    • rxrpc: Check address length before reading srx_service field · a9107a14
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to bind() is shorter
      than sizeof(struct sockaddr_rxrpc) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a9107a14
    • net: netlink: Check address length before reading groups field · d852be84
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to bind() is shorter
      than sizeof(struct sockaddr_nl) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      d852be84
    • sctp: Check address length before reading address family · 175f7c1f
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to connect() is shorter
      than sizeof("struct sockaddr"->sa_family) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      175f7c1f
    • mISDN: Check address length before reading address family · 238ffdc4
      Tetsuo Handa authored
      KMSAN will complain if valid address length passed to bind() is shorter
      than sizeof("struct sockaddr_mISDN"->family) bytes.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      238ffdc4
    • net/rds: Check address length before reading address family · dd3ac9a6
      Tetsuo Handa authored
      syzbot is reporting uninitialized value at rds_connect() [1] and
      rds_bind() [2]. This is because syzbot is passing ulen == 0 whereas
      these functions expect that it is safe to access sockaddr->family field
      in order to determine minimal address length for validation.
      
      [1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71
      [2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f
      Reported-by: syzbot <syzbot+0049bebbf3042dbd2e8f@syzkaller.appspotmail.com>
      Reported-by: syzbot <syzbot+915c9f99f3dbc4bd6cd1@syzkaller.appspotmail.com>
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      dd3ac9a6
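The ordering problem that the "Check address length" commits above address, shown as an added userspace example (not the kernel code from these commits): the family field must be covered by the caller-supplied length before it is read to choose the minimum address size. `END_OF`, `check_addr` and `check_sample` are hypothetical names, and the AF_INET/AF_INET6 sizes are an assumption chosen for illustration.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical macro: bytes needed to cover a struct up to and including a member. */
#define END_OF(type, member) (offsetof(type, member) + sizeof(((type *)0)->member))

/*
 * Hypothetical bind()/connect()-style validator, not kernel code. Only the
 * first `len` bytes of `buf` are caller-supplied; the rest is uninitialized.
 */
int check_addr(const void *buf, size_t len)
{
    sa_family_t family;

    /* Step 1: the family field itself must lie inside the supplied bytes. */
    if (len < END_OF(struct sockaddr, sa_family))
        return -EINVAL;
    memcpy(&family, (const char *)buf + offsetof(struct sockaddr, sa_family),
           sizeof(family));

    /* Step 2: only now may the family select the minimum address length. */
    switch (family) {
    case AF_INET:
        return len >= sizeof(struct sockaddr_in) ? 0 : -EINVAL;
    case AF_INET6:
        return len >= sizeof(struct sockaddr_in6) ? 0 : -EINVAL;
    default:
        return -EAFNOSUPPORT;
    }
}

/* Constructed sample input: zeroed storage with only the family set. */
int check_sample(sa_family_t family, size_t len)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof(ss));
    ss.ss_family = family;
    return check_addr(&ss, len);
}

int main(void)
{
    printf("%d %d\n", check_sample(AF_INET6, 0),
           check_sample(AF_INET6, sizeof(struct sockaddr_in6)));
    return 0;
}
```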
    • dctcp: more accurate tracking of packets delivery · e3058450
      Eric Dumazet authored
      After commit e21db6f6 ("tcp: track total bytes delivered with ECN CE marks")
      core TCP stack does a very good job tracking ECN signals.
      
      The "sender's best estimate of CE information" Yuchung mentioned in his
      patch is indeed the best we can do.
      
      DCTCP can use tp->delivered_ce and tp->delivered to not duplicate the logic,
      and use the existing best estimate.
      
      This solves some problems, since current DCTCP logic does not deal with losses
      and/or GRO or ack aggregation very well.
      
      This also removes a dubious use of inet_csk(sk)->icsk_ack.rcv_mss
      (this should have been tp->mss_cache), and a 64 bit divide.
      
      Finally, we can see that the DCTCP logic, calling dctcp_update_alpha() for
      every ACK could be done differently, calling it only once per RTT.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Soheil Hassas Yeganeh <soheil@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Lawrence Brakmo <brakmo@fb.com>
      Cc: Abdul Kabbani <akabbani@google.com>
      Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      e3058450
  5. 11 Apr, 2019 4 commits
    • selftests: fib_tests: Fix 'Command line is not complete' errors · a5f62298
      David Ahern authored
      A couple of tests are verifying a route has been removed. The helper
      expects the prefix as the first part of the expected output. When
      checking that a route has been deleted the prefix is empty leading
      to an invalid ip command:
      
        $ ip ro ls match
        Command line is not complete. Try option "help"
      
      Fix by moving the comparison of expected output and output to a new
      function that is used by both check_route and check_route6. Use the
      new helper for the 2 checks on route removal.
      
      Also, remove the reset of 'set -x' in route_setup which overrides the
      user managed setting.
      
      Fixes: d69faad7 ("selftests: fib_tests: Add prefix route tests with metric")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a5f62298
    • net: netrom: Fix error cleanup path of nr_proto_init · d3706566
      YueHaibing authored
      Syzkaller reports this:
      
      BUG: unable to handle kernel paging request at fffffbfff830524b
      PGD 237fe8067 P4D 237fe8067 PUD 237e64067 PMD 1c9716067 PTE 0
      Oops: 0000 [#1] SMP KASAN PTI
      CPU: 1 PID: 4465 Comm: syz-executor.0 Not tainted 5.0.0+ #5
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:__list_add_valid+0x21/0xe0 lib/list_debug.c:23
      Code: 8b 0c 24 e9 17 fd ff ff 90 55 48 89 fd 48 8d 7a 08 53 48 89 d3 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 48 83 ec 08 <80> 3c 02 00 0f 85 8b 00 00 00 48 8b 53 08 48 39 f2 75 35 48 89 f2
      RSP: 0018:ffff8881ea2278d0 EFLAGS: 00010282
      RAX: dffffc0000000000 RBX: ffffffffc1829250 RCX: 1ffff1103d444ef4
      RDX: 1ffffffff830524b RSI: ffffffff85659300 RDI: ffffffffc1829258
      RBP: ffffffffc1879250 R08: fffffbfff0acb269 R09: fffffbfff0acb269
      R10: ffff8881ea2278f0 R11: fffffbfff0acb268 R12: ffffffffc1829250
      R13: dffffc0000000000 R14: 0000000000000008 R15: ffffffffc187c830
      FS:  00007fe0361df700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: fffffbfff830524b CR3: 00000001eb39a001 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       __list_add include/linux/list.h:60 [inline]
       list_add include/linux/list.h:79 [inline]
       proto_register+0x444/0x8f0 net/core/sock.c:3375
       nr_proto_init+0x73/0x4b3 [netrom]
       ? 0xffffffffc1628000
       ? 0xffffffffc1628000
       do_one_initcall+0xbc/0x47d init/main.c:887
       do_init_module+0x1b5/0x547 kernel/module.c:3456
       load_module+0x6405/0x8c10 kernel/module.c:3804
       __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
       do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fe0361dec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00007fe0361dec70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe0361df6bc
      R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      Modules linked in: netrom(+) ax25 fcrypt pcbc af_alg arizona_ldo1 v4l2_common videodev media v4l2_dv_timings hdlc ide_cd_mod snd_soc_sigmadsp_regmap snd_soc_sigmadsp intel_spi_platform intel_spi mtd spi_nor snd_usbmidi_lib usbcore lcd ti_ads7950 hi6421_regulator snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_hda_ext_core snd_hda_core snd_soc_rt5663 snd_soc_core snd_pcm_dmaengine snd_compress snd_soc_rl6231 mac80211 rtc_rc5t583 spi_slave_time leds_pwm hid_gt683r hid industrialio_triggered_buffer kfifo_buf industrialio ir_kbd_i2c rc_core led_class_flash dwc_xlgmac snd_ymfpci gameport snd_mpu401_uart snd_rawmidi snd_ac97_codec snd_pcm ac97_bus snd_opl3_lib snd_timer snd_seq_device snd_hwdep snd soundcore iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan
       bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ide_pci_generic piix aesni_intel aes_x86_64 crypto_simd cryptd glue_helper ide_core psmouse input_leds i2c_piix4 serio_raw intel_agp intel_gtt ata_generic agpgart pata_acpi parport_pc rtc_cmos parport floppy sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: rxrpc]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      CR2: fffffbfff830524b
      ---[ end trace 039ab24b305c4b19 ]---
      
      If nr_proto_init failed, it may forget to call proto_unregister,
      triggering this issue. This patch rearranges the code of nr_proto_init
      to avoid such issues.
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      d3706566
    • net: fec: manage ahb clock in runtime pm · d7c3a206
      Andy Duan authored
      Some SOC like i.MX6SX clock have some limits:
      - ahb clock should be disabled before ipg.
      - ahb and ipg clocks are required for MAC MII bus.
      So, move the ahb clock to runtime management together with
      ipg clock.
      Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      d7c3a206
    • net: bridge: multicast: use rcu to access port list from br_multicast_start_querier · c5b493ce
      Nikolay Aleksandrov authored
      br_multicast_start_querier() walks over the port list but it can be
      called from a timer with only multicast_lock held which doesn't protect
      the port list, so use RCU to walk over it.
      
      Fixes: c83b8fab ("bridge: Restart queries when last querier expires")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c5b493ce