1. 08 Sep, 2018 1 commit
  2. 07 Sep, 2018 2 commits
    • Maciej S. Szmigiero's avatar
      r8169: set TxConfig register after TX / RX is enabled, just like RxConfig · f74dd480
      Maciej S. Szmigiero authored
      Commit 3559d81e ("r8169: simplify rtl_hw_start_8169") changed order of
      two register writes:
      1) Caused RxConfig to be written before TX / RX is enabled,
      2) Caused TxConfig to be written before TX / RX is enabled.
      
      At least on XIDs 10000000 ("RTL8169sb/8110sb") and
      18000000 ("RTL8169sc/8110sc") such writes are ignored by the chip, leaving
      values in these registers intact.
      
      Change 1) was reverted by
      commit 05212ba8 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices"),
      however change 2) wasn't.
      
      In practice, this caused TxConfig's "InterFrameGap time" and "Max DMA Burst
      Size per Tx DMA Burst" bits to be zero dramatically reducing TX performance
      (in my tests it dropped from around 500Mbps to around 50Mbps).
      
      This patch fixes the issue by moving TxConfig register write a bit later in
      the code so it happens after TX / RX is already enabled.
      
      Fixes: 05212ba8 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices")
      Signed-off-by: default avatarMaciej S. Szmigiero <mail@maciej.szmigiero.name>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f74dd480
    • Cong Wang's avatar
      tipc: call start and done ops directly in __tipc_nl_compat_dumpit() · 8f5c5fcf
      Cong Wang authored
      __tipc_nl_compat_dumpit() uses a netlink_callback on stack,
      so the only way to align it with other ->dumpit() call path
      is calling tipc_dump_start() and tipc_dump_done() directly
      inside it. Otherwise ->dumpit() would always get NULL from
      cb->args[].
      
      But tipc_dump_start() uses sock_net(cb->skb->sk) to retrieve
      net pointer, the cb->skb here doesn't set skb->sk, the net pointer
      is saved in msg->net instead, so introduce a helper function
      __tipc_dump_start() to pass in msg->net.
      
      Ying pointed out cb->args[0...3] are already used by other
      callbacks on this call path, so we can't use cb->args[0] any
      more, use cb->args[4] instead.
      
      Fixes: 9a07efa9 ("tipc: switch to rhashtable iterator")
      Reported-and-tested-by: syzbot+e93a2c41f91b8e2c7d9b@syzkaller.appspotmail.com
      Cc: Jon Maloy <jon.maloy@ericsson.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8f5c5fcf
  3. 06 Sep, 2018 17 commits
  4. 05 Sep, 2018 3 commits
  5. 04 Sep, 2018 17 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 28619527
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Must perform TXQ teardown before unregistering interfaces in
          mac80211, from Toke Høiland-Jørgensen.
      
       2) Don't allow creating mac80211_hwsim with less than one channel, from
          Johannes Berg.
      
       3) Division by zero in cfg80211, fix from Johannes Berg.
      
       4) Fix endian issue in tipc, from Haiqing Bai.
      
       5) BPF sockmap use-after-free fixes from Daniel Borkmann.
      
       6) Spectre-v1 in mac80211_hwsim, from Jinbum Park.
      
       7) Missing rhashtable_walk_exit() in tipc, from Cong Wang.
      
       8) Revert kvzalloc() conversion of AF_PACKET, it breaks mmap() when
          kvzalloc() tries to use kmalloc() pages. From Eric Dumazet.
      
       9) Fix deadlock in hv_netvsc, from Dexuan Cui.
      
      10) Do not restart timewait timer on RST, from Florian Westphal.
      
      11) Fix double lwstate refcount grab in ipv6, from Alexey Kodanev.
      
      12) Unsolicit report count handling is off-by-one, fix from Hangbin Liu.
      
      13) Sleep-in-atomic in cadence driver, from Jia-Ju Bai.
      
      14) Respect ttl-inherit in ip6 tunnel driver, from Hangbin Liu.
      
      15) Use-after-free in act_ife, fix from Cong Wang.
      
      16) Missing hold to meta module in act_ife, from Vlad Buslov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (91 commits)
        net: phy: sfp: Handle unimplemented hwmon limits and alarms
        net: sched: action_ife: take reference to meta module
        act_ife: fix a potential use-after-free
        net/mlx5: Fix SQ offset in QPs with small RQ
        tipc: correct spelling errors for tipc_topsrv_queue_evt() comments
        tipc: correct spelling errors for struct tipc_bc_base's comment
        bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA.
        bnxt_en: Clean up unused functions.
        bnxt_en: Fix firmware signaled resource change logic in open.
        sctp: not traverse asoc trans list if non-ipv6 trans exists for ipv6_flowlabel
        sctp: fix invalid reference to the index variable of the iterator
        net/ibm/emac: wrong emac_calc_base call was used by typo
        net: sched: null actions array pointer before releasing action
        vhost: fix VHOST_GET_BACKEND_FEATURES ioctl request definition
        r8169: add support for NCube 8168 network card
        ip6_tunnel: respect ttl inherit for ip6tnl
        mac80211: shorten the IBSS debug messages
        mac80211: don't Tx a deauth frame if the AP forbade Tx
        mac80211: Fix station bandwidth setting after channel switch
        mac80211: fix a race between restart and CSA flows
        ...
      28619527
    • Andrew Lunn's avatar
      net: phy: sfp: Handle unimplemented hwmon limits and alarms · a33710bd
      Andrew Lunn authored
      Not all SFPs implement the registers containing sensor limits and
      alarms. Luckily, there is a bit indicating if they are implemented or
      not. Add checking for this bit, when deciding if the hwmon attributes
      should be visible.
      
      Fixes: 1323061a ("net: phy: sfp: Add HWMON support for module sensors")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a33710bd
    • Vlad Buslov's avatar
      net: sched: action_ife: take reference to meta module · 84cb8eb2
      Vlad Buslov authored
      Recent refactoring of add_metainfo() caused use_all_metadata() to add
      metainfo to ife action metalist without taking reference to module. This
      causes warning in module_put called from ife action cleanup function.
      
      Implement add_metainfo_and_get_ops() function that returns with reference
      to module taken if metainfo was added successfully, and call it from
      use_all_metadata(), instead of calling __add_metainfo() directly.
      
      Example warning:
      
      [  646.344393] WARNING: CPU: 1 PID: 2278 at kernel/module.c:1139 module_put+0x1cb/0x230
      [  646.352437] Modules linked in: act_meta_skbtcindex act_meta_mark act_meta_skbprio act_ife ife veth nfsv3 nfs fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c tun ebtable_filter ebtables ip6table_filter ip6_tables bridge stp llc mlx5_ib ib_uverbs ib_core intel_rapl sb_edac x86_pkg_temp_thermal mlx5_core coretemp kvm_intel kvm nfsd igb irqbypass crct10dif_pclmul devlink crc32_pclmul mei_me joydev ses crc32c_intel enclosure auth_rpcgss i2c_algo_bit ioatdma ptp mei pps_core ghash_clmulni_intel iTCO_wdt iTCO_vendor_support pcspkr dca ipmi_ssif lpc_ich target_core_mod i2c_i801 ipmi_si ipmi_devintf pcc_cpufreq wmi ipmi_msghandler nfs_acl lockd acpi_pad acpi_power_meter grace sunrpc mpt3sas raid_class scsi_transport_sas
      [  646.425631] CPU: 1 PID: 2278 Comm: tc Not tainted 4.19.0-rc1+ #799
      [  646.432187] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
      [  646.440595] RIP: 0010:module_put+0x1cb/0x230
      [  646.445238] Code: f3 66 94 02 e8 26 ff fa ff 85 c0 74 11 0f b6 1d 51 30 94 02 80 fb 01 77 60 83 e3 01 74 13 65 ff 0d 3a 83 db 73 e9 2b ff ff ff <0f> 0b e9 00 ff ff ff e8 59 01 fb ff 85 c0 75 e4 48 c7 c2 20 62 6b
      [  646.464997] RSP: 0018:ffff880354d37068 EFLAGS: 00010286
      [  646.470599] RAX: 0000000000000000 RBX: ffffffffc0a52518 RCX: ffffffff8c2668db
      [  646.478118] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffc0a52518
      [  646.485641] RBP: ffffffffc0a52180 R08: fffffbfff814a4a4 R09: fffffbfff814a4a3
      [  646.493164] R10: ffffffffc0a5251b R11: fffffbfff814a4a4 R12: 1ffff1006a9a6e0d
      [  646.500687] R13: 00000000ffffffff R14: ffff880362bab890 R15: dead000000000100
      [  646.508213] FS:  00007f4164c99800(0000) GS:ffff88036fe40000(0000) knlGS:0000000000000000
      [  646.516961] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  646.523080] CR2: 00007f41638b8420 CR3: 0000000351df0004 CR4: 00000000001606e0
      [  646.530595] Call Trace:
      [  646.533408]  ? find_symbol_in_section+0x260/0x260
      [  646.538509]  tcf_ife_cleanup+0x11b/0x200 [act_ife]
      [  646.543695]  tcf_action_cleanup+0x29/0xa0
      [  646.548078]  __tcf_action_put+0x5a/0xb0
      [  646.552289]  ? nla_put+0x65/0xe0
      [  646.555889]  __tcf_idr_release+0x48/0x60
      [  646.560187]  tcf_generic_walker+0x448/0x6b0
      [  646.564764]  ? tcf_action_dump_1+0x450/0x450
      [  646.569411]  ? __lock_is_held+0x84/0x110
      [  646.573720]  ? tcf_ife_walker+0x10c/0x20f [act_ife]
      [  646.578982]  tca_action_gd+0x972/0xc40
      [  646.583129]  ? tca_get_fill.constprop.17+0x250/0x250
      [  646.588471]  ? mark_lock+0xcf/0x980
      [  646.592324]  ? check_chain_key+0x140/0x1f0
      [  646.596832]  ? debug_show_all_locks+0x240/0x240
      [  646.601839]  ? memset+0x1f/0x40
      [  646.605350]  ? nla_parse+0xca/0x1a0
      [  646.609217]  tc_ctl_action+0x215/0x230
      [  646.613339]  ? tcf_action_add+0x220/0x220
      [  646.617748]  rtnetlink_rcv_msg+0x56a/0x6d0
      [  646.622227]  ? rtnl_fdb_del+0x3f0/0x3f0
      [  646.626466]  netlink_rcv_skb+0x18d/0x200
      [  646.630752]  ? rtnl_fdb_del+0x3f0/0x3f0
      [  646.634959]  ? netlink_ack+0x500/0x500
      [  646.639106]  netlink_unicast+0x2d0/0x370
      [  646.643409]  ? netlink_attachskb+0x340/0x340
      [  646.648050]  ? _copy_from_iter_full+0xe9/0x3e0
      [  646.652870]  ? import_iovec+0x11e/0x1c0
      [  646.657083]  netlink_sendmsg+0x3b9/0x6a0
      [  646.661388]  ? netlink_unicast+0x370/0x370
      [  646.665877]  ? netlink_unicast+0x370/0x370
      [  646.670351]  sock_sendmsg+0x6b/0x80
      [  646.674212]  ___sys_sendmsg+0x4a1/0x520
      [  646.678443]  ? copy_msghdr_from_user+0x210/0x210
      [  646.683463]  ? lock_downgrade+0x320/0x320
      [  646.687849]  ? debug_show_all_locks+0x240/0x240
      [  646.692760]  ? do_raw_spin_unlock+0xa2/0x130
      [  646.697418]  ? _raw_spin_unlock+0x24/0x30
      [  646.701798]  ? __handle_mm_fault+0x1819/0x1c10
      [  646.706619]  ? __pmd_alloc+0x320/0x320
      [  646.710738]  ? debug_show_all_locks+0x240/0x240
      [  646.715649]  ? restore_nameidata+0x7b/0xa0
      [  646.720117]  ? check_chain_key+0x140/0x1f0
      [  646.724590]  ? check_chain_key+0x140/0x1f0
      [  646.729070]  ? __fget_light+0xbc/0xd0
      [  646.733121]  ? __sys_sendmsg+0xd7/0x150
      [  646.737329]  __sys_sendmsg+0xd7/0x150
      [  646.741359]  ? __ia32_sys_shutdown+0x30/0x30
      [  646.746003]  ? up_read+0x53/0x90
      [  646.749601]  ? __do_page_fault+0x484/0x780
      [  646.754105]  ? do_syscall_64+0x1e/0x2c0
      [  646.758320]  do_syscall_64+0x72/0x2c0
      [  646.762353]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  646.767776] RIP: 0033:0x7f4163872150
      [  646.771713] Code: 8b 15 3c 7d 2b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d b9 d5 2b 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be cd 00 00 48 89 04 24
      [  646.791474] RSP: 002b:00007ffdef7d6b58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  646.799721] RAX: ffffffffffffffda RBX: 0000000000000024 RCX: 00007f4163872150
      [  646.807240] RDX: 0000000000000000 RSI: 00007ffdef7d6bd0 RDI: 0000000000000003
      [  646.814760] RBP: 000000005b8b9482 R08: 0000000000000001 R09: 0000000000000000
      [  646.822286] R10: 00000000000005e7 R11: 0000000000000246 R12: 00007ffdef7dad20
      [  646.829807] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000679bc0
      [  646.837360] irq event stamp: 6083
      [  646.841043] hardirqs last  enabled at (6081): [<ffffffff8c220a7d>] __call_rcu+0x17d/0x500
      [  646.849882] hardirqs last disabled at (6083): [<ffffffff8c004f06>] trace_hardirqs_off_thunk+0x1a/0x1c
      [  646.859775] softirqs last  enabled at (5968): [<ffffffff8d4004a1>] __do_softirq+0x4a1/0x6ee
      [  646.868784] softirqs last disabled at (6082): [<ffffffffc0a78759>] tcf_ife_cleanup+0x39/0x200 [act_ife]
      [  646.878845] ---[ end trace b1b8c12ffe51e657 ]---
      
      Fixes: 5ffe57da ("act_ife: fix a potential deadlock")
      Signed-off-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84cb8eb2
    • Cong Wang's avatar
      act_ife: fix a potential use-after-free · 6d784f16
      Cong Wang authored
      Immediately after module_put(), user could delete this
      module, so e->ops could be already freed before we call
      e->ops->release().
      
      Fix this by moving module_put() after ops->release().
      
      Fixes: ef6980b6 ("introduce IFE action")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d784f16
    • Tariq Toukan's avatar
      net/mlx5: Fix SQ offset in QPs with small RQ · 639505d4
      Tariq Toukan authored
      Correct the formula for calculating the RQ page remainder,
      which should be in byte granularity.  The result will be
      non-zero only for RQs smaller than PAGE_SIZE, as an RQ size
      is a power of 2.
      
      Divide this by the SQ stride (MLX5_SEND_WQE_BB) to get the
      SQ offset in strides granularity.
      
      Fixes: d7037ad7 ("net/mlx5: Fix QP fragmented buffer allocation")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Reviewed-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      639505d4
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2018-09-03' of... · fc3e3bf5
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2018-09-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Here are quite a large number of fixes, notably:
       * various A-MSDU building fixes (currently only affects mt76)
       * syzkaller & spectre fixes in hwsim
       * TXQ vs. teardown fix that was causing crashes
       * embed WMM info in reg rule, bad code here had been causing crashes
       * one compilation issue with fix from Arnd (rfkill-gpio includes)
       * fixes for a race and bad data during/after channel switch
       * nl80211: a validation fix, attribute type & unit fixes
      along with other small fixes.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc3e3bf5
    • Zhenbo Gao's avatar
      tipc: correct spelling errors for tipc_topsrv_queue_evt() comments · a484ef34
      Zhenbo Gao authored
      tipc_conn_queue_evt -> tipc_topsrv_queue_evt
      tipc_send_work -> tipc_conn_send_work
      tipc_send_to_sock -> tipc_conn_send_to_sock
      Signed-off-by: default avatarZhenbo Gao <zhenbo.gao@windriver.com>
      Reviewed-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a484ef34
    • Zhenbo Gao's avatar
      tipc: correct spelling errors for struct tipc_bc_base's comment · 9cc1bf39
      Zhenbo Gao authored
      Trivial fix for two spelling mistakes.
      Signed-off-by: default avatarZhenbo Gao <zhenbo.gao@windriver.com>
      Reviewed-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9cc1bf39
    • David S. Miller's avatar
      Merge branch 'bnxt_en-Bug-fixes' · a104d18d
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: Bug fixes.
      
      This short series fixes resource related logic in the driver, mostly
      affecting the RDMA driver under corner cases.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a104d18d
    • Michael Chan's avatar
      bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA. · 00fe9c32
      Michael Chan authored
      Currently, the driver adjusts the bp->hw_resc.max_cp_rings by the number
      of MSIX vectors used by RDMA.  There is one code path in open that needs
      to check the true max_cp_rings including any used by RDMA.  This code
      is now checking for the reduced max_cp_rings which will fail when the
      number of cp rings is very small.
      
      To fix this in a clean way, we don't adjust max_cp_rings anymore.
      Instead, we add a helper bnxt_get_max_func_cp_rings_for_en() to get the
      reduced max_cp_rings when appropriate.
      
      Fixes: ec86f14e ("bnxt_en: Add ULP calls to stop and restart IRQs.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      00fe9c32
    • Michael Chan's avatar
      bnxt_en: Clean up unused functions. · ad95c27b
      Michael Chan authored
      Remove unused bnxt_subtract_ulp_resources().  Change
      bnxt_get_max_func_irqs() to static since it is only locally used.
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad95c27b
    • Michael Chan's avatar
      bnxt_en: Fix firmware signaled resource change logic in open. · 6b95c3e9
      Michael Chan authored
      When the driver detects that resources have changed during open, it
      should reset the rx and tx rings to 0.  This will properly setup the
      init sequence to initialize the default rings again.  We also need
      to signal the RDMA driver to stop and clear its interrupts.  We then
      call the RoCE driver to restart if a new set of default rings is
      successfully reserved.
      
      Fixes: 25e1acd6 ("bnxt_en: Notify firmware about IF state changes.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b95c3e9
    • David S. Miller's avatar
      Merge branch 'sctp-two-fixes-for-spp_ipv6_flowlabel-and-spp_dscp-sockopts' · 6570aa1d
      David S. Miller authored
      Xin Long says:
      
      ====================
      sctp: two fixes for spp_ipv6_flowlabel and spp_dscp sockopts
      
      This patchset fixes two problems in sctp_apply_peer_addr_params()
      when setting spp_ipv6_flowlabel or spp_dscp.
      ====================
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6570aa1d
    • Xin Long's avatar
      sctp: not traverse asoc trans list if non-ipv6 trans exists for ipv6_flowlabel · 741880e1
      Xin Long authored
      When users set params.spp_address and get a trans, ipv6_flowlabel flag
      should be applied into this trans. But even if this one is not an ipv6
      trans, it should not go to apply it into all other transes of the asoc
      but simply ignore it.
      
      Fixes: 0b0dce7a ("sctp: add spp_ipv6_flowlabel and spp_dscp for sctp_paddrparams")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      741880e1
    • Xin Long's avatar
      sctp: fix invalid reference to the index variable of the iterator · af8a2b8b
      Xin Long authored
      Now in sctp_apply_peer_addr_params(), if SPP_IPV6_FLOWLABEL flag is set
      and trans is NULL, it would use trans as the index variable to traverse
      transport_addr_list, then trans is set as the last transport of it.
      
      Later, if SPP_DSCP flag is set, it would enter into the wrong branch as
      trans is actually an invalid reference.
      
      So fix it by using a new index variable to traverse transport_addr_list
      for both SPP_DSCP and SPP_IPV6_FLOWLABEL flags process.
      
      Fixes: 0b0dce7a ("sctp: add spp_ipv6_flowlabel and spp_dscp for sctp_paddrparams")
      Reported-by: default avatarJulia Lawall <julia.lawall@lip6.fr>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af8a2b8b
    • Ivan Mikhaylov's avatar
      net/ibm/emac: wrong emac_calc_base call was used by typo · bf68066f
      Ivan Mikhaylov authored
      __emac_calc_base_mr1 was used instead of __emac4_calc_base_mr1
      by copy-paste mistake for emac4syn.
      
      Fixes: 45d6e545 ("net/ibm/emac: add 8192 rx/tx fifo size")
      Signed-off-by: default avatarIvan Mikhaylov <ivan@de.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf68066f
    • Vlad Buslov's avatar
      net: sched: null actions array pointer before releasing action · c10bbfae
      Vlad Buslov authored
      Currently, tcf_action_delete() nulls actions array pointer after putting
      and deleting it. However, if tcf_idr_delete_index() returns an error,
      pointer to action is not set to null. That results it being released second
      time in error handling code of tca_action_gd().
      
      Kasan error:
      
      [  807.367755] ==================================================================
      [  807.375844] BUG: KASAN: use-after-free in tc_setup_cb_call+0x14e/0x250
      [  807.382763] Read of size 8 at addr ffff88033e636000 by task tc/2732
      
      [  807.391289] CPU: 0 PID: 2732 Comm: tc Tainted: G        W         4.19.0-rc1+ #799
      [  807.399542] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
      [  807.407948] Call Trace:
      [  807.410763]  dump_stack+0x92/0xeb
      [  807.414456]  print_address_description+0x70/0x360
      [  807.419549]  kasan_report+0x14d/0x300
      [  807.423582]  ? tc_setup_cb_call+0x14e/0x250
      [  807.428150]  tc_setup_cb_call+0x14e/0x250
      [  807.432539]  ? nla_put+0x65/0xe0
      [  807.436146]  fl_dump+0x394/0x3f0 [cls_flower]
      [  807.440890]  ? fl_tmplt_dump+0x140/0x140 [cls_flower]
      [  807.446327]  ? lock_downgrade+0x320/0x320
      [  807.450702]  ? lock_acquire+0xe2/0x220
      [  807.454819]  ? is_bpf_text_address+0x5/0x140
      [  807.459475]  ? memcpy+0x34/0x50
      [  807.462980]  ? nla_put+0x65/0xe0
      [  807.466582]  tcf_fill_node+0x341/0x430
      [  807.470717]  ? tcf_block_put+0xe0/0xe0
      [  807.474859]  tcf_node_dump+0xdb/0xf0
      [  807.478821]  fl_walk+0x8e/0x170 [cls_flower]
      [  807.483474]  tcf_chain_dump+0x35a/0x4d0
      [  807.487703]  ? tfilter_notify+0x170/0x170
      [  807.492091]  ? tcf_fill_node+0x430/0x430
      [  807.496411]  tc_dump_tfilter+0x362/0x3f0
      [  807.500712]  ? tc_del_tfilter+0x850/0x850
      [  807.505104]  ? kasan_unpoison_shadow+0x30/0x40
      [  807.509940]  ? __mutex_unlock_slowpath+0xcf/0x410
      [  807.515031]  netlink_dump+0x263/0x4f0
      [  807.519077]  __netlink_dump_start+0x2a0/0x300
      [  807.523817]  ? tc_del_tfilter+0x850/0x850
      [  807.528198]  rtnetlink_rcv_msg+0x46a/0x6d0
      [  807.532671]  ? rtnl_fdb_del+0x3f0/0x3f0
      [  807.536878]  ? tc_del_tfilter+0x850/0x850
      [  807.541280]  netlink_rcv_skb+0x18d/0x200
      [  807.545570]  ? rtnl_fdb_del+0x3f0/0x3f0
      [  807.549773]  ? netlink_ack+0x500/0x500
      [  807.553913]  netlink_unicast+0x2d0/0x370
      [  807.558212]  ? netlink_attachskb+0x340/0x340
      [  807.562855]  ? _copy_from_iter_full+0xe9/0x3e0
      [  807.567677]  ? import_iovec+0x11e/0x1c0
      [  807.571890]  netlink_sendmsg+0x3b9/0x6a0
      [  807.576192]  ? netlink_unicast+0x370/0x370
      [  807.580684]  ? netlink_unicast+0x370/0x370
      [  807.585154]  sock_sendmsg+0x6b/0x80
      [  807.589015]  ___sys_sendmsg+0x4a1/0x520
      [  807.593230]  ? copy_msghdr_from_user+0x210/0x210
      [  807.598232]  ? do_wp_page+0x174/0x880
      [  807.602276]  ? __handle_mm_fault+0x749/0x1c10
      [  807.607021]  ? __handle_mm_fault+0x1046/0x1c10
      [  807.611849]  ? __pmd_alloc+0x320/0x320
      [  807.615973]  ? check_chain_key+0x140/0x1f0
      [  807.620450]  ? check_chain_key+0x140/0x1f0
      [  807.624929]  ? __fget_light+0xbc/0xd0
      [  807.628970]  ? __sys_sendmsg+0xd7/0x150
      [  807.633172]  __sys_sendmsg+0xd7/0x150
      [  807.637201]  ? __ia32_sys_shutdown+0x30/0x30
      [  807.641846]  ? up_read+0x53/0x90
      [  807.645442]  ? __do_page_fault+0x484/0x780
      [  807.649949]  ? do_syscall_64+0x1e/0x2c0
      [  807.654164]  do_syscall_64+0x72/0x2c0
      [  807.658198]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  807.663625] RIP: 0033:0x7f42e9870150
      [  807.667568] Code: 8b 15 3c 7d 2b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d b9 d5 2b 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be cd 00 00 48 89 04 24
      [  807.687328] RSP: 002b:00007ffdbf595b58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  807.695564] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f42e9870150
      [  807.703083] RDX: 0000000000000000 RSI: 00007ffdbf595b80 RDI: 0000000000000003
      [  807.710605] RBP: 00007ffdbf599d90 R08: 0000000000679bc0 R09: 000000000000000f
      [  807.718127] R10: 00000000000005e7 R11: 0000000000000246 R12: 00007ffdbf599d88
      [  807.725651] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      [  807.735048] Allocated by task 2687:
      [  807.738902]  kasan_kmalloc+0xa0/0xd0
      [  807.742852]  __kmalloc+0x118/0x2d0
      [  807.746615]  tcf_idr_create+0x44/0x320
      [  807.750738]  tcf_nat_init+0x41e/0x530 [act_nat]
      [  807.755638]  tcf_action_init_1+0x4e0/0x650
      [  807.760104]  tcf_action_init+0x1ce/0x2d0
      [  807.764395]  tcf_exts_validate+0x1d8/0x200
      [  807.768861]  fl_change+0x55a/0x26b4 [cls_flower]
      [  807.773845]  tc_new_tfilter+0x748/0xa20
      [  807.778051]  rtnetlink_rcv_msg+0x56a/0x6d0
      [  807.782517]  netlink_rcv_skb+0x18d/0x200
      [  807.786804]  netlink_unicast+0x2d0/0x370
      [  807.791095]  netlink_sendmsg+0x3b9/0x6a0
      [  807.795387]  sock_sendmsg+0x6b/0x80
      [  807.799240]  ___sys_sendmsg+0x4a1/0x520
      [  807.803445]  __sys_sendmsg+0xd7/0x150
      [  807.807473]  do_syscall_64+0x72/0x2c0
      [  807.811506]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  807.818776] Freed by task 2728:
      [  807.822283]  __kasan_slab_free+0x122/0x180
      [  807.826752]  kfree+0xf4/0x2f0
      [  807.830080]  __tcf_action_put+0x5a/0xb0
      [  807.834281]  tcf_action_put_many+0x46/0x70
      [  807.838747]  tca_action_gd+0x232/0xc40
      [  807.842862]  tc_ctl_action+0x215/0x230
      [  807.846977]  rtnetlink_rcv_msg+0x56a/0x6d0
      [  807.851444]  netlink_rcv_skb+0x18d/0x200
      [  807.855731]  netlink_unicast+0x2d0/0x370
      [  807.860021]  netlink_sendmsg+0x3b9/0x6a0
      [  807.864312]  sock_sendmsg+0x6b/0x80
      [  807.868166]  ___sys_sendmsg+0x4a1/0x520
      [  807.872372]  __sys_sendmsg+0xd7/0x150
      [  807.876401]  do_syscall_64+0x72/0x2c0
      [  807.880431]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  807.887704] The buggy address belongs to the object at ffff88033e636000
                      which belongs to the cache kmalloc-256 of size 256
      [  807.900909] The buggy address is located 0 bytes inside of
                      256-byte region [ffff88033e636000, ffff88033e636100)
      [  807.913155] The buggy address belongs to the page:
      [  807.918322] page:ffffea000cf98d80 count:1 mapcount:0 mapping:ffff88036f80ee00 index:0x0 compound_mapcount: 0
      [  807.928831] flags: 0x5fff8000008100(slab|head)
      [  807.933647] raw: 005fff8000008100 ffffea000db44f00 0000000400000004 ffff88036f80ee00
      [  807.942050] raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
      [  807.950456] page dumped because: kasan: bad access detected
      
      [  807.958240] Memory state around the buggy address:
      [  807.963405]  ffff88033e635f00: fc fc fc fc fb fb fb fb fb fb fb fc fc fc fc fb
      [  807.971288]  ffff88033e635f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
      [  807.979166] >ffff88033e636000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  807.994882]                    ^
      [  807.998477]  ffff88033e636080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  808.006352]  ffff88033e636100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      [  808.014230] ==================================================================
      [  808.022108] Disabling lock debugging due to kernel taint
      
      Fixes: edfaf94f ("net_sched: improve and refactor tcf_action_put_many()")
      Signed-off-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c10bbfae