1. 05 Jan, 2021 17 commits
  2. 04 Jan, 2021 19 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · a8f33c03
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Missing sanitization of rateest userspace string, bug has been
         triggered by syzbot, patch from Florian Westphal.
      
      2) Report EOPNOTSUPP on missing set features in nft_dynset, otherwise
         error reporting to userspace via EINVAL is misleading since this is
         reserved for malformed netlink requests.
      
      3) New binaries with old kernels might silently accept several set
         element expressions. New binaries set on the NFT_SET_EXPR and
         NFT_DYNSET_F_EXPR flags to request for several expressions per
         element, hence old kernels which do not support for this bail out
         with EOPNOTSUPP.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
        netfilter: nftables: add set expression flags
        netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
        netfilter: xt_RATEEST: reject non-null terminated string from userspace
      ====================
      
      Link: https://lore.kernel.org/r/20210103192920.18639-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a8f33c03
    • Jakub Kicinski's avatar
      Merge branch 'net-dsa-lantiq_gswip-two-fixes-for-net-stable' · 08ad4839
      Jakub Kicinski authored
      Martin Blumenstingl says:
      
      ====================
      net: dsa: lantiq_gswip: two fixes for -net/-stable
      
      While testing the lantiq_gswip driver in OpenWrt at least one board had
      a non-working Ethernet port connected to an internal 100Mbit/s PHY22F
      GPHY. The problem which could be observed:
      - the PHY would detect the link just fine
      - ethtool stats would see the TX counter rise
      - the RX counter in ethtool was stuck at zero
      
      It turns out that two independent patches are needed to fix this:
      - first we need to enable the MII data lines also for internal PHYs
      - second we need to program the GSWIP_MII_CFG registers for all ports
        except the CPU port
      
      These two patches have also been tested by back-porting them on top of
      Linux 5.4.86 in OpenWrt.
      
      Special thanks to Hauke for debugging and brainstorming this on IRC
      with me!
      ====================
      
      Link: https://lore.kernel.org/r/20210103012544.3259029-1-martin.blumenstingl@googlemail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      08ad4839
    • Martin Blumenstingl's avatar
      net: dsa: lantiq_gswip: Fix GSWIP_MII_CFG(p) register access · 709a3c9d
      Martin Blumenstingl authored
      There is one GSWIP_MII_CFG register for each switch-port except the CPU
      port. The register offset for the first port is 0x0, 0x02 for the
      second, 0x04 for the third and so on.
      
      Update the driver to not only restrict the GSWIP_MII_CFG registers to
      ports 0, 1 and 5. Handle ports 0..5 instead but skip the CPU port. This
      means we are not overwriting the configuration for the third port (port
      two since we start counting from zero) with the settings for the sixth
      port (with number five) anymore.
      
      The GSWIP_MII_PCDU(p) registers are not updated because there's really
      only three (one for each of the following ports: 0, 1, 5).
      
      Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200")
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Acked-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      709a3c9d
    • Martin Blumenstingl's avatar
      net: dsa: lantiq_gswip: Enable GSWIP_MII_CFG_EN also for internal PHYs · c1a9ec7e
      Martin Blumenstingl authored
      Enable GSWIP_MII_CFG_EN also for internal PHYs to make traffic flow.
      Without this the PHY link is detected properly and ethtool statistics
      for TX are increasing but there's no RX traffic coming in.
      
      Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200")
      Suggested-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Acked-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c1a9ec7e
    • Xie He's avatar
      net: lapb: Decrease the refcount of "struct lapb_cb" in lapb_device_event · b40f97b9
      Xie He authored
      In lapb_device_event, lapb_devtostruct is called to get a reference to
      an object of "struct lapb_cb". lapb_devtostruct increases the refcount
      of the object and returns a pointer to it. However, we didn't decrease
      the refcount after we finished using the pointer. This patch fixes this
      problem.
      
      Fixes: a4989fa9 ("net/lapb: support netdev events")
      Cc: Martin Schiller <ms@dev.tdt.de>
      Signed-off-by: default avatarXie He <xie.he.0141@gmail.com>
      Link: https://lore.kernel.org/r/20201231174331.64539-1-xie.he.0141@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b40f97b9
    • Heiner Kallweit's avatar
      r8169: work around power-saving bug on some chip versions · e80bd76f
      Heiner Kallweit authored
      A user reported failing network with RTL8168dp (a quite rare chip
      version). Realtek confirmed that few chip versions suffer from a PLL
      power-down hw bug.
      
      Fixes: 07df5bd8 ("r8169: power down chip in probe")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/a1c39460-d533-7f9e-fa9d-2b8990b02426@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e80bd76f
    • Bjørn Mork's avatar
      net: usb: qmi_wwan: add Quectel EM160R-GL · cfd82dfc
      Bjørn Mork authored
      New modem using ff/ff/30 for QCDM, ff/00/00 for  AT and NMEA,
      and ff/ff/ff for RMNET/QMI.
      
      T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
      D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1
      P: Vendor=2c7c ProdID=0620 Rev= 4.09
      S: Manufacturer=Quectel
      S: Product=EM160R-GL
      S: SerialNumber=e31cedc1
      C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
      E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
      E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Link: https://lore.kernel.org/r/20201230152451.245271-1-bjorn@mork.noSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cfd82dfc
    • Ido Schimmel's avatar
      selftests: mlxsw: Set headroom size of correct port · 2ff2c7e2
      Ido Schimmel authored
      The test was setting the headroom size of the wrong port. This was not
      visible because of a firmware bug that canceled this bug.
      
      Set the headroom size of the correct port, so that the test will pass
      with both old and new firmware versions.
      
      Fixes: bfa80478 ("selftests: mlxsw: Add a PFC test")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Link: https://lore.kernel.org/r/20201230114251.394009-1-idosch@idosch.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2ff2c7e2
    • Charles Keepax's avatar
      net: macb: Correct usage of MACB_CAPS_CLK_HW_CHG flag · 1d0d561a
      Charles Keepax authored
      A new flag MACB_CAPS_CLK_HW_CHG was added and all callers of
      macb_set_tx_clk were gated on the presence of this flag.
      
      -   if (!clk)
      + if (!bp->tx_clk || !(bp->caps & MACB_CAPS_CLK_HW_CHG))
      
      However the flag was not added to anything other than the new
      sama7g5_gem, turning that function call into a no op for all other
      systems. This breaks the networking on Zynq.
      
      The commit message adding this states: a new capability so that
      macb_set_tx_clock() to not be called for IPs having this
      capability
      
      This strongly implies that present of the flag was intended to skip
      the function not absence of the flag. Update the if statement to
      this effect, which repairs the existing users.
      
      Fixes: daafa1d3 ("net: macb: add capability to not set the clock rate")
      Suggested-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarCharles Keepax <ckeepax@opensource.cirrus.com>
      Reviewed-by: default avatarClaudiu Beznea <claudiu.beznea@microchip.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20210104103802.13091-1-ckeepax@opensource.cirrus.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1d0d561a
    • YANG LI's avatar
      ibmvnic: fix: NULL pointer dereference. · 862aecbd
      YANG LI authored
      The error is due to dereference a null pointer in function
      reset_one_sub_crq_queue():
      
      if (!scrq) {
          netdev_dbg(adapter->netdev,
                     "Invalid scrq reset. irq (%d) or msgs(%p).\n",
      		scrq->irq, scrq->msgs);
      		return -EINVAL;
      }
      
      If the expression is true, scrq must be a null pointer and cannot
      dereference.
      
      Fixes: 9281cf2d ("ibmvnic: avoid memset null scrq msgs")
      Signed-off-by: default avatarYANG LI <abaci-bugfix@linux.alibaba.com>
      Reported-by: default avatarAbaci <abaci@linux.alibaba.com>
      Acked-by: default avatarLijun Pan <ljp@linux.ibm.com>
      Link: https://lore.kernel.org/r/1609312994-121032-1-git-send-email-abaci-bugfix@linux.alibaba.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      862aecbd
    • Baruch Siach's avatar
      docs: networking: packet_mmap: fix old config reference · e4da63cd
      Baruch Siach authored
      Before commit 889b8f96 ("packet: Kill CONFIG_PACKET_MMAP.") there
      used to be a CONFIG_PACKET_MMAP config symbol that depended on
      CONFIG_PACKET. The text still implies that PACKET_MMAP can be disabled.
      Remove that from the text, as well as reference to old kernel versions.
      
      Also, drop reference to broken link to information for pre 2.6.5
      kernels.
      
      Make a slight working improvement (s/In/On/) while at it.
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Link: https://lore.kernel.org/r/80089f3783372c8fd7833f28ce774a171b2ef252.1609232919.git.baruch@tkos.co.ilSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e4da63cd
    • Baruch Siach's avatar
      17e94567
    • Yunjian Wang's avatar
      vhost_net: fix ubuf refcount incorrectly when sendmsg fails · 01e31bea
      Yunjian Wang authored
      Currently the vhost_zerocopy_callback() maybe be called to decrease
      the refcount when sendmsg fails in tun. The error handling in vhost
      handle_tx_zerocopy() will try to decrease the same refcount again.
      This is wrong. To fix this issue, we only call vhost_net_ubuf_put()
      when vq->heads[nvq->desc].len == VHOST_DMA_IN_PROGRESS.
      
      Fixes: bab632d6 ("vhost: vhost TX zero-copy support")
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Link: https://lore.kernel.org/r/1609207308-20544-1-git-send-email-wangyunjian@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      01e31bea
    • Taehee Yoo's avatar
      bareudp: Fix use of incorrect min_headroom size · 10ad3e99
      Taehee Yoo authored
      In the bareudp6_xmit_skb(), it calculates min_headroom.
      At that point, it uses struct iphdr, but it's not correct.
      So panic could occur.
      The struct ipv6hdr should be used.
      
      Test commands:
          ip netns add A
          ip netns add B
          ip link add veth0 netns A type veth peer name veth1 netns B
          ip netns exec A ip link set veth0 up
          ip netns exec A ip a a 2001:db8:0::1/64 dev veth0
          ip netns exec B ip link set veth1 up
          ip netns exec B ip a a 2001:db8:0::2/64 dev veth1
      
          for i in {10..1}
          do
                  let A=$i-1
                  ip netns exec A ip link add bareudp$i type bareudp dstport $i \
      		    ethertype 0x86dd
                  ip netns exec A ip link set bareudp$i up
                  ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev bareudp$i
                  ip netns exec A ip -6 r a 2001:db8:$i::2 encap ip6 src \
      		    2001:db8:$A::1 dst 2001:db8:$A::2 via 2001:db8:$i::2 \
      		    dev bareudp$i
      
                  ip netns exec B ip link add bareudp$i type bareudp dstport $i \
      		    ethertype 0x86dd
                  ip netns exec B ip link set bareudp$i up
                  ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev bareudp$i
                  ip netns exec B ip -6 r a 2001:db8:$i::1 encap ip6 src \
      		    2001:db8:$A::2 dst 2001:db8:$A::1 via 2001:db8:$i::1 \
      		    dev bareudp$i
          done
          ip netns exec A ping 2001:db8:7::2
      
      Splat looks like:
      [   66.436679][    C2] skbuff: skb_under_panic: text:ffffffff928614c8 len:454 put:14 head:ffff88810abb4000 data:ffff88810abb3ffa tail:0x1c0 end:0x3ec0 dev:veth0
      [   66.441626][    C2] ------------[ cut here ]------------
      [   66.443458][    C2] kernel BUG at net/core/skbuff.c:109!
      [   66.445313][    C2] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [   66.447606][    C2] CPU: 2 PID: 913 Comm: ping Not tainted 5.10.0+ #819
      [   66.450251][    C2] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [   66.453713][    C2] RIP: 0010:skb_panic+0x15d/0x15f
      [   66.455345][    C2] Code: 98 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 60 8b 78 93 41 57 41 56 41 55 48 8b 54 24 20 48 8b 74 24 28 e8 b5 40 f9 ff <0f> 0b 48 8b 6c 24 20 89 34 24 e8 08 c9 98 fe 8b 34 24 48 c7 c1 80
      [   66.462314][    C2] RSP: 0018:ffff888119209648 EFLAGS: 00010286
      [   66.464281][    C2] RAX: 0000000000000089 RBX: ffff888003159000 RCX: 0000000000000000
      [   66.467216][    C2] RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed10232412c0
      [   66.469768][    C2] RBP: ffff88810a53d440 R08: ffffed102328018d R09: ffffed102328018d
      [   66.472297][    C2] R10: ffff888119400c67 R11: ffffed102328018c R12: 000000000000000e
      [   66.474833][    C2] R13: ffff88810abb3ffa R14: 00000000000001c0 R15: 0000000000003ec0
      [   66.477361][    C2] FS:  00007f37c0c72f00(0000) GS:ffff888119200000(0000) knlGS:0000000000000000
      [   66.480214][    C2] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   66.482296][    C2] CR2: 000055a058808570 CR3: 000000011039e002 CR4: 00000000003706e0
      [   66.484811][    C2] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   66.487793][    C2] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   66.490424][    C2] Call Trace:
      [   66.491469][    C2]  <IRQ>
      [   66.492374][    C2]  ? eth_header+0x28/0x190
      [   66.494054][    C2]  ? eth_header+0x28/0x190
      [   66.495401][    C2]  skb_push.cold.99+0x22/0x22
      [   66.496700][    C2]  eth_header+0x28/0x190
      [   66.497867][    C2]  neigh_resolve_output+0x3de/0x720
      [   66.499615][    C2]  ? __neigh_update+0x7e8/0x20a0
      [   66.501176][    C2]  __neigh_update+0x8bd/0x20a0
      [   66.502749][    C2]  ndisc_update+0x34/0xc0
      [   66.504010][    C2]  ndisc_recv_na+0x8da/0xb80
      [   66.505041][    C2]  ? pndisc_redo+0x20/0x20
      [   66.505888][    C2]  ? rcu_read_lock_sched_held+0xc0/0xc0
      [   66.506965][    C2]  ndisc_rcv+0x3a0/0x470
      [   66.507797][    C2]  icmpv6_rcv+0xad9/0x1b00
      [   66.508645][    C2]  ip6_protocol_deliver_rcu+0xcd6/0x1560
      [   66.509719][    C2]  ip6_input_finish+0x5b/0xf0
      [   66.510615][    C2]  ip6_input+0xcd/0x2d0
      [   66.511406][    C2]  ? ip6_input_finish+0xf0/0xf0
      [   66.512327][    C2]  ? rcu_read_lock_held+0x91/0xa0
      [   66.513279][    C2]  ? ip6_protocol_deliver_rcu+0x1560/0x1560
      [   66.514414][    C2]  ipv6_rcv+0xe8/0x300
      [ ... ]
      Acked-by: default avatarGuillaume Nault <gnault@redhat.com>
      Fixes: 571912c6 ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Link: https://lore.kernel.org/r/20201228152146.24270-1-ap420073@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      10ad3e99
    • Taehee Yoo's avatar
      bareudp: set NETIF_F_LLTX flag · d9e44981
      Taehee Yoo authored
      Like other tunneling interfaces, the bareudp doesn't need TXLOCK.
      So, It is good to set the NETIF_F_LLTX flag to improve performance and
      to avoid lockdep's false-positive warning.
      
      Test commands:
          ip netns add A
          ip netns add B
          ip link add veth0 netns A type veth peer name veth1 netns B
          ip netns exec A ip link set veth0 up
          ip netns exec A ip a a 10.0.0.1/24 dev veth0
          ip netns exec B ip link set veth1 up
          ip netns exec B ip a a 10.0.0.2/24 dev veth1
      
          for i in {2..1}
          do
                  let A=$i-1
                  ip netns exec A ip link add bareudp$i type bareudp \
      		    dstport $i ethertype ip
                  ip netns exec A ip link set bareudp$i up
                  ip netns exec A ip a a 10.0.$i.1/24 dev bareudp$i
                  ip netns exec A ip r a 10.0.$i.2 encap ip src 10.0.$A.1 \
      		    dst 10.0.$A.2 via 10.0.$i.2 dev bareudp$i
      
                  ip netns exec B ip link add bareudp$i type bareudp \
      		    dstport $i ethertype ip
                  ip netns exec B ip link set bareudp$i up
                  ip netns exec B ip a a 10.0.$i.2/24 dev bareudp$i
                  ip netns exec B ip r a 10.0.$i.1 encap ip src 10.0.$A.2 \
      		    dst 10.0.$A.1 via 10.0.$i.1 dev bareudp$i
          done
          ip netns exec A ping 10.0.2.2
      
      Splat looks like:
      [   96.992803][  T822] ============================================
      [   96.993954][  T822] WARNING: possible recursive locking detected
      [   96.995102][  T822] 5.10.0+ #819 Not tainted
      [   96.995927][  T822] --------------------------------------------
      [   96.997091][  T822] ping/822 is trying to acquire lock:
      [   96.998083][  T822] ffff88810f753898 (_xmit_NONE#2){+.-.}-{2:2}, at: __dev_queue_xmit+0x1f52/0x2960
      [   96.999813][  T822]
      [   96.999813][  T822] but task is already holding lock:
      [   97.001192][  T822] ffff88810c385498 (_xmit_NONE#2){+.-.}-{2:2}, at: __dev_queue_xmit+0x1f52/0x2960
      [   97.002908][  T822]
      [   97.002908][  T822] other info that might help us debug this:
      [   97.004401][  T822]  Possible unsafe locking scenario:
      [   97.004401][  T822]
      [   97.005784][  T822]        CPU0
      [   97.006407][  T822]        ----
      [   97.007010][  T822]   lock(_xmit_NONE#2);
      [   97.007779][  T822]   lock(_xmit_NONE#2);
      [   97.008550][  T822]
      [   97.008550][  T822]  *** DEADLOCK ***
      [   97.008550][  T822]
      [   97.010057][  T822]  May be due to missing lock nesting notation
      [   97.010057][  T822]
      [   97.011594][  T822] 7 locks held by ping/822:
      [   97.012426][  T822]  #0: ffff888109a144f0 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0x12f7/0x2b00
      [   97.014191][  T822]  #1: ffffffffbce2f5a0 (rcu_read_lock_bh){....}-{1:2}, at: ip_finish_output2+0x249/0x2020
      [   97.016045][  T822]  #2: ffffffffbce2f5a0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1fd/0x2960
      [   97.017897][  T822]  #3: ffff88810c385498 (_xmit_NONE#2){+.-.}-{2:2}, at: __dev_queue_xmit+0x1f52/0x2960
      [   97.019684][  T822]  #4: ffffffffbce2f600 (rcu_read_lock){....}-{1:2}, at: bareudp_xmit+0x31b/0x3690 [bareudp]
      [   97.021573][  T822]  #5: ffffffffbce2f5a0 (rcu_read_lock_bh){....}-{1:2}, at: ip_finish_output2+0x249/0x2020
      [   97.023424][  T822]  #6: ffffffffbce2f5a0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1fd/0x2960
      [   97.025259][  T822]
      [   97.025259][  T822] stack backtrace:
      [   97.026349][  T822] CPU: 3 PID: 822 Comm: ping Not tainted 5.10.0+ #819
      [   97.027609][  T822] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [   97.029407][  T822] Call Trace:
      [   97.030015][  T822]  dump_stack+0x99/0xcb
      [   97.030783][  T822]  __lock_acquire.cold.77+0x149/0x3a9
      [   97.031773][  T822]  ? stack_trace_save+0x81/0xa0
      [   97.032661][  T822]  ? register_lock_class+0x1910/0x1910
      [   97.033673][  T822]  ? register_lock_class+0x1910/0x1910
      [   97.034679][  T822]  ? rcu_read_lock_sched_held+0x91/0xc0
      [   97.035697][  T822]  ? rcu_read_lock_bh_held+0xa0/0xa0
      [   97.036690][  T822]  lock_acquire+0x1b2/0x730
      [   97.037515][  T822]  ? __dev_queue_xmit+0x1f52/0x2960
      [   97.038466][  T822]  ? check_flags+0x50/0x50
      [   97.039277][  T822]  ? netif_skb_features+0x296/0x9c0
      [   97.040226][  T822]  ? validate_xmit_skb+0x29/0xb10
      [   97.041151][  T822]  _raw_spin_lock+0x30/0x70
      [   97.041977][  T822]  ? __dev_queue_xmit+0x1f52/0x2960
      [   97.042927][  T822]  __dev_queue_xmit+0x1f52/0x2960
      [   97.043852][  T822]  ? netdev_core_pick_tx+0x290/0x290
      [   97.044824][  T822]  ? mark_held_locks+0xb7/0x120
      [   97.045712][  T822]  ? lockdep_hardirqs_on_prepare+0x12c/0x3e0
      [   97.046824][  T822]  ? __local_bh_enable_ip+0xa5/0xf0
      [   97.047771][  T822]  ? ___neigh_create+0x12a8/0x1eb0
      [   97.048710][  T822]  ? trace_hardirqs_on+0x41/0x120
      [   97.049626][  T822]  ? ___neigh_create+0x12a8/0x1eb0
      [   97.050556][  T822]  ? __local_bh_enable_ip+0xa5/0xf0
      [   97.051509][  T822]  ? ___neigh_create+0x12a8/0x1eb0
      [   97.052443][  T822]  ? check_chain_key+0x244/0x5f0
      [   97.053352][  T822]  ? rcu_read_lock_bh_held+0x56/0xa0
      [   97.054317][  T822]  ? ip_finish_output2+0x6ea/0x2020
      [   97.055263][  T822]  ? pneigh_lookup+0x410/0x410
      [   97.056135][  T822]  ip_finish_output2+0x6ea/0x2020
      [ ... ]
      Acked-by: default avatarGuillaume Nault <gnault@redhat.com>
      Fixes: 571912c6 ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Link: https://lore.kernel.org/r/20201228152136.24215-1-ap420073@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d9e44981
    • Linus Torvalds's avatar
      Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu · 36bbbd0e
      Linus Torvalds authored
      Pull RCU fix from Paul McKenney:
       "This is a fix for a regression in the v5.10 merge window, but it was
        reported quite late in the v5.10 process, plus generating and testing
        the fix took some time.
      
        The regression is due to commit 36dadef2 ("kprobes: Init kprobes
        in early_initcall") which on powerpc can use RCU Tasks before
        initialization, resulting in boot failures.
      
        The fix is straightforward, simply moving initialization of RCU Tasks
        before the early_initcall()s. The fix has been exposed to -next and
        kbuild test robot testing, and has been tested by the PowerPC guys"
      
      * 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu:
        rcu-tasks: Move RCU-tasks initialization to before early_initcall()
      36bbbd0e
    • Linus Torvalds's avatar
      Merge tag 'compiler-attributes-for-linus-v5.11' of git://github.com/ojeda/linux · f4f6a2e3
      Linus Torvalds authored
      Pull ENABLE_MUST_CHECK removal from Miguel Ojeda:
       "Remove CONFIG_ENABLE_MUST_CHECK (Masahiro Yamada)"
      
      Note that this removes the config option by making the must-check
      unconditional, not by removing must check itself.
      
      * tag 'compiler-attributes-for-linus-v5.11' of git://github.com/ojeda/linux:
        Compiler Attributes: remove CONFIG_ENABLE_MUST_CHECK
      f4f6a2e3
    • David Howells's avatar
      afs: Fix directory entry size calculation · 366911cd
      David Howells authored
      The number of dirent records used by an AFS directory entry should be
      calculated using the assumption that there is a 16-byte name field in the
      first block, rather than a 20-byte name field (which is actually the case).
      This miscalculation is historic and effectively standard, so we have to use
      it.
      
      The calculation we need to use is:
      
      	1 + (((strlen(name) + 1) + 15) >> 5)
      
      where we are adding one to the strlen() result to account for the NUL
      termination.
      
      Fix this by the following means:
      
       (1) Create an inline function to do the calculation for a given name
           length.
      
       (2) Use the function to calculate the number of records used for a dirent
           in afs_dir_iterate_block().
      
           Use this to move the over-end check out of the loop since it only
           needs to be done once.
      
           Further use this to only go through the loop for the 2nd+ records
           composing an entry.  The only test there now is for if the record is
           allocated - and we already checked the first block at the top of the
           outer loop.
      
       (3) Add a max name length check in afs_dir_iterate_block().
      
       (4) Make afs_edit_dir_add() and afs_edit_dir_remove() use the function
           from (1) to calculate the number of blocks rather than doing it
           incorrectly themselves.
      
      Fixes: 63a4681f ("afs: Locally edit directory data for mkdir/create/unlink/...")
      Fixes: ^1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      366911cd
    • David Howells's avatar
      afs: Work around strnlen() oops with CONFIG_FORTIFIED_SOURCE=y · 26982a89
      David Howells authored
      AFS has a structured layout in its directory contents (AFS dirs are
      downloaded as files and parsed locally by the client for lookup/readdir).
      The slots in the directory are defined by union afs_xdr_dirent.  This,
      however, only directly allows a name of a length that will fit into that
      union.  To support a longer name, the next 1-8 contiguous entries are
      annexed to the first one and the name flows across these.
      
      afs_dir_iterate_block() uses strnlen(), limited to the space to the end of
      the page, to find out how long the name is.  This worked fine until
      6a39e62a.  With that commit, the compiler determines the size of the
      array and asserts that the string fits inside that array.  This is a
      problem for AFS because we *expect* it to overflow one or more arrays.
      
      A similar problem also occurs in afs_dir_scan_block() when a directory file
      is being locally edited to avoid the need to redownload it.  There strlen()
      was being used safely because each page has the last byte set to 0 when the
      file is downloaded and validated (in afs_dir_check_page()).
      
      Fix this by changing the afs_xdr_dirent union name field to an
      indeterminate-length array and dropping the overflow field.
      
      (Note that whilst looking at this, I realised that the calculation of the
      number of slots a dirent used is non-standard and not quite right, but I'll
      address that in a separate patch.)
      
      The issue can be triggered by something like:
      
              touch /afs/example.com/thisisaveryveryverylongname
      
      and it generates a report that looks like:
      
              detected buffer overflow in strnlen
              ------------[ cut here ]------------
              kernel BUG at lib/string.c:1149!
              ...
              RIP: 0010:fortify_panic+0xf/0x11
              ...
              Call Trace:
               afs_dir_iterate_block+0x12b/0x35b
               afs_dir_iterate+0x14e/0x1ce
               afs_do_lookup+0x131/0x417
               afs_lookup+0x24f/0x344
               lookup_open.isra.0+0x1bb/0x27d
               open_last_lookups+0x166/0x237
               path_openat+0xe0/0x159
               do_filp_open+0x48/0xa4
               ? kmem_cache_alloc+0xf5/0x16e
               ? __clear_close_on_exec+0x13/0x22
               ? _raw_spin_unlock+0xa/0xb
               do_sys_openat2+0x72/0xde
               do_sys_open+0x3b/0x58
               do_syscall_64+0x2d/0x3a
               entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6a39e62a ("lib: string.h: detect intra-object overflow in fortified string functions")
      Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      cc: Daniel Axtens <dja@axtens.net>
      26982a89
  3. 03 Jan, 2021 1 commit
  4. 02 Jan, 2021 3 commits
    • Linus Torvalds's avatar
      Merge tag 's390-5.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 3516bd72
      Linus Torvalds authored
      Pull s390 cleanups from Vasily Gorbik:
       "Update defconfigs and sort config select list"
      
      * tag 's390-5.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/Kconfig: sort config S390 select list once again
        s390: update defconfigs
      3516bd72
    • Linus Torvalds's avatar
      Merge tag 'pm-5.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · d9296a7b
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a crash in intel_pstate during resume from suspend-to-RAM
        that may occur after recent changes and two resource leaks in error
        paths in the operating performance points (OPP) framework, add a new
        C-states table to intel_idle and update the cpuidle MAINTAINERS entry
        to cover the governors too.
      
        Specifics:
      
         - Fix recently introduced crash in the intel_pstate driver that
           occurs if scale-invariance is disabled during resume from
           suspend-to-RAM due to inconsistent changes of APERF or MPERF MSR
           values made by the platform firmware (Rafael Wysocki).
      
         - Fix a memory leak and add a missing clk_put() in error paths in the
           OPP framework (Quanyang Wang, Viresh Kumar).
      
         - Add new C-states table for SnowRidge processors to the intel_idle
           driver (Artem Bityutskiy).
      
         - Update the MAINTAINERS entry for cpuidle to make it clear that the
           governors are covered by it too (Lukas Bulwahn)"
      
      * tag 'pm-5.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        intel_idle: add SnowRidge C-state table
        cpufreq: intel_pstate: Fix fast-switch fallback path
        opp: Call the missing clk_put() on error
        opp: fix memory leak in _allocate_opp_table
        MAINTAINERS: include governors into CPU IDLE TIME MANAGEMENT FRAMEWORK
      d9296a7b
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-cpufreq' and 'pm-cpuidle' · 89ecf09e
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: intel_pstate: Fix fast-switch fallback path
      
      * pm-cpuidle:
        intel_idle: add SnowRidge C-state table
        MAINTAINERS: include governors into CPU IDLE TIME MANAGEMENT FRAMEWORK
      89ecf09e