1. 06 Jan, 2020 12 commits
    • Eran Ben Elisha's avatar
      net/mlx5e: Always print health reporter message to dmesg · 99cda454
      Eran Ben Elisha authored
      In case a reporter exists, error message is logged only to the devlink
      tracer. The devlink tracer is a visibility utility only, which user can
      choose not to monitor.
      After cited patch, 3rd party monitoring tools that tracks these error
      message will no longer find them in dmesg, causing a regression.
      
      With this patch, error messages are also logged into the dmesg.
      
      Fixes: c50de4af ("net/mlx5e: Generalize tx reporter's functionality")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      99cda454
    • Dmytro Linkin's avatar
      net/mlx5e: Avoid duplicating rule destinations · 554fe75c
      Dmytro Linkin authored
      Following scenario easily break driver logic and crash the kernel:
      1. Add rule with mirred actions to same device.
      2. Delete this rule.
      In described scenario rule is not added to database and on deletion
      driver access invalid entry.
      Example:
      
       $ tc filter add dev ens1f0_0 ingress protocol ip prio 1 \
             flower skip_sw \
             action mirred egress mirror dev ens1f0_1 pipe \
             action mirred egress redirect dev ens1f0_1
       $ tc filter del dev ens1f0_0 ingress protocol ip prio 1
      
      Dmesg output:
      
      [  376.634396] mlx5_core 0000:82:00.0: mlx5_cmd_check:756:(pid 3439): DESTROY_FLOW_GROUP(0x934) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0x563e2f)
      [  376.654983] mlx5_core 0000:82:00.0: del_hw_flow_group:567:(pid 3439): flow steering can't destroy fg 89 of ft 3145728
      [  376.673433] kasan: CONFIG_KASAN_INLINE enabled
      [  376.683769] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  376.695229] general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
      [  376.705069] CPU: 7 PID: 3439 Comm: tc Not tainted 5.4.0-rc5+ #76
      [  376.714959] Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0a 08/12/2016
      [  376.726371] RIP: 0010:mlx5_del_flow_rules+0x105/0x960 [mlx5_core]
      [  376.735817] Code: 01 00 00 00 48 83 eb 08 e8 28 d9 ff ff 4c 39 e3 75 d8 4c 8d bd c0 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 84 04 00 00 48 8d 7d 28 8b 9 d
      [  376.761261] RSP: 0018:ffff888847c56db8 EFLAGS: 00010202
      [  376.770054] RAX: dffffc0000000000 RBX: ffff8888582a6da0 RCX: ffff888847c56d60
      [  376.780743] RDX: 0000000000000058 RSI: 0000000000000008 RDI: 0000000000000282
      [  376.791328] RBP: 0000000000000000 R08: fffffbfff0c60ea6 R09: fffffbfff0c60ea6
      [  376.802050] R10: fffffbfff0c60ea5 R11: ffffffff8630752f R12: ffff8888582a6da0
      [  376.812798] R13: dffffc0000000000 R14: ffff8888582a6da0 R15: 00000000000002c0
      [  376.823445] FS:  00007f675f9a8840(0000) GS:ffff88886d200000(0000) knlGS:0000000000000000
      [  376.834971] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  376.844179] CR2: 00000000007d9640 CR3: 00000007d3f26003 CR4: 00000000001606e0
      [  376.854843] Call Trace:
      [  376.868542]  __mlx5_eswitch_del_rule+0x49/0x300 [mlx5_core]
      [  376.877735]  mlx5e_tc_del_fdb_flow+0x6ec/0x9e0 [mlx5_core]
      [  376.921549]  mlx5e_flow_put+0x2b/0x50 [mlx5_core]
      [  376.929813]  mlx5e_delete_flower+0x5b6/0xbd0 [mlx5_core]
      [  376.973030]  tc_setup_cb_reoffload+0x29/0xc0
      [  376.980619]  fl_reoffload+0x50a/0x770 [cls_flower]
      [  377.015087]  tcf_block_playback_offloads+0xbd/0x250
      [  377.033400]  tcf_block_setup+0x1b2/0xc60
      [  377.057247]  tcf_block_offload_cmd+0x195/0x240
      [  377.098826]  tcf_block_offload_unbind+0xe7/0x180
      [  377.107056]  __tcf_block_put+0xe5/0x400
      [  377.114528]  ingress_destroy+0x3d/0x60 [sch_ingress]
      [  377.122894]  qdisc_destroy+0xf1/0x5a0
      [  377.129993]  qdisc_graft+0xa3d/0xe50
      [  377.151227]  tc_get_qdisc+0x48e/0xa20
      [  377.165167]  rtnetlink_rcv_msg+0x35d/0x8d0
      [  377.199528]  netlink_rcv_skb+0x11e/0x340
      [  377.219638]  netlink_unicast+0x408/0x5b0
      [  377.239913]  netlink_sendmsg+0x71b/0xb30
      [  377.267505]  sock_sendmsg+0xb1/0xf0
      [  377.273801]  ___sys_sendmsg+0x635/0x900
      [  377.312784]  __sys_sendmsg+0xd3/0x170
      [  377.338693]  do_syscall_64+0x95/0x460
      [  377.344833]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  377.352321] RIP: 0033:0x7f675e58e090
      
      To avoid this, for every mirred action check if output device was
      already processed. If so - drop rule with EOPNOTSUPP error.
      Signed-off-by: default avatarDmytro Linkin <dmitrolin@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Reviewed-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      554fe75c
    • David S. Miller's avatar
      Merge branch 'atlantic-bugfixes' · d76063c5
      David S. Miller authored
      Igor Russkikh says:
      
      ====================
      Aquantia/Marvell atlantic bugfixes 2020/01
      
      Here is a set of recently discovered bugfixes,
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d76063c5
    • Igor Russkikh's avatar
      net: atlantic: remove duplicate entries · b585f860
      Igor Russkikh authored
      Function entries were duplicated accidentally, removing the dups.
      
      Fixes: ea4b4d7f ("net: atlantic: loopback tests via private flags")
      Signed-off-by: default avatarIgor Russkikh <irusskikh@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b585f860
    • Igor Russkikh's avatar
      net: atlantic: loopback configuration in improper place · 883daa18
      Igor Russkikh authored
      Initial loopback configuration should be called earlier, before
      starting traffic on HW blocks. Otherwise depending on race conditions
      it could be kept disabled.
      
      Fixes: ea4b4d7f ("net: atlantic: loopback tests via private flags")
      Signed-off-by: default avatarIgor Russkikh <irusskikh@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      883daa18
    • Igor Russkikh's avatar
      net: atlantic: broken link status on old fw · ac70957e
      Igor Russkikh authored
      Last code/checkpatch cleanup did a copy paste error where code from
      firmware 3 API logic was moved to firmware 1 logic.
      
      This resulted in FW1.x users would never see the link state as active.
      
      Fixes: 7b0c342f ("net: atlantic: code style cleanup")
      Signed-off-by: default avatarIgor Russkikh <irusskikh@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac70957e
    • Vikas Gupta's avatar
      firmware: tee_bnxt: Fix multiple call to tee_client_close_context · 4012a6f2
      Vikas Gupta authored
      Fix calling multiple tee_client_close_context in case of shm allocation
      fails.
      
      Fixes: 24688095 (“firmware: broadcom: add OP-TEE based BNXT f/w manager”)
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4012a6f2
    • Andrew Lunn's avatar
      net: dsa: mv88e6xxx: Preserve priority when setting CPU port. · d8dc2c96
      Andrew Lunn authored
      The 6390 family uses an extended register to set the port connected to
      the CPU. The lower 5 bits indicate the port, the upper three bits are
      the priority of the frames as they pass through the switch, what
      egress queue they should use, etc. Since frames being set to the CPU
      are typically management frames, BPDU, IGMP, ARP, etc set the priority
      to 7, the reset default, and the highest.
      
      Fixes: 33641994 ("net: dsa: mv88e6xxx: Monitor and Management tables")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Tested-by: default avatarChris Healy <cphealy@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8dc2c96
    • Krzysztof Kozlowski's avatar
      net: ethernet: sxgbe: Rename Samsung to lowercase · 5adcb8b1
      Krzysztof Kozlowski authored
      Fix up inconsistent usage of upper and lowercase letters in "Samsung"
      name.
      
      "SAMSUNG" is not an abbreviation but a regular trademarked name.
      Therefore it should be written with lowercase letters starting with
      capital letter.
      
      Although advertisement materials usually use uppercase "SAMSUNG", the
      lowercase version is used in all legal aspects (e.g. on Wikipedia and in
      privacy/legal statements on
      https://www.samsung.com/semiconductor/privacy-global/).
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5adcb8b1
    • Krzysztof Kozlowski's avatar
      net: wan: sdla: Fix cast from pointer to integer of different size · 00c0688c
      Krzysztof Kozlowski authored
      Since net_device.mem_start is unsigned long, it should not be cast to
      int right before casting to pointer.  This fixes warning (compile
      testing on alpha architecture):
      
          drivers/net/wan/sdla.c: In function ‘sdla_transmit’:
          drivers/net/wan/sdla.c:711:13: warning:
              cast to pointer from integer of different size [-Wint-to-pointer-cast]
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      00c0688c
    • Xin Long's avatar
      sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY · be7a7729
      Xin Long authored
      This patch is to fix a memleak caused by no place to free cmd->obj.chunk
      for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to
      process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq
      with an allocated chunk in cmd->obj.chunk.
      
      So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on
      the cmd seq when any cmd returns error. While at it, also remove 'nomem'
      label.
      
      Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be7a7729
    • Ying Xue's avatar
      tipc: eliminate KMSAN: uninit-value in __tipc_nl_compat_dumpit error · a7869e5f
      Ying Xue authored
      syzbot found the following crash on:
      =====================================================
      BUG: KMSAN: uninit-value in __nlmsg_parse include/net/netlink.h:661 [inline]
      BUG: KMSAN: uninit-value in nlmsg_parse_deprecated
      include/net/netlink.h:706 [inline]
      BUG: KMSAN: uninit-value in __tipc_nl_compat_dumpit+0x553/0x11e0
      net/tipc/netlink_compat.c:215
      CPU: 0 PID: 12425 Comm: syz-executor062 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1c9/0x220 lib/dump_stack.c:118
        kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
        __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
        __nlmsg_parse include/net/netlink.h:661 [inline]
        nlmsg_parse_deprecated include/net/netlink.h:706 [inline]
        __tipc_nl_compat_dumpit+0x553/0x11e0 net/tipc/netlink_compat.c:215
        tipc_nl_compat_dumpit+0x761/0x910 net/tipc/netlink_compat.c:308
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1252 [inline]
        tipc_nl_compat_recv+0x12e9/0x2870 net/tipc/netlink_compat.c:1311
        genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline]
        genl_family_rcv_msg net/netlink/genetlink.c:717 [inline]
        genl_rcv_msg+0x1dd0/0x23a0 net/netlink/genetlink.c:734
        netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:745
        netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
        netlink_unicast+0xfa0/0x1100 net/netlink/af_netlink.c:1328
        netlink_sendmsg+0x11f0/0x1480 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:639 [inline]
        sock_sendmsg net/socket.c:659 [inline]
        ____sys_sendmsg+0x1362/0x13f0 net/socket.c:2330
        ___sys_sendmsg net/socket.c:2384 [inline]
        __sys_sendmsg+0x4f0/0x5e0 net/socket.c:2417
        __do_sys_sendmsg net/socket.c:2426 [inline]
        __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
        __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
        do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:295
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x444179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
      48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
      ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffd2d6409c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444179
      RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
      RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e20
      R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
        kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
        kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
        kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:86
        slab_alloc_node mm/slub.c:2774 [inline]
        __kmalloc_node_track_caller+0xe47/0x11f0 mm/slub.c:4382
        __kmalloc_reserve net/core/skbuff.c:141 [inline]
        __alloc_skb+0x309/0xa50 net/core/skbuff.c:209
        alloc_skb include/linux/skbuff.h:1049 [inline]
        nlmsg_new include/net/netlink.h:888 [inline]
        tipc_nl_compat_dumpit+0x6e4/0x910 net/tipc/netlink_compat.c:301
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1252 [inline]
        tipc_nl_compat_recv+0x12e9/0x2870 net/tipc/netlink_compat.c:1311
        genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline]
        genl_family_rcv_msg net/netlink/genetlink.c:717 [inline]
        genl_rcv_msg+0x1dd0/0x23a0 net/netlink/genetlink.c:734
        netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:745
        netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
        netlink_unicast+0xfa0/0x1100 net/netlink/af_netlink.c:1328
        netlink_sendmsg+0x11f0/0x1480 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:639 [inline]
        sock_sendmsg net/socket.c:659 [inline]
        ____sys_sendmsg+0x1362/0x13f0 net/socket.c:2330
        ___sys_sendmsg net/socket.c:2384 [inline]
        __sys_sendmsg+0x4f0/0x5e0 net/socket.c:2417
        __do_sys_sendmsg net/socket.c:2426 [inline]
        __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
        __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
        do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:295
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      =====================================================
      
      The complaint above occurred because the memory region pointed by attrbuf
      variable was not initialized. To eliminate this warning, we use kcalloc()
      rather than kmalloc_array() to allocate memory for attrbuf.
      
      Reported-by: syzbot+b1fd2bf2c89d8407e15f@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7869e5f
  2. 05 Jan, 2020 4 commits
    • Stephen Boyd's avatar
      macb: Don't unregister clks unconditionally · d89091a4
      Stephen Boyd authored
      The only clk init function in this driver that register a clk is
      fu540_c000_clk_init(), and thus we need to unregister the clk when this
      driver is removed on that platform. Other init functions, for example
      macb_clk_init(), don't register clks and therefore we shouldn't
      unregister the clks when this driver is removed. Convert this
      registration path to devm so it gets auto-unregistered when this driver
      is removed and drop the clk_unregister() calls in driver remove (and
      error paths) so that we don't erroneously remove a clk from the system
      that isn't registered by this driver.
      
      Otherwise we get strange crashes with a use-after-free when the
      devm_clk_get() call in macb_clk_init() calls clk_put() on a clk pointer
      that has become invalid because it is freed in clk_unregister().
      
      Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
      Cc: Yash Shah <yash.shah@sifive.com>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Fixes: c218ad55 ("macb: Add support for SiFive FU540-C000")
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d89091a4
    • Krzysztof Kozlowski's avatar
      MAINTAINERS: Drop obsolete entries from Samsung sxgbe ethernet driver · 15a821f0
      Krzysztof Kozlowski authored
      The emails to ks.giri@samsung.com and vipul.pandya@samsung.com bounce
      with 550 error code:
      
          host mailin.samsung.com[203.254.224.12] said: 550
          5.1.1 Recipient address rejected: User unknown (in reply to RCPT TO
          command)"
      
      Drop Girish K S and Vipul Pandya from sxgbe maintainers entry.
      
      Cc: Byungho An <bh74.an@samsung.com>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      15a821f0
    • Carl Huang's avatar
      net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue · ce57785b
      Carl Huang authored
      The len used for skb_put_padto is wrong, it need to add len of hdr.
      
      In qrtr_node_enqueue, local variable size_t len is assign with
      skb->len, then skb_push(skb, sizeof(*hdr)) will add skb->len with
      sizeof(*hdr), so local variable size_t len is not same with skb->len
      after skb_push(skb, sizeof(*hdr)).
      
      Then the purpose of skb_put_padto(skb, ALIGN(len, 4)) is to add add
      pad to the end of the skb's data if skb->len is not aligned to 4, but
      unfortunately it use len instead of skb->len, at this line, skb->len
      is 32 bytes(sizeof(*hdr)) more than len, for example, len is 3 bytes,
      then skb->len is 35 bytes(3 + 32), and ALIGN(len, 4) is 4 bytes, so
      __skb_put_padto will do nothing after check size(35) < len(4), the
      correct value should be 36(sizeof(*hdr) + ALIGN(len, 4) = 32 + 4),
      then __skb_put_padto will pass check size(35) < len(36) and add 1 byte
      to the end of skb's data, then logic is correct.
      
      function of skb_push:
      void *skb_push(struct sk_buff *skb, unsigned int len)
      {
      	skb->data -= len;
      	skb->len  += len;
      	if (unlikely(skb->data < skb->head))
      		skb_under_panic(skb, len, __builtin_return_address(0));
      	return skb->data;
      }
      
      function of skb_put_padto
      static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
      {
      	return __skb_put_padto(skb, len, true);
      }
      
      function of __skb_put_padto
      static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len,
      				  bool free_on_error)
      {
      	unsigned int size = skb->len;
      
      	if (unlikely(size < len)) {
      		len -= size;
      		if (__skb_pad(skb, len, free_on_error))
      			return -ENOMEM;
      		__skb_put(skb, len);
      	}
      	return 0;
      }
      Signed-off-by: default avatarCarl Huang <cjhuang@codeaurora.org>
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce57785b
    • Fenghua Yu's avatar
      drivers/net/b44: Change to non-atomic bit operations on pwol_mask · f11421ba
      Fenghua Yu authored
      Atomic operations that span cache lines are super-expensive on x86
      (not just to the current processor, but also to other processes as all
      memory operations are blocked until the operation completes). Upcoming
      x86 processors have a switch to cause such operations to generate a #AC
      trap. It is expected that some real time systems will enable this mode
      in BIOS.
      
      In preparation for this, it is necessary to fix code that may execute
      atomic instructions with operands that cross cachelines because the #AC
      trap will crash the kernel.
      
      Since "pwol_mask" is local and never exposed to concurrency, there is
      no need to set bits in pwol_mask using atomic operations.
      
      Directly operate on the byte which contains the bit instead of using
      __set_bit() to avoid any big endian concern due to type cast to
      unsigned long in __set_bit().
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarFenghua Yu <fenghua.yu@intel.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f11421ba
  3. 03 Jan, 2020 10 commits
  4. 02 Jan, 2020 11 commits
  5. 31 Dec, 2019 3 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 738d2902
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix big endian overflow in nf_flow_table, from Arnd Bergmann.
      
       2) Fix port selection on big endian in nft_tproxy, from Phil Sutter.
      
       3) Fix precision tracking for unbound scalars in bpf verifier, from
          Daniel Borkmann.
      
       4) Fix integer overflow in socket rcvbuf check in UDP, from Antonio
          Messina.
      
       5) Do not perform a neigh confirmation during a pmtu update over a
          tunnel, from Hangbin Liu.
      
       6) Fix DMA mapping leak in dpaa_eth driver, from Madalin Bucur.
      
       7) Various PTP fixes for sja1105 dsa driver, from Vladimir Oltean.
      
       8) Add missing to dummy definition of of_mdiobus_child_is_phy(), from
          Geert Uytterhoeven
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (54 commits)
        hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename()
        net/sched: add delete_empty() to filters and use it in cls_flower
        tcp: Fix highest_sack and highest_sack_seq
        ptp: fix the race between the release of ptp_clock and cdev
        net: dsa: sja1105: Reconcile the meaning of TPID and TPID2 for E/T and P/Q/R/S
        Documentation: net: dsa: sja1105: Remove text about taprio base-time limitation
        net: dsa: sja1105: Remove restriction of zero base-time for taprio offload
        net: dsa: sja1105: Really make the PTP command read-write
        net: dsa: sja1105: Take PTP egress timestamp by port, not mgmt slot
        cxgb4/cxgb4vf: fix flow control display for auto negotiation
        mlxsw: spectrum: Use dedicated policer for VRRP packets
        mlxsw: spectrum_router: Skip loopback RIFs during MAC validation
        net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs
        net/sched: act_mirred: Pull mac prior redir to non mac_header_xmit device
        net_sched: sch_fq: properly set sk->sk_pacing_status
        bnx2x: Fix accounting of vlan resources among the PFs
        bnx2x: Use appropriate define for vlan credit
        of: mdio: Add missing inline to of_mdiobus_child_is_phy() dummy
        net: phy: aquantia: add suspend / resume ops for AQR105
        dpaa_eth: fix DMA mapping leak
        ...
      738d2902
    • Linus Torvalds's avatar
      Merge tag 'tomoyo-fixes-for-5.5' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1 · c5c928c6
      Linus Torvalds authored
      Pull tomoyo fixes from Tetsuo Handa:
       "Two bug fixes:
      
         - Suppress RCU warning at list_for_each_entry_rcu()
      
         - Don't use fancy names on sockets"
      
      * tag 'tomoyo-fixes-for-5.5' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1:
        tomoyo: Suppress RCU warning at list_for_each_entry_rcu().
        tomoyo: Don't use nifty names on sockets.
      c5c928c6
    • Taehee Yoo's avatar
      hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename() · 04b69426
      Taehee Yoo authored
      hsr slave interfaces don't have debugfs directory.
      So, hsr_debugfs_rename() shouldn't be called when hsr slave interface name
      is changed.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add dummy1 type dummy
          ip link add hsr0 type hsr slave1 dummy0 slave2 dummy1
          ip link set dummy0 name ap
      
      Splat looks like:
      [21071.899367][T22666] ap: renamed from dummy0
      [21071.914005][T22666] ==================================================================
      [21071.919008][T22666] BUG: KASAN: slab-out-of-bounds in hsr_debugfs_rename+0xaa/0xb0 [hsr]
      [21071.923640][T22666] Read of size 8 at addr ffff88805febcd98 by task ip/22666
      [21071.926941][T22666]
      [21071.927750][T22666] CPU: 0 PID: 22666 Comm: ip Not tainted 5.5.0-rc2+ #240
      [21071.929919][T22666] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [21071.935094][T22666] Call Trace:
      [21071.935867][T22666]  dump_stack+0x96/0xdb
      [21071.936687][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
      [21071.937774][T22666]  print_address_description.constprop.5+0x1be/0x360
      [21071.939019][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
      [21071.940081][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
      [21071.940949][T22666]  __kasan_report+0x12a/0x16f
      [21071.941758][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
      [21071.942674][T22666]  kasan_report+0xe/0x20
      [21071.943325][T22666]  hsr_debugfs_rename+0xaa/0xb0 [hsr]
      [21071.944187][T22666]  hsr_netdev_notify+0x1fe/0x9b0 [hsr]
      [21071.945052][T22666]  ? __module_text_address+0x13/0x140
      [21071.945897][T22666]  notifier_call_chain+0x90/0x160
      [21071.946743][T22666]  dev_change_name+0x419/0x840
      [21071.947496][T22666]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
      [21071.948600][T22666]  ? netdev_adjacent_rename_links+0x280/0x280
      [21071.949577][T22666]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
      [21071.950672][T22666]  ? lock_downgrade+0x6e0/0x6e0
      [21071.951345][T22666]  ? do_setlink+0x811/0x2ef0
      [21071.951991][T22666]  do_setlink+0x811/0x2ef0
      [21071.952613][T22666]  ? is_bpf_text_address+0x81/0xe0
      [ ... ]
      
      Reported-by: syzbot+9328206518f08318a5fd@syzkaller.appspotmail.com
      Fixes: 4c2d5e33 ("hsr: rename debugfs file when interface name is changed")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      04b69426