1. 01 Nov, 2019 8 commits
  2. 31 Oct, 2019 12 commits
    • Manfred Rudigier's avatar
      igb: Enable media autosense for the i350. · fb2308ba
      Manfred Rudigier authored
      This patch enables the hardware feature "Media Auto Sense" also on the
      i350. It works in the same way as on the 82850 devices. Hardware designs
      using dual PHYs (fiber/copper) can enable this feature by setting the MAS
      enable bits in the NVM_COMPAT register (0x03) in the EEPROM.
      Signed-off-by: default avatarManfred Rudigier <manfred.rudigier@omicronenergy.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      fb2308ba
    • Lyude Paul's avatar
      igb/igc: Don't warn on fatal read failures when the device is removed · 94bc1e52
      Lyude Paul authored
      Fatal read errors are worth warning about, unless of course the device
      was just unplugged from the machine - something that's a rather normal
      occurrence when the igb/igc adapter is located on a Thunderbolt dock. So,
      let's only WARN() if there's a fatal read error while the device is
      still present.
      
      This fixes the following WARN splat that's been appearing whenever I
      unplug my Caldigit TS3 Thunderbolt dock from my laptop:
      
        igb 0000:09:00.0 enp9s0: PCIe link lost
        ------------[ cut here ]------------
        igb: Failed to read reg 0x18!
        WARNING: CPU: 7 PID: 516 at
        drivers/net/ethernet/intel/igb/igb_main.c:756 igb_rd32+0x57/0x6a [igb]
        Modules linked in: igb dca thunderbolt fuse vfat fat elan_i2c mei_wdt
        mei_hdcp i915 wmi_bmof intel_wmi_thunderbolt iTCO_wdt
        iTCO_vendor_support x86_pkg_temp_thermal intel_powerclamp joydev
        coretemp crct10dif_pclmul crc32_pclmul i2c_algo_bit ghash_clmulni_intel
        intel_cstate drm_kms_helper intel_uncore syscopyarea sysfillrect
        sysimgblt fb_sys_fops intel_rapl_perf intel_xhci_usb_role_switch mei_me
        drm roles idma64 i2c_i801 ucsi_acpi typec_ucsi mei intel_lpss_pci
        processor_thermal_device typec intel_pch_thermal intel_soc_dts_iosf
        intel_lpss int3403_thermal thinkpad_acpi wmi int340x_thermal_zone
        ledtrig_audio int3400_thermal acpi_thermal_rel acpi_pad video
        pcc_cpufreq ip_tables serio_raw nvme nvme_core crc32c_intel uas
        usb_storage e1000e i2c_dev
        CPU: 7 PID: 516 Comm: kworker/u16:3 Not tainted 5.2.0-rc1Lyude-Test+ #14
        Hardware name: LENOVO 20L8S2N800/20L8S2N800, BIOS N22ET35W (1.12 ) 04/09/2018
        Workqueue: kacpi_hotplug acpi_hotplug_work_fn
        RIP: 0010:igb_rd32+0x57/0x6a [igb]
        Code: 87 b8 fc ff ff 48 c7 47 08 00 00 00 00 48 c7 c6 33 42 9b c0 4c 89
        c7 e8 47 45 cd dc 89 ee 48 c7 c7 43 42 9b c0 e8 c1 94 71 dc <0f> 0b eb
        08 8b 00 ff c0 75 b0 eb c8 44 89 e0 5d 41 5c c3 0f 1f 44
        RSP: 0018:ffffba5801cf7c48 EFLAGS: 00010286
        RAX: 0000000000000000 RBX: ffff9e7956608840 RCX: 0000000000000007
        RDX: 0000000000000000 RSI: ffffba5801cf7b24 RDI: ffff9e795e3d6a00
        RBP: 0000000000000018 R08: 000000009dec4a01 R09: ffffffff9e61018f
        R10: 0000000000000000 R11: ffffba5801cf7ae5 R12: 00000000ffffffff
        R13: ffff9e7956608840 R14: ffff9e795a6f10b0 R15: 0000000000000000
        FS:  0000000000000000(0000) GS:ffff9e795e3c0000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000564317bc4088 CR3: 000000010e00a006 CR4: 00000000003606e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         igb_release_hw_control+0x1a/0x30 [igb]
         igb_remove+0xc5/0x14b [igb]
         pci_device_remove+0x3b/0x93
         device_release_driver_internal+0xd7/0x17e
         pci_stop_bus_device+0x36/0x75
         pci_stop_bus_device+0x66/0x75
         pci_stop_bus_device+0x66/0x75
         pci_stop_and_remove_bus_device+0xf/0x19
         trim_stale_devices+0xc5/0x13a
         ? __pm_runtime_resume+0x6e/0x7b
         trim_stale_devices+0x103/0x13a
         ? __pm_runtime_resume+0x6e/0x7b
         trim_stale_devices+0x103/0x13a
         acpiphp_check_bridge+0xd8/0xf5
         acpiphp_hotplug_notify+0xf7/0x14b
         ? acpiphp_check_bridge+0xf5/0xf5
         acpi_device_hotplug+0x357/0x3b5
         acpi_hotplug_work_fn+0x1a/0x23
         process_one_work+0x1a7/0x296
         worker_thread+0x1a8/0x24c
         ? process_scheduled_works+0x2c/0x2c
         kthread+0xe9/0xee
         ? kthread_destroy_worker+0x41/0x41
         ret_from_fork+0x35/0x40
        ---[ end trace 252bf10352c63d22 ]---
      Signed-off-by: default avatarLyude Paul <lyude@redhat.com>
      Fixes: 47e16692 ("igb/igc: warn when fatal read failure happens")
      Acked-by: default avatarSasha Neftin <sasha.neftin@intel.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Acked-by: default avatarFeng Tang <feng.tang@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      94bc1e52
    • Eric Dumazet's avatar
      tcp: increase tcp_max_syn_backlog max value · 623d0c2d
      Eric Dumazet authored
      tcp_max_syn_backlog default value depends on memory size
      and TCP ehash size. Before this patch, the max value
      was 2048 [1], which is considered too small nowadays.
      
      Increase it to 4096 to match the recent SOMAXCONN change.
      
      [1] This is with TCP ehash size being capped to 524288 buckets.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Yue Cao <ycao009@ucr.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      623d0c2d
    • Eric Dumazet's avatar
      net: increase SOMAXCONN to 4096 · 19f92a03
      Eric Dumazet authored
      SOMAXCONN is /proc/sys/net/core/somaxconn default value.
      
      It has been defined as 128 more than 20 years ago.
      
      Since it caps the listen() backlog values, the very small value has
      caused numerous problems over the years, and many people had
      to raise it on their hosts after beeing hit by problems.
      
      Google has been using 1024 for at least 15 years, and we increased
      this to 4096 after TCP listener rework has been completed, more than
      4 years ago. We got no complain of this change breaking any
      legacy application.
      
      Many applications indeed setup a TCP listener with listen(fd, -1);
      meaning they let the system select the backlog.
      
      Raising SOMAXCONN lowers chance of the port being unavailable under
      even small SYNFLOOD attack, and reduces possibilities of side channel
      vulnerabilities.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Yue Cao <ycao009@ucr.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19f92a03
    • Ido Schimmel's avatar
      netdevsim: Fix use-after-free during device dismantle · 6d6f0383
      Ido Schimmel authored
      Commit da58f90f ("netdevsim: Add devlink-trap support") added
      delayed work to netdevsim that periodically iterates over the registered
      netdevsim ports and reports various packet traps via devlink.
      
      While the delayed work takes the 'port_list_lock' mutex to protect
      against concurrent addition / deletion of ports, during device creation
      / dismantle ports are added / deleted without this lock, which can
      result in a use-after-free [1].
      
      Fix this by making sure that the ports list is always modified under the
      lock.
      
      [1]
      [   59.205543] ==================================================================
      [   59.207748] BUG: KASAN: use-after-free in nsim_dev_trap_report_work+0xa67/0xad0
      [   59.210247] Read of size 8 at addr ffff8883cbdd3398 by task kworker/3:1/38
      [   59.212584]
      [   59.213148] CPU: 3 PID: 38 Comm: kworker/3:1 Not tainted 5.4.0-rc3-custom-16119-ge6abb5f0261e #2013
      [   59.215896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
      [   59.218384] Workqueue: events nsim_dev_trap_report_work
      [   59.219428] Call Trace:
      [   59.219924]  dump_stack+0xa9/0x10e
      [   59.220623]  print_address_description.constprop.4+0x21/0x340
      [   59.221976]  ? vprintk_func+0x66/0x240
      [   59.222752]  __kasan_report.cold.8+0x78/0x91
      [   59.223602]  ? nsim_dev_trap_report_work+0xa67/0xad0
      [   59.224603]  kasan_report+0xe/0x20
      [   59.225296]  nsim_dev_trap_report_work+0xa67/0xad0
      [   59.226435]  ? rcu_read_lock_sched_held+0xaf/0xe0
      [   59.227512]  ? trace_event_raw_event_rcu_quiescent_state_report+0x360/0x360
      [   59.228851]  process_one_work+0x98f/0x1760
      [   59.229684]  ? pwq_dec_nr_in_flight+0x330/0x330
      [   59.230656]  worker_thread+0x91/0xc40
      [   59.231587]  ? process_one_work+0x1760/0x1760
      [   59.232451]  kthread+0x34a/0x410
      [   59.233104]  ? __kthread_queue_delayed_work+0x240/0x240
      [   59.234141]  ret_from_fork+0x3a/0x50
      [   59.234982]
      [   59.235371] Allocated by task 187:
      [   59.236189]  save_stack+0x19/0x80
      [   59.236853]  __kasan_kmalloc.constprop.5+0xc1/0xd0
      [   59.237822]  kmem_cache_alloc_trace+0x14c/0x380
      [   59.238769]  __nsim_dev_port_add+0xaf/0x5c0
      [   59.239627]  nsim_dev_probe+0x4fc/0x1140
      [   59.240550]  really_probe+0x264/0xc00
      [   59.241418]  driver_probe_device+0x208/0x2e0
      [   59.242255]  __device_attach_driver+0x215/0x2d0
      [   59.243150]  bus_for_each_drv+0x154/0x1d0
      [   59.243944]  __device_attach+0x1ba/0x2b0
      [   59.244923]  bus_probe_device+0x1dd/0x290
      [   59.245805]  device_add+0xbac/0x1550
      [   59.246528]  new_device_store+0x1f4/0x400
      [   59.247306]  bus_attr_store+0x7b/0xa0
      [   59.248047]  sysfs_kf_write+0x10f/0x170
      [   59.248941]  kernfs_fop_write+0x283/0x430
      [   59.249843]  __vfs_write+0x81/0x100
      [   59.250546]  vfs_write+0x1ce/0x510
      [   59.251190]  ksys_write+0x104/0x200
      [   59.251873]  do_syscall_64+0xa4/0x4e0
      [   59.252642]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [   59.253837]
      [   59.254203] Freed by task 187:
      [   59.254811]  save_stack+0x19/0x80
      [   59.255463]  __kasan_slab_free+0x125/0x170
      [   59.256265]  kfree+0x100/0x440
      [   59.256870]  nsim_dev_remove+0x98/0x100
      [   59.257651]  nsim_bus_remove+0x16/0x20
      [   59.258382]  device_release_driver_internal+0x20b/0x4d0
      [   59.259588]  bus_remove_device+0x2e9/0x5a0
      [   59.260551]  device_del+0x410/0xad0
      [   59.263777]  device_unregister+0x26/0xc0
      [   59.264616]  nsim_bus_dev_del+0x16/0x60
      [   59.265381]  del_device_store+0x2d6/0x3c0
      [   59.266295]  bus_attr_store+0x7b/0xa0
      [   59.267192]  sysfs_kf_write+0x10f/0x170
      [   59.267960]  kernfs_fop_write+0x283/0x430
      [   59.268800]  __vfs_write+0x81/0x100
      [   59.269551]  vfs_write+0x1ce/0x510
      [   59.270252]  ksys_write+0x104/0x200
      [   59.270910]  do_syscall_64+0xa4/0x4e0
      [   59.271680]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [   59.272812]
      [   59.273211] The buggy address belongs to the object at ffff8883cbdd3200
      [   59.273211]  which belongs to the cache kmalloc-512 of size 512
      [   59.275838] The buggy address is located 408 bytes inside of
      [   59.275838]  512-byte region [ffff8883cbdd3200, ffff8883cbdd3400)
      [   59.278151] The buggy address belongs to the page:
      [   59.279215] page:ffffea000f2f7400 refcount:1 mapcount:0 mapping:ffff8883ecc0ce00 index:0x0 compound_mapcount: 0
      [   59.281449] flags: 0x200000000010200(slab|head)
      [   59.282356] raw: 0200000000010200 ffffea000f2f3a08 ffffea000f2fd608 ffff8883ecc0ce00
      [   59.283949] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
      [   59.285608] page dumped because: kasan: bad access detected
      [   59.286981]
      [   59.287337] Memory state around the buggy address:
      [   59.288310]  ffff8883cbdd3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   59.289763]  ffff8883cbdd3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   59.291452] >ffff8883cbdd3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   59.292945]                             ^
      [   59.293815]  ffff8883cbdd3400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   59.295220]  ffff8883cbdd3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   59.296872] ==================================================================
      
      Fixes: da58f90f ("netdevsim: Add devlink-trap support")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: syzbot+9ed8f68ab30761f3678e@syzkaller.appspotmail.com
      Acked-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d6f0383
    • David Howells's avatar
      rxrpc: Fix handling of last subpacket of jumbo packet · f9c32435
      David Howells authored
      When rxrpc_recvmsg_data() sets the return value to 1 because it's drained
      all the data for the last packet, it checks the last-packet flag on the
      whole packet - but this is wrong, since the last-packet flag is only set on
      the final subpacket of the last jumbo packet.  This means that a call that
      receives its last packet in a jumbo packet won't complete properly.
      
      Fix this by having rxrpc_locate_data() determine the last-packet state of
      the subpacket it's looking at and passing that back to the caller rather
      than having the caller look in the packet header.  The caller then needs to
      cache this in the rxrpc_call struct as rxrpc_locate_data() isn't then
      called again for this packet.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Fixes: e2de6c40 ("rxrpc: Use info in skbuff instead of reparsing a jumbo packet")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9c32435
    • David S. Miller's avatar
      Merge tag 'mac80211-for-net-2019-10-31' of... · 5a7ec667
      David S. Miller authored
      Merge tag 'mac80211-for-net-2019-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Just two fixes:
       * HT operation is not allowed on channel 14 (Japan only)
       * netlink policy for nexthop attribute was wrong
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a7ec667
    • David S. Miller's avatar
      Merge branch 'hv_netvsc-fix-error-handling-in-netvsc_attach-set_features' · 3da09663
      David S. Miller authored
      Haiyang Zhang says:
      
      ====================
      hv_netvsc: fix error handling in netvsc_attach/set_features
      
      The error handling code path in these functions are not correct.
      This patch set fixes them.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3da09663
    • Haiyang Zhang's avatar
      hv_netvsc: Fix error handling in netvsc_attach() · 719b85c3
      Haiyang Zhang authored
      If rndis_filter_open() fails, we need to remove the rndis device created
      in earlier steps, before returning an error code. Otherwise, the retry of
      netvsc_attach() from its callers will fail and hang.
      
      Fixes: 7b2ee50c ("hv_netvsc: common detach logic")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      719b85c3
    • Haiyang Zhang's avatar
      hv_netvsc: Fix error handling in netvsc_set_features() · c4509a5a
      Haiyang Zhang authored
      When an error is returned by rndis_filter_set_offload_params(), we should
      still assign the unaffected features to ndev->features. Otherwise, these
      features will be missing.
      
      Fixes: d6792a5a ("hv_netvsc: Add handler for LRO setting change")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4509a5a
    • Vishal Kulkarni's avatar
      cxgb4: fix panic when attaching to ULD fail · fc89cc35
      Vishal Kulkarni authored
      Release resources when attaching to ULD fail. Otherwise, data
      mismatch is seen between LLD and ULD later on, which lead to
      kernel panic when accessing resources that should not even
      exist in the first place.
      
      Fixes: 94cdb8bb ("cxgb4: Add support for dynamic allocation of resources for ULD")
      Signed-off-by: default avatarShahjada Abul Husain <shahjada@chelsio.com>
      Signed-off-by: default avatarVishal Kulkarni <vishal@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc89cc35
    • Eric Dumazet's avatar
      net: annotate lockless accesses to sk->sk_napi_id · ee8d153d
      Eric Dumazet authored
      We already annotated most accesses to sk->sk_napi_id
      
      We missed sk_mark_napi_id() and sk_mark_napi_id_once()
      which might be called without socket lock held in UDP stack.
      
      KCSAN reported :
      BUG: KCSAN: data-race in udpv6_queue_rcv_one_skb / udpv6_queue_rcv_one_skb
      
      write to 0xffff888121c6d108 of 4 bytes by interrupt on cpu 0:
       sk_mark_napi_id include/net/busy_poll.h:125 [inline]
       __udpv6_queue_rcv_skb net/ipv6/udp.c:571 [inline]
       udpv6_queue_rcv_one_skb+0x70c/0xb40 net/ipv6/udp.c:672
       udpv6_queue_rcv_skb+0xb5/0x400 net/ipv6/udp.c:689
       udp6_unicast_rcv_skb.isra.0+0xd7/0x180 net/ipv6/udp.c:832
       __udp6_lib_rcv+0x69c/0x1770 net/ipv6/udp.c:913
       udpv6_rcv+0x2b/0x40 net/ipv6/udp.c:1015
       ip6_protocol_deliver_rcu+0x22a/0xbe0 net/ipv6/ip6_input.c:409
       ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459
       dst_input include/net/dst.h:442 [inline]
       ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
       process_backlog+0x1d3/0x420 net/core/dev.c:5955
       napi_poll net/core/dev.c:6392 [inline]
       net_rx_action+0x3ae/0xa90 net/core/dev.c:6460
      
      write to 0xffff888121c6d108 of 4 bytes by interrupt on cpu 1:
       sk_mark_napi_id include/net/busy_poll.h:125 [inline]
       __udpv6_queue_rcv_skb net/ipv6/udp.c:571 [inline]
       udpv6_queue_rcv_one_skb+0x70c/0xb40 net/ipv6/udp.c:672
       udpv6_queue_rcv_skb+0xb5/0x400 net/ipv6/udp.c:689
       udp6_unicast_rcv_skb.isra.0+0xd7/0x180 net/ipv6/udp.c:832
       __udp6_lib_rcv+0x69c/0x1770 net/ipv6/udp.c:913
       udpv6_rcv+0x2b/0x40 net/ipv6/udp.c:1015
       ip6_protocol_deliver_rcu+0x22a/0xbe0 net/ipv6/ip6_input.c:409
       ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459
       dst_input include/net/dst.h:442 [inline]
       ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
       process_backlog+0x1d3/0x420 net/core/dev.c:5955
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 10890 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: e68b6e50 ("udp: enable busy polling for all sockets")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee8d153d
  3. 30 Oct, 2019 19 commits
    • Eric Dumazet's avatar
      net: annotate accesses to sk->sk_incoming_cpu · 7170a977
      Eric Dumazet authored
      This socket field can be read and written by concurrent cpus.
      
      Use READ_ONCE() and WRITE_ONCE() annotations to document this,
      and avoid some compiler 'optimizations'.
      
      KCSAN reported :
      
      BUG: KCSAN: data-race in tcp_v4_rcv / tcp_v4_rcv
      
      write to 0xffff88812220763c of 4 bytes by interrupt on cpu 0:
       sk_incoming_cpu_update include/net/sock.h:953 [inline]
       tcp_v4_rcv+0x1b3c/0x1bb0 net/ipv4/tcp_ipv4.c:1934
       ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
       process_backlog+0x1d3/0x420 net/core/dev.c:5955
       napi_poll net/core/dev.c:6392 [inline]
       net_rx_action+0x3ae/0xa90 net/core/dev.c:6460
       __do_softirq+0x115/0x33f kernel/softirq.c:292
       do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
       do_softirq.part.0+0x6b/0x80 kernel/softirq.c:337
       do_softirq kernel/softirq.c:329 [inline]
       __local_bh_enable_ip+0x76/0x80 kernel/softirq.c:189
      
      read to 0xffff88812220763c of 4 bytes by interrupt on cpu 1:
       sk_incoming_cpu_update include/net/sock.h:952 [inline]
       tcp_v4_rcv+0x181a/0x1bb0 net/ipv4/tcp_ipv4.c:1934
       ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
       process_backlog+0x1d3/0x420 net/core/dev.c:5955
       napi_poll net/core/dev.c:6392 [inline]
       net_rx_action+0x3ae/0xa90 net/core/dev.c:6460
       __do_softirq+0x115/0x33f kernel/softirq.c:292
       run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
       smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7170a977
    • Jiri Pirko's avatar
      mlxsw: core: Unpublish devlink parameters during reload · b7265a0d
      Jiri Pirko authored
      The devlink parameter "acl_region_rehash_interval" is a runtime
      parameter whose value is stored in a dynamically allocated memory. While
      reloading the driver, this memory is freed and then allocated again. A
      use-after-free might happen if during this time frame someone tries to
      retrieve its value.
      
      Since commit 070c63f2 ("net: devlink: allow to change namespaces
      during reload") the use-after-free can be reliably triggered when
      reloading the driver into a namespace, as after freeing the memory (via
      reload_down() callback) all the parameters are notified.
      
      Fix this by unpublishing and then re-publishing the parameters during
      reload.
      
      Fixes: 98bbf70c ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param")
      Fixes: 7c62cfb8 ("devlink: publish params only after driver init is done")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7265a0d
    • Sudarsana Reddy Kalluru's avatar
      qed: Optimize execution time for nvm attributes configuration. · c63b0968
      Sudarsana Reddy Kalluru authored
      Current implementation for nvm_attr configuration instructs the management
      FW to load/unload the nvm-cfg image for each user-provided attribute in
      the input file. This consumes lot of cycles even for few tens of
      attributes.
      This patch updates the implementation to perform load/commit of the config
      for every 50 attributes. After loading the nvm-image, MFW expects that
      config should be committed in a predefined timer value (5 sec), hence it's
      not possible to write large number of attributes in a single load/commit
      window. Hence performing the commits in chunks.
      
      Fixes: 0dabbe1b ("qed: Add driver API for flashing the config attributes.")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: default avatarAriel Elior <aelior@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c63b0968
    • Taehee Yoo's avatar
      vxlan: fix unexpected failure of vxlan_changelink() · c6761cf5
      Taehee Yoo authored
      After commit 0ce1822c ("vxlan: add adjacent link to limit depth
      level"), vxlan_changelink() could fail because of
      netdev_adjacent_change_prepare().
      netdev_adjacent_change_prepare() returns -EEXIST when old lower device
      and new lower device are same.
      (old lower device is "dst->remote_dev" and new lower device is "lowerdev")
      So, before calling it, lowerdev should be NULL if these devices are same.
      
      Test command1:
          ip link add dummy0 type dummy
          ip link add vxlan0 type vxlan dev dummy0 dstport 4789 vni 1
          ip link set vxlan0 type vxlan ttl 5
          RTNETLINK answers: File exists
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 0ce1822c ("vxlan: add adjacent link to limit depth level")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6761cf5
    • Colin Ian King's avatar
      qed: fix spelling mistake "queuess" -> "queues" · dc99da4f
      Colin Ian King authored
      There is a spelling misake in a DP_NOTICE message. Fix it.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc99da4f
    • Ayala Beker's avatar
      iwlwifi: fw api: support new API for scan config cmd · 3d206e68
      Ayala Beker authored
      The API was reduced to include only knowledge currently needed by the
      FW scan logic, the rest is legacy.  Support the new, reduced version.
      
      Using the old API with newer firmwares (starting from
      iwlwifi-*-50.ucode, which implements and requires the new API version)
      causes an assertion failure similar to this one:
      
      [    2.854505] iwlwifi 0000:00:14.3: 0x20000038 | BAD_COMMAND
      Signed-off-by: default avatarAyala Beker <ayala.beker@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      3d206e68
    • Lorenzo Bianconi's avatar
      mt76: dma: fix buffer unmap with non-linear skbs · 7bd0650b
      Lorenzo Bianconi authored
      mt76 dma layer is supposed to unmap skb data buffers while keep txwi
      mapped on hw dma ring. At the moment mt76 wrongly unmap txwi or does
      not unmap data fragments in even positions for non-linear skbs. This
      issue may result in hw hangs with A-MSDU if the system relies on IOMMU
      or SWIOTLB. Fix this behaviour properly unmapping data fragments on
      non-linear skbs.
      
      Fixes: 17f1de56 ("mt76: add common code shared between multiple chipsets")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      7bd0650b
    • Lorenzo Bianconi's avatar
      mt76: mt76x2e: disable pcie_aspm by default · f37f0550
      Lorenzo Bianconi authored
      On same device (e.g. U7612E-H1) PCIE_ASPM causes continuous mcu hangs and
      instability. Since mt76x2 series does not manage PCIE PS states, first we
      try to disable ASPM using pci_disable_link_state. If it fails, we will
      disable PCIE PS configuring PCI registers.
      This patch has been successfully tested on U7612E-H1 mini-pice card
      Tested-by: default avatarOleksandr Natalenko <oleksandr@natalenko.name>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f37f0550
    • Markus Theil's avatar
      nl80211: fix validation of mesh path nexthop · 1fab1b89
      Markus Theil authored
      Mesh path nexthop should be a ethernet address, but current validation
      checks against 4 byte integers.
      
      Cc: stable@vger.kernel.org
      Fixes: 2ec600d6 ("nl80211/cfg80211: support for mesh, sta dumping")
      Signed-off-by: default avatarMarkus Theil <markus.theil@tu-ilmenau.de>
      Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.deSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      1fab1b89
    • Masashi Honma's avatar
      nl80211: Disallow setting of HT for channel 14 · ec649fed
      Masashi Honma authored
      This patch disables setting of HT20 and more for channel 14 because
      the channel is only for IEEE 802.11b.
      
      The patch for net/wireless/util.c was unit-tested.
      
      The patch for net/wireless/chan.c was tested with iw command.
      
      Before this patch.
      $ sudo iw dev <ifname> set channel 14 HT20
      $
      
      After this patch.
      $ sudo iw dev <ifname> set channel 14 HT20
      kernel reports: invalid channel definition
      command failed: Invalid argument (-22)
      $
      Signed-off-by: default avatarMasashi Honma <masashi.honma@gmail.com>
      Link: https://lore.kernel.org/r/20191021075045.2719-1-masashi.honma@gmail.com
      [clean up the code, use != instead of equivalent >]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      ec649fed
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2019-10-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 6f74a55d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-10-24
      
      This series introduces misc fixes to mlx5 driver.
      
      v1->v2:
       - Dropped the kTLS counter documentation patch, Tariq will fix it and
         send it later.
       - Added a new fix for link speed mode reporting.
        ('net/mlx5e: Initialize link modes bitmap on stack')
      
      For -stable v4.14
        ('net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget')
      
      For -stable v4.19
        ('net/mlx5e: Fix ethtool self test: link speed')
      
      For -stable v5.2
        ('net/mlx5: Fix flow counter list auto bits struct')
        ('net/mlx5: Fix rtable reference leak')
      
      For -stable v5.3
        ('net/mlx5e: Remove incorrect match criteria assignment line')
        ('net/mlx5e: Determine source port properly for vlan push action')
        ('net/mlx5e: Initialize link modes bitmap on stack')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f74a55d
    • Nikolay Aleksandrov's avatar
      net: rtnetlink: fix a typo fbd -> fdb · 8b73018f
      Nikolay Aleksandrov authored
      A simple typo fix in the nl error message (fbd -> fdb).
      
      CC: David Ahern <dsahern@gmail.com>
      Fixes: 8c6e137f ("rtnetlink: Update rtnl_fdb_dump for strict data checking")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8b73018f
    • Ursula Braun's avatar
      net/smc: fix refcounting for non-blocking connect() · 301428ea
      Ursula Braun authored
      If a nonblocking socket is immediately closed after connect(),
      the connect worker may not have started. This results in a refcount
      problem, since sock_hold() is called from the connect worker.
      This patch moves the sock_hold in front of the connect worker
      scheduling.
      
      Reported-by: syzbot+4c063e6dea39e4b79f29@syzkaller.appspotmail.com
      Fixes: 50717a37 ("net/smc: nonblocking connect rework")
      Reviewed-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      301428ea
    • Taehee Yoo's avatar
      bonding: fix using uninitialized mode_lock · ad9bd8da
      Taehee Yoo authored
      When a bonding interface is being created, it setups its mode and options.
      At that moment, it uses mode_lock so mode_lock should be initialized
      before that moment.
      
      rtnl_newlink()
      	rtnl_create_link()
      		alloc_netdev_mqs()
      			->setup() //bond_setup()
      	->newlink //bond_newlink
      		bond_changelink()
      		register_netdevice()
      			->ndo_init() //bond_init()
      
      After commit 089bca2c ("bonding: use dynamic lockdep key instead of
      subclass"), mode_lock is initialized in bond_init().
      So in the bond_changelink(), un-initialized mode_lock can be used.
      mode_lock should be initialized in bond_setup().
      This patch partially reverts commit 089bca2c ("bonding: use dynamic
      lockdep key instead of subclass")
      
      Test command:
          ip link add bond0 type bond mode 802.3ad lacp_rate 0
      
      Splat looks like:
      [   60.615127] INFO: trying to register non-static key.
      [   60.615900] the code is fine but needs lockdep annotation.
      [   60.616697] turning off the locking correctness validator.
      [   60.617490] CPU: 1 PID: 957 Comm: ip Not tainted 5.4.0-rc3+ #109
      [   60.618350] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   60.619481] Call Trace:
      [   60.619918]  dump_stack+0x7c/0xbb
      [   60.620453]  register_lock_class+0x1215/0x14d0
      [   60.621131]  ? alloc_netdev_mqs+0x7b3/0xcc0
      [   60.621771]  ? is_bpf_text_address+0x86/0xf0
      [   60.622416]  ? is_dynamic_key+0x230/0x230
      [   60.623032]  ? unwind_get_return_address+0x5f/0xa0
      [   60.623757]  ? create_prof_cpu_mask+0x20/0x20
      [   60.624408]  ? arch_stack_walk+0x83/0xb0
      [   60.625023]  __lock_acquire+0xd8/0x3de0
      [   60.625616]  ? stack_trace_save+0x82/0xb0
      [   60.626225]  ? stack_trace_consume_entry+0x160/0x160
      [   60.626957]  ? deactivate_slab.isra.80+0x2c5/0x800
      [   60.627668]  ? register_lock_class+0x14d0/0x14d0
      [   60.628380]  ? alloc_netdev_mqs+0x7b3/0xcc0
      [   60.629020]  ? save_stack+0x69/0x80
      [   60.629574]  ? save_stack+0x19/0x80
      [   60.630121]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [   60.630859]  ? __kmalloc_node+0x16f/0x480
      [   60.631472]  ? alloc_netdev_mqs+0x7b3/0xcc0
      [   60.632121]  ? rtnl_create_link+0x2ed/0xad0
      [   60.634388]  ? __rtnl_newlink+0xad4/0x11b0
      [   60.635024]  lock_acquire+0x164/0x3b0
      [   60.635608]  ? bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
      [   60.636463]  _raw_spin_lock_bh+0x38/0x70
      [   60.637084]  ? bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
      [   60.637930]  bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
      [   60.638753]  ? bond_3ad_lacpdu_recv+0xb30/0xb30 [bonding]
      [   60.639552]  ? bond_opt_get_val+0x180/0x180 [bonding]
      [   60.640307]  ? ___slab_alloc+0x5aa/0x610
      [   60.640925]  bond_option_lacp_rate_set+0x71/0x140 [bonding]
      [   60.641751]  __bond_opt_set+0x1ff/0xbb0 [bonding]
      [   60.643217]  ? kasan_unpoison_shadow+0x30/0x40
      [   60.643924]  bond_changelink+0x9a4/0x1700 [bonding]
      [   60.644653]  ? memset+0x1f/0x40
      [   60.742941]  ? bond_slave_changelink+0x1a0/0x1a0 [bonding]
      [   60.752694]  ? alloc_netdev_mqs+0x8ea/0xcc0
      [   60.753330]  ? rtnl_create_link+0x2ed/0xad0
      [   60.753964]  bond_newlink+0x1e/0x60 [bonding]
      [   60.754612]  __rtnl_newlink+0xb9f/0x11b0
      [ ... ]
      
      Reported-by: syzbot+8da67f407bcba2c72e6e@syzkaller.appspotmail.com
      Reported-by: syzbot+0d083911ab18b710da71@syzkaller.appspotmail.com
      Fixes: 089bca2c ("bonding: use dynamic lockdep key instead of subclass")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad9bd8da
    • Anson Huang's avatar
      net: fec_ptp: Use platform_get_irq_xxx_optional() to avoid error message · b86bcb29
      Anson Huang authored
      Use platform_get_irq_byname_optional() and platform_get_irq_optional()
      instead of platform_get_irq_byname() and platform_get_irq() for optional
      IRQs to avoid below error message during probe:
      
      [    0.795803] fec 30be0000.ethernet: IRQ pps not found
      [    0.800787] fec 30be0000.ethernet: IRQ index 3 not found
      Signed-off-by: default avatarAnson Huang <Anson.Huang@nxp.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Reviewed-by: default avatarStephen Boyd <swboyd@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b86bcb29
    • Anson Huang's avatar
      net: fec_main: Use platform_get_irq_byname_optional() to avoid error message · 3b56be21
      Anson Huang authored
      Failed to get irq using name is NOT fatal as driver will use index
      to get irq instead, use platform_get_irq_byname_optional() instead
      of platform_get_irq_byname() to avoid below error message during
      probe:
      
      [    0.819312] fec 30be0000.ethernet: IRQ int0 not found
      [    0.824433] fec 30be0000.ethernet: IRQ int1 not found
      [    0.829539] fec 30be0000.ethernet: IRQ int2 not found
      Signed-off-by: default avatarAnson Huang <Anson.Huang@nxp.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Reviewed-by: default avatarStephen Boyd <swboyd@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b56be21
    • Jakub Kicinski's avatar
      MAINTAINERS: remove Dave Watson as TLS maintainer · f9f29338
      Jakub Kicinski authored
      Dave's Facebook email address is not working, and my attempts
      to contact him are failing. Let's remove it to trim down the
      list of TLS maintainers.
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9f29338
    • Xin Long's avatar
      vxlan: check tun_info options_len properly · eadf52cf
      Xin Long authored
      This patch is to improve the tun_info options_len by dropping
      the skb when TUNNEL_VXLAN_OPT is set but options_len is less
      than vxlan_metadata. This can void a potential out-of-bounds
      access on ip_tun_info.
      
      Fixes: ee122c79 ("vxlan: Flow based tunneling")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eadf52cf
    • Xin Long's avatar
      erspan: fix the tun_info options_len check for erspan · 2eb8d6d2
      Xin Long authored
      The check for !md doens't really work for ip_tunnel_info_opts(info) which
      only does info + 1. Also to avoid out-of-bounds access on info, it should
      ensure options_len is not less than erspan_metadata in both erspan_xmit()
      and ip6erspan_tunnel_xmit().
      
      Fixes: 1a66a836 ("gre: add collect_md mode to ERSPAN tunnel")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2eb8d6d2
  4. 29 Oct, 2019 1 commit