1. 13 Sep, 2017 4 commits
    • Cong Wang's avatar
      net_sched: get rid of tcfa_rcu · d7fb60b9
      Cong Wang authored
      gen estimator has been rewritten in commit 1c0d32fd
      ("net_sched: gen_estimator: complete rewrite of rate estimators"),
      the caller is no longer needed to wait for a grace period.
      So this patch gets rid of it.
      
      This also completely closes a race condition between action free
      path and filter chain add/remove path for the following patch.
      Because otherwise the nested RCU callback can't be caught by
      rcu_barrier().
      
      Please see also the comments in code.
      
      Cc: Jiri Pirko <jiri@mellanox.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d7fb60b9
    • Eric Dumazet's avatar
      tcp/dccp: remove reqsk_put() from inet_child_forget() · da8ab578
      Eric Dumazet authored
      Back in linux-4.4, I inadvertently put a call to reqsk_put() in
      inet_child_forget(), forgetting it could be called from two different
      points.
      
      In the case it is called from inet_csk_reqsk_queue_add(), we want to
      keep the reference on the request socket, since it is released later by
      the caller (tcp_v{4|6}_rcv())
      
      This bug never showed up because atomic_dec_and_test() was not signaling
      the underflow, and SLAB_DESTROY_BY RCU semantic for request sockets
      prevented the request to be put in quarantine.
      
      Recent conversion of socket refcount from atomic_t to refcount_t finally
      exposed the bug.
      
      So move the reqsk_put() to inet_csk_listen_stop() to fix this.
      
      Thanks to Shankara Pailoor for using syzkaller and providing
      a nice set of .config and C repro.
      
      WARNING: CPU: 2 PID: 4277 at lib/refcount.c:186
      refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:186
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 2 PID: 4277 Comm: syz-executor0 Not tainted 4.13.0-rc7 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0xf7/0x1aa lib/dump_stack.c:52
       panic+0x1ae/0x3a7 kernel/panic.c:180
       __warn+0x1c4/0x1d9 kernel/panic.c:541
       report_bug+0x211/0x2d0 lib/bug.c:183
       fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
       do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
       do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
       do_error_trap+0x118/0x340 arch/x86/kernel/traps.c:310
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
       invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:846
      RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:186
      RSP: 0018:ffff88006e006b60 EFLAGS: 00010286
      RAX: 0000000000000026 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000026 RSI: 1ffff1000dc00d2c RDI: ffffed000dc00d60
      RBP: ffff88006e006bf0 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000dc00d6d
      R13: 00000000ffffffff R14: 0000000000000001 R15: ffff88006ce9d340
       refcount_dec_and_test+0x1a/0x20 lib/refcount.c:211
       reqsk_put+0x71/0x2b0 include/net/request_sock.h:123
       tcp_v4_rcv+0x259e/0x2e20 net/ipv4/tcp_ipv4.c:1729
       ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:248 [inline]
       ip_local_deliver+0x1ce/0x6d0 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:477 [inline]
       ip_rcv_finish+0x8db/0x19c0 net/ipv4/ip_input.c:397
       NF_HOOK include/linux/netfilter.h:248 [inline]
       ip_rcv+0xc3f/0x17d0 net/ipv4/ip_input.c:488
       __netif_receive_skb_core+0x1fb7/0x31f0 net/core/dev.c:4298
       __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4336
       process_backlog+0x1c5/0x6d0 net/core/dev.c:5102
       napi_poll net/core/dev.c:5499 [inline]
       net_rx_action+0x6d3/0x14a0 net/core/dev.c:5565
       __do_softirq+0x2cb/0xb2d kernel/softirq.c:284
       do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:898
       </IRQ>
       do_softirq.part.16+0x63/0x80 kernel/softirq.c:328
       do_softirq kernel/softirq.c:176 [inline]
       __local_bh_enable_ip+0x84/0x90 kernel/softirq.c:181
       local_bh_enable include/linux/bottom_half.h:31 [inline]
       rcu_read_unlock_bh include/linux/rcupdate.h:705 [inline]
       ip_finish_output2+0x8ad/0x1360 net/ipv4/ip_output.c:231
       ip_finish_output+0x74e/0xb80 net/ipv4/ip_output.c:317
       NF_HOOK_COND include/linux/netfilter.h:237 [inline]
       ip_output+0x1cc/0x850 net/ipv4/ip_output.c:405
       dst_output include/net/dst.h:471 [inline]
       ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
       ip_queue_xmit+0x8c6/0x1810 net/ipv4/ip_output.c:504
       tcp_transmit_skb+0x1963/0x3320 net/ipv4/tcp_output.c:1123
       tcp_send_ack.part.35+0x38c/0x620 net/ipv4/tcp_output.c:3575
       tcp_send_ack+0x49/0x60 net/ipv4/tcp_output.c:3545
       tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:5795 [inline]
       tcp_rcv_state_process+0x4876/0x4b60 net/ipv4/tcp_input.c:5930
       tcp_v4_do_rcv+0x58a/0x820 net/ipv4/tcp_ipv4.c:1483
       sk_backlog_rcv include/net/sock.h:907 [inline]
       __release_sock+0x124/0x360 net/core/sock.c:2223
       release_sock+0xa4/0x2a0 net/core/sock.c:2715
       inet_wait_for_connect net/ipv4/af_inet.c:557 [inline]
       __inet_stream_connect+0x671/0xf00 net/ipv4/af_inet.c:643
       inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:682
       SYSC_connect+0x204/0x470 net/socket.c:1628
       SyS_connect+0x24/0x30 net/socket.c:1609
       entry_SYSCALL_64_fastpath+0x18/0xad
      RIP: 0033:0x451e59
      RSP: 002b:00007f474843fc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002a
      RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
      RDX: 0000000000000010 RSI: 0000000020002000 RDI: 0000000000000007
      RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
      R13: 00007ffc040a0f8f R14: 00007f47484409c0 R15: 0000000000000000
      
      Fixes: ebb516af ("tcp/dccp: fix race at listener dismantle phase")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarShankara Pailoor <sp3485@columbia.edu>
      Tested-by: default avatarShankara Pailoor <sp3485@columbia.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      da8ab578
    • Christophe JAILLET's avatar
      openvswitch: Fix an error handling path in 'ovs_nla_init_match_and_action()' · 5829e62a
      Christophe JAILLET authored
      All other error handling paths in this function go through the 'error'
      label. This one should do the same.
      
      Fixes: 9cc9a5cb ("datapath: Avoid using stack larger than 1024.")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5829e62a
    • Nisar Sayed's avatar
      smsc95xx: Configure pause time to 0xffff when tx flow control enabled · 9c082731
      Nisar Sayed authored
      Configure pause time to 0xffff when tx flow control enabled
      
      Set pause time to 0xffff in the pause frame to indicate the
      partner to stop sending the packets. When RX buffer frees up,
      the device sends pause frame with pause time zero for partner to
      resume transmission.
      
      Fixes: 2f7ca802 ("Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
      Signed-off-by: default avatarNisar Sayed <Nisar.Sayed@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c082731
  2. 11 Sep, 2017 8 commits
  3. 09 Sep, 2017 28 commits
    • Dan Carpenter's avatar
      net: qualcomm: rmnet: Fix a double free · 1f4f554a
      Dan Carpenter authored
      There is a typo here so we accidentally free "skb" instead of "skbn".
      It leads to a double free and a leak.  After discussing with Subash,
      it's better to just move the check before the allocation and avoid the
      need to free.
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f4f554a
    • Linus Torvalds's avatar
      Merge tag 'nfsd-4.14' of git://linux-nfs.org/~bfields/linux · ad9a19d0
      Linus Torvalds authored
      Pull nfsd updates from Bruce Fields:
       "More RDMA work and some op-structure constification from Chuck Lever,
        and a small cleanup to our xdr encoding"
      
      * tag 'nfsd-4.14' of git://linux-nfs.org/~bfields/linux:
        svcrdma: Estimate Send Queue depth properly
        rdma core: Add rdma_rw_mr_payload()
        svcrdma: Limit RQ depth
        svcrdma: Populate tail iovec when receiving
        nfsd: Incoming xdr_bufs may have content in tail buffer
        svcrdma: Clean up svc_rdma_build_read_chunk()
        sunrpc: Const-ify struct sv_serv_ops
        nfsd: Const-ify NFSv4 encoding and decoding ops arrays
        sunrpc: Const-ify instances of struct svc_xprt_ops
        nfsd4: individual encoders no longer see error cases
        nfsd4: skip encoder in trivial error cases
        nfsd4: define ->op_release for compound ops
        nfsd4: opdesc will be useful outside nfs4proc.c
        nfsd4: move some nfsd4 op definitions to xdr4.h
      ad9a19d0
    • Linus Torvalds's avatar
      Merge branch 'for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 66ba772e
      Linus Torvalds authored
      Pull btrfs updates from David Sterba:
       "The changes range through all types: cleanups, core chagnes, sanity
        checks, fixes, other user visible changes, detailed list below:
      
         - deprecated: user transaction ioctl
      
         - mount option ssd does not change allocation alignments
      
         - degraded read-write mount is allowed if all the raid profile
           constraints are met, now based on more accurate check
      
         - defrag: do not reset compression afterwards; the NOCOMPRESS flag
           can be now overriden by defrag
      
         - prep work for better extent reference tracking (related to the
           qgroup slowness with balance)
      
         - prep work for compression heuristics
      
         - memory allocation reductions (may help latencies on a loaded
           system)
      
         - better accounting for io waiting states
      
         - error handling improvements (removed BUGs)
      
         - added more sanity checks for shared refs
      
         - fix readdir vs pagefault deadlock under some circumstances
      
         - fix for 'no-hole' mode, certain combination of compressed and
           inline extents
      
         - send: fix emission of invalid clone operations
      
         - fixup file mode if setting acls fail
      
         - more fixes from fuzzing
      
         - oher cleanups"
      
      * 'for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: (104 commits)
        btrfs: submit superblock io with REQ_META and REQ_PRIO
        btrfs: remove unnecessary memory barrier in btrfs_direct_IO
        btrfs: remove superfluous chunk_tree argument from btrfs_alloc_dev_extent
        btrfs: Remove chunk_objectid parameter of btrfs_alloc_dev_extent
        btrfs: pass fs_info to btrfs_del_root instead of tree_root
        Btrfs: add one more sanity check for shared ref type
        Btrfs: remove BUG_ON in __add_tree_block
        Btrfs: remove BUG() in add_data_reference
        Btrfs: remove BUG() in print_extent_item
        Btrfs: remove BUG() in btrfs_extent_inline_ref_size
        Btrfs: convert to use btrfs_get_extent_inline_ref_type
        Btrfs: add a helper to retrive extent inline ref type
        btrfs: scrub: simplify scrub worker initialization
        btrfs: scrub: clean up division in scrub_find_csum
        btrfs: scrub: clean up division in __scrub_mark_bitmap
        btrfs: scrub: use bool for flush_all_writes
        btrfs: preserve i_mode if __btrfs_set_acl() fails
        btrfs: Remove extraneous chunk_objectid variable
        btrfs: Remove chunk_objectid argument from btrfs_make_block_group
        btrfs: Remove extra parentheses from condition in copy_items()
        ...
      66ba772e
    • Linus Torvalds's avatar
      Merge branch 'for-4.14/block-postmerge' of git://git.kernel.dk/linux-block · 126e76ff
      Linus Torvalds authored
      Pull followup block layer updates from Jens Axboe:
       "I ended up splitting the main pull request for this series into two,
        mainly because of clashes between NVMe fixes that went into 4.13 after
        the for-4.14 branches were split off. This pull request is mostly
        NVMe, but not exclusively. In detail, it contains:
      
         - Two pull request for NVMe changes from Christoph. Nothing new on
           the feature front, basically just fixes all over the map for the
           core bits, transport, rdma, etc.
      
         - Series from Bart, cleaning up various bits in the BFQ scheduler.
      
         - Series of bcache fixes, which has been lingering for a release or
           two. Coly sent this in, but patches from various people in this
           area.
      
         - Set of patches for BFQ from Paolo himself, updating both
           documentation and fixing some corner cases in performance.
      
         - Series from Omar, attempting to now get the 4k loop support
           correct. Our confidence level is higher this time.
      
         - Series from Shaohua for loop as well, improving O_DIRECT
           performance and fixing a use-after-free"
      
      * 'for-4.14/block-postmerge' of git://git.kernel.dk/linux-block: (74 commits)
        bcache: initialize dirty stripes in flash_dev_run()
        loop: set physical block size to logical block size
        bcache: fix bch_hprint crash and improve output
        bcache: Update continue_at() documentation
        bcache: silence static checker warning
        bcache: fix for gc and write-back race
        bcache: increase the number of open buckets
        bcache: Correct return value for sysfs attach errors
        bcache: correct cache_dirty_target in __update_writeback_rate()
        bcache: gc does not work when triggering by manual command
        bcache: Don't reinvent the wheel but use existing llist API
        bcache: do not subtract sectors_to_gc for bypassed IO
        bcache: fix sequential large write IO bypass
        bcache: Fix leak of bdev reference
        block/loop: remove unused field
        block/loop: fix use after free
        bfq: Use icq_to_bic() consistently
        bfq: Suppress compiler warnings about comparisons
        bfq: Check kstrtoul() return value
        bfq: Declare local functions static
        ...
      126e76ff
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fbd01410
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "The iwlwifi firmware compat fix is in here as well as some other
        stuff:
      
        1) Fix request socket leak introduced by BPF deadlock fix, from Eric
           Dumazet.
      
        2) Fix VLAN handling with TXQs in mac80211, from Johannes Berg.
      
        3) Missing __qdisc_drop conversions in prio and qfq schedulers, from
           Gao Feng.
      
        4) Use after free in netlink nlk groups handling, from Xin Long.
      
        5) Handle MTU update properly in ipv6 gre tunnels, from Xin Long.
      
        6) Fix leak of ipv6 fib tables on netns teardown, from Sabrina Dubroca
           with follow-on fix from Eric Dumazet.
      
        7) Need RCU and preemption disabled during generic XDP data patch,
           from John Fastabend"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
        bpf: make error reporting in bpf_warn_invalid_xdp_action more clear
        Revert "mdio_bus: Remove unneeded gpiod NULL check"
        bpf: devmap, use cond_resched instead of cpu_relax
        bpf: add support for sockmap detach programs
        net: rcu lock and preempt disable missing around generic xdp
        bpf: don't select potentially stale ri->map from buggy xdp progs
        net: tulip: Constify tulip_tbl
        net: ethernet: ti: netcp_core: no need in netif_napi_del
        davicom: Display proper debug level up to 6
        net: phy: sfp: rename dt properties to match the binding
        dt-binding: net: sfp binding documentation
        dt-bindings: add SFF vendor prefix
        dt-bindings: net: don't confuse with generic PHY property
        ip6_tunnel: fix setting hop_limit value for ipv6 tunnel
        ip_tunnel: fix setting ttl and tos value in collect_md mode
        ipv6: fix typo in fib6_net_exit()
        tcp: fix a request socket leak
        sctp: fix missing wake ups in some situations
        netfilter: xt_hashlimit: fix build error caused by 64bit division
        netfilter: xt_hashlimit: alloc hashtable with right size
        ...
      fbd01410
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · fbf4432f
      Linus Torvalds authored
      Merge more updates from Andrew Morton:
      
       - most of the rest of MM
      
       - a small number of misc things
      
       - lib/ updates
      
       - checkpatch
      
       - autofs updates
      
       - ipc/ updates
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (126 commits)
        ipc: optimize semget/shmget/msgget for lots of keys
        ipc/sem: play nicer with large nsops allocations
        ipc/sem: drop sem_checkid helper
        ipc: convert kern_ipc_perm.refcount from atomic_t to refcount_t
        ipc: convert sem_undo_list.refcnt from atomic_t to refcount_t
        ipc: convert ipc_namespace.count from atomic_t to refcount_t
        kcov: support compat processes
        sh: defconfig: cleanup from old Kconfig options
        mn10300: defconfig: cleanup from old Kconfig options
        m32r: defconfig: cleanup from old Kconfig options
        drivers/pps: use surrounding "if PPS" to remove numerous dependency checks
        drivers/pps: aesthetic tweaks to PPS-related content
        cpumask: make cpumask_next() out-of-line
        kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
        kmod: split off umh headers into its own file
        MAINTAINERS: clarify kmod is just a kernel module loader
        kmod: split out umh code into its own file
        test_kmod: flip INT checks to be consistent
        test_kmod: remove paranoid UINT_MAX check on uint range processing
        vfat: deduplicate hex2bin()
        ...
      fbf4432f
    • Linus Torvalds's avatar
      remove gperf left-overs from build system · c054be10
      Linus Torvalds authored
      I removed all the gperf use, but not the Makefile rules.  Sam Ravnborg
      says I get bonus points for cleaning this up.  I'll hold him to it.
      Requested-by: default avatarSam Ravnborg <sam@ravnborg.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c054be10
    • Daniel Borkmann's avatar
      bpf: make error reporting in bpf_warn_invalid_xdp_action more clear · 9beb8bed
      Daniel Borkmann authored
      Differ between illegal XDP action code and just driver
      unsupported one to provide better feedback when we throw
      a one-time warning here. Reason is that with 814abfab
      ("xdp: add bpf_redirect helper function") not all drivers
      support the new XDP return code yet and thus they will
      fall into their 'default' case when checking for return
      codes after program return, which then triggers a
      bpf_warn_invalid_xdp_action() stating that the return
      code is illegal, but from XDP perspective it's not.
      
      I decided not to place something like a XDP_ACT_MAX define
      into uapi i) given we don't have this either for all other
      program types, ii) future action codes could have further
      encoding there, which would render such define unsuitable
      and we wouldn't be able to rip it out again, and iii) we
      rarely add new action codes.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9beb8bed
    • Florian Fainelli's avatar
      Revert "mdio_bus: Remove unneeded gpiod NULL check" · a010a2f6
      Florian Fainelli authored
      This reverts commit 95b80bf3 ("mdio_bus:
      Remove unneeded gpiod NULL check"), this commit assumed that GPIOLIB
      checks for NULL descriptors, so it's safe to drop them, but it is not
      when CONFIG_GPIOLIB is disabled in the kernel. If we do call
      gpiod_set_value_cansleep() on a GPIO descriptor we will issue warnings
      coming from the inline stubs declared in include/linux/gpio/consumer.h.
      
      Fixes: 95b80bf3 ("mdio_bus: Remove unneeded gpiod NULL check")
      Reported-by: default avatarWoojung Huh <Woojung.Huh@microchip.com>
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Acked-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a010a2f6
    • David S. Miller's avatar
      Merge branch 'xdp-bpf-fixes' · a7bc5774
      David S. Miller authored
      John Fastabend says:
      
      ====================
      net: Fixes for XDP/BPF
      
      The following fixes, UAPI updates, and small improvement,
      
      i. XDP needs to be called inside RCU with preempt disabled.
      
      ii. Not strictly a bug fix but we have an attach command in the
      sockmap UAPI already to avoid having a single kernel released with
      only the attach and not the detach I'm pushing this into net branch.
      Its early in the RC cycle so I think this is OK (not ideal but better
      than supporting a UAPI with a missing detach forever).
      
      iii. Final patch replace cpu_relax with cond_resched in devmap.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7bc5774
    • John Fastabend's avatar
      bpf: devmap, use cond_resched instead of cpu_relax · 374fb014
      John Fastabend authored
      Be a bit more friendly about waiting for flush bits to complete.
      Replace the cpu_relax() with a cond_resched().
      Suggested-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      374fb014
    • John Fastabend's avatar
      bpf: add support for sockmap detach programs · 5a67da2a
      John Fastabend authored
      The bpf map sockmap supports adding programs via attach commands. This
      patch adds the detach command to keep the API symmetric and allow
      users to remove previously added programs. Otherwise the user would
      have to delete the map and re-add it to get in this state.
      
      This also adds a series of additional tests to capture detach operation
      and also attaching/detaching invalid prog types.
      
      API note: socks will run (or not run) programs depending on the state
      of the map at the time the sock is added. We do not for example walk
      the map and remove programs from previously attached socks.
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a67da2a
    • John Fastabend's avatar
      net: rcu lock and preempt disable missing around generic xdp · bbbe211c
      John Fastabend authored
      do_xdp_generic must be called inside rcu critical section with preempt
      disabled to ensure BPF programs are valid and per-cpu variables used
      for redirect operations are consistent. This patch ensures this is true
      and fixes the splat below.
      
      The netif_receive_skb_internal() code path is now broken into two rcu
      critical sections. I decided it was better to limit the preempt_enable/disable
      block to just the xdp static key portion and the fallout is more
      rcu_read_lock/unlock calls. Seems like the best option to me.
      
      [  607.596901] =============================
      [  607.596906] WARNING: suspicious RCU usage
      [  607.596912] 4.13.0-rc4+ #570 Not tainted
      [  607.596917] -----------------------------
      [  607.596923] net/core/dev.c:3948 suspicious rcu_dereference_check() usage!
      [  607.596927]
      [  607.596927] other info that might help us debug this:
      [  607.596927]
      [  607.596933]
      [  607.596933] rcu_scheduler_active = 2, debug_locks = 1
      [  607.596938] 2 locks held by pool/14624:
      [  607.596943]  #0:  (rcu_read_lock_bh){......}, at: [<ffffffff95445ffd>] ip_finish_output2+0x14d/0x890
      [  607.596973]  #1:  (rcu_read_lock_bh){......}, at: [<ffffffff953c8e3a>] __dev_queue_xmit+0x14a/0xfd0
      [  607.597000]
      [  607.597000] stack backtrace:
      [  607.597006] CPU: 5 PID: 14624 Comm: pool Not tainted 4.13.0-rc4+ #570
      [  607.597011] Hardware name: Dell Inc. Precision Tower 5810/0HHV7N, BIOS A17 03/01/2017
      [  607.597016] Call Trace:
      [  607.597027]  dump_stack+0x67/0x92
      [  607.597040]  lockdep_rcu_suspicious+0xdd/0x110
      [  607.597054]  do_xdp_generic+0x313/0xa50
      [  607.597068]  ? time_hardirqs_on+0x5b/0x150
      [  607.597076]  ? mark_held_locks+0x6b/0xc0
      [  607.597088]  ? netdev_pick_tx+0x150/0x150
      [  607.597117]  netif_rx_internal+0x205/0x3f0
      [  607.597127]  ? do_xdp_generic+0xa50/0xa50
      [  607.597144]  ? lock_downgrade+0x2b0/0x2b0
      [  607.597158]  ? __lock_is_held+0x93/0x100
      [  607.597187]  netif_rx+0x119/0x190
      [  607.597202]  loopback_xmit+0xfd/0x1b0
      [  607.597214]  dev_hard_start_xmit+0x127/0x4e0
      
      Fixes: d4455169 ("net: xdp: support xdp generic on virtual devices")
      Fixes: b5cdae32 ("net: Generic XDP")
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbbe211c
    • Daniel Borkmann's avatar
      bpf: don't select potentially stale ri->map from buggy xdp progs · 109980b8
      Daniel Borkmann authored
      We can potentially run into a couple of issues with the XDP
      bpf_redirect_map() helper. The ri->map in the per CPU storage
      can become stale in several ways, mostly due to misuse, where
      we can then trigger a use after free on the map:
      
      i) prog A is calling bpf_redirect_map(), returning XDP_REDIRECT
      and running on a driver not supporting XDP_REDIRECT yet. The
      ri->map on that CPU becomes stale when the XDP program is unloaded
      on the driver, and a prog B loaded on a different driver which
      supports XDP_REDIRECT return code. prog B would have to omit
      calling to bpf_redirect_map() and just return XDP_REDIRECT, which
      would then access the freed map in xdp_do_redirect() since not
      cleared for that CPU.
      
      ii) prog A is calling bpf_redirect_map(), returning a code other
      than XDP_REDIRECT. prog A is then detached, which triggers release
      of the map. prog B is attached which, similarly as in i), would
      just return XDP_REDIRECT without having called bpf_redirect_map()
      and thus be accessing the freed map in xdp_do_redirect() since
      not cleared for that CPU.
      
      iii) prog A is attached to generic XDP, calling the bpf_redirect_map()
      helper and returning XDP_REDIRECT. xdp_do_generic_redirect() is
      currently not handling ri->map (will be fixed by Jesper), so it's
      not being reset. Later loading a e.g. native prog B which would,
      say, call bpf_xdp_redirect() and then returns XDP_REDIRECT would
      find in xdp_do_redirect() that a map was set and uses that causing
      use after free on map access.
      
      Fix thus needs to avoid accessing stale ri->map pointers, naive
      way would be to call a BPF function from drivers that just resets
      it to NULL for all XDP return codes but XDP_REDIRECT and including
      XDP_REDIRECT for drivers not supporting it yet (and let ri->map
      being handled in xdp_do_generic_redirect()). There is a less
      intrusive way w/o letting drivers call a reset for each BPF run.
      
      The verifier knows we're calling into bpf_xdp_redirect_map()
      helper, so it can do a small insn rewrite transparent to the prog
      itself in the sense that it fills R4 with a pointer to the own
      bpf_prog. We have that pointer at verification time anyway and
      R4 is allowed to be used as per calling convention we scratch
      R0 to R5 anyway, so they become inaccessible and program cannot
      read them prior to a write. Then, the helper would store the prog
      pointer in the current CPUs struct redirect_info. Later in
      xdp_do_*_redirect() we check whether the redirect_info's prog
      pointer is the same as passed xdp_prog pointer, and if that's
      the case then all good, since the prog holds a ref on the map
      anyway, so it is always valid at that point in time and must
      have a reference count of at least 1. If in the unlikely case
      they are not equal, it means we got a stale pointer, so we clear
      and bail out right there. Also do reset map and the owning prog
      in bpf_xdp_redirect(), so that bpf_xdp_redirect_map() and
      bpf_xdp_redirect() won't get mixed up, only the last call should
      take precedence. A tc bpf_redirect() doesn't use map anywhere
      yet, so no need to clear it there since never accessed in that
      layer.
      
      Note that in case the prog is released, and thus the map as
      well we're still under RCU read critical section at that time
      and have preemption disabled as well. Once we commit with the
      __dev_map_insert_ctx() from xdp_do_redirect_map() and set the
      map to ri->map_to_flush, we still wait for a xdp_do_flush_map()
      to finish in devmap dismantle time once flush_needed bit is set,
      so that is fine.
      
      Fixes: 97f91a7c ("bpf: add bpf_redirect_map helper routine")
      Reported-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      109980b8
    • Kees Cook's avatar
      net: tulip: Constify tulip_tbl · 9a486c9d
      Kees Cook authored
      It looks like all users of tulip_tbl are reads, so mark this table
      as read-only.
      
      $ git grep tulip_tbl  # edited to avoid line-wraps...
      interrupt.c: iowrite32(tulip_tbl[tp->chip_id].valid_intrs, ...
      interrupt.c: iowrite32(tulip_tbl[tp->chip_id].valid_intrs&~RxPollInt, ...
      interrupt.c: iowrite32(tulip_tbl[tp->chip_id].valid_intrs, ...
      interrupt.c: iowrite32(tulip_tbl[tp->chip_id].valid_intrs | TimerInt,
      pnic.c:      iowrite32(tulip_tbl[tp->chip_id].valid_intrs, ioaddr + CSR7);
      tulip.h:     extern struct tulip_chip_table tulip_tbl[];
      tulip_core.c:struct tulip_chip_table tulip_tbl[] = {
      tulip_core.c:iowrite32(tulip_tbl[tp->chip_id].valid_intrs, ioaddr + CSR5);
      tulip_core.c:iowrite32(tulip_tbl[tp->chip_id].valid_intrs, ioaddr + CSR7);
      tulip_core.c:setup_timer(&tp->timer, tulip_tbl[tp->chip_id].media_timer,
      tulip_core.c:const char *chip_name = tulip_tbl[chip_idx].chip_name;
      tulip_core.c:if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size)
      tulip_core.c:ioaddr =  pci_iomap(..., tulip_tbl[chip_idx].io_size);
      tulip_core.c:tp->flags = tulip_tbl[chip_idx].flags;
      tulip_core.c:setup_timer(&tp->timer, tulip_tbl[tp->chip_id].media_timer,
      tulip_core.c:INIT_WORK(&tp->media_work, tulip_tbl[tp->chip_id].media_task);
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jarod Wilson <jarod@redhat.com>
      Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
      Cc: netdev@vger.kernel.org
      Cc: linux-parisc@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a486c9d
    • Ivan Khoronzhuk's avatar
      net: ethernet: ti: netcp_core: no need in netif_napi_del · e333ac1f
      Ivan Khoronzhuk authored
      Don't remove rx_napi specifically just before free_netdev(),
      it's supposed to be done in it and is confusing w/o tx_napi deletion.
      Signed-off-by: default avatarIvan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e333ac1f
    • Mathieu Malaterre's avatar
      davicom: Display proper debug level up to 6 · 0fdbedc7
      Mathieu Malaterre authored
      This will make it explicit some messages are of the form:
      dm9000_dbg(db, 5, ...
      Signed-off-by: default avatarMathieu Malaterre <malat@debian.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0fdbedc7
    • Baruch Siach's avatar
      net: phy: sfp: rename dt properties to match the binding · 25ee0793
      Baruch Siach authored
      Make the Rx rate select control gpio property name match the documented
      binding. This would make the addition of 'rate-select1-gpios' for SFP+
      support more natural.
      
      Also, make the MOD-DEF0 gpio property name match the documentation.
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25ee0793
    • Baruch Siach's avatar
      dt-binding: net: sfp binding documentation · 3ef37140
      Baruch Siach authored
      Add device-tree binding documentation SFP transceivers. Support for SFP
      transceivers has been recently introduced (drivers/net/phy/sfp.c).
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ef37140
    • Baruch Siach's avatar
      165da358
    • Baruch Siach's avatar
      dt-bindings: net: don't confuse with generic PHY property · c43593d8
      Baruch Siach authored
      This complements commit 9a94b3a4 (dt-binding: phy: don't confuse with
      Ethernet phy properties).
      
      The generic PHY 'phys' property sometime appears in the same node with
      the Ethernet PHY 'phy' or 'phy-handle' properties. Add a warning in
      ethernet.txt to reduce confusion.
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c43593d8
    • Haishuang Yan's avatar
      ip6_tunnel: fix setting hop_limit value for ipv6 tunnel · 18e1173d
      Haishuang Yan authored
      Similar to vxlan/geneve tunnel, if hop_limit is zero, it should fall
      back to ip6_dst_hoplimt().
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      18e1173d
    • Haishuang Yan's avatar
      ip_tunnel: fix setting ttl and tos value in collect_md mode · 0f693f19
      Haishuang Yan authored
      ttl and tos variables are declared and assigned, but are not used in
      iptunnel_xmit() function.
      
      Fixes: cfc7381b ("ip_tunnel: add collect_md mode to IPIP tunnel")
      Cc: Alexei Starovoitov <ast@fb.com>
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0f693f19
    • Guillaume Knispel's avatar
      ipc: optimize semget/shmget/msgget for lots of keys · 0cfb6aee
      Guillaume Knispel authored
      ipc_findkey() used to scan all objects to look for the wanted key.  This
      is slow when using a high number of keys.  This change adds an rhashtable
      of kern_ipc_perm objects in ipc_ids, so that one lookup cease to be O(n).
      
      This change gives a 865% improvement of benchmark reaim.jobs_per_min on a
      56 threads Intel(R) Xeon(R) CPU E5-2695 v3 @ 2.30GHz with 256G memory [1]
      
      Other (more micro) benchmark results, by the author: On an i5 laptop, the
      following loop executed right after a reboot took, without and with this
      change:
      
          for (int i = 0, k=0x424242; i < KEYS; ++i)
              semget(k++, 1, IPC_CREAT | 0600);
      
                       total       total          max single  max single
         KEYS        without        with        call without   call with
      
            1            3.5         4.9   µs            3.5         4.9
           10            7.6         8.6   µs            3.7         4.7
           32           16.2        15.9   µs            4.3         5.3
          100           72.9        41.8   µs            3.7         4.7
         1000        5,630.0       502.0   µs             *           *
        10000    1,340,000.0     7,240.0   µs             *           *
        31900   17,600,000.0    22,200.0   µs             *           *
      
       *: unreliable measure: high variance
      
      The duration for a lookup-only usage was obtained by the same loop once
      the keys are present:
      
                       total       total          max single  max single
         KEYS        without        with        call without   call with
      
            1            2.1         2.5   µs            2.1         2.5
           10            4.5         4.8   µs            2.2         2.3
           32           13.0        10.8   µs            2.3         2.8
          100           82.9        25.1   µs             *          2.3
         1000        5,780.0       217.0   µs             *           *
        10000    1,470,000.0     2,520.0   µs             *           *
        31900   17,400,000.0     7,810.0   µs             *           *
      
      Finally, executing each semget() in a new process gave, when still
      summing only the durations of these syscalls:
      
      creation:
                       total       total
         KEYS        without        with
      
            1            3.7         5.0   µs
           10           32.9        36.7   µs
           32          125.0       109.0   µs
          100          523.0       353.0   µs
         1000       20,300.0     3,280.0   µs
        10000    2,470,000.0    46,700.0   µs
        31900   27,800,000.0   219,000.0   µs
      
      lookup-only:
                       total       total
         KEYS        without        with
      
            1            2.5         2.7   µs
           10           25.4        24.4   µs
           32          106.0        72.6   µs
          100          591.0       352.0   µs
         1000       22,400.0     2,250.0   µs
        10000    2,510,000.0    25,700.0   µs
        31900   28,200,000.0   115,000.0   µs
      
      [1] http://lkml.kernel.org/r/20170814060507.GE23258@yexl-desktop
      
      Link: http://lkml.kernel.org/r/20170815194954.ck32ta2z35yuzpwp@debixSigned-off-by: default avatarGuillaume Knispel <guillaume.knispel@supersonicimagine.com>
      Reviewed-by: default avatarMarc Pardo <marc.pardo@supersonicimagine.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Serge Hallyn <serge@hallyn.com>
      Cc: Andrey Vagin <avagin@openvz.org>
      Cc: Guillaume Knispel <guillaume.knispel@supersonicimagine.com>
      Cc: Marc Pardo <marc.pardo@supersonicimagine.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0cfb6aee
    • Davidlohr Bueso's avatar
      ipc/sem: play nicer with large nsops allocations · e4243b80
      Davidlohr Bueso authored
      Replacing semop()'s kmalloc for kvmalloc was originally proposed by
      Manfred on the premise that it can be called for large (than order-1)
      sizes.  For example, while Oracle recommends setting SEMOPM to a _minimum_
      of 100, some distros[1] encourage the setting to be a factor of the amount
      of db tasks (PROCESSES), which can get fishy for large systems (easily
      going beyond 1000).
      
      [1] An Example of Semaphore Settings
      https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Tuning_and_Optimizing_Red_Hat_Enterprise_Linux_for_Oracle_9i_and_10g_Databases/sect-Oracle_9i_and_10g_Tuning_Guide-Setting_Semaphores-An_Example_of_Semaphore_Settings.html
      
      So let's just convert this to kvmalloc, just like the rest of the
      allocations we do in ipc.  While the fallback vmalloc obviously involves
      more overhead, this by far the uncommon path, and it's better for the user
      than just erroring out with kmalloc.
      
      Link: http://lkml.kernel.org/r/20170803184136.13855-2-dave@stgolabs.netSigned-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e4243b80
    • Davidlohr Bueso's avatar
      ipc/sem: drop sem_checkid helper · 8419e64a
      Davidlohr Bueso authored
      ... 'tis not used.
      
      Link: http://lkml.kernel.org/r/20170803184136.13855-1-dave@stgolabs.netSigned-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8419e64a
    • Elena Reshetova's avatar
      ipc: convert kern_ipc_perm.refcount from atomic_t to refcount_t · 9405c03e
      Elena Reshetova authored
      refcount_t type and corresponding API should be used instead of atomic_t
      when the variable is used as a reference counter.  This allows to avoid
      accidental refcounter overflows that might lead to use-after-free
      situations.
      
      Link: http://lkml.kernel.org/r/1499417992-3238-4-git-send-email-elena.reshetova@intel.comSigned-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
      Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Serge Hallyn <serge@hallyn.com>
      Cc: <arozansk@redhat.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9405c03e
    • Elena Reshetova's avatar
      ipc: convert sem_undo_list.refcnt from atomic_t to refcount_t · f74370b8
      Elena Reshetova authored
      refcount_t type and corresponding API should be used instead of atomic_t
      when the variable is used as a reference counter.  This allows to avoid
      accidental refcounter overflows that might lead to use-after-free
      situations.
      
      Link: http://lkml.kernel.org/r/1499417992-3238-3-git-send-email-elena.reshetova@intel.comSigned-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
      Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Serge Hallyn <serge@hallyn.com>
      Cc: <arozansk@redhat.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f74370b8