1. 29 Jun, 2017 1 commit
    • Liping Zhang's avatar
      netfilter: nf_ct_dccp/sctp: fix memory leak after netns cleanup · deaa0a97
      Liping Zhang authored
      After running the following commands for a while, kmemleak reported that
      "1879 new suspected memory leaks" happened:
        # while : ; do
        ip netns add test
        ip netns delete test
        done
      
        unreferenced object 0xffff88006342fa38 (size 1024):
        comm "ip", pid 15477, jiffies 4295982857 (age 957.836s)
        hex dump (first 32 bytes):
          b8 b0 4d a0 ff ff ff ff c0 34 c3 59 00 88 ff ff  ..M......4.Y....
          04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8190510a>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff81284130>] __kmalloc_track_caller+0x150/0x300
          [<ffffffff812302d0>] kmemdup+0x20/0x50
          [<ffffffffa04d598a>] dccp_init_net+0x8a/0x160 [nf_conntrack]
          [<ffffffffa04cf9f5>] nf_ct_l4proto_pernet_register_one+0x25/0x90
        ...
        unreferenced object 0xffff88006342da58 (size 1024):
        comm "ip", pid 15477, jiffies 4295982857 (age 957.836s)
        hex dump (first 32 bytes):
          10 b3 4d a0 ff ff ff ff 04 35 c3 59 00 88 ff ff  ..M......5.Y....
          04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8190510a>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff81284130>] __kmalloc_track_caller+0x150/0x300
          [<ffffffff812302d0>] kmemdup+0x20/0x50
          [<ffffffffa04d6a9d>] sctp_init_net+0x5d/0x130 [nf_conntrack]
          [<ffffffffa04cf9f5>] nf_ct_l4proto_pernet_register_one+0x25/0x90
        ...
      
      This is because we forgot to implement the get_net_proto for sctp and
      dccp, so we won't invoke the nf_ct_unregister_sysctl to free the
      ctl_table when do netns cleanup. Also note, we will fail to register
      the sysctl for dccp/sctp either due to the lack of get_net_proto.
      
      Fixes: c51d3901 ("netfilter: conntrack: built-in support for DCCP")
      Fixes: a85406af ("netfilter: conntrack: built-in support for SCTP")
      Cc: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarLiping Zhang <zlpnobody@gmail.com>
      Acked-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      deaa0a97
  2. 27 Jun, 2017 3 commits
  3. 25 Jun, 2017 3 commits
  4. 23 Jun, 2017 7 commits
    • David S. Miller's avatar
      Merge branch 'bnxt_en-fixes' · 92cc8a51
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: Error handling and netpoll fixes.
      
      Add missing error handling and fix netpoll handling.  The current code
      handles RX and TX events in netpoll mode and is causing lots of warnings
      and errors in the RX code path in netpoll mode.  The fix is to only handle
      TX events in netpoll mode.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      92cc8a51
    • Michael Chan's avatar
      bnxt_en: Fix netpoll handling. · 2270bc5d
      Michael Chan authored
      To handle netpoll properly, the driver must only handle TX packets
      during NAPI.  Handling RX events cause warnings and errors in
      netpoll mode. The ndo_poll_controller() method should call
      napi_schedule() directly so that a NAPI weight of zero will be used
      during netpoll mode.
      
      The bnxt_en driver supports 2 ring modes: combined, and separate rx/tx.
      In separate rx/tx mode, the ndo_poll_controller() method will only
      process the tx rings.  In combined mode, the rx and tx completion
      entries are mixed in the completion ring and we need to drop the rx
      entries and recycle the rx buffers.
      
      Add a function bnxt_force_rx_discard() to handle this in netpoll mode
      when we see rx entries in combined ring mode.
      Reported-by: default avatarCalvin Owens <calvinowens@fb.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2270bc5d
    • Michael Chan's avatar
      bnxt_en: Add missing logic to handle TPA end error conditions. · 69c149e2
      Michael Chan authored
      When we get a TPA_END completion to handle a completed LRO packet, it
      is possible that hardware would indicate errors.  The current code is
      not checking for the error condition.  Define the proper error bits and
      the macro to check for this error and abort properly.
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69c149e2
    • Richard Cochran's avatar
      net: dp83640: Avoid NULL pointer dereference. · db9d8b29
      Richard Cochran authored
      The function, skb_complete_tx_timestamp(), used to allow passing in a
      NULL pointer for the time stamps, but that was changed in commit
      62bccb8c ("net-timestamp: Make the
      clone operation stand-alone from phy timestamping"), and the existing
      call sites, all of which are in the dp83640 driver, were fixed up.
      
      Even though the kernel-doc was subsequently updated in commit
      7a76a021 ("net-timestamp: Update
      skb_complete_tx_timestamp comment"), still a bug fix from Manfred
      Rudigier came into the driver using the old semantics.  Probably
      Manfred derived that patch from an older kernel version.
      
      This fix should be applied to the stable trees as well.
      
      Fixes: 81e8f2e9 ("net: dp83640: Fix tx timestamp overflow handling.")
      Signed-off-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      db9d8b29
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 43b786c6
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2017-06-23
      
      1) Fix xfrm garbage collecting when unregistering a netdevice.
         From Hangbin Liu.
      
      2) Fix NULL pointer derefernce when exiting a network namespace.
         From Hangbin Liu.
      
      3) Fix some error codes in pfkey to prevent a NULL pointer derefernce.
         From Dan Carpenter.
      
      4) Fix NULL pointer derefernce on allocation failure in pfkey.
         From Dan Carpenter.
      
      5) Adjust IPv6 payload_len to include extension headers. Otherwise
         we corrupt the packets when doing ESP GRO on transport mode.
         From Yossi Kuperman.
      
      6) Set nhoff to the proper offset of the IPv6 nexthdr when doing ESP GRO.
         From Yossi Kuperman.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43b786c6
    • WANG Cong's avatar
      sit: use __GFP_NOWARN for user controlled allocation · 0ccc22f4
      WANG Cong authored
      The memory allocation size is controlled by user-space,
      if it is too large just fail silently and return NULL,
      not to mention there is a fallback allocation later.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0ccc22f4
    • Michal Kubeček's avatar
      net: account for current skb length when deciding about UFO · a5cb659b
      Michal Kubeček authored
      Our customer encountered stuck NFS writes for blocks starting at specific
      offsets w.r.t. page boundary caused by networking stack sending packets via
      UFO enabled device with wrong checksum. The problem can be reproduced by
      composing a long UDP datagram from multiple parts using MSG_MORE flag:
      
        sendto(sd, buff, 1000, MSG_MORE, ...);
        sendto(sd, buff, 1000, MSG_MORE, ...);
        sendto(sd, buff, 3000, 0, ...);
      
      Assume this packet is to be routed via a device with MTU 1500 and
      NETIF_F_UFO enabled. When second sendto() gets into __ip_append_data(),
      this condition is tested (among others) to decide whether to call
      ip_ufo_append_data():
      
        ((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))
      
      At the moment, we already have skb with 1028 bytes of data which is not
      marked for GSO so that the test is false (fragheaderlen is usually 20).
      Thus we append second 1000 bytes to this skb without invoking UFO. Third
      sendto(), however, has sufficient length to trigger the UFO path so that we
      end up with non-UFO skb followed by a UFO one. Later on, udp_send_skb()
      uses udp_csum() to calculate the checksum but that assumes all fragments
      have correct checksum in skb->csum which is not true for UFO fragments.
      
      When checking against MTU, we need to add skb->len to length of new segment
      if we already have a partially filled skb and fragheaderlen only if there
      isn't one.
      
      In the IPv6 case, skb can only be null if this is the first segment so that
      we have to use headersize (length of the first IPv6 header) rather than
      fragheaderlen (length of IPv6 header of further fragments) for skb == NULL.
      
      Fixes: e89e9cf5 ("[IPv4/IPv6]: UFO Scatter-gather approach")
      Fixes: e4c5e13a ("ipv6: Should use consistent conditional judgement for
      	ip6 fragment between __ip6_append_data and ip6_finish_output")
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Acked-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5cb659b
  5. 22 Jun, 2017 15 commits
  6. 21 Jun, 2017 7 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 48b6bbef
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix refcounting wrt timers which hold onto inet6 address objects,
          from Xin Long.
      
       2) Fix an ancient bug in wireless wext ioctls, from Johannes Berg.
      
       3) Firmware handling fixes in brcm80211 driver, from Arend Van Spriel.
      
       4) Several mlx5 driver fixes (firmware readiness, timestamp cap
          reporting, devlink command validity checking, tc offloading, etc.)
          From Eli Cohen, Maor Dickman, Chris Mi, and Or Gerlitz.
      
       5) Fix dst leak in IP/IP6 tunnels, from Haishuang Yan.
      
       6) Fix dst refcount bug in decnet, from Wei Wang.
      
       7) Netdev can be double freed in register_vlan_device(). Fix from Gao
          Feng.
      
       8) Don't allow object to be destroyed while it is being dumped in SCTP,
          from Xin Long.
      
       9) Fix dpaa_eth build when modular, from Madalin Bucur.
      
      10) Fix throw route leaks, from Serhey Popovych.
      
      11) IFLA_GROUP missing from if_nlmsg_size() and ifla_policy[] table,
          also from Serhey Popovych.
      
      12) Fix premature TX SKB free in stmmac, from Niklas Cassel.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (36 commits)
        igmp: add a missing spin_lock_init()
        net: stmmac: free an skb first when there are no longer any descriptors using it
        sfc: remove duplicate up_write on VF filter_sem
        rtnetlink: add IFLA_GROUP to ifla_policy
        ipv6: Do not leak throw route references
        dt-bindings: net: sms911x: Add missing optional VDD regulators
        dpaa_eth: reuse the dma_ops provided by the FMan MAC device
        fsl/fman: propagate dma_ops
        net/core: remove explicit do_softirq() from busy_poll_stop()
        fib_rules: Resolve goto rules target on delete
        sctp: ensure ep is not destroyed before doing the dump
        net/hns:bugfix of ethtool -t phy self_test
        net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
        cxgb4: notify uP to route ctrlq compl to rdma rspq
        ip6_tunnel: Correct tos value in collect_md mode
        decnet: always not take dst->__refcnt when inserting dst into hash table
        ip6_tunnel: fix potential issue in __ip6_tnl_rcv
        ip_tunnel: fix potential issue in ip_tunnel_rcv
        brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2()
        net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
        ...
      48b6bbef
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · ce879b64
      Linus Torvalds authored
      Pull more pin control fixes from Linus Walleij:
       "Some late arriving fixes. I should have sent earlier, just swamped
        with work as usual. Thomas patch makes AMD systems usable despite
        firmware bugs so it is fairly important.
      
         - Make the AMD driver use a regular interrupt rather than a chained
           one, so the system does not lock up.
      
         - Fix a function call error deep inside the STM32 driver"
      
      * tag 'pinctrl-v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: stm32: Fix bad function call
        pinctrl/amd: Use regular interrupt instead of chained
      ce879b64
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · db1b5ccd
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - revert of a commit to magicmouse driver that regressess certain
         devices, from Daniel Stone
      
       - quirk for a specific Dell mouse, from Sebastian Parschauer
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        Revert "HID: magicmouse: Set multi-touch keybits for Magic Mouse"
        HID: Add quirk for Dell PIXART OEM mouse
      db1b5ccd
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching · dcba7108
      Linus Torvalds authored
      Pull livepatching fix from Jiri Kosina:
       "Fix the way how livepatches are being stacked with respect to RCU,
        from Petr Mladek"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching:
        livepatch: Fix stacking of patches with respect to RCU
      dcba7108
    • Linus Torvalds's avatar
      Merge branch 'ufs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 021f6019
      Linus Torvalds authored
      Pull more ufs fixes from Al Viro:
       "More UFS fixes, unfortunately including build regression fix for the
        64-bit s_dsize commit. Fixed in this pile:
      
         - trivial bug in signedness of 32bit timestamps on ufs1
      
         - ESTALE instead of ufs_error() when doing open-by-fhandle on
           something deleted
      
         - build regression on 32bit in ufs_new_fragments() - calculating that
           many percents of u64 pulls libgcc stuff on some of those. Mea
           culpa.
      
         - fix hysteresis loop broken by typo in 2.4.14.7 (right next to the
           location of previous bug).
      
         - fix the insane limits of said hysteresis loop on filesystems with
           very low percentage of reserved blocks. If it's 5% or less, just
           use the OPTSPACE policy.
      
         - calculate those limits once and mount time.
      
        This tree does pass xfstests clean (both ufs1 and ufs2) and it _does_
        survive cross-builds.
      
        Again, my apologies for missing that, especially since I have noticed
        a related percentage-of-64bit issue in earlier patches (when dealing
        with amount of reserved blocks). Self-LART applied..."
      
      * 'ufs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        ufs: fix the logics for tail relocation
        ufs_iget(): fail with -ESTALE on deleted inode
        fix signedness of timestamps on ufs1
      021f6019
    • Helge Deller's avatar
      Allow stack to grow up to address space limit · bd726c90
      Helge Deller authored
      Fix expand_upwards() on architectures with an upward-growing stack (parisc,
      metag and partly IA-64) to allow the stack to reliably grow exactly up to
      the address space limit given by TASK_SIZE.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bd726c90
    • Hugh Dickins's avatar
      mm: fix new crash in unmapped_area_topdown() · f4cb767d
      Hugh Dickins authored
      Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
      mmap testing.  That's the VM_BUG_ON(gap_end < gap_start) at the
      end of unmapped_area_topdown().  Linus points out how MAP_FIXED
      (which does not have to respect our stack guard gap intentions)
      could result in gap_end below gap_start there.  Fix that, and
      the similar case in its alternative, unmapped_area().
      
      Cc: stable@vger.kernel.org
      Fixes: 1be7107f ("mm: larger stack guard gap, between vmas")
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Debugged-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f4cb767d
  7. 20 Jun, 2017 4 commits
    • WANG Cong's avatar
      igmp: add a missing spin_lock_init() · b4846fc3
      WANG Cong authored
      Andrey reported a lockdep warning on non-initialized
      spinlock:
      
       INFO: trying to register non-static key.
       the code is fine but needs lockdep annotation.
       turning off the locking correctness validator.
       CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:16
        dump_stack+0x292/0x395 lib/dump_stack.c:52
        register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
        ? 0xffffffffa0000000
        __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
        lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
        __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
        _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
        spin_lock_bh ./include/linux/spinlock.h:304
        ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
        igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
        ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736
      
      We miss a spin_lock_init() in igmpv3_add_delrec(), probably
      because previously we never use it on this code path. Since
      we already unlink it from the global mc_tomb list, it is
      probably safe not to acquire this spinlock here. It does not
      harm to have it although, to avoid conditional locking.
      
      Fixes: c38b7d32 ("igmp: acquire pmc lock for ip_mc_clear_src()")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4846fc3
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2017-06-20' of... · afd64631
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-06-20' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.12
      
      Two important fixes for brcmfmac. The rest of the brcmfmac patches are
      either code preparation and fixing a new build warning.
      
      brcmfmac
      
      * fix a NULL pointer dereference during resume
      
      * fix a NULL pointer dereference with USB devices, a regression from
        v4.12-rc1
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      afd64631
    • Niklas Cassel's avatar
      net: stmmac: free an skb first when there are no longer any descriptors using it · 05cf0d1b
      Niklas Cassel authored
      When having the skb pointer in the first descriptor, stmmac_tx_clean
      can get called at a moment where the IP has only cleared the own bit
      of the first descriptor, thus freeing the skb, even though there can
      be several descriptors whose buffers point into the same skb.
      
      By simply moving the skb pointer from the first descriptor to the last
      descriptor, a skb will get freed only when the IP has cleared the
      own bit of all the descriptors that are using that skb.
      Signed-off-by: default avatarNiklas Cassel <niklas.cassel@axis.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      05cf0d1b
    • Edward Cree's avatar
      sfc: remove duplicate up_write on VF filter_sem · 57f0c9cf
      Edward Cree authored
      Somehow two copies of the line 'up_write(&vf->efx->filter_sem);' got into
       efx_ef10_sriov_set_vf_vlan().  This would put the mutex in a bad state and
       cause all subsequent down attempts to hang.
      
      Fixes: 671b53ee ("sfc: Ensure down_write(&filter_sem) and up_write() are matched before calling efx_net_open()")
      Signed-off-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      57f0c9cf