1. 28 Jul, 2018 1 commit
  2. 27 Jul, 2018 2 commits
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · d0fdb366
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2018-07-27
      
      1) Fix PMTU handling of vti6. We update the PMTU on
         the xfrm dst_entry which is not cached anymore
         after the flowchache removal. So update the
         PMTU of the original dst_entry instead.
         From Eyal Birger.
      
      2) Fix a leak of kernel memory to userspace.
         From Eric Dumazet.
      
      3) Fix a possible dst_entry memleak in xfrm_lookup_route.
         From Tommi Rantala.
      
      4) Fix a skb leak in case we can't call nlmsg_multicast
         from xfrm_nlmsg_multicast. From Florian Westphal.
      
      5) Fix a leak of a temporary buffer in the error path of
         esp6_input. From Zhen Lei.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0fdb366
    • Gal Pressman's avatar
      net: ena: Fix use of uninitialized DMA address bits field · 101f0cd4
      Gal Pressman authored
      UBSAN triggers the following undefined behaviour warnings:
      [...]
      [   13.236124] UBSAN: Undefined behaviour in drivers/net/ethernet/amazon/ena/ena_eth_com.c:468:22
      [   13.240043] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
      [...]
      [   13.744769] UBSAN: Undefined behaviour in drivers/net/ethernet/amazon/ena/ena_eth_com.c:373:4
      [   13.748694] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
      [...]
      
      When splitting the address to high and low, GENMASK_ULL is used to generate
      a bitmask with dma_addr_bits field from io_sq (in ena_com_prepare_tx and
      ena_com_add_single_rx_desc).
      The problem is that dma_addr_bits is not initialized with a proper value
      (besides being cleared in ena_com_create_io_queue).
      Assign dma_addr_bits the correct value that is stored in ena_dev when
      initializing the SQ.
      
      Fixes: 1738cd3e ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
      Signed-off-by: default avatarGal Pressman <pressmangal@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      101f0cd4
  3. 26 Jul, 2018 5 commits
    • Avinash Repaka's avatar
      RDS: RDMA: Fix the NULL-ptr deref in rds_ib_get_mr · 9e630bcb
      Avinash Repaka authored
      Registration of a memory region(MR) through FRMR/fastreg(unlike FMR)
      needs a connection/qp. With a proxy qp, this dependency on connection
      will be removed, but that needs more infrastructure patches, which is a
      work in progress.
      
      As an intermediate fix, the get_mr returns EOPNOTSUPP when connection
      details are not populated. The MR registration through sendmsg() will
      continue to work even with fast registration, since connection in this
      case is formed upfront.
      
      This patch fixes the following crash:
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Modules linked in:
      CPU: 1 PID: 4244 Comm: syzkaller468044 Not tainted 4.16.0-rc6+ #361
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544
      RSP: 0018:ffff8801b059f890 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff8801b07e1300 RCX: ffffffff8562d96e
      RDX: 000000000000000d RSI: 0000000000000001 RDI: 0000000000000068
      RBP: ffff8801b059f8b8 R08: ffffed0036274244 R09: ffff8801b13a1200
      R10: 0000000000000004 R11: ffffed0036274243 R12: ffff8801b13a1200
      R13: 0000000000000001 R14: ffff8801ca09fa9c R15: 0000000000000000
      FS:  00007f4d050af700(0000) GS:ffff8801db300000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f4d050aee78 CR3: 00000001b0d9b006 CR4: 00000000001606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       __rds_rdma_map+0x710/0x1050 net/rds/rdma.c:271
       rds_get_mr_for_dest+0x1d4/0x2c0 net/rds/rdma.c:357
       rds_setsockopt+0x6cc/0x980 net/rds/af_rds.c:347
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x4456d9
      RSP: 002b:00007f4d050aedb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004456d9
      RDX: 0000000000000007 RSI: 0000000000000114 RDI: 0000000000000004
      RBP: 00000000006dac38 R08: 00000000000000a0 R09: 0000000000000000
      R10: 0000000020000380 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007fffbfb36d6f R14: 00007f4d050af9c0 R15: 0000000000000005
      Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 cc 01 00 00 4c 8b bb 80 04 00 00
      48
      b8 00 00 00 00 00 fc ff df 49 8d 7f 68 48 89 fa 48 c1 ea 03 <80> 3c 02
      00 0f
      85 9c 01 00 00 4d 8b 7f 68 48 b8 00 00 00 00 00
      RIP: rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544 RSP:
      ffff8801b059f890
      ---[ end trace 7e1cea13b85473b0 ]---
      
      Reported-by: syzbot+b51c77ef956678a65834@syzkaller.appspotmail.com
      Signed-off-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarAvinash Repaka <avinash.repaka@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e630bcb
    • Tariq Toukan's avatar
      net: rollback orig value on failure of dev_qdisc_change_tx_queue_len · 7effaf06
      Tariq Toukan authored
      Fix dev_change_tx_queue_len so it rolls back original value
      upon a failure in dev_qdisc_change_tx_queue_len.
      This is already done for notifirers' failures, share the code.
      
      In case of failure in dev_qdisc_change_tx_queue_len, some tx queues
      would still be of the new length, while they should be reverted.
      Currently, the revert is not done, and is marked with a TODO label
      in dev_qdisc_change_tx_queue_len, and should find some nice solution
      to do it.
      Yet it is still better to not apply the newly requested value.
      
      Fixes: 48bfd55e ("net_sched: plug in qdisc ops change_tx_queue_len")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Reviewed-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Reported-by: default avatarRan Rozenstein <ranro@mellanox.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7effaf06
    • tangpengpeng's avatar
      net: fix amd-xgbe flow-control issue · 7f3fc7dd
      tangpengpeng authored
      If we enable or disable xgbe flow-control by ethtool ,
      it does't work.Because the parameter is not properly
      assigned,so we need to adjust the assignment order
      of the parameters.
      
      Fixes: c1ce2f77 ("amd-xgbe: Fix flow control setting logic")
      Signed-off-by: default avatartangpengpeng <tangpengpeng@higon.com>
      Acked-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7f3fc7dd
    • Arjun Vynipadath's avatar
      cxgb4: Added missing break in ndo_udp_tunnel_{add/del} · 942a656f
      Arjun Vynipadath authored
      Break statements were missing for Geneve case in
      ndo_udp_tunnel_{add/del}, thereby raw mac matchall
      entries were not getting added.
      
      Fixes: c746fc0e("cxgb4: add geneve offload support for T6")
      Signed-off-by: default avatarArjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      942a656f
    • Jakub Kicinski's avatar
      netdevsim: don't leak devlink resources · c259b4fb
      Jakub Kicinski authored
      Devlink resources registered with devlink_resource_register() have
      to be unregistered.
      
      Fixes: 37923ed6 ("netdevsim: Add simple FIB resource controller via devlink")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarQuentin Monnet <quentin.monnet@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c259b4fb
  4. 25 Jul, 2018 6 commits
    • Wei Yongjun's avatar
      net: igmp: make function __ip_mc_inc_group() static · b87bac10
      Wei Yongjun authored
      Fixes the following sparse warnings:
      
      net/ipv4/igmp.c:1391:6: warning:
       symbol '__ip_mc_inc_group' was not declared. Should it be static?
      
      Fixes: 6e2059b5 ("ipv4/igmp: init group mode as INCLUDE when join source group")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b87bac10
    • Lawrence Brakmo's avatar
      tcp: ack immediately when a cwr packet arrives · 9aee4000
      Lawrence Brakmo authored
      We observed high 99 and 99.9% latencies when doing RPCs with DCTCP. The
      problem is triggered when the last packet of a request arrives CE
      marked. The reply will carry the ECE mark causing TCP to shrink its cwnd
      to 1 (because there are no packets in flight). When the 1st packet of
      the next request arrives, the ACK was sometimes delayed even though it
      is CWR marked, adding up to 40ms to the RPC latency.
      
      This patch insures that CWR marked data packets arriving will be acked
      immediately.
      
      Packetdrill script to reproduce the problem:
      
      0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
      0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
      0.000 setsockopt(3, SOL_TCP, TCP_CONGESTION, "dctcp", 5) = 0
      0.000 bind(3, ..., ...) = 0
      0.000 listen(3, 1) = 0
      
      0.100 < [ect0] SEW 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
      0.100 > SE. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 8>
      0.110 < [ect0] . 1:1(0) ack 1 win 257
      0.200 accept(3, ..., ...) = 4
      
      0.200 < [ect0] . 1:1001(1000) ack 1 win 257
      0.200 > [ect01] . 1:1(0) ack 1001
      
      0.200 write(4, ..., 1) = 1
      0.200 > [ect01] P. 1:2(1) ack 1001
      
      0.200 < [ect0] . 1001:2001(1000) ack 2 win 257
      0.200 write(4, ..., 1) = 1
      0.200 > [ect01] P. 2:3(1) ack 2001
      
      0.200 < [ect0] . 2001:3001(1000) ack 3 win 257
      0.200 < [ect0] . 3001:4001(1000) ack 3 win 257
      0.200 > [ect01] . 3:3(0) ack 4001
      
      0.210 < [ce] P. 4001:4501(500) ack 3 win 257
      
      +0.001 read(4, ..., 4500) = 4500
      +0 write(4, ..., 1) = 1
      +0 > [ect01] PE. 3:4(1) ack 4501
      
      +0.010 < [ect0] W. 4501:5501(1000) ack 4 win 257
      // Previously the ACK sequence below would be 4501, causing a long RTO
      +0.040~+0.045 > [ect01] . 4:4(0) ack 5501   // delayed ack
      
      +0.311 < [ect0] . 5501:6501(1000) ack 4 win 257  // More data
      +0 > [ect01] . 4:4(0) ack 6501     // now acks everything
      
      +0.500 < F. 9501:9501(0) ack 4 win 257
      
      Modified based on comments by Neal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarLawrence Brakmo <brakmo@fb.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9aee4000
    • dann frazier's avatar
      hinic: Link the logical network device to the pci device in sysfs · 7856e861
      dann frazier authored
      Otherwise interfaces get exposed under /sys/devices/virtual, which
      doesn't give udev the context it needs for PCI-based predictable
      interface names.
      Signed-off-by: default avatardann frazier <dann.frazier@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7856e861
    • Toshiaki Makita's avatar
      virtio_net: Fix incosistent received bytes counter · ecbc42ca
      Toshiaki Makita authored
      When received packets are dropped in virtio_net driver, received packets
      counter is incremented but bytes counter is not.
      As a result, for instance if we drop all packets by XDP, only received
      is counted and bytes stays 0, which looks inconsistent.
      IMHO received packets/bytes should be counted if packets are produced by
      the hypervisor, like what common NICs on physical machines are doing.
      So fix the bytes counter.
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ecbc42ca
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.18_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 9981b4fb
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
       "A couple more MIPS fixes for 4.18:
      
         - Fix an off-by-one in reporting PCI resource sizes to userland which
           regressed in v3.12.
      
         - Fix writes to DDR controller registers used to flush write buffers,
           which regressed with some refactoring in v4.2"
      
      * tag 'mips_fixes_4.18_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: ath79: fix register address in ath79_ddr_wb_flush()
        MIPS: Fix off-by-one in pci_resource_to_user()
      9981b4fb
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 07230906
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Handle stations tied to AP_VLANs properly during mac80211 hw
          reconfig. From Manikanta Pubbisetty.
      
       2) Fix jump stack depth validation in nf_tables, from Taehee Yoo.
      
       3) Fix quota handling in aRFS flow expiration of mlx5 driver, from Eran
          Ben Elisha.
      
       4) Exit path handling fix in powerpc64 BPF JIT, from Daniel Borkmann.
      
       5) Use ptr_ring_consume_bh() in page pool code, from Tariq Toukan.
      
       6) Fix cached netdev name leak in nf_tables, from Florian Westphal.
      
       7) Fix memory leaks on chain rename, also from Florian Westphal.
      
       8) Several fixes to DCTCP congestion control ACK handling, from Yuchunk
          Cheng.
      
       9) Missing rcu_read_unlock() in CAIF protocol code, from Yue Haibing.
      
      10) Fix link local address handling with VRF, from David Ahern.
      
      11) Don't clobber 'err' on a successful call to __skb_linearize() in
          skb_segment(). From Eric Dumazet.
      
      12) Fix vxlan fdb notification races, from Roopa Prabhu.
      
      13) Hash UDP fragments consistently, from Paolo Abeni.
      
      14) If TCP receives lots of out of order tiny packets, we do really
          silly stuff. Make the out-of-order queue ending more robust to this
          kind of behavior, from Eric Dumazet.
      
      15) Don't leak netlink dump state in nf_tables, from Florian Westphal.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (76 commits)
        net: axienet: Fix double deregister of mdio
        qmi_wwan: fix interface number for DW5821e production firmware
        ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull
        bnx2x: Fix invalid memory access in rss hash config path.
        net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
        r8169: restore previous behavior to accept BIOS WoL settings
        cfg80211: never ignore user regulatory hint
        sock: fix sg page frag coalescing in sk_alloc_sg
        netfilter: nf_tables: move dumper state allocation into ->start
        tcp: add tcp_ooo_try_coalesce() helper
        tcp: call tcp_drop() from tcp_data_queue_ofo()
        tcp: detect malicious patterns in tcp_collapse_ofo_queue()
        tcp: avoid collapses in tcp_prune_queue() if possible
        tcp: free batches of packets in tcp_prune_ofo_queue()
        ip: hash fragments consistently
        ipv6: use fib6_info_hold_safe() when necessary
        can: xilinx_can: fix power management handling
        can: xilinx_can: fix incorrect clear of non-processed interrupts
        can: xilinx_can: fix RX overflow interrupt not being enabled
        can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
        ...
      07230906
  5. 24 Jul, 2018 13 commits
    • Shubhrajyoti Datta's avatar
      net: axienet: Fix double deregister of mdio · 03bc7cab
      Shubhrajyoti Datta authored
      If the registration fails then mdio_unregister is called.
      However at unbind the unregister ia attempted again resulting
      in the below crash
      
      [   73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
      [   73.549362] Internal error: Oops - BUG: 0 [#1] SMP
      [   73.554127] Modules linked in:
      [   73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
      [   73.562895] Hardware name: xlnx,zynqmp (DT)
      [   73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
      [   73.572973] PC is at mdiobus_unregister+0x84/0x88
      [   73.577656] LR is at axienet_mdio_teardown+0x18/0x30
      [   73.582601] pc : [<ffffff80085fa4cc>] lr : [<ffffff8008616858>]
      pstate: 20000145
      [   73.589981] sp : ffffff800cbe3c30
      [   73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180
      [   73.598573] x27: ffffff8008a21000 x26: 0000000000000040
      [   73.603868] x25: 0000000000000124 x24: ffffffc879efe920
      [   73.609164] x23: 0000000000000060 x22: ffffffc879e02000
      [   73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870
      [   73.619754] x19: ffffffc879e02800 x18: 000000000000025d
      [   73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8
      [   73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010
      [   73.635640] x13: 74656e7265687465 x12: 0000000000000030
      [   73.640935] x11: 0000000000000030 x10: 0101010101010101
      [   73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98
      [   73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318
      [   73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000
      [   73.662117] x3 : 0000000000000000 x2 : 0000000000000008
      [   73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000
      [   73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)
      
      Fix the same by making the bus NULL on unregister.
      Signed-off-by: default avatarShubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      03bc7cab
    • Aleksander Morgado's avatar
      qmi_wwan: fix interface number for DW5821e production firmware · f25e1392
      Aleksander Morgado authored
      The original mapping for the DW5821e was done using a development
      version of the firmware. Confirmed with the vendor that the final
      USB layout ends up exposing the QMI control/data ports in USB
      config #1, interface #0, not in interface #1 (which is now a HID
      interface).
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      
      Fixes: e7e197ed ("qmi_wwan: add support for the Dell Wireless 5821e module")
      Signed-off-by: default avatarAleksander Morgado <aleksander@aleksander.es>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f25e1392
    • Willem de Bruijn's avatar
      ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull · 2efd4fca
      Willem de Bruijn authored
      Syzbot reported a read beyond the end of the skb head when returning
      IPV6_ORIGDSTADDR:
      
        BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
        CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
        Google 01/01/2011
        Call Trace:
          __dump_stack lib/dump_stack.c:77 [inline]
          dump_stack+0x185/0x1d0 lib/dump_stack.c:113
          kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
          kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
          kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
          copy_to_user include/linux/uaccess.h:184 [inline]
          put_cmsg+0x5ef/0x860 net/core/scm.c:242
          ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
          ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
          rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
          [..]
      
      This logic and its ipv4 counterpart read the destination port from
      the packet at skb_transport_offset(skb) + 4.
      
      With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
      packet that stores headers exactly up to skb_transport_offset(skb) in
      the head and the remainder in a frag.
      
      Call pskb_may_pull before accessing the pointer to ensure that it lies
      in skb head.
      
      Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
      Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2efd4fca
    • Sudarsana Reddy Kalluru's avatar
      bnx2x: Fix invalid memory access in rss hash config path. · ae2dcb28
      Sudarsana Reddy Kalluru authored
      Rx hash/filter table configuration uses rss_conf_obj to configure filters
      in the hardware. This object is initialized only when the interface is
      brought up.
      This patch adds driver changes to configure rss params only when the device
      is in opened state. In port disabled case, the config will be cached in the
      driver structure which will be applied in the successive load path.
      
      Please consider applying it to 'net' branch.
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae2dcb28
    • Jack Morgenstein's avatar
      net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper · 958c696f
      Jack Morgenstein authored
      Function mlx4_RST2INIT_QP_wrapper saved the qp number passed in the qp
      context, rather than the one passed in the input modifier.
      
      However, the qp number in the qp context is not defined as a
      required parameter by the FW. Therefore, drivers may choose to not
      specify the qp number in the qp context for the reset-to-init transition.
      
      Thus, we must save the qp number passed in the command input modifier --
      which is always present. (This saved qp number is used as the input
      modifier for command 2RST_QP when a slave's qp's are destroyed).
      
      Fixes: c82e9aa0 ("mlx4_core: resource tracking for HCA resources used by guests")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      958c696f
    • Heiner Kallweit's avatar
      r8169: restore previous behavior to accept BIOS WoL settings · 18041b52
      Heiner Kallweit authored
      Commit 7edf6d31 tried to resolve an inconsistency (BIOS WoL
      settings are accepted, but device isn't wakeup-enabled) resulting
      from a previous broken-BIOS workaround by making disabled WoL the
      default.
      This however had some side effects, most likely due to a broken BIOS
      some systems don't properly resume from suspend when the MagicPacket
      WoL bit isn't set in the chip, see
      https://bugzilla.kernel.org/show_bug.cgi?id=200195
      Therefore restore the WoL behavior from 4.16.
      Reported-by: default avatarAlbert Astals Cid <aacid@kde.org>
      Fixes: 7edf6d31 ("r8169: disable WOL per default")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      18041b52
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · f89ed2f8
      Linus Torvalds authored
      Pull s390 fix from Martin Schwidefsky.
      
      Guenter Roeck reports that the s390 allmodconfig build fails because of
      a gcc plugin problem.  The fix won't be in-tree until 4.19, so for now
      disable the gcc plugins on s390.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: disable gcc plugins
      f89ed2f8
    • Guenter Roeck's avatar
      media: staging: omap4iss: Include asm/cacheflush.h after generic includes · 0894da84
      Guenter Roeck authored
      Including asm/cacheflush.h first results in the following build error
      when trying to build sparc32:allmodconfig, because 'struct page' has not
      been declared, and the function declaration ends up creating a separate
      (private) declaration of struct page (as a result of function arguments
      being in the scope of the function declaration and definition, not in
      global scope).
      
      The C scoping rules do not just affect variable visibility, they also
      affect type declaration visibility.
      
      The end result is that when the actual call site is seen in
      <linux/highmem.h>, the 'struct page' type in the caller is not the same
      'struct page' that the function was declared with, resulting in:
      
        In file included from arch/sparc/include/asm/page.h:10:0,
                         ...
                         from drivers/staging/media/omap4iss/iss_video.c:15:
        include/linux/highmem.h: In function 'clear_user_highpage':
        include/linux/highmem.h:137:31: error:
      	passing argument 1 of 'sparc_flush_page_to_ram' from incompatible
      	pointer type
      
      Include generic includes files first to fix the problem.
      
      Fixes: fc96d58c ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices")
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      [ Added explanation of C scope rules - Linus ]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0894da84
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 049f5604
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Make sure we don't go over the maximum jump stack boundary,
         from Taehee Yoo.
      
      2) Missing rcu_barrier() in hash and rbtree sets, also from Taehee.
      
      3) Missing check to nul-node in rbtree timeout routine, from Taehee.
      
      4) Use dev->name from flowtable to fix a memleak, from Florian.
      
      5) Oneliner to free flowtable object on removal, from Florian.
      
      6) Memleak in chain rename transaction, again from Florian.
      
      7) Don't allow two chains to use the same name in the same
         transaction, from Florian.
      
      8) handle DCCP SYNC/SYNCACK as invalid, this triggers an
         uninitialized timer in conntrack reported by syzbot, from Florian.
      
      9) Fix leak in case netlink_dump_start() fails, from Florian.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      049f5604
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2018-07-24' of... · e1adf314
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2018-07-24' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Only a few fixes:
       * always keep regulatory user hint
       * add missing break statement in station flags parsing
       * fix non-linear SKBs in port-control-over-nl80211
       * reconfigure VLAN stations during HW restart
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e1adf314
    • Amar Singhal's avatar
      cfg80211: never ignore user regulatory hint · e31f6456
      Amar Singhal authored
      Currently user regulatory hint is ignored if all wiphys
      in the system are self managed. But the hint is not ignored
      if there is no wiphy in the system. This affects the global
      regulatory setting. Global regulatory setting needs to be
      maintained so that it can be applied to a new wiphy entering
      the system. Therefore, do not ignore user regulatory setting
      even if all wiphys in the system are self managed.
      Signed-off-by: default avatarAmar Singhal <asinghal@codeaurora.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      e31f6456
    • Martin Schwidefsky's avatar
      s390: disable gcc plugins · 2fba3573
      Martin Schwidefsky authored
      The s390 build currently fails with the latent entropy plugin:
      
      arch/s390/kernel/als.o: In function `verify_facilities':
      als.c:(.init.text+0x24): undefined reference to `latent_entropy'
      als.c:(.init.text+0xae): undefined reference to `latent_entropy'
      make[3]: *** [arch/s390/boot/compressed/vmlinux] Error 1
      make[2]: *** [arch/s390/boot/compressed/vmlinux] Error 2
      make[1]: *** [bzImage] Error 2
      
      This will be fixed with the early boot rework from Vasily, which
      is planned for the 4.19 merge window.
      
      For 4.18 the simplest solution is to disable the gcc plugins and
      reenable them after the early boot rework is upstream.
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      2fba3573
    • Daniel Borkmann's avatar
      sock: fix sg page frag coalescing in sk_alloc_sg · 144fe2bf
      Daniel Borkmann authored
      Current sg coalescing logic in sk_alloc_sg() (latter is used by tls and
      sockmap) is not quite correct in that we do fetch the previous sg entry,
      however the subsequent check whether the refilled page frag from the
      socket is still the same as from the last entry with prior offset and
      length matching the start of the current buffer is comparing always the
      first sg list entry instead of the prior one.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarDave Watson <davejwatson@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      144fe2bf
  6. 23 Jul, 2018 13 commits
    • Florian Westphal's avatar
      netfilter: nf_tables: move dumper state allocation into ->start · 90fd131a
      Florian Westphal authored
      Shaochun Chen points out we leak dumper filter state allocations
      stored in dump_control->data in case there is an error before netlink sets
      cb_running (after which ->done will be called at some point).
      
      In order to fix this, add .start functions and do the allocations
      there.
      
      ->done is going to clean up, and in case error occurs before
      ->start invocation no cleanups need to be done anymore.
      Reported-by: default avatarshaochun chen <cscnull@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      90fd131a
    • David S. Miller's avatar
      Merge branch 'tcp-robust-ooo' · 1a4f14ba
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      Juha-Matti Tilli reported that malicious peers could inject tiny
      packets in out_of_order_queue, forcing very expensive calls
      to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
      every incoming packet.
      
      With tcp_rmem[2] default of 6MB, the ooo queue could
      contain ~7000 nodes.
      
      This patch series makes sure we cut cpu cycles enough to
      render the attack not critical.
      
      We might in the future go further, like disconnecting
      or black-holing proven malicious flows.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a4f14ba
    • Eric Dumazet's avatar
      tcp: add tcp_ooo_try_coalesce() helper · 58152ecb
      Eric Dumazet authored
      In case skb in out_or_order_queue is the result of
      multiple skbs coalescing, we would like to get a proper gso_segs
      counter tracking, so that future tcp_drop() can report an accurate
      number.
      
      I chose to not implement this tracking for skbs in receive queue,
      since they are not dropped, unless socket is disconnected.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58152ecb
    • Eric Dumazet's avatar
      tcp: call tcp_drop() from tcp_data_queue_ofo() · 8541b21e
      Eric Dumazet authored
      In order to be able to give better diagnostics and detect
      malicious traffic, we need to have better sk->sk_drops tracking.
      
      Fixes: 9f5afeae ("tcp: use an RB tree for ooo receive queue")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8541b21e
    • Eric Dumazet's avatar
      tcp: detect malicious patterns in tcp_collapse_ofo_queue() · 3d4bf93a
      Eric Dumazet authored
      In case an attacker feeds tiny packets completely out of order,
      tcp_collapse_ofo_queue() might scan the whole rb-tree, performing
      expensive copies, but not changing socket memory usage at all.
      
      1) Do not attempt to collapse tiny skbs.
      2) Add logic to exit early when too many tiny skbs are detected.
      
      We prefer not doing aggressive collapsing (which copies packets)
      for pathological flows, and revert to tcp_prune_ofo_queue() which
      will be less expensive.
      
      In the future, we might add the possibility of terminating flows
      that are proven to be malicious.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d4bf93a
    • Eric Dumazet's avatar
      tcp: avoid collapses in tcp_prune_queue() if possible · f4a3313d
      Eric Dumazet authored
      Right after a TCP flow is created, receiving tiny out of order
      packets allways hit the condition :
      
      if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
      	tcp_clamp_window(sk);
      
      tcp_clamp_window() increases sk_rcvbuf to match sk_rmem_alloc
      (guarded by tcp_rmem[2])
      
      Calling tcp_collapse_ofo_queue() in this case is not useful,
      and offers a O(N^2) surface attack to malicious peers.
      
      Better not attempt anything before full queue capacity is reached,
      forcing attacker to spend lots of resource and allow us to more
      easily detect the abuse.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4a3313d
    • Eric Dumazet's avatar
      tcp: free batches of packets in tcp_prune_ofo_queue() · 72cd43ba
      Eric Dumazet authored
      Juha-Matti Tilli reported that malicious peers could inject tiny
      packets in out_of_order_queue, forcing very expensive calls
      to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
      every incoming packet. out_of_order_queue rb-tree can contain
      thousands of nodes, iterating over all of them is not nice.
      
      Before linux-4.9, we would have pruned all packets in ofo_queue
      in one go, every XXXX packets. XXXX depends on sk_rcvbuf and skbs
      truesize, but is about 7000 packets with tcp_rmem[2] default of 6 MB.
      
      Since we plan to increase tcp_rmem[2] in the future to cope with
      modern BDP, can not revert to the old behavior, without great pain.
      
      Strategy taken in this patch is to purge ~12.5 % of the queue capacity.
      
      Fixes: 36a6503f ("tcp: refine tcp_prune_ofo_queue() to not drop all packets")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarJuha-Matti Tilli <juha-matti.tilli@iki.fi>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72cd43ba
    • Paolo Abeni's avatar
      ip: hash fragments consistently · 3dd1c9a1
      Paolo Abeni authored
      The skb hash for locally generated ip[v6] fragments belonging
      to the same datagram can vary in several circumstances:
      * for connected UDP[v6] sockets, the first fragment get its hash
        via set_owner_w()/skb_set_hash_from_sk()
      * for unconnected IPv6 UDPv6 sockets, the first fragment can get
        its hash via ip6_make_flowlabel()/skb_get_hash_flowi6(), if
        auto_flowlabel is enabled
      
      For the following frags the hash is usually computed via
      skb_get_hash().
      The above can cause OoO for unconnected IPv6 UDPv6 socket: in that
      scenario the egress tx queue can be selected on a per packet basis
      via the skb hash.
      It may also fool flow-oriented schedulers to place fragments belonging
      to the same datagram in different flows.
      
      Fix the issue by copying the skb hash from the head frag into
      the others at fragmentation time.
      
      Before this commit:
      perf probe -a "dev_queue_xmit skb skb->hash skb->l4_hash:b1@0/8 skb->sw_hash:b1@1/8"
      netperf -H $IPV4 -t UDP_STREAM -l 5 -- -m 2000 -n &
      perf record -e probe:dev_queue_xmit -e probe:skb_set_owner_w -a sleep 0.1
      perf script
      probe:dev_queue_xmit: (ffffffff8c6b1b20) hash=3713014309 l4_hash=1 sw_hash=0
      probe:dev_queue_xmit: (ffffffff8c6b1b20) hash=0 l4_hash=0 sw_hash=0
      
      After this commit:
      probe:dev_queue_xmit: (ffffffff8c6b1b20) hash=2171763177 l4_hash=1 sw_hash=0
      probe:dev_queue_xmit: (ffffffff8c6b1b20) hash=2171763177 l4_hash=1 sw_hash=0
      
      Fixes: b73c3d0e ("net: Save TX flow hash in sock and set in skbuf on xmit")
      Fixes: 67800f9b ("ipv6: Call skb_get_hash_flowi6 to get skb->hash in ip6_make_flowlabel")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3dd1c9a1
    • Wei Wang's avatar
      ipv6: use fib6_info_hold_safe() when necessary · e873e4b9
      Wei Wang authored
      In the code path where only rcu read lock is held, e.g. in the route
      lookup code path, it is not safe to directly call fib6_info_hold()
      because the fib6_info may already have been deleted but still exists
      in the rcu grace period. Holding reference to it could cause double
      free and crash the kernel.
      
      This patch adds a new function fib6_info_hold_safe() and replace
      fib6_info_hold() in all necessary places.
      
      Syzbot reported 3 crash traces because of this. One of them is:
      8021q: adding VLAN 0 to HW filter on device team0
      IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
      dst_release: dst:(____ptrval____) refcnt:-1
      dst_release: dst:(____ptrval____) refcnt:-2
      WARNING: CPU: 1 PID: 4845 at include/net/dst.h:239 dst_hold include/net/dst.h:239 [inline]
      WARNING: CPU: 1 PID: 4845 at include/net/dst.h:239 ip6_setup_cork+0xd66/0x1830 net/ipv6/ip6_output.c:1204
      dst_release: dst:(____ptrval____) refcnt:-1
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 1 PID: 4845 Comm: syz-executor493 Not tainted 4.18.0-rc3+ #10
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       panic+0x238/0x4e7 kernel/panic.c:184
      dst_release: dst:(____ptrval____) refcnt:-2
      dst_release: dst:(____ptrval____) refcnt:-3
       __warn.cold.8+0x163/0x1ba kernel/panic.c:536
      dst_release: dst:(____ptrval____) refcnt:-4
       report_bug+0x252/0x2d0 lib/bug.c:186
       fixup_bug arch/x86/kernel/traps.c:178 [inline]
       do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
      dst_release: dst:(____ptrval____) refcnt:-5
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
       invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
      RIP: 0010:dst_hold include/net/dst.h:239 [inline]
      RIP: 0010:ip6_setup_cork+0xd66/0x1830 net/ipv6/ip6_output.c:1204
      Code: c1 ed 03 89 9d 18 ff ff ff 48 b8 00 00 00 00 00 fc ff df 41 c6 44 05 00 f8 e9 2d 01 00 00 4c 8b a5 c8 fe ff ff e8 1a f6 e6 fa <0f> 0b e9 6a fc ff ff e8 0e f6 e6 fa 48 8b 85 d0 fe ff ff 48 8d 78
      RSP: 0018:ffff8801a8fcf178 EFLAGS: 00010293
      RAX: ffff8801a8eba5c0 RBX: 0000000000000000 RCX: ffffffff869511e6
      RDX: 0000000000000000 RSI: ffffffff869515b6 RDI: 0000000000000005
      RBP: ffff8801a8fcf2c8 R08: ffff8801a8eba5c0 R09: ffffed0035ac8338
      R10: ffffed0035ac8338 R11: ffff8801ad6419c3 R12: ffff8801a8fcf720
      R13: ffff8801a8fcf6a0 R14: ffff8801ad6419c0 R15: ffff8801ad641980
       ip6_make_skb+0x2c8/0x600 net/ipv6/ip6_output.c:1768
       udpv6_sendmsg+0x2c90/0x35f0 net/ipv6/udp.c:1376
       inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:641 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:651
       ___sys_sendmsg+0x51d/0x930 net/socket.c:2125
       __sys_sendmmsg+0x240/0x6f0 net/socket.c:2220
       __do_sys_sendmmsg net/socket.c:2249 [inline]
       __se_sys_sendmmsg net/socket.c:2246 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2246
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x446ba9
      Code: e8 cc bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fb39a469da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00000000006dcc54 RCX: 0000000000446ba9
      RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003
      RBP: 00000000006dcc50 R08: 00007fb39a46a700 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 45c828efc7a64843
      R13: e6eeb815b9d8a477 R14: 5068caf6f713c6fc R15: 0000000000000001
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Kernel Offset: disabled
      Rebooting in 86400 seconds..
      
      Fixes: 93531c67 ("net/ipv6: separate handling of FIB entries from dst based routes")
      Reported-by: syzbot+902e2a1bcd4f7808cef5@syzkaller.appspotmail.com
      Reported-by: syzbot+8ae62d67f647abeeceb9@syzkaller.appspotmail.com
      Reported-by: syzbot+3f08feb14086930677d0@syzkaller.appspotmail.com
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e873e4b9
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-4.18-20180723' of... · 5302a84e
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.18-20180723' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-07-23
      
      this is a pull request of 12 patches for net/master.
      
      The patch by Stephane Grosjean for the peak_canfd CAN driver fixes a problem
      with older firmware. The next patch is by Roman Fietze and fixes the setup of
      the CCCR register in the m_can driver. Nicholas Mc Guire's patch for the
      mpc5xxx_can driver adds missing error checking. The two patches by Faiz Abbas
      fix the runtime resume and clean up the probe function in the m_can driver. The
      last 7 patches by Anssi Hannula fix several problem in the xilinx_can driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5302a84e
    • Anssi Hannula's avatar
      can: xilinx_can: fix power management handling · 8ebd83bd
      Anssi Hannula authored
      There are several issues with the suspend/resume handling code of the
      driver:
      
      - The device is attached and detached in the runtime_suspend() and
        runtime_resume() callbacks if the interface is running. However,
        during xcan_chip_start() the interface is considered running,
        causing the resume handler to incorrectly call netif_start_queue()
        at the beginning of xcan_chip_start(), and on xcan_chip_start() error
        return the suspend handler detaches the device leaving the user
        unable to bring-up the device anymore.
      
      - The device is not brought properly up on system resume. A reset is
        done and the code tries to determine the bus state after that.
        However, after reset the device is always in Configuration mode
        (down), so the state checking code does not make sense and
        communication will also not work.
      
      - The suspend callback tries to set the device to sleep mode (low-power
        mode which monitors the bus and brings the device back to normal mode
        on activity), but then immediately disables the clocks (possibly
        before the device reaches the sleep mode), which does not make sense
        to me. If a clean shutdown is wanted before disabling clocks, we can
        just bring it down completely instead of only sleep mode.
      
      Reorganize the PM code so that only the clock logic remains in the
      runtime PM callbacks and the system PM callbacks contain the device
      bring-up/down logic. This makes calling the runtime PM callbacks during
      e.g. xcan_chip_start() safe.
      
      The system PM callbacks now simply call common code to start/stop the
      HW if the interface was running, replacing the broken code from before.
      
      xcan_chip_stop() is updated to use the common reset code so that it will
      wait for the reset to complete. Reset also disables all interrupts so do
      not do that separately.
      
      Also, the device_may_wakeup() checks are removed as the driver does not
      have wakeup support.
      
      Tested on Zynq-7000 integrated CAN.
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Cc: Michal Simek <michal.simek@xilinx.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      8ebd83bd
    • Anssi Hannula's avatar
      can: xilinx_can: fix incorrect clear of non-processed interrupts · 2f4f0f33
      Anssi Hannula authored
      xcan_interrupt() clears ERROR|RXOFLV|BSOFF|ARBLST interrupts if any of
      them is asserted. This does not take into account that some of them
      could have been asserted between interrupt status read and interrupt
      clear, therefore clearing them without handling them.
      
      Fix the code to only clear those interrupts that it knows are asserted
      and therefore going to be processed in xcan_err_interrupt().
      
      Fixes: b1201e44 ("can: xilinx CAN controller support")
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Cc: Michal Simek <michal.simek@xilinx.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      2f4f0f33
    • Anssi Hannula's avatar
      can: xilinx_can: fix RX overflow interrupt not being enabled · 83997997
      Anssi Hannula authored
      RX overflow interrupt (RXOFLW) is disabled even though xcan_interrupt()
      processes it. This means that an RX overflow interrupt will only be
      processed when another interrupt gets asserted (e.g. for RX/TX).
      
      Fix that by enabling the RXOFLW interrupt.
      
      Fixes: b1201e44 ("can: xilinx CAN controller support")
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Cc: Michal Simek <michal.simek@xilinx.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      83997997