1. 18 Aug, 2019 14 commits
  2. 17 Aug, 2019 2 commits
  3. 16 Aug, 2019 4 commits
  4. 15 Aug, 2019 11 commits
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20190814' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 480fd998
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fix local endpoint handling
      
      Here's a pair of patches that fix two issues in the handling of local
      endpoints (rxrpc_local structs):
      
       (1) Use list_replace_init() rather than list_replace() if we're going to
           unconditionally delete the replaced item later, lest the list get
           corrupted.
      
       (2) Don't access the rxrpc_local object after passing our ref to the
           workqueue, not even to illuminate tracepoints, as the work function
           may cause the object to be freed.  We have to cache the information
           beforehand.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      480fd998
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 12ed6015
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      This patchset contains Netfilter fixes for net:
      
      1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
      
      2) Fix interaction of ipsec with flowtable, also from Florian.
      
      3) User-after-free with bound set to rule that fails to load.
      
      4) Adjust state and timeout for flows that expire.
      
      5) Timeout update race with flows in teardown state.
      
      6) Ensure conntrack id hash calculation use invariants as input,
         from Dirk Morris.
      
      7) Do not push flows into flowtable for TCP fin/rst packets.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      12ed6015
    • Eric Dumazet's avatar
      net/packet: fix race in tpacket_snd() · 32d3182c
      Eric Dumazet authored
      packet_sendmsg() checks tx_ring.pg_vec to decide
      if it must call tpacket_snd().
      
      Problem is that the check is lockless, meaning another thread
      can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
      tx_ring.pg_vec back to NULL.
      
      Given that tpacket_snd() grabs pg_vec_lock mutex, we can
      perform the check again to solve the race.
      
      syzbot reported :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
      Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
      RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
      RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
      R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
      R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
      FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       packet_current_frame net/packet/af_packet.c:487 [inline]
       tpacket_snd net/packet/af_packet.c:2667 [inline]
       packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 69e3c75f ("net: TX_RING and packet mmap")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32d3182c
    • Wenwen Wang's avatar
      net: myri10ge: fix memory leaks · 20fb7c7a
      Wenwen Wang authored
      In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
      related structures. Later on, myri10ge_request_irq() is used to get an irq.
      However, if this process fails, the allocated slices related structures are
      not deallocated, leading to memory leaks. To fix this issue, revise the
      target label of the goto statement to 'abort_with_slices'.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20fb7c7a
    • John Fastabend's avatar
      net: tls, fix sk_write_space NULL write when tx disabled · d85f0177
      John Fastabend authored
      The ctx->sk_write_space pointer is only set when TLS tx mode is enabled.
      When running without TX mode its a null pointer but we still set the
      sk sk_write_space pointer on close().
      
      Fix the close path to only overwrite sk->sk_write_space when the current
      pointer is to the tls_write_space function indicating the tls module should
      clean it up properly as well.
      Reported-by: default avatarHillf Danton <hdanton@sina.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Fixes: 57c722e9 ("net/tls: swap sk_write_space on close")
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85f0177
    • Wenwen Wang's avatar
      liquidio: add cleanup in octeon_setup_iq() · 6f967f8b
      Wenwen Wang authored
      If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
      to memory/resource leaks. To fix this issue, invoke
      octeon_delete_instr_queue() before returning from the function.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f967f8b
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 0b24a441
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-08-15
      
      This series introduces two fixes to mlx5 driver.
      
      1) Eran fixes a compatibility issue with ethtool flash.
      2) Maxim fixes a race in XSK wakeup flow.
      
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b24a441
    • Eran Ben Elisha's avatar
      net/mlx5e: Fix compatibility issue with ethtool flash device · f43d48d1
      Eran Ben Elisha authored
      Cited patch deleted ethtool flash device support, as ethtool core can
      fallback into devlink flash callback. However, this is supported only if
      there is a devlink port registered over the corresponding netdevice.
      
      As mlx5e do not have devlink port support over native netdevice, it broke
      the ability to flash device via ethtool.
      
      This patch re-add the ethtool callback to avoid user functionality breakage
      when trying to flash device via ethtool.
      
      Fixes: 9c8bca26 ("mlx5: Move firmware flash implementation to devlink")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      f43d48d1
    • Maxim Mikityanskiy's avatar
      net/mlx5e: Fix a race with XSKICOSQ in XSK wakeup flow · e0d57d9c
      Maxim Mikityanskiy authored
      Add a missing spinlock around XSKICOSQ usage at the activation stage,
      because there is a race between a configuration change and the
      application calling sendto().
      
      Fixes: db05815b ("net/mlx5e: Add XSK zero-copy support")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e0d57d9c
    • Anders Roxell's avatar
      selftests: net: tcp_fastopen_backup_key.sh: fix shellcheck issue · 2aafdf5a
      Anders Roxell authored
      When running tcp_fastopen_backup_key.sh the following issue was seen in
      a busybox environment.
      ./tcp_fastopen_backup_key.sh: line 33: [: -ne: unary operator expected
      
      Shellcheck showed the following issue.
      $ shellcheck tools/testing/selftests/net/tcp_fastopen_backup_key.sh
      
      In tools/testing/selftests/net/tcp_fastopen_backup_key.sh line 33:
              if [ $val -ne 0 ]; then
                   ^-- SC2086: Double quote to prevent globbing and word splitting.
      
      Rework to do a string comparison instead.
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2aafdf5a
    • Wenwen Wang's avatar
      cxgb4: fix a memory leak bug · c554336e
      Wenwen Wang authored
      In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
      leading to a memory leak bug. To fix this issue, free t before returning
      the error.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c554336e
  5. 14 Aug, 2019 9 commits
    • Rocky Liao's avatar
      Bluetooth: hci_qca: Skip 1 error print in device_want_to_sleep() · 6600c080
      Rocky Liao authored
      Don't fall through to print error message when receive sleep indication
      in HCI_IBS_RX_ASLEEP state, this is allowed behavior.
      Signed-off-by: default avatarRocky Liao <rjliao@codeaurora.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      6600c080
    • David Howells's avatar
      rxrpc: Fix read-after-free in rxrpc_queue_local() · 06d9532f
      David Howells authored
      rxrpc_queue_local() attempts to queue the local endpoint it is given and
      then, if successful, prints a trace line.  The trace line includes the
      current usage count - but we're not allowed to look at the local endpoint
      at this point as we passed our ref on it to the workqueue.
      
      Fix this by reading the usage count before queuing the work item.
      
      Also fix the reading of local->debug_id for trace lines, which must be done
      with the same consideration as reading the usage count.
      
      Fixes: 09d2bf59 ("rxrpc: Add a tracepoint to track rxrpc_local refcounting")
      Reported-by: syzbot+78e71c5bab4f76a6a719@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      06d9532f
    • David Howells's avatar
      rxrpc: Fix local endpoint replacement · b00df840
      David Howells authored
      When a local endpoint (struct rxrpc_local) ceases to be in use by any
      AF_RXRPC sockets, it starts the process of being destroyed, but this
      doesn't cause it to be removed from the namespace endpoint list immediately
      as tearing it down isn't trivial and can't be done in softirq context, so
      it gets deferred.
      
      If a new socket comes along that wants to bind to the same endpoint, a new
      rxrpc_local object will be allocated and rxrpc_lookup_local() will use
      list_replace() to substitute the new one for the old.
      
      Then, when the dying object gets to rxrpc_local_destroyer(), it is removed
      unconditionally from whatever list it is on by calling list_del_init().
      
      However, list_replace() doesn't reset the pointers in the replaced
      list_head and so the list_del_init() will likely corrupt the local
      endpoints list.
      
      Fix this by using list_replace_init() instead.
      
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Reported-by: syzbot+193e29e9387ea5837f1d@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      b00df840
    • Pablo Neira Ayuso's avatar
      netfilter: nft_flow_offload: skip tcp rst and fin packets · dfe42be1
      Pablo Neira Ayuso authored
      TCP rst and fin packets do not qualify to place a flow into the
      flowtable. Most likely there will be no more packets after connection
      closure. Without this patch, this flow entry expires and connection
      tracking picks up the entry in ESTABLISHED state using the fixup
      timeout, which makes this look inconsistent to the user for a connection
      that is actually already closed.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      dfe42be1
    • zhengbin's avatar
      sctp: fix memleak in sctp_send_reset_streams · 6d5afe20
      zhengbin authored
      If the stream outq is not empty, need to kfree nstr_list.
      
      Fixes: d570a59c ("sctp: only allow the out stream reset when the stream outq is empty")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarzhengbin <zhengbin13@huawei.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      6d5afe20
    • David Ahern's avatar
      netlink: Fix nlmsg_parse as a wrapper for strict message parsing · d00ee64e
      David Ahern authored
      Eric reported a syzbot warning:
      
      BUG: KMSAN: uninit-value in nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
      CPU: 0 PID: 11812 Comm: syz-executor444 Not tainted 5.3.0-rc3+ #17
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x191/0x1f0 lib/dump_stack.c:113
       kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
       __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
       nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
       rtm_del_nexthop+0x1b1/0x610 net/ipv4/nexthop.c:1543
       rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5223
       netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5241
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf6c/0x1050 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
       __sys_sendmmsg+0x53a/0xae0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2439
       __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2439
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The root cause is nlmsg_parse calling __nla_parse which means the
      header struct size is not checked.
      
      nlmsg_parse should be a wrapper around __nlmsg_parse with
      NL_VALIDATE_STRICT for the validate argument very much like
      nlmsg_parse_deprecated is for NL_VALIDATE_LIBERAL.
      
      Fixes: 3de64403 ("netlink: re-add parse/validate functions in strict mode")
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      d00ee64e
    • Heiner Kallweit's avatar
      net: phy: consider AN_RESTART status when reading link status · c36757eb
      Heiner Kallweit authored
      After configuring and restarting aneg we immediately try to read the
      link status. On some systems the PHY may not yet have cleared the
      "aneg complete" and "link up" bits, resulting in a false link-up
      signal. See [0] for a report.
      Clause 22 and 45 both require the PHY to keep the AN_RESTART
      bit set until the PHY actually starts auto-negotiation.
      Let's consider this in the generic functions for reading link status.
      The commit marked as fixed is the first one where the patch applies
      cleanly.
      
      [0] https://marc.info/?t=156518400300003&r=1&w=2
      
      Fixes: c1164bb1 ("net: phy: check PMAPMD link status only in genphy_c45_read_link")
      Tested-by: default avatarYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      c36757eb
    • Wenwen Wang's avatar
      net/mlx4_en: fix a memory leak bug · 48ec7014
      Wenwen Wang authored
      In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
      kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
      indirection. However, if mlx4_qp_alloc() fails, the allocated
      'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
      
      To fix the above issue, add the 'qp_alloc_err' label to free
      'rss_map->indir_qp'.
      
      Fixes: 4931c6ef ("net/mlx4_en: Optimized single ring steering")
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      48ec7014
    • Thomas Falcon's avatar
      ibmveth: Convert multicast list size for little-endian system · 66cf4710
      Thomas Falcon authored
      The ibm,mac-address-filters property defines the maximum number of
      addresses the hypervisor's multicast filter list can support. It is
      encoded as a big-endian integer in the OF device tree, but the virtual
      ethernet driver does not convert it for use by little-endian systems.
      As a result, the driver is not behaving as it should on affected systems
      when a large number of multicast addresses are assigned to the device.
      Reported-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      66cf4710