1. 22 Sep, 2018 7 commits
    • YueHaibing's avatar
      net: wiznet: fix return type of ndo_start_xmit function · f0f25516
      YueHaibing authored
      The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
      which is a typedef for an enum type, so make sure the implementation in
      this driver has returns 'netdev_tx_t' value, and change the function
      return type to netdev_tx_t.
      
      Found by coccinelle.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0f25516
    • YueHaibing's avatar
      net: sgi: fix return type of ndo_start_xmit function · 28d304ef
      YueHaibing authored
      The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
      which is a typedef for an enum type, so make sure the implementation in
      this driver has returns 'netdev_tx_t' value, and change the function
      return type to netdev_tx_t.
      
      Found by coccinelle.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28d304ef
    • YueHaibing's avatar
      net: cirrus: fix return type of ndo_start_xmit function · f3bf939f
      YueHaibing authored
      The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
      which is a typedef for an enum type, so make sure the implementation in
      this driver has returns 'netdev_tx_t' value, and change the function
      return type to netdev_tx_t.
      
      Found by coccinelle.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f3bf939f
    • YueHaibing's avatar
      net: seeq: fix return type of ndo_start_xmit function · 72b46279
      YueHaibing authored
      The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
      which is a typedef for an enum type, so make sure the implementation in
      this driver has returns 'netdev_tx_t' value, and change the function
      return type to netdev_tx_t.
      
      Found by coccinelle.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72b46279
    • Wei Yongjun's avatar
      PCI: hv: Fix return value check in hv_pci_assign_slots() · 54be5b8c
      Wei Yongjun authored
      In case of error, the function pci_create_slot() returns ERR_PTR() and
      never returns NULL. The NULL test in the return value check should be
      replaced with IS_ERR().
      
      Fixes: a15f2c08 ("PCI: hv: support reporting serial number as slot information")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      54be5b8c
    • Jeff Barnhill's avatar
      net/ipv6: Display all addresses in output of /proc/net/if_inet6 · 86f9bd1f
      Jeff Barnhill authored
      The backend handling for /proc/net/if_inet6 in addrconf.c doesn't properly
      handle starting/stopping the iteration.  The problem is that at some point
      during the iteration, an overflow is detected and the process is
      subsequently stopped.  The item being shown via seq_printf() when the
      overflow occurs is not actually shown, though.  When start() is
      subsequently called to resume iterating, it returns the next item, and
      thus the item that was being processed when the overflow occurred never
      gets printed.
      
      Alter the meaning of the private data member "offset".  Currently, when it
      is not 0 (which only happens at the very beginning), "offset" represents
      the next hlist item to be printed.  After this change, "offset" always
      represents the current item.
      
      This is also consistent with the private data member "bucket", which
      represents the current bucket, and also the use of "pos" as defined in
      seq_file.txt:
          The pos passed to start() will always be either zero, or the most
          recent pos used in the previous session.
      Signed-off-by: default avatarJeff Barnhill <0xeffeff@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86f9bd1f
    • Sean Tranchetti's avatar
      netlabel: check for IPV4MASK in addrinfo_get · f88b4c01
      Sean Tranchetti authored
      netlbl_unlabel_addrinfo_get() assumes that if it finds the
      NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
      NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
      not necessarily the case as the current checks in
      netlbl_unlabel_staticadd() and friends are not sufficent to
      enforce this.
      
      If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
      NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
      these functions will all call netlbl_unlabel_addrinfo_get() which
      will then attempt dereference NULL when fetching the non-existent
      NLBL_UNLABEL_A_IPV4MASK attribute:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0
      Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
      Call trace:
      	netlbl_unlabel_addrinfo_get+0x44/0xd8
      	netlbl_unlabel_staticremovedef+0x98/0xe0
      	genl_rcv_msg+0x354/0x388
      	netlink_rcv_skb+0xac/0x118
      	genl_rcv+0x34/0x48
      	netlink_unicast+0x158/0x1f0
      	netlink_sendmsg+0x32c/0x338
      	sock_sendmsg+0x44/0x60
      	___sys_sendmsg+0x1d0/0x2a8
      	__sys_sendmsg+0x64/0xb4
      	SyS_sendmsg+0x34/0x4c
      	el0_svc_naked+0x34/0x38
      Code: 51001149 7100113f 540000a0 f9401508 (79400108)
      ---[ end trace f6438a488e737143 ]---
      Kernel panic - not syncing: Fatal exception
      Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f88b4c01
  2. 21 Sep, 2018 2 commits
  3. 20 Sep, 2018 11 commits
    • Xin Long's avatar
      sctp: update dst pmtu with the correct daddr · d7ab5cdc
      Xin Long authored
      When processing pmtu update from an icmp packet, it calls .update_pmtu
      with sk instead of skb in sctp_transport_update_pmtu.
      
      However for sctp, the daddr in the transport might be different from
      inet_sock->inet_daddr or sk->sk_v6_daddr, which is used to update or
      create the route cache. The incorrect daddr will cause a different
      route cache created for the path.
      
      So before calling .update_pmtu, inet_sock->inet_daddr/sk->sk_v6_daddr
      should be updated with the daddr in the transport, and update it back
      after it's done.
      
      The issue has existed since route exceptions introduction.
      
      Fixes: 4895c771 ("ipv4: Add FIB nexthop exceptions.")
      Reported-by: ian.periam@dialogic.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d7ab5cdc
    • Davide Caratti's avatar
      bnxt_en: don't try to offload VLAN 'modify' action · 8c6ec361
      Davide Caratti authored
      bnxt offload code currently supports only 'push' and 'pop' operation: let
      .ndo_setup_tc() return -EOPNOTSUPP if VLAN 'modify' action is configured.
      
      Fixes: 2ae7408f ("bnxt_en: bnxt: add TC flower filter offload support")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarSathya Perla <sathya.perla@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c6ec361
    • Johannes Berg's avatar
      smc: generic netlink family should be __ro_after_init · 56ce3c5a
      Johannes Berg authored
      The generic netlink family is only initialized during module init,
      so it should be __ro_after_init like all other generic netlink
      families.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      56ce3c5a
    • Petr Machata's avatar
      mlxsw: spectrum: Bump required firmware version · f9d5b1d5
      Petr Machata authored
      MC-aware mode was introduced to mlxsw in commit 7b819530 ("mlxsw: spectrum:
      Configure MC-aware mode on mlxsw ports") and fixed up later in commit
      3a3539cd ("mlxsw: spectrum_buffers: Set up a dedicated pool for BUM
      traffic"). As the final piece of puzzle, a firmware issue whereby a wrong
      priority was assigned to BUM traffic was corrected in FW version 13.1703.4.
      Therefore require this FW version in the driver.
      
      Fixes: 7b819530 ("mlxsw: spectrum: Configure MC-aware mode on mlxsw ports")
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9d5b1d5
    • David S. Miller's avatar
      Merge branch 'qed-fixes' · bffd5e86
      David S. Miller authored
      Sudarsana Reddy Kalluru says:
      
      ====================
      qed: Fix series for multi-function mode implementation.
      
      The patch series addresses few issues in the switch dependent multi-function modes.
      Please consider applying it to 'net' tree.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bffd5e86
    • Sudarsana Reddy Kalluru's avatar
      qed: Add missing device config for RoCE EDPM in UFP mode. · 7e3e375c
      Sudarsana Reddy Kalluru authored
      This patch adds support to configure the DORQ to use vlan-id/priority for
      roce EDPM.
      
      Fixes: cac6f691 ("qed: Add support for Unified Fabric Port")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarTomer Tayar <Tomer.Tayar@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7e3e375c
    • Sudarsana Reddy Kalluru's avatar
      qed: Do not add VLAN 0 tag to untagged frames in multi-function mode. · 0216da94
      Sudarsana Reddy Kalluru authored
      In certain multi-function switch dependent modes, firmware adds vlan tag 0
      to the untagged frames. This leads to double tagging for the traffic
      if the dcbx is enabled, which is not the desired behavior. To avoid this,
      driver needs to set "dcb_dont_add_vlan0" flag.
      
      Fixes: cac6f691 ("qed: Add support for Unified Fabric Port")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarTomer Tayar <Tomer.Tayar@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0216da94
    • Sudarsana Reddy Kalluru's avatar
      qed: Fix populating the invalid stag value in multi function mode. · 50fdf601
      Sudarsana Reddy Kalluru authored
      In multi-function mode, driver receives the stag value (outer vlan)
      for a PF from management FW (MFW). If the stag value is negotiated prior to
      the driver load, then the stag is not notified to the driver and hence
      driver will have the invalid stag value.
      The fix is to request the MFW for STAG value during the driver load time.
      
      Fixes: cac6f691 ("qed: Add support for Unified Fabric Port")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarTomer Tayar <Tomer.Tayar@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50fdf601
    • Antoine Tenart's avatar
      net: mvneta: fix the Rx desc buffer DMA unmapping · cf5cca6e
      Antoine Tenart authored
      With CONFIG_DMA_API_DEBUG enabled we now get a warning when using the
      mvneta driver:
      
        mvneta d0030000.ethernet: DMA-API: device driver frees DMA memory with
        wrong function [device address=0x000000001165b000] [size=4096 bytes]
        [mapped as page] [unmapped as single]
      
      This is because when using the s/w buffer management, the Rx descriptor
      buffer is mapped with dma_map_page but unmapped with dma_unmap_single.
      This patch fixes this by using the right unmapping function.
      
      Fixes: 562e2f46 ("net: mvneta: Improve the buffer allocation method for SWBM")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cf5cca6e
    • Paolo Abeni's avatar
      ip6_tunnel: be careful when accessing the inner header · 76c0ddd8
      Paolo Abeni authored
      the ip6 tunnel xmit ndo assumes that the processed skb always
      contains an ip[v6] header, but syzbot has found a way to send
      frames that fall short of this assumption, leading to the following splat:
      
      BUG: KMSAN: uninit-value in ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1307
      [inline]
      BUG: KMSAN: uninit-value in ip6_tnl_start_xmit+0x7d2/0x1ef0
      net/ipv6/ip6_tunnel.c:1390
      CPU: 0 PID: 4504 Comm: syz-executor558 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x185/0x1d0 lib/dump_stack.c:53
        kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
        __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
        ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1307 [inline]
        ip6_tnl_start_xmit+0x7d2/0x1ef0 net/ipv6/ip6_tunnel.c:1390
        __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
        netdev_start_xmit include/linux/netdevice.h:4075 [inline]
        xmit_one net/core/dev.c:3026 [inline]
        dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
        __dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
        dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
        packet_snd net/packet/af_packet.c:2944 [inline]
        packet_sendmsg+0x7c70/0x8a30 net/packet/af_packet.c:2969
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg net/socket.c:640 [inline]
        ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
        __sys_sendmmsg+0x42d/0x800 net/socket.c:2136
        SYSC_sendmmsg+0xc4/0x110 net/socket.c:2167
        SyS_sendmmsg+0x63/0x90 net/socket.c:2162
        do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x441819
      RSP: 002b:00007ffe58ee8268 EFLAGS: 00000213 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819
      RDX: 0000000000000002 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000402510
      R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
        kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
        kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
        kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
        kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
        slab_post_alloc_hook mm/slab.h:445 [inline]
        slab_alloc_node mm/slub.c:2737 [inline]
        __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
        __kmalloc_reserve net/core/skbuff.c:138 [inline]
        __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
        alloc_skb include/linux/skbuff.h:984 [inline]
        alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
        sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
        packet_alloc_skb net/packet/af_packet.c:2803 [inline]
        packet_snd net/packet/af_packet.c:2894 [inline]
        packet_sendmsg+0x6454/0x8a30 net/packet/af_packet.c:2969
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg net/socket.c:640 [inline]
        ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
        __sys_sendmmsg+0x42d/0x800 net/socket.c:2136
        SYSC_sendmmsg+0xc4/0x110 net/socket.c:2167
        SyS_sendmmsg+0x63/0x90 net/socket.c:2162
        do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      This change addresses the issue adding the needed check before
      accessing the inner header.
      
      The ipv4 side of the issue is apparently there since the ipv4 over ipv6
      initial support, and the ipv6 side predates git history.
      
      Fixes: c4d3efaf ("[IPV6] IP6TUNNEL: Add support to IPv4 over IPv6 tunnel.")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzbot+3fde91d4d394747d6db4@syzkaller.appspotmail.com
      Tested-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      76c0ddd8
    • David S. Miller's avatar
      Merge tag 'batadv-net-for-davem-20180919' of git://git.open-mesh.org/linux-merge · aa86b03c
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      pull request for net: batman-adv 2018-09-19
      
      here are some bugfixes which we would like to see integrated into net.
      
      We forgot to bump the version number in the last round for net-next, so
      the belated patch to do that is included - we hope you can adopt it.
      This will most likely create a merge conflict later when merging into
      net-next with this rounds net-next patchset, but net-next should keep
      the 2018.4 version[1].
      
      [1] resolution:
      
      --- a/net/batman-adv/main.h
      +++ b/net/batman-adv/main.h
      @@ -25,11 +25,7 @@
       #define BATADV_DRIVER_DEVICE "batman-adv"
      
       #ifndef BATADV_SOURCE_VERSION
      -<<<<<<<
      -#define BATADV_SOURCE_VERSION "2018.3"
      -=======
       #define BATADV_SOURCE_VERSION "2018.4"
      ->>>>>>>
       #endif
      
       /* B.A.T.M.A.N. parameters */
      
      Please pull or let me know of any problem!
      
      Here are some batman-adv bugfixes:
      
       - Avoid ELP information leak, by Sven Eckelmann
      
       - Fix sysfs segfault issues, by Sven Eckelmann (2 patches)
      
       - Fix locking when adding entries in various lists,
         by Sven Eckelmann (5 patches)
      
       - Fix refcount if queue_work() fails, by Marek Lindner (2 patches)
      
       - Fixup forgotten version bump, by Sven Eckelmann
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa86b03c
  4. 19 Sep, 2018 20 commits
    • David S. Miller's avatar
      Merge branch 'ipv6-fix-issues-on-accessing-fib6_metrics' · 69ba423d
      David S. Miller authored
      Wei Wang says:
      
      ====================
      ipv6: fix issues on accessing fib6_metrics
      
      The latest fix on the memory leak of fib6_metrics still causes
      use-after-free.
      This patch series first revert the previous fix and propose a new fix
      that is more inline with ipv4 logic and is tested to fix the
      use-after-free issue reported.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69ba423d
    • Wei Wang's avatar
      ipv6: fix memory leak on dst->_metrics · ce7ea4af
      Wei Wang authored
      When dst->_metrics and f6i->fib6_metrics share the same memory, both
      take reference count on the dst_metrics structure. However, when dst is
      destroyed, ip6_dst_destroy() only invokes dst_destroy_metrics_generic()
      which does not take care of READONLY metrics and does not release refcnt.
      This causes memory leak.
      Similar to ipv4 logic, the fix is to properly release refcnt and free
      the memory space pointed by dst->_metrics if refcnt becomes 0.
      
      Fixes: 93531c67 ("net/ipv6: separate handling of FIB entries from dst based routes")
      Reported-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce7ea4af
    • Wei Wang's avatar
      Revert "ipv6: fix double refcount of fib6_metrics" · 86758605
      Wei Wang authored
      This reverts commit e70a3aad.
      
      This change causes use-after-free on dst->_metrics.
      The crash trace looks like this:
      [   97.763269] BUG: KASAN: use-after-free in ip6_mtu+0x116/0x140
      [   97.769038] Read of size 4 at addr ffff881781d2cf84 by task svw_NetThreadEv/8801
      
      [   97.777954] CPU: 76 PID: 8801 Comm: svw_NetThreadEv Not tainted 4.15.0-smp-DEV #11
      [   97.777956] Hardware name: Default string Default string/Indus_QC_02, BIOS 5.46.4 03/29/2018
      [   97.777957] Call Trace:
      [   97.777971]  [<ffffffff895709db>] dump_stack+0x4d/0x72
      [   97.777985]  [<ffffffff881651df>] print_address_description+0x6f/0x260
      [   97.777997]  [<ffffffff88165747>] kasan_report+0x257/0x370
      [   97.778001]  [<ffffffff894488e6>] ? ip6_mtu+0x116/0x140
      [   97.778004]  [<ffffffff881658b9>] __asan_report_load4_noabort+0x19/0x20
      [   97.778008]  [<ffffffff894488e6>] ip6_mtu+0x116/0x140
      [   97.778013]  [<ffffffff892bb91e>] tcp_current_mss+0x12e/0x280
      [   97.778016]  [<ffffffff892bb7f0>] ? tcp_mtu_to_mss+0x2d0/0x2d0
      [   97.778022]  [<ffffffff887b45b8>] ? depot_save_stack+0x138/0x4a0
      [   97.778037]  [<ffffffff87c38985>] ? __mmdrop+0x145/0x1f0
      [   97.778040]  [<ffffffff881643b1>] ? save_stack+0xb1/0xd0
      [   97.778046]  [<ffffffff89264c82>] tcp_send_mss+0x22/0x220
      [   97.778059]  [<ffffffff89273a49>] tcp_sendmsg_locked+0x4f9/0x39f0
      [   97.778062]  [<ffffffff881642b4>] ? kasan_check_write+0x14/0x20
      [   97.778066]  [<ffffffff89273550>] ? tcp_sendpage+0x60/0x60
      [   97.778070]  [<ffffffff881cb359>] ? rw_copy_check_uvector+0x69/0x280
      [   97.778075]  [<ffffffff8873c65f>] ? import_iovec+0x9f/0x430
      [   97.778078]  [<ffffffff88164be7>] ? kasan_slab_free+0x87/0xc0
      [   97.778082]  [<ffffffff8873c5c0>] ? memzero_page+0x140/0x140
      [   97.778085]  [<ffffffff881642b4>] ? kasan_check_write+0x14/0x20
      [   97.778088]  [<ffffffff89276f6c>] tcp_sendmsg+0x2c/0x50
      [   97.778092]  [<ffffffff89276f6c>] ? tcp_sendmsg+0x2c/0x50
      [   97.778098]  [<ffffffff89352d43>] inet_sendmsg+0x103/0x480
      [   97.778102]  [<ffffffff89352c40>] ? inet_gso_segment+0x15b0/0x15b0
      [   97.778105]  [<ffffffff890294da>] sock_sendmsg+0xba/0xf0
      [   97.778108]  [<ffffffff8902ab6a>] ___sys_sendmsg+0x6ca/0x8e0
      [   97.778113]  [<ffffffff87dccac1>] ? hrtimer_try_to_cancel+0x71/0x3b0
      [   97.778116]  [<ffffffff8902a4a0>] ? copy_msghdr_from_user+0x3d0/0x3d0
      [   97.778119]  [<ffffffff881646d1>] ? memset+0x31/0x40
      [   97.778123]  [<ffffffff87a0cff5>] ? schedule_hrtimeout_range_clock+0x165/0x380
      [   97.778127]  [<ffffffff87a0ce90>] ? hrtimer_nanosleep_restart+0x250/0x250
      [   97.778130]  [<ffffffff87dcc700>] ? __hrtimer_init+0x180/0x180
      [   97.778133]  [<ffffffff87dd1f82>] ? ktime_get_ts64+0x172/0x200
      [   97.778137]  [<ffffffff8822b8ec>] ? __fget_light+0x8c/0x2f0
      [   97.778141]  [<ffffffff8902d5c6>] __sys_sendmsg+0xe6/0x190
      [   97.778144]  [<ffffffff8902d5c6>] ? __sys_sendmsg+0xe6/0x190
      [   97.778147]  [<ffffffff8902d4e0>] ? SyS_shutdown+0x20/0x20
      [   97.778152]  [<ffffffff87cd4370>] ? wake_up_q+0xe0/0xe0
      [   97.778155]  [<ffffffff8902d670>] ? __sys_sendmsg+0x190/0x190
      [   97.778158]  [<ffffffff8902d683>] SyS_sendmsg+0x13/0x20
      [   97.778162]  [<ffffffff87a1600c>] do_syscall_64+0x2ac/0x430
      [   97.778166]  [<ffffffff87c17515>] ? do_page_fault+0x35/0x3d0
      [   97.778171]  [<ffffffff8960131f>] ? page_fault+0x2f/0x50
      [   97.778174]  [<ffffffff89600071>] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      [   97.778177] RIP: 0033:0x7f83fa36000d
      [   97.778178] RSP: 002b:00007f83ef9229e0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
      [   97.778180] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f83fa36000d
      [   97.778182] RDX: 0000000000004000 RSI: 00007f83ef922f00 RDI: 0000000000000036
      [   97.778183] RBP: 00007f83ef923040 R08: 00007f83ef9231f8 R09: 00007f83ef923168
      [   97.778184] R10: 0000000000000000 R11: 0000000000000293 R12: 00007f83f69c5b40
      [   97.778185] R13: 000000000000001c R14: 0000000000000001 R15: 0000000000004000
      
      [   97.779684] Allocated by task 5919:
      [   97.783185]  save_stack+0x46/0xd0
      [   97.783187]  kasan_kmalloc+0xad/0xe0
      [   97.783189]  kmem_cache_alloc_trace+0xdf/0x580
      [   97.783190]  ip6_convert_metrics.isra.79+0x7e/0x190
      [   97.783192]  ip6_route_info_create+0x60a/0x2480
      [   97.783193]  ip6_route_add+0x1d/0x80
      [   97.783195]  inet6_rtm_newroute+0xdd/0xf0
      [   97.783198]  rtnetlink_rcv_msg+0x641/0xb10
      [   97.783200]  netlink_rcv_skb+0x27b/0x3e0
      [   97.783202]  rtnetlink_rcv+0x15/0x20
      [   97.783203]  netlink_unicast+0x4be/0x720
      [   97.783204]  netlink_sendmsg+0x7bc/0xbf0
      [   97.783205]  sock_sendmsg+0xba/0xf0
      [   97.783207]  ___sys_sendmsg+0x6ca/0x8e0
      [   97.783208]  __sys_sendmsg+0xe6/0x190
      [   97.783209]  SyS_sendmsg+0x13/0x20
      [   97.783211]  do_syscall_64+0x2ac/0x430
      [   97.783213]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      [   97.784709] Freed by task 0:
      [   97.785056] knetbase: Error: /proc/sys/net/core/txcs_enable does not exist
      [   97.794497]  save_stack+0x46/0xd0
      [   97.794499]  kasan_slab_free+0x71/0xc0
      [   97.794500]  kfree+0x7c/0xf0
      [   97.794501]  fib6_info_destroy_rcu+0x24f/0x310
      [   97.794504]  rcu_process_callbacks+0x38b/0x1730
      [   97.794506]  __do_softirq+0x1c8/0x5d0
      Reported-by: default avatarJohn Sperbeck <jsperbeck@google.com>
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86758605
    • Russell King's avatar
      sfp: fix oops with ethtool -m · 126d6848
      Russell King authored
      If a network interface is created prior to the SFP socket being
      available, ethtool can request module information.  This unfortunately
      leads to an oops:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000008
      pgd = (ptrval)
      [00000008] *pgd=7c400831, *pte=00000000, *ppte=00000000
      Internal error: Oops: 17 [#1] SMP ARM
      Modules linked in:
      CPU: 0 PID: 1480 Comm: ethtool Not tainted 4.19.0-rc3 #138
      Hardware name: Broadcom Northstar Plus SoC
      PC is at sfp_get_module_info+0x8/0x10
      LR is at dev_ethtool+0x218c/0x2afc
      
      Fix this by not filling in the network device's SFP bus pointer until
      SFP is fully bound, thereby avoiding the core calling into the SFP bus
      code.
      
      Fixes: ce0aa27f ("sfp: add sfp-bus to bridge between network devices and sfp cages")
      Reported-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Tested-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      126d6848
    • Antoine Tenart's avatar
      net: mvpp2: fix a txq_done race condition · 774268f3
      Antoine Tenart authored
      When no Tx IRQ is available, the txq_done() routine (called from
      tx_done()) shouldn't be called from the polling function, as in such
      case it is already called in the Tx path thanks to an hrtimer. This
      mostly occurred when using PPv2.1, as the engine then do not have Tx
      IRQs.
      
      Fixes: edc660fa ("net: mvpp2: replace TX coalescing interrupts with hrtimer")
      Reported-by: default avatarStefan Chulski <stefanc@marvell.com>
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      774268f3
    • David S. Miller's avatar
      Merge branch 'net-smc-fixes' · 81d0b759
      David S. Miller authored
      Ursula Braun says:
      
      ====================
      net/smc: fixes 2018-09-18
      
      here are some fixes in different areas of the smc code for the net
      tree.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81d0b759
    • YueHaibing's avatar
      net/smc: fix sizeof to int comparison · 38189779
      YueHaibing authored
      Comparing an int to a size, which is unsigned, causes the int to become
      unsigned, giving the wrong result. kernel_sendmsg can return a negative
      error code.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      38189779
    • Karsten Graul's avatar
      net/smc: no urgent data check for listen sockets · 71d117f5
      Karsten Graul authored
      Don't check a listen socket for pending urgent data in smc_poll().
      Signed-off-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71d117f5
    • Ursula Braun's avatar
      net/smc: enable fallback for connection abort in state INIT · dd65d87a
      Ursula Braun authored
      If a linkgroup is terminated abnormally already due to failing
      LLC CONFIRM LINK or LLC ADD LINK, fallback to TCP is still possible.
      In this case do not switch to state SMC_PEERABORTWAIT and do not set
      sk_err.
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dd65d87a
    • Ursula Braun's avatar
      net/smc: remove duplicate mutex_unlock · 1ca52fcf
      Ursula Braun authored
      For a failing smc_listen_rdma_finish() smc_listen_decline() is
      called. If fallback is possible, the new socket is already enqueued
      to be accepted in smc_listen_decline(). Avoid enqueuing a second time
      afterwards in this case, otherwise the smc_create_lgr_pending lock
      is released twice:
      [  373.463976] WARNING: bad unlock balance detected!
      [  373.463978] 4.18.0-rc7+ #123 Tainted: G           O
      [  373.463979] -------------------------------------
      [  373.463980] kworker/1:1/30 is trying to release lock (smc_create_lgr_pending) at:
      [  373.463990] [<000003ff801205fc>] smc_listen_work+0x22c/0x5d0 [smc]
      [  373.463991] but there are no more locks to release!
      [  373.463991]
      other info that might help us debug this:
      [  373.463993] 2 locks held by kworker/1:1/30:
      [  373.463994]  #0: 00000000772cbaed ((wq_completion)"events"){+.+.}, at: process_one_work+0x1ec/0x6b0
      [  373.464000]  #1: 000000003ad0894a ((work_completion)(&new_smc->smc_listen_work)){+.+.}, at: process_one_work+0x1ec/0x6b0
      [  373.464003]
      stack backtrace:
      [  373.464005] CPU: 1 PID: 30 Comm: kworker/1:1 Kdump: loaded Tainted: G           O      4.18.0-rc7uschi+ #123
      [  373.464007] Hardware name: IBM 2827 H43 738 (LPAR)
      [  373.464010] Workqueue: events smc_listen_work [smc]
      [  373.464011] Call Trace:
      [  373.464015] ([<0000000000114100>] show_stack+0x60/0xd8)
      [  373.464019]  [<0000000000a8c9bc>] dump_stack+0x9c/0xd8
      [  373.464021]  [<00000000001dcaf8>] print_unlock_imbalance_bug+0xf8/0x108
      [  373.464022]  [<00000000001e045c>] lock_release+0x114/0x4f8
      [  373.464025]  [<0000000000aa87fa>] __mutex_unlock_slowpath+0x4a/0x300
      [  373.464027]  [<000003ff801205fc>] smc_listen_work+0x22c/0x5d0 [smc]
      [  373.464029]  [<0000000000197a68>] process_one_work+0x2a8/0x6b0
      [  373.464030]  [<0000000000197ec2>] worker_thread+0x52/0x410
      [  373.464033]  [<000000000019fd0e>] kthread+0x15e/0x178
      [  373.464035]  [<0000000000aaf58a>] kernel_thread_starter+0x6/0xc
      [  373.464052]  [<0000000000aaf584>] kernel_thread_starter+0x0/0xc
      [  373.464054] INFO: lockdep is turned off.
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ca52fcf
    • Ursula Braun's avatar
      net/smc: fix non-blocking connect problem · 648a5a7a
      Ursula Braun authored
      In state SMC_INIT smc_poll() delegates polling to the internal
      CLC socket. This means, once the connect worker has finished
      its kernel_connect() step, the poll wake-up may occur. This is not
      intended. The wake-up should occur from the wake up call in
      smc_connect_work() after __smc_connect() has finished.
      Thus in state SMC_INIT this patch now calls sock_poll_wait() on the
      main SMC socket.
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      648a5a7a
    • Kazuya Mizuguchi's avatar
      ravb: do not write 1 to reserved bits · 2fe397a3
      Kazuya Mizuguchi authored
      EtherAVB hardware requires 0 to be written to status register bits in
      order to clear them, however, care must be taken not to:
      
      1. Clear other bits, by writing zero to them
      2. Write one to reserved bits
      
      This patch corrects the ravb driver with respect to the second point above.
      This is done by defining reserved bit masks for the affected registers and,
      after auditing the code, ensure all sites that may write a one to a
      reserved bit use are suitably masked.
      Signed-off-by: default avatarKazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
      Signed-off-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Reviewed-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fe397a3
    • zhong jiang's avatar
      net: bnxt: Fix a uninitialized variable warning. · 65fac4fe
      zhong jiang authored
      Fix the following compile warning:
      
      drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c:49:5: warning: ‘nvm_param.dir_type’ may be used uninitialized in this function [-Wmaybe-uninitialized]
        if (nvm_param.dir_type == BNXT_NVM_PORT_CFG)
      Signed-off-by: default avatarzhong jiang <zhongjiang@huawei.com>
      Acked-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65fac4fe
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2018-09-17' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 6344244c
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2018-09-17
      
      Sorry about the previous submission of this series which was mistakenly
      marked for net-next, here I am resending with 'net' mark.
      
      This series provides three fixes to mlx5 core and mlx5e netdevice
      driver.
      
      Please pull and let me know if there's any problem.
      
      For -stable v4.16:
      ('net/mlx5: Check for SQ and not RQ state when modifying hairpin SQ')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6344244c
    • Christian Lamparter's avatar
      net: emac: fix fixed-link setup for the RTL8363SB switch · 08e39982
      Christian Lamparter authored
      On the Netgear WNDAP620, the emac ethernet isn't receiving nor
      xmitting any frames from/to the RTL8363SB (identifies itself
      as a RTL8367RB).
      
      This is caused by the emac hardware not knowing the forced link
      parameters for speed, duplex, pause, etc.
      
      This begs the question, how this was working on the original
      driver code, when it was necessary to set the phy_address and
      phy_map to 0xffffffff. But I guess without access to the old
      PPC405/440/460 hardware, it's not possible to know.
      Signed-off-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      08e39982
    • Suren Baghdasaryan's avatar
      NFC: Fix the number of pipes · e285d5bf
      Suren Baghdasaryan authored
      According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
      is 7 bits long which allows for 128 unique pipe IDs. Because
      NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
      as the max pipe ID, its value should be 128 instead of 127.
      
      nfc_hci_recv_from_llc extracts pipe ID from packet header using
      NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
      Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
      pipes array having only 127 elements and pipe ID of 127 the OOB memory
      access will result.
      
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Allen Pais <allen.pais@oracle.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Suggested-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e285d5bf
    • Suren Baghdasaryan's avatar
      NFC: Fix possible memory corruption when handling SHDLC I-Frame commands · 674d9de0
      Suren Baghdasaryan authored
      When handling SHDLC I-Frame commands "pipe" field used for indexing
      into an array should be checked before usage. If left unchecked it
      might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).
      
      Malformed NFC HCI frames could be injected by a malicious NFC device
      communicating with the device being attacked (remote attack vector),
      or even by an attacker with physical access to the I2C bus such that
      they could influence the data transfers on that bus (local attack vector).
      skb->data is controlled by the attacker and has only been sanitized in
      the most trivial ways (CRC check), therefore we can consider the
      create_info struct and all of its members to tainted. 'create_info->pipe'
      with max value of 255 (uint8) is used to take an offset of the
      hdev->pipes array of 127 elements which can lead to OOB write.
      
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Allen Pais <allen.pais@oracle.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Suggested-by: default avatarKevin Deus <kdeus@google.com>
      Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      674d9de0
    • Sabrina Dubroca's avatar
      selftests: pmtu: properly redirect stderr to /dev/null · 0a286afe
      Sabrina Dubroca authored
      The cleanup function uses "$CMD 2 > /dev/null", which doesn't actually
      send stderr to /dev/null, so when the netns doesn't exist, the error
      message is shown. Use "2> /dev/null" instead, so that those messages
      disappear, as was intended.
      
      Fixes: d1f1b9cb ("selftests: net: Introduce first PMTU test")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0a286afe
    • David S. Miller's avatar
      Merge branch 'stmmac-Coalesce-and-tail-addr-fixes' · 87ebcffd
      David S. Miller authored
      Jose Abreu says:
      
      ====================
      net: stmmac: Coalesce and tail addr fixes
      
      The fix for coalesce timer and a fix in tail address setting that impacts
      XGMAC2 operation.
      
      The series is:
      Tested-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      	on a113 s400 board (single queue)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87ebcffd
    • Jose Abreu's avatar
      net: stmmac: Fixup the tail addr setting in xmit path · 0431100b
      Jose Abreu authored
      Currently we are always setting the tail address of descriptor list to
      the end of the pre-allocated list.
      
      According to databook this is not correct. Tail address should point to
      the last available descriptor + 1, which means we have to update the
      tail address everytime we call the xmit function.
      
      This should make no impact in older versions of MAC but in newer
      versions there are some DMA features which allows the IP to fetch
      descriptors in advance and in a non sequential order so its critical
      that we set the tail address correctly.
      Signed-off-by: default avatarJose Abreu <joabreu@synopsys.com>
      Fixes: f748be53 ("stmmac: support new GMAC4")
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0431100b