- 18 Nov, 2017 7 commits
-
-
Desnes Augusto Nunes do Rosario authored
This patch fixes the dma_mapping_error call to use the correct dma_addr which is inside the ibmvnic_vpd struct. Moreover, it fixes an uninitialized warning regarding a local dma_addr variable which is not used anymore. Fixes: 4e6759be ("ibmvnic: Feature implementation of VPD for the ibmvnic driver") Reported-by:
Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
Desnes A. Nunes do Rosario <desnesn@linux.vnet.ibm.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Girish Moodalbail authored
When call to register_netdevice() (called from ipvlan_link_new()) fails, we call ipvlan_uninit() (through ndo_uninit()) to destroy the ipvlan port. After returning unsuccessfully from register_netdevice() we go ahead and call ipvlan_port_destroy() again which causes NULL pointer dereference panic. Fix the issue by making ipvlan_init() and ipvlan_uninit() call symmetric. The ipvlan port will now be created inside ipvlan_init() and will be destroyed in ipvlan_uninit(). Fixes: 2ad7bf36 (ipvlan: Initial check-in of the IPVLAN driver) Signed-off-by:
Girish Moodalbail <girish.moodalbail@oracle.com> Signed-off-by:
-
Xin Long authored
Now when ip route flush cache and it turn out all fnhe_genid != genid. If a redirect/pmtu icmp packet comes and the old fnhe is found and all it's members but fnhe_genid will be updated. Then next time when it looks up route and tries to rebind this fnhe to the new dst, the fnhe will be flushed due to fnhe_genid != genid. It causes this redirect/pmtu icmp packet acutally not to be applied. This patch is to also reset fnhe_genid when updating a route cache. Fixes: 5aad1de5 ("ipv4: use separate genid for next hop exceptions") Acked-by:
Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by:
Xin Long <lucien.xin@gmail.com> Signed-off-by:
-
Xin Long authored
Now when creating fnhe for redirect, it sets fnhe_expires for this new route cache. But when updating the exist one, it doesn't do it. It will cause this fnhe never to be expired. Paolo already noticed it before, in Jianlin's test case, it became even worse: When ip route flush cache, the old fnhe is not to be removed, but only clean it's members. When redirect comes again, this fnhe will be found and updated, but never be expired due to fnhe_expires not being set. So fix it by simply updating fnhe_expires even it's for redirect. Fixes: aee06da6 ("ipv4: use seqlock for nh_exceptions") Reported-by:
Jianlin Shi <jishi@redhat.com> Acked-by:
-
Xin Long authored
Now in sctp_setsockopt_maxseg user_frag or frag_point can be set with val >= 8 and val <= SCTP_MAX_CHUNK_LEN. But both checks are incorrect. val >= 8 means frag_point can even be less than SCTP_DEFAULT_MINSEGMENT. Then in sctp_datamsg_from_user(), when it's value is greater than cookie echo len and trying to bundle with cookie echo chunk, the first_len will overflow. The worse case is when it's value is equal as cookie echo len, first_len becomes 0, it will go into a dead loop for fragment later on. In Hangbin syzkaller testing env, oom was even triggered due to consecutive memory allocation in that loop. Besides, SCTP_MAX_CHUNK_LEN is the max size of the whole chunk, it should deduct the data header for frag_point or user_frag check. This patch does a proper check with SCTP_DEFAULT_MINSEGMENT subtracting the sctphdr and datahdr, SCTP_MAX_CHUNK_LEN subtracting datahdr when setting frag_point via sockopt. It also improves sctp_setsockopt_maxseg codes. Suggested-by:
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Reported-by:
Hangbin Liu <liuhangbin@gmail.com> Signed-off-by:
-
Colin Ian King authored
In the cases where len is too long, the error return path fails to kfree allocated buffers buf and usb_reg_buf. The simplest fix is to perform the sanity check on len before the allocations to avoid having to do the kfree'ing in the first place. Detected by CoverityScan, CID#1452258,1452259 ("Resource Leak") Fixes: 59f73e2a ("rsi: check length before USB read/write register") Signed-off-by:Colin Ian King <colin.king@canonical.com> Signed-off-by:
-
Tim Hansen authored
Add list_next_rcu() for fetching next list in rcu_deference safely. Found with sparse in linux-next tree on tag next-20171116. Signed-off-by:
Tim Hansen <devtimhansen@gmail.com> Signed-off-by:
-
- 17 Nov, 2017 7 commits
-
-
David S. Miller authored
Jakub Kicinski says: ==================== nfp: flower fixes and typo in ethtool stats name This set comes from the flower offload team. From Pieter we have a fix to the semantics of the flag telling FW whether to allocate or free a mask and correction of a typo in name of one of the MAC statistics (reveive -> received, we use past participle to match HW docs). Dirk fixes propagation of max MTU to representors. John improves VXLAN offload. The old code was not using egress_dev at all, so Jiri missed it in his conversion. The validation of ingress port is still not perfect, we will have to wait for shared block dust to settle to tackle it. This is how John explains the cases: The following example rule is now correctly offloaded in net-next kernel: tc filter add dev vxlan0 ... enc_dst_port 4789 ... skip_sw \ action redirect dev nfp_p0 The following rule will not be offloaded to the NFP (previously it incorrectly matched vxlan packets - it shouldn't as ingress dev is not a vxlan netdev): tc filter add dev nfp_p0 ... enc_dst_port 4789 ... skip_sw \ action redirect dev nfp_p0 Rules that are not matching on tunnels and are an egress offload are rejected. The standard match code assumes the offloaded repr is the ingress port. Rejecting egress offloads removes the chances of false interpretation of the rules on the NFP. A know issue is that the following rule example could still be offloaded and incorrectly match tunnel data: tc filter add dev dummy ... enc_dst_port 4789 ... skip_sw \ action redirect dev nfp_p0 Because the egress register callback does not give information on the ingress netdev, the patch assumes that if it is not a repr then it is the correct tunnel netdev. This may not be the case. The chances of this happening is reduced as it is enforced that the rule match on the well known vxlan port but it is still possible. ==================== Signed-off-by: -
John Hurley authored
Pass information to the match offload on whether or not the repr is the ingress or egress dev. Only accept tunnel matches if repr is the egress dev. This means rules such as the following are successfully offloaded: tc .. add dev vxlan0 .. enc_dst_port 4789 .. action redirect dev nfp_p0 While rules such as the following are rejected: tc .. add dev nfp_p0 .. enc_dst_port 4789 .. action redirect dev vxlan0 Also reject non tunnel flows that are offloaded to an egress dev. Non tunnel matches assume that the offload dev is the ingress port and offload a match accordingly. Fixes: 611aec10 ("nfp: compile flower vxlan tunnel metadata match fields") Signed-off-by:
John Hurley <john.hurley@netronome.com> Reviewed-by:
Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by:
-
John Hurley authored
Register a callback for offloading flows that have a repr as their egress device. The new egdev_register function is added to net-next for the 4.15 release. Signed-off-by:
-
Dirk van der Merwe authored
The PF netdev is used for data transfer for reprs, so reprs inherit the maximum MTU settings of the PF netdev. Fixes: 5de73ee4 ("nfp: general representor implementation") Signed-off-by:
Dirk van der Merwe <dirk.vandermerwe@netronome.com> Reviewed-by:
-
Pieter Jansen van Vuuren authored
Correct typo in vlan receive MAC stats. Previously the MAC statistics reported in ethtool for vlan receive contained a typo resulting in ethtool reporting rx_vlan_reveive_ok instead of rx_vlan_received_ok. Fixes: a5950182 ("nfp: map mac_stats and vf_cfg BARs") Fixes: 098ce840 ("nfp: report MAC statistics in ethtool") Reported-by:
Brendan Galloway <brendan.galloway@netronome.com> Signed-off-by:
Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com> Reviewed-by:
Simon Horman <simon.horman@netronome.com> Signed-off-by:
-
Pieter Jansen van Vuuren authored
Hardware has no notion of new or last mask id, instead it makes use of the message type (i.e. add flow or del flow) in combination with a single bit in metadata flags to determine when to add or delete a mask id. Previously we made use of the new or last flags to indicate that a new mask should be allocated or deallocated, respectively. This incorrect behaviour is fixed by making use single bit in metadata flags to indicate mask allocation or deallocation. Fixes: 43f84b72 ("nfp: add metadata to each flow offload") Signed-off-by:
-
Joel Stanley authored
Looks like this was mistakenly added to the tree as part of commit 186b3c99 ("virtio-net: support XDP_REDIRECT"). Signed-off-by:
Joel Stanley <joel@jms.id.au> Acked-by:
Jason Wang <jasowang@redhat.com> Acked-by:
Michael S. Tsirkin <mst@redhat.com> Signed-off-by:
-
- 16 Nov, 2017 26 commits
-
-
Eric W. Biederman authored
Alexandar Potapenko while testing the kernel with KMSAN and syzkaller discovered that in some configurations sctp would leak 4 bytes of kernel stack. Working with his reproducer I discovered that those 4 bytes that are leaked is the scope id of an ipv6 address returned by recvmsg. With a little code inspection and a shrewd guess I discovered that sctp_inet6_skb_msgname only initializes the scope_id field for link local ipv6 addresses to the interface index the link local address pertains to instead of initializing the scope_id field for all ipv6 addresses. That is almost reasonable as scope_id's are meaniningful only for link local addresses. Set the scope_id in all other cases to 0 which is not a valid interface index to make it clear there is nothing useful in the scope_id field. There should be no danger of breaking userspace as the stack leak guaranteed that previously meaningless random data was being returned. Fixes: 372f525b ("SCTP: Resync with LKSCTP tree.") History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.gitReported-by:
Alexander Potapenko <glider@google.com> Tested-by:
"Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by:
-
Huacai Chen authored
This patch try to fix the building error on MIPS. The reason is MIPS has already defined the LONG macro, which conflicts with the LONG enum in drivers/net/ethernet/fealnx.c. Signed-off-by:
Huacai Chen <chenhc@lemote.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsecDavid S. Miller authored
Steffen Klassert says: ==================== 1) Copy policy family in clone_policy, otherwise this can trigger a BUG_ON in af_key. From Herbert Xu. 2) Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find." This added a regression with transport mode when no addresses are configured on the policy template. Both patches are stable candidates. ==================== Signed-off-by: -
David S. Miller authored
Arvind Yadav says: ==================== isdn: hisax: Fix pnp_irq's error checking The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. ==================== Signed-off-by: -
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
Arvind Yadav <arvind.yadav.cs@gmail.com> Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
pnp_irq() and pnp_port_start() can fail here and we must check its return value. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Arvind Yadav authored
The pnp_irq() function returns -1 if an error occurs. pnp_irq() error checking for zero is not correct. Signed-off-by:
-
Jon Maloy authored
The socket level flow control is based on the assumption that incoming buffers meet the condition (skb->truesize / roundup(skb->len) <= 4), where the latter value is rounded off upwards to the nearest 1k number. This does empirically hold true for the device drivers we know, but we cannot trust that it will always be so, e.g., in a system with jumbo frames and very small packets. We now introduce a check for this condition at packet arrival, and if we find it to be false, we copy the packet to a new, smaller buffer, where the condition will be true. We expect this to affect only a small fraction of all incoming packets, if at all. Acked-by:
Ying Xue <ying.xue@windriver.com> Signed-off-by:
Jon Maloy <jon.maloy@ericsson.com> Signed-off-by:
-
Arnd Bergmann authored
This function is no longer marked 'inline', so we now get a warning when it is unused: net/netfilter/nf_conntrack_netlink.c:536:15: error: 'ctnetlink_proto_size' defined but not used [-Werror=unused-function] We could mark it inline again, mark it __maybe_unused, or add an #ifdef around the definition. I'm picking the third approach here since that seems to be what the rest of the file has. Fixes: 5caaed15 ("netfilter: conntrack: don't cache nlattr_tuple_size result in nla_size") Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
-
Grygorii Strashko authored
Now CPSW driver configures min eth packet size to 60 octets (ETH_ZLEN) which works in most of cases, but when port VLAN is configured on some switch port, it also can be configured to force all egress packets to be VLAN untagged. And in this case, CPSW driver will pad small packets to 60 octets, but final packet size on port egress can became less than 60 octets due to VLAN tag removal and packet will be dropped. Hence, fix it by accounting VLAN header in CPSW min eth packet size. While here, use proper defines for CPSW_MAX_PACKET_SIZE also, instead of open coding. Signed-off-by:
Grygorii Strashko <grygorii.strashko@ti.com> Signed-off-by:
-
Ahmed Abdelsalam authored
The IPv6 Segment Routing Header (SRH) format has been updated (revision 6 of the SRH ietf draft). The update includes the following SRH fields: (1) The "First Segment" field changed to be "Last Entry" which contains the index, in the Segment List, of the last element of the Segment List. (2) The 16 bit "reserved" field now is used as a "tag" which tags a packet as part of a class or group of packets, e.g.,packets sharing the same set of properties. This patch updates the struct ipv6_sr_hdr, so it complies with the updated SRH draft. The 16 bit "reserved" field is changed to be "tag", In addition a comment is added to the "first_segment" field, showing that it represents the "Last Entry" field of the SRH. Signed-off-by:
Ahmed Abdelsalam <amsalam20@gmail.com> Signed-off-by:
-
Vitaly Kuznetsov authored
rndis_filter_device_add() is called both from netvsc_probe() when we initially create the device and from set channels/mtu/ringparam routines where we basically remove the device and add it back. hw_features is reset in rndis_filter_device_add() and filled with host data. However, we lose all additional flags which are set outside of the driver, e.g. register_netdevice() adds NETIF_F_SOFT_FEATURES and many others. Unfortunately, calls to rndis_{query_hwcaps(), _set_offload_params()} calls cannot be avoided on every RNDIS reset: host expects us to set required features explicitly. Moreover, in theory hardware capabilities can change and we need to reflect the change in hw_features. Reset net->hw_features bits according to host data in rndis_netdev_set_hwcaps(), clear corresponding feature bits from net->features in case some features went missing (will never happen in real life I guess but let's be consistent). Signed-off-by:Vitaly Kuznetsov <vkuznets@redhat.com> Reviewed-by:
Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by:
-
Colin Ian King authored
Replace kmalloc followed by a memset with kzalloc Signed-off-by:
Ariel Elior <aelior@cavium.com> Signed-off-by:
-
Michal Kubecek authored
According to the description, first argument of genlmsg_nlhdr() points to what genlmsg_put() returns, i.e. beginning of user header. Therefore we should only subtract size of genetlink header and netlink message header, not user header. This also means we don't need to pass the pointer to genetlink family and the same is true for genl_dump_check_consistent() which is the only caller of genlmsg_nlhdr(). (Note that at the moment, these functions are only used for families which do not have user header so that they are not affected.) Fixes: 670dc283 ("netlink: advertise incomplete dumps") Signed-off-by:
Michal Kubecek <mkubecek@suse.cz> Reviewed-by:
Johannes Berg <johannes@sipsolutions.net> Signed-off-by:
-
Xin Long authored
Now when resetting stream, if both in and out flags are set, the info len can reach: sizeof(struct sctp_strreset_outreq) + SCTP_MAX_STREAM(65535) + sizeof(struct sctp_strreset_inreq) + SCTP_MAX_STREAM(65535) even without duplicated stream no, this value is far greater than the chunk's max size. _sctp_make_chunk doesn't do any check for this, which would cause the skb it allocs is huge, syzbot even reported a crash due to this. This patch is to check stream reset info len before making reconf chunk and return EINVAL if the len exceeds chunk's capacity. Thanks Marcelo and Neil for making this clear. v1->v2: - move the check into sctp_send_reset_streams instead. Fixes: cc16f00f ("sctp: add support for generating stream reconf ssn reset request chunk") Reported-by:
Dmitry Vyukov <dvyukov@google.com> Signed-off-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Xin Long authored
Commit dfcb9f4f ("sctp: deny peeloff operation on asocs with threads sleeping on it") fixed the race between peeloff and wait sndbuf by checking waitqueue_active(&asoc->wait) in sctp_do_peeloff(). But it actually doesn't work, as even if waitqueue_active returns false the waiting sndbuf thread may still not yet hold sk lock. After asoc is peeled off, sk is not asoc->base.sk any more, then to hold the old sk lock couldn't make assoc safe to access. This patch is to fix this by changing to hold the new sk lock if sk is not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the new sk. With this fix, there is no more race between peeloff and waitbuf, the check 'waitqueue_active' in sctp_do_peeloff can be removed. Thanks Marcelo and Neil for making this clear. v1->v2: fix it by changing to lock the new sock instead of adding a flag in asoc. Suggested-by:
-
Xin Long authored
Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without holding sock sk. It means the current asoc can be freed elsewhere, like when receiving an abort packet. If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf returns err, the asoc will be freed again due to new_asoc is not nil. An use-after-free issue would be triggered by this. This patch is to fix it by setting new_asoc with nil if the asoc is already dead when cpu schedules back, so that it will not be freed again in sctp_sendmsg. v1->v2: set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf. Suggested-by:
-
