1. 23 Jun, 2018 11 commits
    • Eric Dumazet's avatar
      net: dccp: avoid crash in ccid3_hc_rx_send_feedback() · 74174fe5
      Eric Dumazet authored
      On fast hosts or malicious bots, we trigger a DCCP_BUG() which
      seems excessive.
      
      syzbot reported :
      
      BUG: delta (-6195) <= 0 at net/dccp/ccids/ccid3.c:628/ccid3_hc_rx_send_feedback()
      CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc1+ #112
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       ccid3_hc_rx_send_feedback net/dccp/ccids/ccid3.c:628 [inline]
       ccid3_hc_rx_packet_recv.cold.16+0x38/0x71 net/dccp/ccids/ccid3.c:793
       ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
       dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
       dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
       dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
       sk_backlog_rcv include/net/sock.h:914 [inline]
       __sk_receive_skb+0x3ba/0xd80 net/core/sock.c:517
       dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:875
       ip_local_deliver_finish+0x2eb/0xda0 net/ipv4/ip_input.c:215
       NF_HOOK include/linux/netfilter.h:287 [inline]
       ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
       dst_input include/net/dst.h:450 [inline]
       ip_rcv_finish+0x823/0x2220 net/ipv4/ip_input.c:396
       NF_HOOK include/linux/netfilter.h:287 [inline]
       ip_rcv+0xa18/0x1284 net/ipv4/ip_input.c:492
       __netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
       process_backlog+0x219/0x760 net/core/dev.c:5373
       napi_poll net/core/dev.c:5771 [inline]
       net_rx_action+0x7da/0x1980 net/core/dev.c:5837
       __do_softirq+0x2e8/0xb17 kernel/softirq.c:284
       run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
       smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
       kthread+0x345/0x410 kernel/kthread.c:240
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Cc: dccp@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      74174fe5
    • Geert Uytterhoeven's avatar
      net: Remove depends on HAS_DMA in case of platform dependency · e020797b
      Geert Uytterhoeven authored
      Remove dependencies on HAS_DMA where a Kconfig symbol depends on another
      symbol that implies HAS_DMA, and, optionally, on "|| COMPILE_TEST".
      In most cases this other symbol is an architecture or platform specific
      symbol, or PCI.
      
      Generic symbols and drivers without platform dependencies keep their
      dependencies on HAS_DMA, to prevent compiling subsystems or drivers that
      cannot work anyway.
      
      This simplifies the dependencies, and allows to improve compile-testing.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Reviewed-by: default avatarMark Brown <broonie@kernel.org>
      Acked-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e020797b
    • Geert Uytterhoeven's avatar
      MAINTAINERS: Add file patterns for dsa device tree bindings · 935c5e3e
      Geert Uytterhoeven authored
      Submitters of device tree binding documentation may forget to CC
      the subsystem maintainer if this is missing.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      935c5e3e
    • Antoine Tenart's avatar
      net: mscc: make sparse happy · c2cd650b
      Antoine Tenart authored
      This patch fixes a sparse warning about using an incorrect type in
      argument 2 of ocelot_write_rix(), as an u32 was expected but a __be32
      was given. The conversion to u32 is forced, which is safe as the value
      will be written as-is in the hardware without any modification.
      
      Fixes: 08d02364 ("net: mscc: fix the injection header")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2cd650b
    • Antoine Tenart's avatar
      net: mvneta: fix the Rx desc DMA address in the Rx path · 271f7ff5
      Antoine Tenart authored
      When using s/w buffer management, buffers are allocated and DMA mapped.
      When doing so on an arm64 platform, an offset correction is applied on
      the DMA address, before storing it in an Rx descriptor. The issue is
      this DMA address is then used later in the Rx path without removing the
      offset correction. Thus the DMA address is wrong, which can led to
      various issues.
      
      This patch fixes this by removing the offset correction from the DMA
      address retrieved from the Rx descriptor before using it in the Rx path.
      
      Fixes: 8d5047cf ("net: mvneta: Convert to be 64 bits compatible")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      271f7ff5
    • Tobin C. Harding's avatar
      Documentation: e1000: Fix docs build error · 805f16a5
      Tobin C. Harding authored
      Recent patch updated e1000 docs to rst format.  Docs build (`make
      htmldocs`) is currently failing due to this file with error:
      
              (SEVERE/4) Unexpected section title.
      
      This is because a section of the file is indented 2 spaces.  Build error
      can be cleared by aligning the text with column 0.  While we are changing
      these lines we can make sure line length does not exceed 72, that
      newlines following headings are uniform, and that full stops are
      followed by two spaces.
      
      Align text with column 0, limit line length to 72, ensure two spaces
      follow all full stops, ensure uniform use of newlines after heading.
      
      Fixes commit (228046e7 Documentation: e1000: Update kernel documentation)
      
      CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarTobin C. Harding <me@tobin.cc>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      805f16a5
    • Tobin C. Harding's avatar
      Documentation: e100: Fix docs build error · 3b0c3ebe
      Tobin C. Harding authored
      Recent patch updated e100 docs to rst format.  Docs build (`make
      htmldocs`) is currently failing due to this file with error:
      
      	(SEVERE/4) Unexpected section title.
      
      This is because a section of the file is indented 2 spaces.  Build error
      can be cleared by aligning the text with column 0.  While we are changing
      these lines we can make sure line length does not exceed 72, that
      newlines following headings are uniform, and that full stops are
      followed by two spaces.
      
      Align text with column 0, limit line length to 72, ensure two spaces
      follow all full stops, ensure uniform use of newlines after heading.
      
      Fixes commit (85d63445 Documentation: e100: Update the Intel 10/100 driver doc)
      
      CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarTobin C. Harding <me@tobin.cc>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b0c3ebe
    • Tobin C. Harding's avatar
      Documentation: e1000: Use correct heading adornment · 3be40e54
      Tobin C. Harding authored
      Recently documentation file was converted to rst.  The document title
      has the incorrect heading adornment.  From kernel docs:
      
      	* Please stick to this order of heading adornments:
      
      	  1. ``=`` with overline for document title::
      
      	       ==============
      	       Document title
      	       ==============
      
      Add  overline heading adornment to document title.
      
      Fixes commit (228046e7 Documentation: e1000: Update kernel documentation)
      
      CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarTobin C. Harding <me@tobin.cc>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3be40e54
    • Tobin C. Harding's avatar
      Documentation: e100: Use correct heading adornment · 32e6996c
      Tobin C. Harding authored
      Recently documentation file was converted to rst.  The document title
      has the incorrect heading adornment.  From kernel docs:
      
      	* Please stick to this order of heading adornments:
      
      	  1. ``=`` with overline for document title::
      
      	       ==============
      	       Document title
      	       ==============
      
      Add  overline heading adornment to document title.
      
      Fixes commit (85d63445 Documentation: e100: Update the Intel 10/100 driver doc)
      
      CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarTobin C. Harding <me@tobin.cc>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32e6996c
    • Hangbin Liu's avatar
      ipv6: mcast: fix unsolicited report interval after receiving querys · 6c6da928
      Hangbin Liu authored
      After recieving MLD querys, we update idev->mc_maxdelay with max_delay
      from query header. This make the later unsolicited reports have the same
      interval with mc_maxdelay, which means we may send unsolicited reports with
      long interval time instead of default configured interval time.
      
      Also as we will not call ipv6_mc_reset() after device up. This issue will
      be there even after leave the group and join other groups.
      
      Fixes: fc4eba58 ("ipv6: make unsolicited report intervals configurable for mld")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c6da928
    • Jason Wang's avatar
      vhost_net: validate sock before trying to put its fd · b8f1f658
      Jason Wang authored
      Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when
      we meet errors during ubuf allocation, the code does not check for
      NULL before calling sockfd_put(), this will lead NULL
      dereferencing. Fixing by checking sock pointer before.
      
      Fixes: bab632d6 ("vhost: vhost TX zero-copy support")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8f1f658
  2. 22 Jun, 2018 2 commits
  3. 21 Jun, 2018 16 commits
    • David S. Miller's avatar
      Merge branch 'xen-netfront-fixes' · 962c661f
      David S. Miller authored
      Ross Lagerwall says:
      
      ====================
      xen-netfront: Fix issues with commit f599c64f
      
      Fix a couple of issues with commit f599c64f ("xen-netfront: Fix race
      between device setup and open").
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      962c661f
    • Ross Lagerwall's avatar
      xen-netfront: Update features after registering netdev · 45c8184c
      Ross Lagerwall authored
      Update the features after calling register_netdev() otherwise the
      device features are not set up correctly and it not possible to change
      the MTU of the device. After this change, the features reported by
      ethtool match the device's features before the commit which introduced
      the issue and it is possible to change the device's MTU.
      
      Fixes: f599c64f ("xen-netfront: Fix race between device setup and open")
      Reported-by: default avatarLiam Shepherd <liam@dancer.es>
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45c8184c
    • Ross Lagerwall's avatar
      xen-netfront: Fix mismatched rtnl_unlock · cb257783
      Ross Lagerwall authored
      Fixes: f599c64f ("xen-netfront: Fix race between device setup and open")
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cb257783
    • Paolo Abeni's avatar
      cls_flower: fix use after free in flower S/W path · 44a5cd43
      Paolo Abeni authored
      If flower filter is created without the skip_sw flag, fl_mask_put()
      can race with fl_classify() and we can destroy the mask rhashtable
      while a lookup operation is accessing it.
      
       BUG: unable to handle kernel paging request at 00000000000911d1
       PGD 0 P4D 0
       SMP PTI
       CPU: 3 PID: 5582 Comm: vhost-5541 Not tainted 4.18.0-rc1.vanilla+ #1950
       Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
       RIP: 0010:rht_bucket_nested+0x20/0x60
       Code: 31 c8 c1 c1 18 29 c8 c3 66 90 8b 4f 04 ba 01 00 00 00 8b 07 48 8b bf 80 00 00 0
       RSP: 0018:ffffafc5cfbb7a48 EFLAGS: 00010206
       RAX: 0000000000001978 RBX: ffff9f12dff88a00 RCX: 00000000ffff9f12
       RDX: 00000000000911d1 RSI: 0000000000000148 RDI: 0000000000000001
       RBP: ffff9f12dff88a00 R08: 000000005f1cc119 R09: 00000000a715fae2
       R10: ffffafc5cfbb7aa8 R11: ffff9f1cb4be804e R12: ffff9f1265e13000
       R13: 0000000000000000 R14: ffffafc5cfbb7b48 R15: ffff9f12dff88b68
       FS:  0000000000000000(0000) GS:ffff9f1d3f0c0000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00000000000911d1 CR3: 0000001575a94006 CR4: 00000000001626e0
       Call Trace:
        fl_lookup+0x134/0x140 [cls_flower]
        fl_classify+0xf3/0x180 [cls_flower]
        tcf_classify+0x78/0x150
        __netif_receive_skb_core+0x69e/0xa50
        netif_receive_skb_internal+0x42/0xf0
        tun_get_user+0xdd5/0xfd0 [tun]
        tun_sendmsg+0x52/0x70 [tun]
        handle_tx+0x2b3/0x5f0 [vhost_net]
        vhost_worker+0xab/0x100 [vhost]
        kthread+0xf8/0x130
        ret_from_fork+0x35/0x40
       Modules linked in: act_mirred act_gact cls_flower vhost_net vhost tap sch_ingress
       CR2: 00000000000911d1
      
      Fix the above waiting for a RCU grace period before destroying the
      rhashtable: we need to use tcf_queue_work(), as rhashtable_destroy()
      must run in process context, as pointed out by Cong Wang.
      
      v1 -> v2: use tcf_queue_work to run rhashtable_destroy().
      
      Fixes: 05cd271f ("cls_flower: Support multiple masks per priority")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44a5cd43
    • Eric Dumazet's avatar
      net/packet: fix use-after-free · 945d015e
      Eric Dumazet authored
      We should put copy_skb in receive_queue only after
      a successful call to virtio_net_hdr_from_skb().
      
      syzbot report :
      
      BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1843 [inline]
      BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1863 [inline]
      BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180 net/core/skbuff.c:2815
      Read of size 8 at addr ffff8801b044ecc0 by task syz-executor217/4553
      
      CPU: 0 PID: 4553 Comm: syz-executor217 Not tainted 4.18.0-rc1+ #111
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
       __skb_unlink include/linux/skbuff.h:1843 [inline]
       __skb_dequeue include/linux/skbuff.h:1863 [inline]
       skb_dequeue+0x16a/0x180 net/core/skbuff.c:2815
       skb_queue_purge+0x26/0x40 net/core/skbuff.c:2852
       packet_set_ring+0x675/0x1da0 net/packet/af_packet.c:4331
       packet_release+0x630/0xd90 net/packet/af_packet.c:2991
       __sock_release+0xd7/0x260 net/socket.c:603
       sock_close+0x19/0x20 net/socket.c:1186
       __fput+0x35b/0x8b0 fs/file_table.c:209
       ____fput+0x15/0x20 fs/file_table.c:243
       task_work_run+0x1ec/0x2a0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x1b08/0x2750 kernel/exit.c:865
       do_group_exit+0x177/0x440 kernel/exit.c:968
       __do_sys_exit_group kernel/exit.c:979 [inline]
       __se_sys_exit_group kernel/exit.c:977 [inline]
       __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x4448e9
      Code: Bad RIP value.
      RSP: 002b:00007ffd5f777ca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9
      RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001
      RBP: 00000000006cf018 R08: 00007ffd0000a45b R09: 0000000000000000
      R10: 00007ffd5f777e48 R11: 0000000000000202 R12: 00000000004021f0
      R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 4553:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
       kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
       kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
       skb_clone+0x1f5/0x500 net/core/skbuff.c:1282
       tpacket_rcv+0x28f7/0x3200 net/packet/af_packet.c:2221
       deliver_skb net/core/dev.c:1925 [inline]
       deliver_ptype_list_skb net/core/dev.c:1940 [inline]
       __netif_receive_skb_core+0x1bfb/0x3680 net/core/dev.c:4611
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
       netif_receive_skb_internal+0x12e/0x7d0 net/core/dev.c:4767
       netif_receive_skb+0xbf/0x420 net/core/dev.c:4791
       tun_rx_batched.isra.55+0x4ba/0x8c0 drivers/net/tun.c:1571
       tun_get_user+0x2af1/0x42f0 drivers/net/tun.c:1981
       tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:2009
       call_write_iter include/linux/fs.h:1795 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x6c6/0x9f0 fs/read_write.c:487
       vfs_write+0x1f8/0x560 fs/read_write.c:549
       ksys_write+0x101/0x260 fs/read_write.c:598
       __do_sys_write fs/read_write.c:610 [inline]
       __se_sys_write fs/read_write.c:607 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:607
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4553:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
       kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
       __cache_free mm/slab.c:3498 [inline]
       kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
       kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
       __kfree_skb net/core/skbuff.c:642 [inline]
       kfree_skb+0x1a5/0x580 net/core/skbuff.c:659
       tpacket_rcv+0x189e/0x3200 net/packet/af_packet.c:2385
       deliver_skb net/core/dev.c:1925 [inline]
       deliver_ptype_list_skb net/core/dev.c:1940 [inline]
       __netif_receive_skb_core+0x1bfb/0x3680 net/core/dev.c:4611
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
       netif_receive_skb_internal+0x12e/0x7d0 net/core/dev.c:4767
       netif_receive_skb+0xbf/0x420 net/core/dev.c:4791
       tun_rx_batched.isra.55+0x4ba/0x8c0 drivers/net/tun.c:1571
       tun_get_user+0x2af1/0x42f0 drivers/net/tun.c:1981
       tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:2009
       call_write_iter include/linux/fs.h:1795 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x6c6/0x9f0 fs/read_write.c:487
       vfs_write+0x1f8/0x560 fs/read_write.c:549
       ksys_write+0x101/0x260 fs/read_write.c:598
       __do_sys_write fs/read_write.c:610 [inline]
       __se_sys_write fs/read_write.c:607 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:607
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8801b044ecc0
       which belongs to the cache skbuff_head_cache of size 232
      The buggy address is located 0 bytes inside of
       232-byte region [ffff8801b044ecc0, ffff8801b044eda8)
      The buggy address belongs to the page:
      page:ffffea0006c11380 count:1 mapcount:0 mapping:ffff8801d9be96c0 index:0x0
      flags: 0x2fffc0000000100(slab)
      raw: 02fffc0000000100 ffffea0006c17988 ffff8801d9bec248 ffff8801d9be96c0
      raw: 0000000000000000 ffff8801b044e040 000000010000000c 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8801b044eb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff8801b044ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
      >ffff8801b044ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                 ^
       ffff8801b044ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8801b044ed80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 58d19b19 ("packet: vnet_hdr support for tpacket_rcv")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      945d015e
    • Anders Roxell's avatar
      selftests: net: add tcp_inq to gitignore · 3739a21e
      Anders Roxell authored
      sha: 702353b5 ("selftest: add test for TCP_INQ") forgot to add
      tcp_inq to .gitignore.
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3739a21e
    • Harini Katakam's avatar
      net: macb: Fix ptp time adjustment for large negative delta · 64d7839a
      Harini Katakam authored
      When delta passed to gem_ptp_adjtime is negative, the sign is
      maintained in the ns_to_timespec64 conversion. Hence timespec_add
      should be used directly. timespec_sub will just subtract the negative
      value thus increasing the time difference.
      Signed-off-by: default avatarHarini Katakam <harini.katakam@xilinx.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      64d7839a
    • Xin Long's avatar
      ipvlan: fix IFLA_MTU ignored on NEWLINK · 30877961
      Xin Long authored
      Commit 296d4856 ("ipvlan: inherit MTU from master device") adjusted
      the mtu from the master device when creating a ipvlan device, but it
      would also override the mtu value set in rtnl_create_link. It causes
      IFLA_MTU param not to take effect.
      
      So this patch is to not adjust the mtu if IFLA_MTU param is set when
      creating a ipvlan device.
      
      Fixes: 296d4856 ("ipvlan: inherit MTU from master device")
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30877961
    • Marcelo Ricardo Leitner's avatar
      sctp: fix erroneous inc of snmp SctpFragUsrMsgs · fedb1bd3
      Marcelo Ricardo Leitner authored
      Currently it is incrementing SctpFragUsrMsgs when the user message size
      is of the exactly same size as the maximum fragment size, which is wrong.
      
      The fix is to increment it only when user message is bigger than the
      maximum fragment size.
      
      Fixes: bfd2e4b8 ("sctp: refactor sctp_datamsg_from_user")
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fedb1bd3
    • Eric Dumazet's avatar
      bpf: enforce correct alignment for instructions · 92624782
      Eric Dumazet authored
      After commit 9facc336 ("bpf: reject any prog that failed read-only lock")
      offsetof(struct bpf_binary_header, image) became 3 instead of 4,
      breaking powerpc BPF badly, since instructions need to be word aligned.
      
      Fixes: 9facc336 ("bpf: reject any prog that failed read-only lock")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      92624782
    • Antoine Tenart's avatar
      net: mscc: fix the injection header · 08d02364
      Antoine Tenart authored
      When injecting frames in the Ocelot switch driver an injection header
      (IFH) should be used to configure various parameters related to a given
      frame, such as the port onto which the frame should be departed or its
      vlan id. Other parameters in the switch configuration can led to an
      injected frame being sent without an IFH but this led to various issues
      as the per-frame parameters are then not used. This is especially true
      when using multiple ports for injection.
      
      The IFH was injected with the wrong endianness which led to the switch
      not taking it into account as the IFH_INJ_BYPASS bit was then unset.
      (The bit tells the switch to use the IFH over its internal
      configuration). This patch fixes it.
      
      In addition to the endianness fix, the IFH is also fixed. As it was
      (unwillingly) unused, some of its fields were not configured the right
      way.
      
      Fixes: a556c76a ("net: mscc: Add initial Ocelot switch support")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Reviewed-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      08d02364
    • Bartosz Golaszewski's avatar
      net: davinci_emac: match the mdio device against its compatible if possible · ea0820bb
      Bartosz Golaszewski authored
      Device tree based systems without of_dev_auxdata will have the mdio
      device named differently than "davinci_mdio(.0)". In this case use the
      device's parent's compatible string for matching
      Signed-off-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ea0820bb
    • Ville Syrjälä's avatar
      r8169: Fix netpoll oops · 6d8b8349
      Ville Syrjälä authored
      Pass the correct thing to rtl8169_interrupt() from netpoll.
      
      Cc: Realtek linux nic maintainers <nic_swsd@realtek.com>
      Cc: netdev@vger.kernel.org
      Cc: Heiner Kallweit <hkallweit1@gmail.com>
      Cc: David S. Miller <davem@davemloft.net>
      Fixes: ebcd5daa ("r8169: change interrupt handler argument type")
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d8b8349
    • Vakul Garg's avatar
      strparser: Don't schedule in workqueue in paused state · 456488cd
      Vakul Garg authored
      In function strp_data_ready(), it is useless to call queue_work if
      the state of strparser is already paused. The state checking should
      be done before calling queue_work. The change reduces the context
      switches and improves the ktls-rx throughput by approx 20% (measured
      on cortex-a53 based platform).
      Signed-off-by: default avatarVakul Garg <vakul.garg@nxp.com>
      Acked-by: default avatarDave Watson <davejwatson@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      456488cd
    • Anders Roxell's avatar
      selftests: net: add config fragments · 73f9c33b
      Anders Roxell authored
      Add fragments to pass bridge and vlan tests.
      
      Fixes: 33b01b7b ("selftests: add rtnetlink test script")
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      73f9c33b
    • Matteo Croce's avatar
      bpfilter: fix user mode helper cross compilation · c24fb5e6
      Matteo Croce authored
      Use $(OBJDUMP) instead of literal 'objdump' to avoid
      using host toolchain when cross compiling.
      
      Fixes: 421780fd ("bpfilter: fix build error")
      Signed-off-by: default avatarMatteo Croce <mcroce@redhat.com>
      Reported-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c24fb5e6
  4. 20 Jun, 2018 11 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 1abd8a8f
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Here are eight fairly small fixes collected over the last two weeks.
      
        Regression and crashing bug fixes:
      
         - mlx4/5: Fixes for issues found from various checkers
      
         - A resource tracking and uverbs regression in the core code
      
         - qedr: NULL pointer regression found during testing
      
         - rxe: Various small bugs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/rxe: Fix missing completion for mem_reg work requests
        RDMA/core: Save kernel caller name when creating CQ using ib_create_cq()
        IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write
        IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'
        RDMA/qedr: Fix NULL pointer dereference when running over iWARP without RDMA-CM
        IB/mlx5: Fix return value check in flow_counters_set_data()
        IB/mlx5: Fix memory leak in mlx5_ib_create_flow
        IB/rxe: avoid double kfree skb
      1abd8a8f
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · d8894a08
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix crash on bpf_prog_load() errors, from Daniel Borkmann.
      
       2) Fix ATM VCC memory accounting, from David Woodhouse.
      
       3) fib6_info objects need RCU freeing, from Eric Dumazet.
      
       4) Fix SO_BINDTODEVICE handling for TCP sockets, from David Ahern.
      
       5) Fix clobbered error code in enic_open() failure path, from
          Govindarajulu Varadarajan.
      
       6) Propagate dev_get_valid_name() error returns properly, from Li
          RongQing.
      
       7) Fix suspend/resume in davinci_emac driver, from Bartosz Golaszewski.
      
       8) Various act_ife fixes (recursive locking, IDR leaks, etc.) from
          Davide Caratti.
      
       9) Fix buggy checksum handling in sungem driver, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (40 commits)
        ip: limit use of gso_size to udp
        stmmac: fix DMA channel hang in half-duplex mode
        net: stmmac: socfpga: add additional ocp reset line for Stratix10
        net: sungem: fix rx checksum support
        bpfilter: ignore binary files
        bpfilter: fix build error
        net/usb/drivers: Remove useless hrtimer_active check
        net/sched: act_ife: preserve the action control in case of error
        net/sched: act_ife: fix recursive lock and idr leak
        net: ethernet: fix suspend/resume in davinci_emac
        net: propagate dev_get_valid_name return code
        enic: do not overwrite error code
        net/tcp: Fix socket lookups with SO_BINDTODEVICE
        ptp: replace getnstimeofday64() with ktime_get_real_ts64()
        net/ipv6: respect rcu grace period before freeing fib6_info
        net: net_failover: fix typo in net_failover_slave_register()
        ipvlan: use ETH_MAX_MTU as max mtu
        net: hamradio: use eth_broadcast_addr
        enic: initialize enic->rfs_h.lock in enic_probe
        MAINTAINERS: Add Sam as the maintainer for NCSI
        ...
      d8894a08
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · 81e97f01
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - Wacom 2nd-gen Intuos Pro large Y axis handling fix from Jason Gerecke
      
       - fix for hibernation in Intel ISH driver, from Even Xu
      
       - crash fix for hid-steam driver, from Rodrigo Rivas Costa
      
       - new device ID addition to google-hammer driver
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large
        HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
        HID: steam: use hid_device.driver_data instead of hid_set_drvdata()
        HID: google: Add support for whiskers
      81e97f01
    • Linus Torvalds's avatar
      Merge tag 'dma-rename-4.18' of git://git.infradead.org/users/hch/dma-mapping · 6d90eb7b
      Linus Torvalds authored
      Pull dma-mapping rename from Christoph Hellwig:
       "Move all the dma-mapping code to kernel/dma and lose their dma-*
        prefixes"
      
      * tag 'dma-rename-4.18' of git://git.infradead.org/users/hch/dma-mapping:
        dma-mapping: move all DMA mapping code to kernel/dma
        dma-mapping: use obj-y instead of lib-y for generic dma ops
      6d90eb7b
    • Jason Gerecke's avatar
      HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large · d471b6b2
      Jason Gerecke authored
      The HID descriptor for the 2nd-gen Intuos Pro large (PTH-860) contains
      a typo which defines an incorrect logical maximum Y value. This causes
      a small portion of the bottom of the tablet to become unusable (both
      because the area is below the "bottom" of the tablet and because
      'wacom_wac_event' ignores out-of-range values). It also results in a
      skewed aspect ratio.
      
      To fix this, we add a quirk to 'wacom_usage_mapping' which overwrites
      the data with the correct value.
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      CC: stable@vger.kernel.org # v4.10+
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      d471b6b2
    • Even Xu's avatar
      HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation · ebeaa367
      Even Xu authored
      Current ISH driver only registers suspend/resume PM callbacks which don't
      support hibernation (suspend to disk). Basically after hiberation, the ISH
      can't resume properly and user may not see sensor events (for example: screen
      		rotation may not work).
      
      User will not see a crash or panic or anything except the following message
      in log:
      
      	hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device
      
      So this patch adds support for S4/hiberbation to ISH by using the
      SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend
      and resume functions will now be used for both suspend to RAM and hibernation.
      
      If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend
      and resume related functions won't be used, so mark them as __maybe_unused to
      clarify that this is the intended behavior, and remove #ifdefs for power
      management.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEven Xu <even.xu@intel.com>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      ebeaa367
    • Rodrigo Rivas Costa's avatar
      HID: steam: use hid_device.driver_data instead of hid_set_drvdata() · 4bff980f
      Rodrigo Rivas Costa authored
      When creating the low-level hidraw device, the reference to steam_device
      was stored using hid_set_drvdata(). But this value is not guaranteed to
      be kept when set before calling probe. If this pointer is reset, it
      crashes when opening the emulated hidraw device.
      
      It looks like hid_set_drvdata() is for users "avobe" this hid_device,
      while hid_device.driver_data it for users "below" this one.
      
      In this case, we are creating a virtual hidraw device, so we must use
      hid_device.driver_data.
      Signed-off-by: default avatarRodrigo Rivas Costa <rodrigorivascosta@gmail.com>
      Tested-by: default avatarMariusz Ceier <mceier+kernel@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      4bff980f
    • Linus Torvalds's avatar
      proc: fix missing final NUL in get_mm_cmdline() rewrite · f5b65348
      Linus Torvalds authored
      The rewrite of the cmdline fetching missed the fact that we used to also
      return the final terminating NUL character of the last argument.  I
      hadn't noticed, and none of the tools I tested cared, but something
      obviously must care, because Michal Kubecek noticed the change in
      behavior.
      
      Tweak the "find the end" logic to actually include the NUL character,
      and once past the eend of argv, always start the strnlen() at the
      expected (original) argument end.
      
      This whole "allow people to rewrite their arguments in place" is a nasty
      hack and requires that odd slop handling at the end of the argv array,
      but it's our traditional model, so we continue to support it.
      Repored-and-bisected-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Reviewed-and-tested-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f5b65348
    • Willem de Bruijn's avatar
      ip: limit use of gso_size to udp · 9887cba1
      Willem de Bruijn authored
      The ipcm(6)_cookie field gso_size is set only in the udp path. The ip
      layer copies this to cork only if sk_type is SOCK_DGRAM. This check
      proved too permissive. Ping and l2tp sockets have the same type.
      
      Limit to sockets of type SOCK_DGRAM and protocol IPPROTO_UDP to
      exclude ping sockets.
      
      v1 -> v2
      - remove irrelevant whitespace changes
      
      Fixes: bec1f6f6 ("udp: generate gso with UDP_SEGMENT")
      Reported-by: default avatarMaciej Żenczykowski <maze@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9887cba1
    • Bhadram Varka's avatar
      stmmac: fix DMA channel hang in half-duplex mode · b6cfffa7
      Bhadram Varka authored
      HW does not support Half-duplex mode in multi-queue
      scenario. Fix it by not advertising the Half-Duplex
      mode if multi-queue enabled.
      Signed-off-by: default avatarBhadram Varka <vbhadram@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6cfffa7
    • Dinh Nguyen's avatar
      net: stmmac: socfpga: add additional ocp reset line for Stratix10 · bc8a2d9b
      Dinh Nguyen authored
      The Stratix10 platform has an additional reset line, OCP(Open Core Protocol),
      that also needs to get deasserted for the stmmac ethernet controller to work.
      Thus we need to update the Kconfig to include ARCH_STRATIX10 in order to build
      dwmac-socfpga.
      
      Also, remove the redundant check for the reset controller pointer. The
      reset driver already checks for the pointer and returns 0 if the pointer
      is NULL.
      Signed-off-by: default avatarDinh Nguyen <dinguyen@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc8a2d9b