1. 24 May, 2019 2 commits
  2. 23 May, 2019 15 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 71e15f76
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree:
      
      1) Fix crash when dumping rules after conversion to RCU,
         from Florian Westphal.
      
      2) Fix incorrect hook reinjection from nf_queue in case NF_REPEAT,
         from Jagdish Motwani.
      
      3) Fix check for route existence in fib extension, from Phil Sutter.
      
      4) Fix use after free in ip_vs_in() hook, from YueHaibing.
      
      5) Check for veth existence from netfilter selftests,
         from Jeffrin Jose T.
      
      6) Checksum corruption in UDP NAT helpers due to typo,
         from Florian Westphal.
      
      7) Pass up packets to classic forwarding path regardless of
         IPv4 DF bit, patch for the flowtable infrastructure from Florian.
      
      8) Set liberal TCP tracking for flows that are placed in the
         flowtable, in case they need to go back to classic forwarding path,
         also from Florian.
      
      9) Don't add flow with sequence adjustment to flowtable, from Florian.
      
      10) Skip IPv4 options from IPv6 datapath in flowtable, from Florian.
      
      11) Add selftest for the flowtable infrastructure, from Florian.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71e15f76
    • Raju Rangoju's avatar
      cxgb4: offload VLAN flows regardless of VLAN ethtype · b5730061
      Raju Rangoju authored
      VLAN flows never get offloaded unless ivlan_vld is set in filter spec.
      It's not compulsory for vlan_ethtype to be set.
      
      So, always enable ivlan_vld bit for offloading VLAN flows regardless of
      vlan_ethtype is set or not.
      
      Fixes: ad9af3e0 (cxgb4: add tc flower match support for vlan)
      Signed-off-by: default avatarRaju Rangoju <rajur@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b5730061
    • Andreas Oetken's avatar
      hsr: fix don't prune the master node from the node_db · d2daa127
      Andreas Oetken authored
      Don't prune the master node in the hsr_prune_nodes function.
      Neither time_in[HSR_PT_SLAVE_A] nor time_in[HSR_PT_SLAVE_B]
      will ever be updated by hsr_register_frame_in for the master port.
      Thus, the master node will be repeatedly pruned leading to
      repeated packet loss.
      This bug never appeared because the hsr_prune_nodes function
      was only called once. Since commit 5150b45f
      ("net: hsr: Fix node prune function for forget time expiry") this issue
      is fixed unveiling the issue described above.
      
      Fixes: 5150b45f ("net: hsr: Fix node prune function for forget time expiry")
      Signed-off-by: default avatarAndreas Oetken <andreas.oetken@siemens.com>
      Tested-by: default avatarMurali Karicheri <m-karicheri2@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2daa127
    • Maxime Chevallier's avatar
      net: mvpp2: cls: Fix leaked ethtool_rx_flow_rule · 3f6f7a17
      Maxime Chevallier authored
      The flow_rule is only used when configuring the classification tables,
      and should be free'd once we're done using it. The current code only
      frees it in the error path.
      
      Fixes: 90b509b3 ("net: mvpp2: cls: Add Classification offload support")
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f6f7a17
    • Eric Dumazet's avatar
      ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST · 903869bd
      Eric Dumazet authored
      ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST
      
      Fixes: 3580d04a ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      903869bd
    • Eric Dumazet's avatar
      ipv4/igmp: fix another memory leak in igmpv3_del_delrec() · 3580d04a
      Eric Dumazet authored
      syzbot reported memory leaks [1] that I have back tracked to
      a missing cleanup from igmpv3_del_delrec() when
      (im->sfmode != MCAST_INCLUDE)
      
      Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely
      handle the cleanups before freeing.
      
      [1]
      
      BUG: memory leak
      unreferenced object 0xffff888123e32b00 (size 64):
        comm "softirq", pid 0, jiffies 4294942968 (age 8.010s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
          [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline]
          [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline]
          [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
          [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline]
          [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline]
          [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline]
          [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085
          [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475
          [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957
          [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246
          [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
          [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
          [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078
          [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline]
          [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline]
          [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
          [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
          [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 9c8bb163 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Hangbin Liu <liuhangbin@gmail.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3580d04a
    • David S. Miller's avatar
      Merge branch 'bnxt_en-Bug-fixes' · db51a732
      David S. Miller authored
      Michael Chan says:
      
      ===================
      bnxt_en: Bug fixes.
      
      There are 4 driver fixes in this series:
      
      1. Fix RX buffer leak during OOM condition.
      2. Call pci_disable_msix() under correct conditions to prevent hitting BUG.
      3. Reduce unneeded mmeory allocation in kdump kernel to prevent OOM.
      4. Don't read device serial number on VFs because it is not supported.
      
      Please queue #1, #2, #3 for -stable as well.  Thanks.
      ===================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      db51a732
    • Vasundhara Volam's avatar
      bnxt_en: Device serial number is supported only for PFs. · 2e9217d1
      Vasundhara Volam authored
      Don't read DSN on VFs that do not have the PCI capability.
      
      Fixes: 03213a99 ("bnxt: move bp->switch_id initialization to PF probe")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2e9217d1
    • Michael Chan's avatar
      bnxt_en: Reduce memory usage when running in kdump kernel. · d629522e
      Michael Chan authored
      Skip RDMA context memory allocations, reduce to 1 ring, and disable
      TPA when running in the kdump kernel.  Without this patch, the driver
      fails to initialize with memory allocation errors when running in a
      typical kdump kernel.
      
      Fixes: cf6daed0 ("bnxt_en: Increase context memory allocations on 57500 chips for RDMA.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d629522e
    • Michael Chan's avatar
      bnxt_en: Fix possible BUG() condition when calling pci_disable_msix(). · 1b3f0b75
      Michael Chan authored
      When making configuration changes, the driver calls bnxt_close_nic()
      and then bnxt_open_nic() for the changes to take effect.  A parameter
      irq_re_init is passed to the call sequence to indicate if IRQ
      should be re-initialized.  This irq_re_init parameter needs to
      be included in the bnxt_reserve_rings() call.  bnxt_reserve_rings()
      can only call pci_disable_msix() if the irq_re_init parameter is
      true, otherwise it may hit BUG() because some IRQs may not have been
      freed yet.
      
      Fixes: 41e8d798 ("bnxt_en: Modify the ring reservation functions for 57500 series chips.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b3f0b75
    • Michael Chan's avatar
      bnxt_en: Fix aggregation buffer leak under OOM condition. · 296d5b54
      Michael Chan authored
      For every RX packet, the driver replenishes all buffers used for that
      packet and puts them back into the RX ring and RX aggregation ring.
      In one code path where the RX packet has one RX buffer and one or more
      aggregation buffers, we missed recycling the aggregation buffer(s) if
      we are unable to allocate a new SKB buffer.  This leads to the
      aggregation ring slowly running out of buffers over time.  Fix it
      by properly recycling the aggregation buffers.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Reported-by: default avatarRakesh Hemnani <rhemnani@fb.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      296d5b54
    • David Ahern's avatar
      ipv6: Fix redirect with VRF · 31680ac2
      David Ahern authored
      IPv6 redirect is broken for VRF. __ip6_route_redirect walks the FIB
      entries looking for an exact match on ifindex. With VRF the flowi6_oif
      is updated by l3mdev_update_flow to the l3mdev index and the
      FLOWI_FLAG_SKIP_NH_OIF set in the flags to tell the lookup to skip the
      device match. For redirects the device match is requires so use that
      flag to know when the oif needs to be reset to the skb device index.
      
      Fixes: ca254490 ("net: Add VRF support to IPv6 stack")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31680ac2
    • Jisheng Zhang's avatar
      net: stmmac: fix reset gpio free missing · 49ce881c
      Jisheng Zhang authored
      Commit 984203ce ("net: stmmac: mdio: remove reset gpio free")
      removed the reset gpio free, when the driver is unbinded or rmmod,
      we miss the gpio free.
      
      This patch uses managed API to request the reset gpio, so that the
      gpio could be freed properly.
      
      Fixes: 984203ce ("net: stmmac: mdio: remove reset gpio free")
      Signed-off-by: default avatarJisheng Zhang <Jisheng.Zhang@synaptics.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49ce881c
    • Dan Carpenter's avatar
      mISDN: make sure device name is NUL terminated · ccfb62f2
      Dan Carpenter authored
      The user can change the device_name with the IMSETDEVNAME ioctl, but we
      need to ensure that the user's name is NUL terminated.  Otherwise it
      could result in a buffer overflow when we copy the name back to the user
      with IMGETDEVINFO ioctl.
      
      I also changed two strcpy() calls which handle the name to strscpy().
      Hopefully, there aren't any other ways to create a too long name, but
      it's nice to do this as a kernel hardening measure.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ccfb62f2
    • Claudiu Beznea's avatar
      net: macb: save/restore the remaining registers and features · c1e85c6c
      Claudiu Beznea authored
      SAMA5D2 SoC has a suspend mode where SoC's power is cut off. Due to this
      the registers content is lost after a suspend/resume cycle. The current
      suspend/resume implementation covers some of these registers. However
      there are few which were not treated (e.g. SCRT2 and USRIO). Apart
      from this, netdev features are not restored. Treat these issues.
      Signed-off-by: default avatarClaudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c1e85c6c
  3. 22 May, 2019 21 commits
  4. 21 May, 2019 2 commits
    • Michael Lass's avatar
      dm: make sure to obey max_io_len_target_boundary · 51b86f9a
      Michael Lass authored
      Commit 61697a6a ("dm: eliminate 'split_discard_bios' flag from DM
      target interface") incorrectly removed code from
      __send_changing_extent_only() that is required to impose a per-target IO
      boundary on IO that exceeds max_io_len_target_boundary().  Otherwise
      "special" IO (e.g. DISCARD, WRITE SAME, WRITE ZEROES) can write beyond
      where allowed.
      
      Fix this by restoring the max_io_len_target_boundary() limit in
      __send_changing_extent_only()
      
      Fixes: 61697a6a ("dm: eliminate 'split_discard_bios' flag from DM target interface")
      Cc: stable@vger.kernel.org # 5.1+
      Signed-off-by: default avatarMichael Lass <bevan@bi-co.net>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      51b86f9a
    • Kloetzke Jan's avatar
      usbnet: fix kernel crash after disconnect · ad70411a
      Kloetzke Jan authored
      When disconnecting cdc_ncm the kernel sporadically crashes shortly
      after the disconnect:
      
        [   57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000
        ...
        [   58.006653] PC is at 0x0
        [   58.009202] LR is at call_timer_fn+0xec/0x1b4
        [   58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145
        [   58.020976] sp : ffffff8008003da0
        [   58.024295] x29: ffffff8008003da0 x28: 0000000000000001
        [   58.029618] x27: 000000000000000a x26: 0000000000000100
        [   58.034941] x25: 0000000000000000 x24: ffffff8008003e68
        [   58.040263] x23: 0000000000000000 x22: 0000000000000000
        [   58.045587] x21: 0000000000000000 x20: ffffffc68fac1808
        [   58.050910] x19: 0000000000000100 x18: 0000000000000000
        [   58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10
        [   58.061556] x15: 0000000000000001 x14: 000000000000006e
        [   58.066878] x13: 0000000000000000 x12: 00000000000000ba
        [   58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020
        [   58.077524] x9 : 8000100008001000 x8 : 0000000000000001
        [   58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70
        [   58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b
        [   58.093492] x3 : 0000000000000000 x2 : 0000000000000000
        [   58.098814] x1 : 0000000000000000 x0 : 0000000000000000
        ...
        [   58.205800] [<          (null)>]           (null)
        [   58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c
        [   58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128
        [   58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348
        [   58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc
        [   58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac
        [   58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac
        ...
      
      The crash happens roughly 125..130ms after the disconnect. This
      correlates with the 'delay' timer that is started on certain USB tx/rx
      errors in the URB completion handler.
      
      The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
      usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
      flight. This only makes sense if no new URBs are submitted
      concurrently, though. But the usbnet_start_xmit() can run at the same
      time on another CPU which almost unconditionally submits an URB. The
      error callback of the new URB will then schedule the timer after it was
      already stopped.
      
      The fix adds a check if the tx queue is stopped after the tx list lock
      has been taken. This should reliably prevent the submission of new URBs
      while usbnet_terminate_urbs() does its job. The same thing is done on
      the rx side even though it might be safe due to other flags that are
      checked there.
      Signed-off-by: default avatarJan Klötzke <Jan.Kloetzke@preh.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad70411a