1. 26 Sep, 2019 7 commits
    • macsec: drop skb sk before calling gro_cells_receive · ba56d8ce
      Xin Long authored
      Fei Liu reported a crash when doing netperf on a topo of macsec
      dev over veth:
      
        [  448.919128] refcount_t: underflow; use-after-free.
        [  449.090460] Call trace:
        [  449.092895]  refcount_sub_and_test+0xb4/0xc0
        [  449.097155]  tcp_wfree+0x2c/0x150
        [  449.100460]  ip_rcv+0x1d4/0x3a8
        [  449.103591]  __netif_receive_skb_core+0x554/0xae0
        [  449.108282]  __netif_receive_skb+0x28/0x78
        [  449.112366]  netif_receive_skb_internal+0x54/0x100
        [  449.117144]  napi_gro_complete+0x70/0xc0
        [  449.121054]  napi_gro_flush+0x6c/0x90
        [  449.124703]  napi_complete_done+0x50/0x130
        [  449.128788]  gro_cell_poll+0x8c/0xa8
        [  449.132351]  net_rx_action+0x16c/0x3f8
        [  449.136088]  __do_softirq+0x128/0x320
      
      The issue was caused by skb's true_size changed without its sk's
      sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the
      skb is being freed and the skb's truesize is subtracted from its
      sk's sk_wmem_alloc in tcp_wfree(), underflow occurs.
      
      macsec is calling gro_cells_receive() to receive a packet, which
      actually requires skb->sk to be NULL. However when macsec dev is
      over veth, it's possible the skb->sk is still set if the skb was
      not unshared or expanded from the peer veth.
      
      ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy,
      but it is too late for macsec's calling gro_cells_receive(). So
      fix it by dropping the skb's sk earlier on rx path of macsec.
      
      Fixes: 5491e7c6 ("macsec: enable GRO and RPS on macsec devices")
      Reported-by: Xiumei Mu <xmu@redhat.com>
      Reported-by: Fei Liu <feliu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-fixes-2019-09-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 2dbf45d1
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-09-24
      
      This series introduces some fixes to mlx5 driver.
      For more information please see tag log below.
      
      Please pull and let me know if there is any problem.
      
      For -stable v4.20:
       ('net/mlx5e: Fix traffic duplication in ethtool steering')
      
      For -stable v4.19:
       ('net/mlx5: Add device ID of upcoming BlueField-2')
      
      For -stable v5.3:
       ('net/mlx5e: Fix matching on tunnel addresses type')
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: print proper warning on dst underflow · adecda5b
      Jason A. Donenfeld authored
      Proper warnings with stack traces make it much easier to figure out
      what's doing the double free and create more meaningful bug reports from
      users.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/sched: cbs: Fix not adding cbs instance to list · 3e8b9bfa
      Vinicius Costa Gomes authored
      When removing a cbs instance when offloading is enabled, the crash
      below can be observed.
      
      The problem happens because that when offloading is enabled, the cbs
      instance is not added to the list.
      
      Also, the current code doesn't handle correctly the case when offload
      is disabled without removing the qdisc: if the link speed changes the
      credit calculations will be wrong. When we create the cbs instance
      with offloading enabled, it's not added to the notification list, when
      later we disable offloading, it's not in the list, so link speed
      changes will not affect it.
      
      The solution for both issues is the same, add the cbs instance being
      created unconditionally to the global list, even if the link state
      notification isn't useful "right now".
      
      Crash log:
      
      [518758.189866] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [518758.189870] #PF: supervisor read access in kernel mode
      [518758.189871] #PF: error_code(0x0000) - not-present page
      [518758.189872] PGD 0 P4D 0
      [518758.189874] Oops: 0000 [#1] SMP PTI
      [518758.189876] CPU: 3 PID: 4825 Comm: tc Not tainted 5.2.9 #1
      [518758.189877] Hardware name: Gigabyte Technology Co., Ltd. Z390 AORUS ULTRA/Z390 AORUS ULTRA-CF, BIOS F7 03/14/2019
      [518758.189881] RIP: 0010:__list_del_entry_valid+0x29/0xa0
      [518758.189900] Call Trace:
      [518758.189904]  cbs_destroy+0x32/0xa0 [sch_cbs]
      [518758.189906]  qdisc_destroy+0x45/0x120
      [518758.189907]  qdisc_put+0x25/0x30
      [518758.189908]  qdisc_graft+0x2c1/0x450
      [518758.189910]  tc_get_qdisc+0x1c8/0x310
      [518758.189912]  ? get_page_from_freelist+0x91a/0xcb0
      [518758.189914]  rtnetlink_rcv_msg+0x293/0x360
      [518758.189916]  ? kmem_cache_alloc_node_trace+0x178/0x260
      [518758.189918]  ? __kmalloc_node_track_caller+0x38/0x50
      [518758.189920]  ? rtnl_calcit.isra.0+0xf0/0xf0
      [518758.189922]  netlink_rcv_skb+0x48/0x110
      [518758.189923]  rtnetlink_rcv+0x10/0x20
      [518758.189925]  netlink_unicast+0x15b/0x1d0
      [518758.189926]  netlink_sendmsg+0x1ea/0x380
      [518758.189929]  sock_sendmsg+0x2f/0x40
      [518758.189930]  ___sys_sendmsg+0x295/0x2f0
      [518758.189932]  ? ___sys_recvmsg+0x151/0x1e0
      [518758.189933]  ? do_wp_page+0x7e/0x450
      [518758.189935]  __sys_sendmsg+0x48/0x80
      [518758.189937]  __x64_sys_sendmsg+0x1a/0x20
      [518758.189939]  do_syscall_64+0x53/0x1f0
      [518758.189941]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: e0a7683d ("net/sched: cbs: fix port_rate miscalculation")
      Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drivers: net: Fix Kconfig indentation · 02bc5eb9
      Krzysztof Kozlowski authored
      Adjust indentation from spaces to tab (+optional two spaces) as in
      coding style with command like:
          $ sed -e 's/^        /\t/' -i */Kconfig
      Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
      Acked-by: Kalle Valo <kvalo@codeaurora.org>
      Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Fix Kconfig indentation · bf69abad
      Krzysztof Kozlowski authored
      Adjust indentation from spaces to tab (+optional two spaces) as in
      coding style with command like:
          $ sed -e 's/^        /\t/' -i */Kconfig
      Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
      Acked-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: add Yanjun to FORCEDETH maintainers list · 34b7bb29
      Rain River authored
      Yanjun has been spending quite a lot of time fixing bugs
      in FORCEDETH source code. I'd like to add Yanjun to maintainers
      list.
      Signed-off-by: Rain River <rain.1986.08.12@gmail.com>
      Acked-by: Zhu Yanjun <yanjun.zhu@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 25 Sep, 2019 8 commits
    • net: macb: Remove dead code · 99dcb843
      Shubhrajyoti Datta authored
      macb_64b_desc is always called when HW_DMA_CAP_64B is defined.
      So the return NULL can never be reached. Remove the dead code.
      Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
      Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: stmmac: selftests: Flow Control test can also run with ASYM Pause · b0ce902f
      Jose Abreu authored
      The Flow Control selftest is also available with ASYM Pause. Let's add
      this check to the test and fix eventual false positive failures.
      
      Fixes: 091810db ("net: stmmac: Introduce selftests support")
      Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • gianfar: Make reset_gfar static · 9f5c44cf
      YueHaibing authored
      Fix sparse warning:
      
      drivers/net/ethernet/freescale/gianfar.c:2070:6:
       warning: symbol 'reset_gfar' was not declared. Should it be static?
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm: he: clean up an indentation issue · 5c94ad17
      Colin Ian King authored
      There is a statement that is indented one level too many, remove
      the extraneous tab.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ppp: Fix memory leak in ppp_write · 4c247de5
      Takeshi Misawa authored
      When ppp is closing, __ppp_xmit_process() failed to enqueue skb
      and skb allocated in ppp_write() is leaked.
      
      syzbot reported :
      BUG: memory leak
      unreferenced object 0xffff88812a17bc00 (size 224):
        comm "syz-executor673", pid 6952, jiffies 4294942888 (age 13.040s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000d110fff9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
          [<00000000d110fff9>] slab_post_alloc_hook mm/slab.h:522 [inline]
          [<00000000d110fff9>] slab_alloc_node mm/slab.c:3262 [inline]
          [<00000000d110fff9>] kmem_cache_alloc_node+0x163/0x2f0 mm/slab.c:3574
          [<000000002d616113>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:197
          [<000000000167fc45>] alloc_skb include/linux/skbuff.h:1055 [inline]
          [<000000000167fc45>] ppp_write+0x48/0x120 drivers/net/ppp/ppp_generic.c:502
          [<000000009ab42c0b>] __vfs_write+0x43/0xa0 fs/read_write.c:494
          [<00000000086b2e22>] vfs_write fs/read_write.c:558 [inline]
          [<00000000086b2e22>] vfs_write+0xee/0x210 fs/read_write.c:542
          [<00000000a2b70ef9>] ksys_write+0x7c/0x130 fs/read_write.c:611
          [<00000000ce5e0fdd>] __do_sys_write fs/read_write.c:623 [inline]
          [<00000000ce5e0fdd>] __se_sys_write fs/read_write.c:620 [inline]
          [<00000000ce5e0fdd>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620
          [<00000000d9d7b370>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
          [<0000000006e6d506>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fix this by freeing skb, if ppp is closing.
      
      Fixes: 6d066734 ("ppp: avoid loop in xmit recursion detection code")
      Reported-and-tested-by: syzbot+d9c8bf24e56416d7ce2c@syzkaller.appspotmail.com
      Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
      Reviewed-by: Guillaume Nault <gnault@redhat.com>
      Tested-by: Guillaume Nault <gnault@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'ibmvnic-serialization-fixes' · 8875cf9c
      David S. Miller authored
      Juliet Kim says:
      
      ====================
      net/ibmvnic: serialization fixes
      
      This series includes two fixes. The first improves reset code to allow
      linkwatch_event to proceed during reset. The second ensures that no more
      than one thread runs in reset at a time.
      
      v2:
      - Separate change param reset from do_reset()
      - Return IBMVNIC_OPEN_FAILED if __ibmvnic_open fails
      - Remove setting wait_for_reset to false from __ibmvnic_reset(), this
        is done in wait_for_reset()
      - Move the check for force_reset_recovery from patch 1 to patch 2
      
      v3:
      - Restore reset’s successful return in open failure case
      
      v4:
      - Change resetting flag access to atomic
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/ibmvnic: prevent more than one thread from running in reset · 7ed5b31f
      Juliet Kim authored
      The current code allows more than one thread to run in reset. This can
      corrupt struct adapter data. Check adapter->resetting before performing
      a reset, if there is another reset running delay (100 msec) before trying
      again.
      Signed-off-by: Juliet Kim <julietk@linux.vnet.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run · b27507bb
      Juliet Kim authored
      Commit a5681e20 ("net/ibmnvic: Fix deadlock problem in reset")
      made the change to hold the RTNL lock during a reset to avoid deadlock
      but linkwatch_event is fired during the reset and needs the RTNL lock.
      That keeps linkwatch_event process from proceeding until the reset
      is complete. The reset process cannot tolerate the linkwatch_event
      processing after reset completes, so release the RTNL lock during the
      process to allow a chance for linkwatch_event to run during reset.
      This does not guarantee that the linkwatch_event will be processed as
      soon as link state changes, but is an improvement over the current code
      where linkwatch_event processing is always delayed, which prevents
      transmissions on the device from being deactivated leading transmit
      watchdog timer to time-out.
      
      Release the RTNL lock before link state change and re-acquire after
      the link state change to allow linkwatch_event to grab the RTNL lock
      and run during the reset.
      
      Fixes: a5681e20 ("net/ibmnvic: Fix deadlock problem in reset")
      Signed-off-by: Juliet Kim <julietk@linux.vnet.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 24 Sep, 2019 16 commits
  4. 22 Sep, 2019 9 commits