1. 04 May, 2020 13 commits
    • Qiushi Wu's avatar
      nfp: abm: fix a memory leak bug · bd4af432
      Qiushi Wu authored
      In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open.
      But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released,
      which can lead to a memory leak bug. Fix this issue by adding
      nfp_nsp_close(nsp) in the error path.
      
      Fixes: f6e71efd ("nfp: abm: look up MAC addresses via management FW")
      Signed-off-by: default avatarQiushi Wu <wu000273@umn.edu>
      Acked-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd4af432
    • Cong Wang's avatar
      atm: fix a memory leak of vcc->user_back · 8d9f73c0
      Cong Wang authored
      In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
      could be installed on entry->recv_vcc too in lec_vcc_added().
      
      This fixes the following memory leak:
      
      unreferenced object 0xffff8880d9266b90 (size 16):
        comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
        hex dump (first 16 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5  ............kkk.
        backtrace:
          [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
          [<(____ptrval____)>] lane_ioctl+0x4b3/0x569
          [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
          [<(____ptrval____)>] svc_ioctl+0x17d/0x198
          [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
          [<(____ptrval____)>] sock_ioctl+0x2f9/0x322
          [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
          [<(____ptrval____)>] ksys_ioctl+0x61/0x80
          [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
          [<(____ptrval____)>] do_syscall_64+0x57/0x65
          [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d9f73c0
    • Cong Wang's avatar
      atm: fix a UAF in lec_arp_clear_vccs() · 93a2014a
      Cong Wang authored
      Gengming reported a UAF in lec_arp_clear_vccs(),
      where we add a vcc socket to an entry in a per-device
      list but free the socket without removing it from the
      list when vcc->dev is NULL.
      
      We need to call lec_vcc_close() to search and remove
      those entries contain the vcc being destroyed. This can
      be done by calling vcc->push(vcc, NULL) unconditionally
      in vcc_destroy_socket().
      
      Another issue discovered by Gengming's reproducer is
      the vcc->dev may point to the static device lecatm_dev,
      for which we don't need to register/unregister device,
      so we can just check for vcc->dev->ops->owner.
      Reported-by: default avatarGengming Liu <l.dmxcsnsbh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93a2014a
    • Colin Ian King's avatar
      net: stmmac: gmac5+: fix potential integer overflow on 32 bit multiply · 44d95cc6
      Colin Ian King authored
      The multiplication of cfg->ctr[1] by 1000000000 is performed using a
      32 bit multiplication (since cfg->ctr[1] is a u32) and this can lead
      to a potential overflow. Fix this by making the constant a ULL to
      ensure a 64 bit multiply occurs.
      
      Fixes: 504723af ("net: stmmac: Add basic EST support for GMAC5+")
      Addresses-Coverity: ("Unintentional integer overflow")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44d95cc6
    • Cong Wang's avatar
      net_sched: fix tcm_parent in tc filter dump · a7df4870
      Cong Wang authored
      When we tell kernel to dump filters from root (ffff:ffff),
      those filters on ingress (ffff:0000) are matched, but their
      true parents must be dumped as they are. However, kernel
      dumps just whatever we tell it, that is either ffff:ffff
      or ffff:0000:
      
       $ nl-cls-list --dev=dummy0 --parent=root
       cls basic dev dummy0 id none parent root prio 49152 protocol ip match-all
       cls basic dev dummy0 id :1 parent root prio 49152 protocol ip match-all
       $ nl-cls-list --dev=dummy0 --parent=ffff:
       cls basic dev dummy0 id none parent ffff: prio 49152 protocol ip match-all
       cls basic dev dummy0 id :1 parent ffff: prio 49152 protocol ip match-all
      
      This is confusing and misleading, more importantly this is
      a regression since 4.15, so the old behavior must be restored.
      
      And, when tc filters are installed on a tc class, the parent
      should be the classid, rather than the qdisc handle. Commit
      edf6711c ("net: sched: remove classid and q fields from tcf_proto")
      removed the classid we save for filters, we can just restore
      this classid in tcf_block.
      
      Steps to reproduce this:
       ip li set dev dummy0 up
       tc qd add dev dummy0 ingress
       tc filter add dev dummy0 parent ffff: protocol arp basic action pass
       tc filter show dev dummy0 root
      
      Before this patch:
       filter protocol arp pref 49152 basic
       filter protocol arp pref 49152 basic handle 0x1
      	action order 1: gact action pass
      	 random type none pass val 0
      	 index 1 ref 1 bind 1
      
      After this patch:
       filter parent ffff: protocol arp pref 49152 basic
       filter parent ffff: protocol arp pref 49152 basic handle 0x1
       	action order 1: gact action pass
       	 random type none pass val 0
      	 index 1 ref 1 bind 1
      
      Fixes: a10fa201 ("net: sched: propagate q and parent from caller down to tcf_fill_node")
      Fixes: edf6711c ("net: sched: remove classid and q fields from tcf_proto")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7df4870
    • Arnd Bergmann's avatar
      cxgb4/chcr: avoid -Wreturn-local-addr warning · 071a43e6
      Arnd Bergmann authored
      gcc-10 warns about functions that return a pointer to a stack
      variable. In chcr_write_cpl_set_tcb_ulp(), this does not actually
      happen, but it's too hard to see for the compiler:
      
      drivers/crypto/chelsio/chcr_ktls.c: In function 'chcr_write_cpl_set_tcb_ulp.constprop':
      drivers/crypto/chelsio/chcr_ktls.c:760:9: error: function may return address of local variable [-Werror=return-local-addr]
        760 |  return pos;
            |         ^~~
      drivers/crypto/chelsio/chcr_ktls.c:712:5: note: declared here
        712 |  u8 buf[48] = {0};
            |     ^~~
      
      Split the middle part of the function out into a helper to make
      it easier to understand by both humans and compilers, which avoids
      the warning.
      
      Fixes: 5a4b9fe7 ("cxgb4/chcr: complete record tx handling")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      071a43e6
    • Julian Wiedmann's avatar
      s390/qeth: fix cancelling of TX timer on dev_close() · c649c41d
      Julian Wiedmann authored
      With the introduction of TX coalescing, .ndo_start_xmit now potentially
      starts the TX completion timer. So only kill the timer _after_ TX has
      been disabled.
      
      Fixes: ee1e52d1 ("s390/qeth: add TX IRQ coalescing support for IQD devices")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c649c41d
    • Dejin Zheng's avatar
      net: enetc: fix an issue about leak system resources · d975cb7e
      Dejin Zheng authored
      the related system resources were not released when enetc_hw_alloc()
      return error in the enetc_pci_mdio_probe(), add iounmap() for error
      handling label "err_hw_alloc" to fix it.
      
      Fixes: 6517798d ("enetc: Make MDIO accessors more generic and export to include/linux/fsl")
      Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarDejin Zheng <zhengdejin5@gmail.com>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d975cb7e
    • Tariq Toukan's avatar
      net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() · 40e47307
      Tariq Toukan authored
      When ENOSPC is set the idx is still valid and gets set to the global
      MLX4_SINK_COUNTER_INDEX.  However gcc's static analysis cannot tell that
      ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
      
      drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
      used uninitialized in this function [-Wmaybe-uninitialized]
       2552 |    priv->def_counter[port] = idx;
      
      Also, when ENOSPC is returned mlx4_allocate_default_counters should not
      fail.
      
      Fixes: 6de5f7f6 ("net/mlx4_core: Allocate default counter per port")
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40e47307
    • Aya Levin's avatar
      devlink: Fix reporter's recovery condition · bea0c5c9
      Aya Levin authored
      Devlink health core conditions the reporter's recovery with the
      expiration of the grace period. This is not relevant for the first
      recovery. Explicitly demand that the grace period will only apply to
      recoveries other than the first.
      
      Fixes: c8e1da0b ("devlink: Add health report functionality")
      Signed-off-by: default avatarAya Levin <ayal@mellanox.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bea0c5c9
    • Maxim Petrov's avatar
      stmmac: fix pointer check after utilization in stmmac_interrupt · f42234ff
      Maxim Petrov authored
      The paranoidal pointer check in IRQ handler looks very strange - it
      really protects us only against bogus drivers which request IRQ line
      with null pointer dev_id. However, the code fragment is incorrect
      because the dev pointer is used before the actual check which leads
      to undefined behavior. Remove the check to avoid confusing people
      with incorrect code.
      Signed-off-by: default avatarMaxim Petrov <mmrmaximuzz@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f42234ff
    • Tuong Lien's avatar
      tipc: fix partial topology connection closure · 980d6927
      Tuong Lien authored
      When an application connects to the TIPC topology server and subscribes
      to some services, a new connection is created along with some objects -
      'tipc_subscription' to store related data correspondingly...
      However, there is one omission in the connection handling that when the
      connection or application is orderly shutdown (e.g. via SIGQUIT, etc.),
      the connection is not closed in kernel, the 'tipc_subscription' objects
      are not freed too.
      This results in:
      - The maximum number of subscriptions (65535) will be reached soon, new
      subscriptions will be rejected;
      - TIPC module cannot be removed (unless the objects  are somehow forced
      to release first);
      
      The commit fixes the issue by closing the connection if the 'recvmsg()'
      returns '0' i.e. when the peer is shutdown gracefully. It also includes
      the other unexpected cases.
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      980d6927
    • Florian Fainelli's avatar
      net: dsa: Do not make user port errors fatal · 86f8b1c0
      Florian Fainelli authored
      Prior to 1d27732f ("net: dsa: setup and teardown ports"), we would
      not treat failures to set-up an user port as fatal, but after this
      commit we would, which is a regression for some systems where interfaces
      may be declared in the Device Tree, but the underlying hardware may not
      be present (pluggable daughter cards for instance).
      
      Fixes: 1d27732f ("net: dsa: setup and teardown ports")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86f8b1c0
  2. 03 May, 2020 3 commits
  3. 01 May, 2020 24 commits
    • Arnd Bergmann's avatar
      drop_monitor: work around gcc-10 stringop-overflow warning · dc30b405
      Arnd Bergmann authored
      The current gcc-10 snapshot produces a false-positive warning:
      
      net/core/drop_monitor.c: In function 'trace_drop_common.constprop':
      cc1: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
      In file included from net/core/drop_monitor.c:23:
      include/uapi/linux/net_dropmon.h:36:8: note: at offset 0 to object 'entries' with size 4 declared here
         36 |  __u32 entries;
            |        ^~~~~~~
      
      I reported this in the gcc bugzilla, but in case it does not get
      fixed in the release, work around it by using a temporary variable.
      
      Fixes: 9a8afc8d ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol")
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94881Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc30b405
    • Yoshiyuki Kurauchi's avatar
      gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() · 846c68f7
      Yoshiyuki Kurauchi authored
      In drivers/net/gtp.c, gtp_genl_dump_pdp() should set NLM_F_MULTI
      flag since it returns multipart message.
      This patch adds a new arg "flags" in gtp_genl_fill_info() so that
      flags can be set by the callers.
      Signed-off-by: default avatarYoshiyuki Kurauchi <ahochauwaaaaa@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      846c68f7
    • Jules Irenge's avatar
      cxgb4: Add missing annotation for service_ofldq() · cae9566a
      Jules Irenge authored
      Sparse reports a warning at service_ofldq()
      
      warning: context imbalance in service_ofldq() - unexpected unlock
      
      The root cause is the missing annotation at service_ofldq()
      
      Add the missing __must_hold(&q->sendq.lock) annotation
      Signed-off-by: default avatarJules Irenge <jbi.octave@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cae9566a
    • Jacob Keller's avatar
      ice: cleanup language in ice.rst for fw.app · 709e7158
      Jacob Keller authored
      The documentation for the ice driver around "fw.app" has a spelling
      mistake in variation. Additionally, the language of "shall have a unique
      name" sounds like a requirement. Reword this to read more like
      a description or property.
      Reported-by: default avatarBenjamin Fisher <benjamin.l.fisher@intel.com>
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Acked-by: default avatarJakub Kicinski <kubakici@wp.pl>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      709e7158
    • Clay McClure's avatar
      net: Make PTP-specific drivers depend on PTP_1588_CLOCK · b6d49cab
      Clay McClure authored
      Commit d1cbfd77 ("ptp_clock: Allow for it to be optional") changed
      all PTP-capable Ethernet drivers from `select PTP_1588_CLOCK` to `imply
      PTP_1588_CLOCK`, "in order to break the hard dependency between the PTP
      clock subsystem and ethernet drivers capable of being clock providers."
      As a result it is possible to build PTP-capable Ethernet drivers without
      the PTP subsystem by deselecting PTP_1588_CLOCK. Drivers are required to
      handle the missing dependency gracefully.
      
      Some PTP-capable Ethernet drivers (e.g., TI_CPSW) factor their PTP code
      out into separate drivers (e.g., TI_CPTS_MOD). The above commit also
      changed these PTP-specific drivers to `imply PTP_1588_CLOCK`, making it
      possible to build them without the PTP subsystem. But as Grygorii
      Strashko noted in [1]:
      
      On Wed, Apr 22, 2020 at 02:16:11PM +0300, Grygorii Strashko wrote:
      
      > Another question is that CPTS completely nonfunctional in this case and
      > it was never expected that somebody will even try to use/run such
      > configuration (except for random build purposes).
      
      In my view, enabling a PTP-specific driver without the PTP subsystem is
      a configuration error made possible by the above commit. Kconfig should
      not allow users to create a configuration with missing dependencies that
      results in "completely nonfunctional" drivers.
      
      I audited all network drivers that call ptp_clock_register() but merely
      `imply PTP_1588_CLOCK` and found five PTP-specific drivers that are
      likely nonfunctional without PTP_1588_CLOCK:
      
          NET_DSA_MV88E6XXX_PTP
          NET_DSA_SJA1105_PTP
          MACB_USE_HWSTAMP
          CAVIUM_PTP
          TI_CPTS_MOD
      
      Note how these symbols all reference PTP or timestamping in their name;
      this is a clue that they depend on PTP_1588_CLOCK.
      
      Change them from `imply PTP_1588_CLOCK` [2] to `depends on PTP_1588_CLOCK`.
      I'm not using `select PTP_1588_CLOCK` here because PTP_1588_CLOCK has
      its own dependencies, which `select` would not transitively apply.
      
      Additionally, remove the `select NET_PTP_CLASSIFY` from CPTS_TI_MOD;
      PTP_1588_CLOCK already selects that.
      
      [1]: https://lore.kernel.org/lkml/c04458ed-29ee-1797-3a11-7f3f560553e6@ti.com/
      
      [2]: NET_DSA_SJA1105_PTP had never declared any type of dependency on
      PTP_1588_CLOCK (`imply` or otherwise); adding a `depends on PTP_1588_CLOCK`
      here seems appropriate.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Cc: Nicolas Pitre <nico@fluxnic.net>
      Cc: Grygorii Strashko <grygorii.strashko@ti.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Fixes: d1cbfd77 ("ptp_clock: Allow for it to be optional")
      Signed-off-by: default avatarClay McClure <clay@daemons.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6d49cab
    • Jakub Kicinski's avatar
      devlink: fix return value after hitting end in region read · 610a9346
      Jakub Kicinski authored
      Commit d5b90e99 ("devlink: report 0 after hitting end in region read")
      fixed region dump, but region read still returns a spurious error:
      
      $ devlink region read netdevsim/netdevsim1/dummy snapshot 0 addr 0 len 128
      0000000000000000 a6 f4 c4 1c 21 35 95 a6 9d 34 c3 5b 87 5b 35 79
      0000000000000010 f3 a0 d7 ee 4f 2f 82 7f c6 dd c4 f6 a5 c3 1b ae
      0000000000000020 a4 fd c8 62 07 59 48 03 70 3b c7 09 86 88 7f 68
      0000000000000030 6f 45 5d 6d 7d 0e 16 38 a9 d0 7a 4b 1e 1e 2e a6
      0000000000000040 e6 1d ae 06 d6 18 00 85 ca 62 e8 7e 11 7e f6 0f
      0000000000000050 79 7e f7 0f f3 94 68 bd e6 40 22 85 b6 be 6f b1
      0000000000000060 af db ef 5e 34 f0 98 4b 62 9a e3 1b 8b 93 fc 17
      devlink answers: Invalid argument
      0000000000000070 61 e8 11 11 66 10 a5 f7 b1 ea 8d 40 60 53 ed 12
      
      This is a minimal fix, I'll follow up with a restructuring
      so we don't have two checks for the same condition.
      
      Fixes: fdd41ec2 ("devlink: Return right error code in case of errors for region read")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      610a9346
    • Nathan Chancellor's avatar
      hv_netvsc: Fix netvsc_start_xmit's return type · 7fdc66de
      Nathan Chancellor authored
      netvsc_start_xmit is used as a callback function for the ndo_start_xmit
      function pointer. ndo_start_xmit's return type is netdev_tx_t but
      netvsc_start_xmit's return type is int.
      
      This causes a failure with Control Flow Integrity (CFI), which requires
      function pointer prototypes and callback function definitions to match
      exactly. When CFI is in enforcing, the kernel panics. When booting a
      CFI kernel with WSL 2, the VM is immediately terminated because of this.
      
      The splat when CONFIG_CFI_PERMISSIVE is used:
      
      [    5.916765] CFI failure (target: netvsc_start_xmit+0x0/0x10):
      [    5.916771] WARNING: CPU: 8 PID: 0 at kernel/cfi.c:29 __cfi_check_fail+0x2e/0x40
      [    5.916772] Modules linked in:
      [    5.916774] CPU: 8 PID: 0 Comm: swapper/8 Not tainted 5.7.0-rc3-next-20200424-microsoft-cbl-00001-ged4eb37d2c69-dirty #1
      [    5.916776] RIP: 0010:__cfi_check_fail+0x2e/0x40
      [    5.916777] Code: 48 c7 c7 70 98 63 a9 48 c7 c6 11 db 47 a9 e8 69 55 59 00 85 c0 75 02 5b c3 48 c7 c7 73 c6 43 a9 48 89 de 31 c0 e8 12 2d f0 ff <0f> 0b 5b c3 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 85 f6 74 25
      [    5.916778] RSP: 0018:ffffa803c0260b78 EFLAGS: 00010246
      [    5.916779] RAX: 712a1af25779e900 RBX: ffffffffa8cf7950 RCX: ffffffffa962cf08
      [    5.916779] RDX: ffffffffa9c36b60 RSI: 0000000000000082 RDI: ffffffffa9c36b5c
      [    5.916780] RBP: ffff8ffc4779c2c0 R08: 0000000000000001 R09: ffffffffa9c3c300
      [    5.916781] R10: 0000000000000151 R11: ffffffffa9c36b60 R12: ffff8ffe39084000
      [    5.916782] R13: ffffffffa8cf7950 R14: ffffffffa8d12cb0 R15: ffff8ffe39320140
      [    5.916784] FS:  0000000000000000(0000) GS:ffff8ffe3bc00000(0000) knlGS:0000000000000000
      [    5.916785] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    5.916786] CR2: 00007ffef5749408 CR3: 00000002f4f5e000 CR4: 0000000000340ea0
      [    5.916787] Call Trace:
      [    5.916788]  <IRQ>
      [    5.916790]  __cfi_check+0x3ab58/0x450e0
      [    5.916793]  ? dev_hard_start_xmit+0x11f/0x160
      [    5.916795]  ? sch_direct_xmit+0xf2/0x230
      [    5.916796]  ? __dev_queue_xmit.llvm.11471227737707190958+0x69d/0x8e0
      [    5.916797]  ? neigh_resolve_output+0xdf/0x220
      [    5.916799]  ? neigh_connected_output.cfi_jt+0x8/0x8
      [    5.916801]  ? ip6_finish_output2+0x398/0x4c0
      [    5.916803]  ? nf_nat_ipv6_out+0x10/0xa0
      [    5.916804]  ? nf_hook_slow+0x84/0x100
      [    5.916807]  ? ip6_input_finish+0x8/0x8
      [    5.916807]  ? ip6_output+0x6f/0x110
      [    5.916808]  ? __ip6_local_out.cfi_jt+0x8/0x8
      [    5.916810]  ? mld_sendpack+0x28e/0x330
      [    5.916811]  ? ip_rt_bug+0x8/0x8
      [    5.916813]  ? mld_ifc_timer_expire+0x2db/0x400
      [    5.916814]  ? neigh_proxy_process+0x8/0x8
      [    5.916816]  ? call_timer_fn+0x3d/0xd0
      [    5.916817]  ? __run_timers+0x2a9/0x300
      [    5.916819]  ? rcu_core_si+0x8/0x8
      [    5.916820]  ? run_timer_softirq+0x14/0x30
      [    5.916821]  ? __do_softirq+0x154/0x262
      [    5.916822]  ? native_x2apic_icr_write+0x8/0x8
      [    5.916824]  ? irq_exit+0xba/0xc0
      [    5.916825]  ? hv_stimer0_vector_handler+0x99/0xe0
      [    5.916826]  ? hv_stimer0_callback_vector+0xf/0x20
      [    5.916826]  </IRQ>
      [    5.916828]  ? hv_stimer_global_cleanup.cfi_jt+0x8/0x8
      [    5.916829]  ? raw_setsockopt+0x8/0x8
      [    5.916830]  ? default_idle+0xe/0x10
      [    5.916832]  ? do_idle.llvm.10446269078108580492+0xb7/0x130
      [    5.916833]  ? raw_setsockopt+0x8/0x8
      [    5.916833]  ? cpu_startup_entry+0x15/0x20
      [    5.916835]  ? cpu_hotplug_enable.cfi_jt+0x8/0x8
      [    5.916836]  ? start_secondary+0x188/0x190
      [    5.916837]  ? secondary_startup_64+0xa5/0xb0
      [    5.916838] ---[ end trace f2683fa869597ba5 ]---
      
      Avoid this by using the right return type for netvsc_start_xmit.
      
      Fixes: fceaf24a ("Staging: hv: add the Hyper-V virtual network driver")
      Link: https://github.com/ClangBuiltLinux/linux/issues/1009Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7fdc66de
    • David S. Miller's avatar
      Merge branch 'WoL-fixes-for-DP83822-and-DP83tc811' · 384649e7
      David S. Miller authored
      Dan Murphy says:
      
      ====================
      WoL fixes for DP83822 and DP83tc811
      
      The WoL feature for each device was enabled during boot or when the PHY was
      brought up which may be undesired.  These patches disable the WoL in the
      config_init.  The disabling and enabling of the WoL is now done though the
      set_wol call.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      384649e7
    • Dan Murphy's avatar
      net: phy: DP83TC811: Fix WoL in config init to be disabled · 6c599044
      Dan Murphy authored
      The WoL feature should be disabled when config_init is called and the
      feature should turned on or off  when set_wol is called.
      
      In addition updated the calls to modify the registers to use the set_bit
      and clear_bit function calls.
      
      Fixes: 6d749428788b ("net: phy: DP83TC811: Introduce support for the
      DP83TC811 phy")
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c599044
    • Dan Murphy's avatar
      net: phy: DP83822: Fix WoL in config init to be disabled · 600ac36b
      Dan Murphy authored
      The WoL feature should be disabled when config_init is called and the
      feature should turned on or off  when set_wol is called.
      
      In addition updated the calls to modify the registers to use the set_bit
      and clear_bit function calls.
      
      Fixes: 3b427751a9d0 ("net: phy: DP83822 initial driver submission")
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      600ac36b
    • David Ahern's avatar
      ipv6: Use global sernum for dst validation with nexthop objects · 8f34e53b
      David Ahern authored
      Nik reported a bug with pcpu dst cache when nexthop objects are
      used illustrated by the following:
          $ ip netns add foo
          $ ip -netns foo li set lo up
          $ ip -netns foo addr add 2001:db8:11::1/128 dev lo
          $ ip netns exec foo sysctl net.ipv6.conf.all.forwarding=1
          $ ip li add veth1 type veth peer name veth2
          $ ip li set veth1 up
          $ ip addr add 2001:db8:10::1/64 dev veth1
          $ ip li set dev veth2 netns foo
          $ ip -netns foo li set veth2 up
          $ ip -netns foo addr add 2001:db8:10::2/64 dev veth2
          $ ip -6 nexthop add id 100 via 2001:db8:10::2 dev veth1
          $ ip -6 route add 2001:db8:11::1/128 nhid 100
      
          Create a pcpu entry on cpu 0:
          $ taskset -a -c 0 ip -6 route get 2001:db8:11::1
      
          Re-add the route entry:
          $ ip -6 ro del 2001:db8:11::1
          $ ip -6 route add 2001:db8:11::1/128 nhid 100
      
          Route get on cpu 0 returns the stale pcpu:
          $ taskset -a -c 0 ip -6 route get 2001:db8:11::1
          RTNETLINK answers: Network is unreachable
      
          While cpu 1 works:
          $ taskset -a -c 1 ip -6 route get 2001:db8:11::1
          2001:db8:11::1 from :: via 2001:db8:10::2 dev veth1 src 2001:db8:10::1 metric 1024 pref medium
      
      Conversion of FIB entries to work with external nexthop objects
      missed an important difference between IPv4 and IPv6 - how dst
      entries are invalidated when the FIB changes. IPv4 has a per-network
      namespace generation id (rt_genid) that is bumped on changes to the FIB.
      Checking if a dst_entry is still valid means comparing rt_genid in the
      rtable to the current value of rt_genid for the namespace.
      
      IPv6 also has a per network namespace counter, fib6_sernum, but the
      count is saved per fib6_node. With the per-node counter only dst_entries
      based on fib entries under the node are invalidated when changes are
      made to the routes - limiting the scope of invalidations. IPv6 uses a
      reference in the rt6_info, 'from', to track the corresponding fib entry
      used to create the dst_entry. When validating a dst_entry, the 'from'
      is used to backtrack to the fib6_node and check the sernum of it to the
      cookie passed to the dst_check operation.
      
      With the inline format (nexthop definition inline with the fib6_info),
      dst_entries cached in the fib6_nh have a 1:1 correlation between fib
      entries, nexthop data and dst_entries. With external nexthops, IPv6
      looks more like IPv4 which means multiple fib entries across disparate
      fib6_nodes can all reference the same fib6_nh. That means validation
      of dst_entries based on external nexthops needs to use the IPv4 format
      - the per-network namespace counter.
      
      Add sernum to rt6_info and set it when creating a pcpu dst entry. Update
      rt6_get_cookie to return sernum if it is set and update dst_check for
      IPv6 to look for sernum set and based the check on it if so. Finally,
      rt6_get_pcpu_route needs to validate the cached entry before returning
      a pcpu entry (similar to the rt_cache_valid calls in __mkroute_input and
      __mkroute_output for IPv4).
      
      This problem only affects routes using the new, external nexthops.
      
      Thanks to the kbuild test robot for catching the IS_ENABLED needed
      around rt_genid_ipv6 before I sent this out.
      
      Fixes: 5b98324e ("ipv6: Allow routes to use nexthop objects")
      Reported-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Tested-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8f34e53b
    • Rahul Lakkireddy's avatar
      cxgb4: fix EOTID leak when disabling TC-MQPRIO offload · 69422a7e
      Rahul Lakkireddy authored
      Under heavy load, the EOTID termination FLOWC request fails to get
      enqueued to the end of the Tx ring due to lack of credits. This
      results in EOTID leak.
      
      When disabling TC-MQPRIO offload, the link is already brought down
      to cleanup EOTIDs. So, flush any pending enqueued skbs that can't be
      sent outside the wire, to make room for FLOWC request. Also, move the
      FLOWC descriptor consumption logic closer to when the FLOWC request is
      actually posted to hardware.
      
      Fixes: 0e395b3c ("cxgb4: add FLOWC based QoS offload")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69422a7e
    • Andy Shevchenko's avatar
      stmmac: intel: Fix kernel crash due to wrong error path · ab1c637c
      Andy Shevchenko authored
      Unfortunately sometimes ->probe() may fail. The commit b9663b7c
      ("net: stmmac: Enable SERDES power up/down sequence")
      messed up with error handling and thus:
      
      [   12.811311] ------------[ cut here ]------------
      [   12.811993] kernel BUG at net/core/dev.c:9937!
      
      Fix this by properly crafted error path.
      
      Fixes: b9663b7c ("net: stmmac: Enable SERDES power up/down sequence")
      Cc: Voon Weifeng <weifeng.voon@intel.com>
      Cc: Ong Boon Leong <boon.leong.ong@intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab1c637c
    • Jiri Pirko's avatar
      mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly · 6ef4889f
      Jiri Pirko authored
      Vregion helpers to get min and max priority depend on the correct
      ordering of vchunks in the vregion list. However, the current code
      always adds new chunk to the end of the list, no matter what the
      priority is. Fix this by finding the correct place in the list and put
      vchunk there.
      
      Fixes: 22a67766 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ef4889f
    • Toke Høiland-Jørgensen's avatar
      tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040 · b7237487
      Toke Høiland-Jørgensen authored
      RFC 6040 recommends propagating an ECT(1) mark from an outer tunnel header
      to the inner header if that inner header is already marked as ECT(0). When
      RFC 6040 decapsulation was implemented, this case of propagation was not
      added. This simply appears to be an oversight, so let's fix that.
      
      Fixes: eccc1bb8 ("tunnel: drop packet if ECN present with not-ECT")
      Reported-by: default avatarBob Briscoe <ietf@bobbriscoe.net>
      Reported-by: default avatarOlivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
      Cc: Dave Taht <dave.taht@gmail.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7237487
    • Andy Shevchenko's avatar
      net: macb: Fix runtime PM refcounting · 0ce205d4
      Andy Shevchenko authored
      The commit e6a41c23, while trying to fix an issue,
      
          ("net: macb: ensure interface is not suspended on at91rm9200")
      
      introduced a refcounting regression, because in error case refcounter
      must be balanced. Fix it by calling pm_runtime_put_noidle() in error case.
      
      While here, fix the same mistake in other couple of places.
      
      Fixes: e6a41c23 ("net: macb: ensure interface is not suspended on at91rm9200")
      Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0ce205d4
    • Christophe JAILLET's avatar
      net: moxa: Fix a potential double 'free_irq()' · ee8d2267
      Christophe JAILLET authored
      Should an irq requested with 'devm_request_irq' be released explicitly,
      it should be done by 'devm_free_irq()', not 'free_irq()'.
      
      Fixes: 6c821bd9 ("net: Add MOXA ART SoCs ethernet driver")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee8d2267
    • Scott Dial's avatar
      net: macsec: preserve ingress frame ordering · ab046a5d
      Scott Dial authored
      MACsec decryption always occurs in a softirq context. Since
      the FPU may not be usable in the softirq context, the call to
      decrypt may be scheduled on the cryptd work queue. The cryptd
      work queue does not provide ordering guarantees. Therefore,
      preserving order requires masking out ASYNC implementations
      of gcm(aes).
      
      For instance, an Intel CPU with AES-NI makes available the
      generic-gcm-aesni driver from the aesni_intel module to
      implement gcm(aes). However, this implementation requires
      the FPU, so it is not always available to use from a softirq
      context, and will fallback to the cryptd work queue, which
      does not preserve frame ordering. With this change, such a
      system would select gcm_base(ctr(aes-aesni),ghash-generic).
      While the aes-aesni implementation prefers to use the FPU, it
      will fallback to the aes-asm implementation if unavailable.
      
      By using a synchronous version of gcm(aes), the decryption
      will complete before returning from crypto_aead_decrypt().
      Therefore, the macsec_decrypt_done() callback will be called
      before returning from macsec_decrypt(). Thus, the order of
      calls to macsec_post_decrypt() for the frames is preserved.
      
      While it's presumable that the pure AES-NI version of gcm(aes)
      is more performant, the hybrid solution is capable of gigabit
      speeds on modest hardware. Regardless, preserving the order
      of frames is paramount for many network protocols (e.g.,
      triggering TCP retries). Within the MACsec driver itself, the
      replay protection is tripped by the out-of-order frames, and
      can cause frames to be dropped.
      
      This bug has been present in this code since it was added in
      v4.6, however it may not have been noticed since not all CPUs
      have FPU offload available. Additionally, the bug manifests
      as occasional out-of-order packets that are easily
      misattributed to other network phenomena.
      
      When this code was added in v4.6, the crypto/gcm.c code did
      not restrict selection of the ghash function based on the
      ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would
      select the ghash-clmulni driver instead of ghash-generic,
      which submits to the cryptd work queue if the FPU is busy.
      However, this bug was was corrected in v4.8 by commit
      b30bdfa8, and was backported
      all the way back to the v3.14 stable branch, so this patch
      should be applicable back to the v4.6 stable branch.
      Signed-off-by: default avatarScott Dial <scott@scottdial.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab046a5d
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · b6f875a8
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Do not update the UDP checksum when it's zero, from Guillaume Nault.
      
      2) Fix return of local variable in nf_osf, from Arnd Bergmann.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6f875a8
    • David S. Miller's avatar
      Merge branch 'net-ipa-three-bug-fixes' · c778980a
      David S. Miller authored
      Alex Elder says:
      
      ====================
      net: ipa: three bug fixes
      
      This series fixes three bugs in the Qualcomm IPA code.  The third
      adds a missing error code initialization step.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c778980a
    • Alex Elder's avatar
      net: ipa: zero return code before issuing generic EE command · 0b1ba18a
      Alex Elder authored
      Zero the result code stored in a field of the scratch 0 register
      before issuing a generic EE command.  This just guarantees that
      the value we read later was actually written as a result of the
      command.
      
      Also add the definitions of two more possible result codes that can
      be returned when issuing flow control enable or disable commands:
        INCORRECT_CHANNEL_STATE: - channel must be in started state
        INCORRECT_DIRECTION - flow control is only valid for TX channels
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b1ba18a
    • Alex Elder's avatar
      net: ipa: fix an error message in gsi_channel_init_one() · 0721999f
      Alex Elder authored
      An error message about limiting the number of TREs used prints the
      wrong value.  Fix this bug.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0721999f
    • Alex Elder's avatar
      net: ipa: fix a bug in ipa_endpoint_stop() · 713b6ebb
      Alex Elder authored
      In ipa_endpoint_stop(), for TX endpoints we set the number of retries
      to 0.  When we break out of the loop, retries being 0 means we return
      EIO rather than the value of ret (which should be 0).
      
      Fix this by using a non-zero retry count for both RX and TX
      channels, and just break out of the loop after calling
      gsi_channel_stop() for TX channels.  This way only RX channels
      will retry, and the retry count will be non-zero at the end
      for TX channels (so the proper value gets returned).
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      713b6ebb
    • David S. Miller's avatar
      Merge branch 'ionic-fw-upgrade-bug-fixes' · de04604e
      David S. Miller authored
      Shannon Nelson says:
      
      ====================
      ionic: fw upgrade bug fixes
      
      These patches address issues found in additional internal
      fw-upgrade testing.
      
      v2:
       - replaced extra state flag with postponing first link check
       - added device reset patch
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      de04604e