1. 19 Dec, 2019 1 commit
    • Maxim Mikityanskiy's avatar
      xsk: Add rcu_read_lock around the XSK wakeup · 06870682
      Maxim Mikityanskiy authored
      The XSK wakeup callback in drivers makes some sanity checks before
      triggering NAPI. However, some configuration changes may occur during
      this function that affect the result of those checks. For example, the
      interface can go down, and all the resources will be destroyed after the
      checks in the wakeup function, but before it attempts to use these
      resources. Wrap this callback in rcu_read_lock to allow driver to
      synchronize_rcu before actually destroying the resources.
      
      xsk_wakeup is a new function that encapsulates calling ndo_xsk_wakeup
      wrapped into the RCU lock. After this commit, xsk_poll starts using
      xsk_wakeup and checks xs->zc instead of ndo_xsk_wakeup != NULL to decide
      ndo_xsk_wakeup should be called. It also fixes a bug introduced with the
      need_wakeup feature: a non-zero-copy socket may be used with a driver
      supporting zero-copy, and in this case ndo_xsk_wakeup should not be
      called, so the xs->zc check is the correct one.
      
      Fixes: 77cd0d7b ("xsk: add support for need_wakeup flag in AF_XDP rings")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Signed-off-by: default avatarBjörn Töpel <bjorn.topel@intel.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20191217162023.16011-2-maximmi@mellanox.com
      06870682
  2. 17 Dec, 2019 1 commit
  3. 16 Dec, 2019 1 commit
  4. 13 Dec, 2019 1 commit
  5. 12 Dec, 2019 3 commits
  6. 11 Dec, 2019 22 commits
  7. 10 Dec, 2019 1 commit
  8. 09 Dec, 2019 10 commits
    • Davide Caratti's avatar
      tc-testing: unbreak full listing of tdc testcases · 991a3459
      Davide Caratti authored
      the following command currently fails:
      
       [root@fedora tc-testing]# ./tdc.py -l
       The following test case IDs are not unique:
       {'6f5e'}
       Please correct them before continuing.
      
      this happens because there are two tests having the same id:
      
       [root@fedora tc-testing]# grep -r 6f5e tc-tests/*
       tc-tests/actions/pedit.json:        "id": "6f5e",
       tc-tests/filters/basic.json:        "id": "6f5e",
      
      fix it replacing the latest duplicate id with a brand new one:
      
       [root@fedora tc-testing]# sed -i 's/6f5e//1' tc-tests/filters/basic.json
       [root@fedora tc-testing]# ./tdc.py -i
      
      Fixes: 4717b053 ("tc-testing: Introduced tdc tests for basic filter")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      991a3459
    • Chuhong Yuan's avatar
      fjes: fix missed check in fjes_acpi_add · a288f105
      Chuhong Yuan authored
      fjes_acpi_add() misses a check for platform_device_register_simple().
      Add a check to fix it.
      
      Fixes: 658d439b ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
      Signed-off-by: default avatarChuhong Yuan <hslester96@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a288f105
    • Mao Wenan's avatar
      af_packet: set defaule value for tmo · b43d1f9f
      Mao Wenan authored
      There is softlockup when using TPACKET_V3:
      ...
      NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
      (__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
      (_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c)
      (mod_timer) from [<c0549c30>]
      (prb_retire_rx_blk_timer_expired+0x68/0x11c)
      (prb_retire_rx_blk_timer_expired) from [<c027a7ac>]
      (call_timer_fn+0x90/0x17c)
      (call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc)
      (run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318)
      (__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
      (irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
      (msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4)
      (handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118)
      (gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c)
      ...
      
      If __ethtool_get_link_ksettings() is failed in
      prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
      is zero and the timer expire for retire_blk_timer is turn to
      mod_timer(&pkc->retire_blk_timer, jiffies + 0),
      which will trigger cpu usage of softirq is 100%.
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Tested-by: default avatarXiao Jiangfeng <xiaojiangfeng@huawei.com>
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b43d1f9f
    • Grygorii Strashko's avatar
      net: ethernet: ti: davinci_cpdma: fix warning "device driver frees DMA memory with different size" · 8a2b2220
      Grygorii Strashko authored
      The TI CPSW(s) driver produces warning with DMA API debug options enabled:
      
      WARNING: CPU: 0 PID: 1033 at kernel/dma/debug.c:1025 check_unmap+0x4a8/0x968
      DMA-API: cpsw 48484000.ethernet: device driver frees DMA memory with different size
       [device address=0x00000000abc6aa02] [map size=64 bytes] [unmap size=42 bytes]
      CPU: 0 PID: 1033 Comm: ping Not tainted 5.3.0-dirty #41
      Hardware name: Generic DRA72X (Flattened Device Tree)
      [<c0112c60>] (unwind_backtrace) from [<c010d270>] (show_stack+0x10/0x14)
      [<c010d270>] (show_stack) from [<c09bc564>] (dump_stack+0xd8/0x110)
      [<c09bc564>] (dump_stack) from [<c013b93c>] (__warn+0xe0/0x10c)
      [<c013b93c>] (__warn) from [<c013b9ac>] (warn_slowpath_fmt+0x44/0x6c)
      [<c013b9ac>] (warn_slowpath_fmt) from [<c01e0368>] (check_unmap+0x4a8/0x968)
      [<c01e0368>] (check_unmap) from [<c01e08a8>] (debug_dma_unmap_page+0x80/0x90)
      [<c01e08a8>] (debug_dma_unmap_page) from [<c0752414>] (__cpdma_chan_free+0x114/0x16c)
      [<c0752414>] (__cpdma_chan_free) from [<c07525c4>] (__cpdma_chan_process+0x158/0x17c)
      [<c07525c4>] (__cpdma_chan_process) from [<c0753690>] (cpdma_chan_process+0x3c/0x5c)
      [<c0753690>] (cpdma_chan_process) from [<c0758660>] (cpsw_tx_mq_poll+0x48/0x94)
      [<c0758660>] (cpsw_tx_mq_poll) from [<c0803018>] (net_rx_action+0x108/0x4e4)
      [<c0803018>] (net_rx_action) from [<c010230c>] (__do_softirq+0xec/0x598)
      [<c010230c>] (__do_softirq) from [<c0143914>] (do_softirq.part.4+0x68/0x74)
      [<c0143914>] (do_softirq.part.4) from [<c0143a44>] (__local_bh_enable_ip+0x124/0x17c)
      [<c0143a44>] (__local_bh_enable_ip) from [<c0871590>] (ip_finish_output2+0x294/0xb7c)
      [<c0871590>] (ip_finish_output2) from [<c0875440>] (ip_output+0x210/0x364)
      [<c0875440>] (ip_output) from [<c0875e2c>] (ip_send_skb+0x1c/0xf8)
      [<c0875e2c>] (ip_send_skb) from [<c08a7fd4>] (raw_sendmsg+0x9a8/0xc74)
      [<c08a7fd4>] (raw_sendmsg) from [<c07d6b90>] (sock_sendmsg+0x14/0x24)
      [<c07d6b90>] (sock_sendmsg) from [<c07d8260>] (__sys_sendto+0xbc/0x100)
      [<c07d8260>] (__sys_sendto) from [<c01011ac>] (__sys_trace_return+0x0/0x14)
      Exception stack(0xea9a7fa8 to 0xea9a7ff0)
      ...
      
      The reason is that cpdma_chan_submit_si() now stores original buffer length
      (sw_len) in CPDMA descriptor instead of adjusted buffer length (hw_len)
      used to map the buffer.
      
      Hence, fix an issue by passing correct buffer length in CPDMA descriptor.
      
      Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Fixes: 6670acac ("net: ethernet: ti: davinci_cpdma: add dma mapped submit")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Reviewed-by: default avatarIvan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a2b2220
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 7da538c1
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Wait for rcu grace period after releasing netns in ctnetlink,
         from Florian Westphal.
      
      2) Incorrect command type in flowtable offload ndo invocation,
         from wenxu.
      
      3) Incorrect callback type in flowtable offload flow tuple
         updates, also from wenxu.
      
      4) Fix compile warning on flowtable offload infrastructure due to
         possible reference to uninitialized variable, from Nathan Chancellor.
      
      5) Do not inline nf_ct_resolve_clash(), this is called from slow
         path / stress situations. From Florian Westphal.
      
      6) Missing IPv6 flow selector description in flowtable offload.
      
      7) Missing check for NETDEV_UNREGISTER in nf_tables offload
         infrastructure, from wenxu.
      
      8) Update NAT selftest to use randomized netns names, from
         Florian Westphal.
      
      9) Restore nfqueue bridge support, from Marco Oliverio.
      
      10) Compilation warning in SCTP_CHUNKMAP_*() on xt_sctp header.
          From Phil Sutter.
      
      11) Fix bogus lookup/get match for non-anonymous rbtree sets.
      
      12) Missing netlink validation for NFT_SET_ELEM_INTERVAL_END
          elements.
      
      13) Missing netlink validation for NFT_DATA_VALUE after
          nft_data_init().
      
      14) If rule specifies no actions, offload infrastructure returns
          EOPNOTSUPP.
      
      15) Module refcount leak in object updates.
      
      16) Missing sanitization for ARP traffic from br_netfilter, from
          Eric Dumazet.
      
      17) Compilation breakage on big-endian due to incorrect memcpy()
          size in the flowtable offload infrastructure.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7da538c1
    • Pablo Neira Ayuso's avatar
      netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle() · 7acd9378
      Pablo Neira Ayuso authored
      In function 'memcpy',
           inlined from 'flow_offload_mangle' at net/netfilter/nf_flow_table_offload.c:112:2,
           inlined from 'flow_offload_port_dnat' at net/netfilter/nf_flow_table_offload.c:373:2,
           inlined from 'nf_flow_rule_route_ipv4' at net/netfilter/nf_flow_table_offload.c:424:3:
      ./include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
         376 |    __read_overflow2();
             |    ^~~~~~~~~~~~~~~~~~
      
      The original u8* was done in the hope to make this more adaptable but
      consensus is to keep this like it is in tc pedit.
      
      Fixes: c29f74e0 ("netfilter: nf_flow_table: hardware offload support")
      Reported-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7acd9378
    • Martin Schiller's avatar
      net/x25: add new state X25_STATE_5 · f8fc57e8
      Martin Schiller authored
      This is needed, because if the flag X25_ACCPT_APPRV_FLAG is not set on a
      socket (manual call confirmation) and the channel is cleared by remote
      before the manual call confirmation was sent, this situation needs to
      be handled.
      Signed-off-by: default avatarMartin Schiller <ms@dev.tdt.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8fc57e8
    • Ido Schimmel's avatar
      selftests: forwarding: Delete IPv6 address at the end · 65cb1398
      Ido Schimmel authored
      When creating the second host in h2_create(), two addresses are assigned
      to the interface, but only one is deleted. When running the test twice
      in a row the following error is observed:
      
      $ ./router_bridge_vlan.sh
      TEST: ping                                                          [ OK ]
      TEST: ping6                                                         [ OK ]
      TEST: vlan                                                          [ OK ]
      $ ./router_bridge_vlan.sh
      RTNETLINK answers: File exists
      TEST: ping                                                          [ OK ]
      TEST: ping6                                                         [ OK ]
      TEST: vlan                                                          [ OK ]
      
      Fix this by deleting the address during cleanup.
      
      Fixes: 5b1e7f9e ("selftests: forwarding: Test routed bridge interface")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65cb1398
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Remove unlikely user-triggerable warning · 62201c00
      Ido Schimmel authored
      In case the driver vetoes the addition of an IPv6 multipath route, the
      IPv6 stack will emit delete notifications for the sibling routes that
      were already added to the FIB trie. Since these siblings are not present
      in hardware, a warning will be generated.
      
      Have the driver ignore notifications for routes it does not have.
      
      Fixes: ebee3cad ("ipv6: Add IPv6 multipath notifications for add / replace")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62201c00
    • Xin Long's avatar
      sctp: fully initialize v4 addr in some functions · b6f3320b
      Xin Long authored
      Syzbot found a crash:
      
        BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
        BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
        BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
        Call Trace:
          crc32_body lib/crc32.c:112 [inline]
          crc32_le_generic lib/crc32.c:179 [inline]
          __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
          chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
          crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
          crc32c+0x150/0x220 lib/libcrc32c.c:47
          sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
          __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
          sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
          sctp_packet_pack net/sctp/output.c:528 [inline]
          sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
          sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
          sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
          sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
          sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
          sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
          sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
          sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
          sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
          sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
          sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
      
      The issue was caused by transport->ipaddr set with uninit addr param, which
      was passed by:
      
        sctp_transport_init net/sctp/transport.c:47 [inline]
        sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
        sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
        sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
      
      where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
      the padding of addr->v4.
      
      Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
      will become the part of skb, and the issue occurs.
      
      This patch is to fix it by initializing the padding of addr->v4 in
      sctp_v4_from_addr_param(), as well as other functions that do the similar
      thing, and these functions shouldn't trust that the caller initializes the
      memory, as Marcelo suggested.
      
      Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6f3320b