- 27 May, 2019 7 commits
-
-
Igor Russkikh authored
In case no other traffic happening on the ring, full tx cleanup may not be completed. That may cause socket buffer to overflow and tx traffic to stuck until next activity on the ring happens. This is due to logic error in budget variable decrementor. Variable is compared with zero, and then post decremented, causing it to become MAX_INT. Solution is remove decrementor from the `for` statement and rewrite it in a clear way. Fixes: b647d398 ("net: aquantia: Add tx clean budget and valid budget handling logic") Signed-off-by:
Igor Russkikh <igor.russkikh@aquantia.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Kees Cook authored
Building with Clang reports the redundant use of MODULE_DEVICE_TABLE(): drivers/net/ethernet/dec/tulip/de4x5.c:2110:1: error: redefinition of '__mod_eisa__de4x5_eisa_ids_device_table' MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids); ^ ./include/linux/module.h:229:21: note: expanded from macro 'MODULE_DEVICE_TABLE' extern typeof(name) __mod_##type##__##name##_device_table \ ^ <scratch space>:90:1: note: expanded from here __mod_eisa__de4x5_eisa_ids_device_table ^ drivers/net/ethernet/dec/tulip/de4x5.c:2100:1: note: previous definition is here MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids); ^ ./include/linux/module.h:229:21: note: expanded from macro 'MODULE_DEVICE_TABLE' extern typeof(name) __mod_##type##__##name##_device_table \ ^ <scratch space>:85:1: note: expanded from here __mod_eisa__de4x5_eisa_ids_device_table ^ This drops the one further from the table definition to match the common use of MODULE_DEVICE_TABLE(). Fixes: 07563c71 ("EISA bus MODALIAS attributes support") Signed-off-by:Kees Cook <keescook@chromium.org> Signed-off-by:
-
David S. Miller authored
Jakub Kicinski says: ==================== net/tls: two fixes for rx_list pre-handling tls_sw_recvmsg() had been modified to cater better to async decrypt. Partially read records now live on the rx_list. Data is copied from this list before the old do {} while loop, and the not included correctly in deciding whether to sleep or not and lowat threshold handling. These modifications, unfortunately, added some bugs. First patch fixes lowat - we need to calculate the threshold early and make sure all copied data is compared to the threshold, not just the freshly decrypted data. Third patch fixes sleep - if data is picked up from rx_list and no flags are set, we should not put the process to sleep, but rather return the partial read. Patches 2 and 4 add test cases for these bugs, both will cause a sleep and test timeout before the fix. ==================== Signed-off-by: -
Jakub Kicinski authored
Add a test which sends 15 bytes of data, and then tries to read 10 byes twice. Previously the second read would sleep indifinitely, since the record was already decrypted and there is only 5 bytes left, not full 10. Signed-off-by:
Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by:
Dirk van der Merwe <dirk.vandermerwe@netronome.com> Signed-off-by:
-
Jakub Kicinski authored
When tls_sw_recvmsg() partially copies a record it pops that record from ctx->recv_pkt and places it on rx_list. Next iteration of tls_sw_recvmsg() reads from rx_list via process_rx_list() before it enters the decryption loop. If there is no more records to be read tls_wait_data() will put the process on the wait queue and got to sleep. This is incorrect, because some data was already copied in process_rx_list(). In case of RPC connections process may never get woken up, because peer also simply blocks in read(). I think this may also fix a similar issue when BPF is at play, because after __tcp_bpf_recvmsg() returns some data we subtract it from len and use continue to restart the loop, but len could have just reached 0, so again we'd sleep unnecessarily. That's added by: commit d3b18ad3 ("tls: add bpf support to sk_msg handling") Fixes: 692d7b5d ("tls: Fix recvmsg() to be able to peek across multiple records") Reported-by:
David Beckett <david.beckett@netronome.com> Signed-off-by:
-
Jakub Kicinski authored
Set SO_RCVLOWAT and test it gets respected when gathering data from multiple records. Signed-off-by:
-
Jakub Kicinski authored
If some of the data came from the previous record, i.e. from the rx_list it had already been decrypted, so it's not counted towards the "decrypted" variable, but the "copied" variable. Take that into account when checking lowat. When calculating lowat target we need to pass the original len. E.g. if lowat is at 80, len is 100 and we had 30 bytes on rx_list target would currently be incorrectly calculated as 70, even though we only need 50 more bytes to make up the 80. Fixes: 692d7b5d ("tls: Fix recvmsg() to be able to peek across multiple records") Signed-off-by:
-
- 26 May, 2019 5 commits
-
-
David S. Miller authored
Ioana Radulescu says: ==================== dpaa2-eth: Fix smatch warnings Fix a couple of warnings reported by smatch. ==================== Signed-off-by: -
Ioana Radulescu authored
Function dpaa2_eth_cls_key_size() expects a 64bit argument, but DPAA2_ETH_DIST_ALL is defined as UINT_MAX. Fix this. Signed-off-by:
Ioana Radulescu <ruxandra.radulescu@nxp.com> Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Ioana Radulescu authored
Use PTR_ERR_OR_ZERO instead of PTR_ERR in cases where zero is a valid input. Reported by smatch. Signed-off-by:
-
Ioana Radulescu authored
Smatch reports a potential spectre vulnerability in the dpaa2-eth driver, where the value of rxnfc->fs.location (which is provided from user-space) is used as index in an array. Add a call to array_index_nospec() to sanitize the access. Signed-off-by:
-
Jarod Wilson authored
Once in a while, with just the right timing, 802.3ad slaves will fail to properly initialize, winding up in a weird state, with a partner system mac address of 00:00:00:00:00:00. This started happening after a fix to properly track link_failure_count tracking, where an 802.3ad slave that reported itself as link up in the miimon code, but wasn't able to get a valid speed/duplex, started getting set to BOND_LINK_FAIL instead of BOND_LINK_DOWN. That was the proper thing to do for the general "my link went down" case, but has created a link initialization race that can put the interface in this odd state. The simple fix is to instead set the slave link to BOND_LINK_DOWN again, if the link has never been up (last_link_up == 0), so the link state doesn't bounce from BOND_LINK_DOWN to BOND_LINK_FAIL -- it hasn't failed in this case, it simply hasn't been up yet, and this prevents the unnecessary state change from DOWN to FAIL and getting stuck in an init failure w/o a partner mac. Fixes: ea53abfa ("bonding/802.3ad: fix link_failure_count tracking") CC: Jay Vosburgh <j.vosburgh@gmail.com> CC: Veaceslav Falico <vfalico@gmail.com> CC: Andy Gospodarek <andy@greyhouse.net> CC: "David S. Miller" <davem@davemloft.net> CC: netdev@vger.kernel.org Tested-by:
Heesoon Kim <Heesoon.Kim@stratus.com> Signed-off-by:
Jarod Wilson <jarod@redhat.com> Acked-by:
Jay Vosburgh <jay.vosburgh@canonical.com> Signed-off-by:
-
- 25 May, 2019 7 commits
-
-
Maxime Chevallier authored
ethtool ops get_rxfh_context and set_rxfh_context are used to create, remove and access parameters associated to RSS contexts, in a similar fashion to get_rxfh and set_rxfh. Add a small descritopn of these callbacks in the struct ethtool_ops doc. Signed-off-by:
Maxime Chevallier <maxime.chevallier@bootlin.com> Signed-off-by:
-
David S. Miller authored
Biao Huang says: ==================== fix some bugs in stmmac changes in v4: since MTL_OPERATION_MODE write back issue has be fixed in the latest driver, remove original patch#3 changes in v3: add a Fixes:tag for each patch changes in v2: 1. update rx_tail_addr as Jose's comment 2. changes clk_csr condition as Alex's proposition 3. remove init lines in dwmac-mediatek, get clk_csr from dts instead. v1: This series fix some bugs in stmmac driver 3 patches are for common stmmac or dwmac4: 1. update rx tail pointer to fix rx dma hang issue. 2. change condition for mdc clock to fix csr_clk can't be zero issue. 3. write the modified value back to MTL_OPERATION_MODE. 1 patch is for dwmac-mediatek: modify csr_clk value to fix mdio read/write fail issue for dwmac-mediatek ==================== Signed-off-by: -
Biao Huang authored
1. the frequency of csr clock is 66.5MHz, so the csr_clk value should be 0 other than 5. 2. the csr_clk can be got from device tree, so remove initialization here. Fixes: 9992f37e ("stmmac: dwmac-mediatek: add support for mt2712") Signed-off-by:
Biao Huang <biao.huang@mediatek.com> Signed-off-by:
-
Biao Huang authored
The specific clk_csr value can be zero, and stmmac_clk is necessary for MDC clock which can be set dynamically. So, change the condition from plat->clk_csr to plat->stmmac_clk to fix clk_csr can't be zero issue. Fixes: cd7201f4 ("stmmac: MDC clock dynamically based on the csr clock input") Signed-off-by:
Alexandre TORGUE <alexandre.torgue@st.com> Signed-off-by:
-
Biao Huang authored
Currently we will not update the receive descriptor tail pointer in stmmac_rx_refill. Rx dma will think no available descriptors and stop once received packets exceed DMA_RX_SIZE, so that the rx only test will fail. Update the receive tail pointer in stmmac_rx_refill to add more descriptors to the rx channel, so packets can be received continually Fixes: 54139cf3 ("net: stmmac: adding multiple buffers for rx") Signed-off-by:
-
Gen Zhang authored
In function ip_ra_control(), the pointer new_ra is allocated a memory space via kmalloc(). And it is used in the following codes. However, when there is a memory allocation error, kmalloc() fails. Thus null pointer dereference may happen. And it will cause the kernel to crash. Therefore, we should check the return value and handle the error. Signed-off-by:
Gen Zhang <blackgod016574@gmail.com> Signed-off-by:
-
Gen Zhang authored
In function ip6_ra_control(), the pointer new_ra is allocated a memory space via kmalloc(). And it is used in the following codes. However, when there is a memory allocation error, kmalloc() fails. Thus null pointer dereference may happen. And it will cause the kernel to crash. Therefore, we should check the return value and handle the error. Signed-off-by:
-
- 24 May, 2019 3 commits
-
-
Vlad Buslov authored
Function tcf_action_dump() relies on tc_action->order field when starting nested nla to send action data to userspace. This approach breaks in several cases: - When multiple filters point to same shared action, tc_action->order field is overwritten each time it is attached to filter. This causes filter dump to output action with incorrect attribute for all filters that have the action in different position (different order) from the last set tc_action->order value. - When action data is displayed using tc action API (RTM_GETACTION), action order is overwritten by tca_action_gd() according to its position in resulting array of nl attributes, which will break filter dump for all filters attached to that shared action that expect it to have different order value. Don't rely on tc_action->order when dumping actions. Set nla according to action position in resulting array of actions instead. Signed-off-by:
Vlad Buslov <vladbu@mellanox.com> Acked-by:
Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by:
-
Vishal Kulkarni authored
This reverts commit 2391b003 which has introduced regression. Now SGE's BAR2 Doorbell/GTS Page Size is interpreted correctly in the firmware itself by using actual host page size. Hence previous commit needs to be reverted. Signed-off-by:
Vishal Kulkarni <vishal@chelsio.com> Signed-off-by:
-
Andy Duan authored
Fix the clk mismatch in the error path "failed_reset" because below error path will disable clk_ahb and clk_ipg directly, it should use pm_runtime_put_noidle() instead of pm_runtime_put() to avoid to call runtime resume callback. Reported-by:
Baruch Siach <baruch@tkos.co.il> Signed-off-by:
Fugang Duan <fugang.duan@nxp.com> Tested-by:
-
- 23 May, 2019 15 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nfDavid S. Miller authored
Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net The following patchset contains Netfilter/IPVS fixes for your net tree: 1) Fix crash when dumping rules after conversion to RCU, from Florian Westphal. 2) Fix incorrect hook reinjection from nf_queue in case NF_REPEAT, from Jagdish Motwani. 3) Fix check for route existence in fib extension, from Phil Sutter. 4) Fix use after free in ip_vs_in() hook, from YueHaibing. 5) Check for veth existence from netfilter selftests, from Jeffrin Jose T. 6) Checksum corruption in UDP NAT helpers due to typo, from Florian Westphal. 7) Pass up packets to classic forwarding path regardless of IPv4 DF bit, patch for the flowtable infrastructure from Florian. 8) Set liberal TCP tracking for flows that are placed in the flowtable, in case they need to go back to classic forwarding path, also from Florian. 9) Don't add flow with sequence adjustment to flowtable, from Florian. 10) Skip IPv4 options from IPv6 datapath in flowtable, from Florian. 11) Add selftest for the flowtable infrastructure, from Florian. ==================== Signed-off-by: -
Raju Rangoju authored
VLAN flows never get offloaded unless ivlan_vld is set in filter spec. It's not compulsory for vlan_ethtype to be set. So, always enable ivlan_vld bit for offloading VLAN flows regardless of vlan_ethtype is set or not. Fixes: ad9af3e0 (cxgb4: add tc flower match support for vlan) Signed-off-by:
Raju Rangoju <rajur@chelsio.com> Signed-off-by:
-
Andreas Oetken authored
Don't prune the master node in the hsr_prune_nodes function. Neither time_in[HSR_PT_SLAVE_A] nor time_in[HSR_PT_SLAVE_B] will ever be updated by hsr_register_frame_in for the master port. Thus, the master node will be repeatedly pruned leading to repeated packet loss. This bug never appeared because the hsr_prune_nodes function was only called once. Since commit 5150b45f ("net: hsr: Fix node prune function for forget time expiry") this issue is fixed unveiling the issue described above. Fixes: 5150b45f ("net: hsr: Fix node prune function for forget time expiry") Signed-off-by:
Andreas Oetken <andreas.oetken@siemens.com> Tested-by:
Murali Karicheri <m-karicheri2@ti.com> Signed-off-by:
-
Maxime Chevallier authored
The flow_rule is only used when configuring the classification tables, and should be free'd once we're done using it. The current code only frees it in the error path. Fixes: 90b509b3 ("net: mvpp2: cls: Add Classification offload support") Signed-off-by:
-
Eric Dumazet authored
ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST Fixes: 3580d04a ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()") Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
kbuild test robot <lkp@intel.com> Signed-off-by:
-
Eric Dumazet authored
syzbot reported memory leaks [1] that I have back tracked to a missing cleanup from igmpv3_del_delrec() when (im->sfmode != MCAST_INCLUDE) Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely handle the cleanups before freeing. [1] BUG: memory leak unreferenced object 0xffff888123e32b00 (size 64): comm "softirq", pid 0, jiffies 4294942968 (age 8.010s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline] [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline] [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline] [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline] [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957 [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130 [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078 [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline] [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline] [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 9c8bb163 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()") Signed-off-by:syzbot <syzkaller@googlegroups.com> Signed-off-by:
-
David S. Miller authored
Michael Chan says: =================== bnxt_en: Bug fixes. There are 4 driver fixes in this series: 1. Fix RX buffer leak during OOM condition. 2. Call pci_disable_msix() under correct conditions to prevent hitting BUG. 3. Reduce unneeded mmeory allocation in kdump kernel to prevent OOM. 4. Don't read device serial number on VFs because it is not supported. Please queue #1, #2, #3 for -stable as well. Thanks. =================== Signed-off-by: -
Vasundhara Volam authored
Don't read DSN on VFs that do not have the PCI capability. Fixes: 03213a99 ("bnxt: move bp->switch_id initialization to PF probe") Signed-off-by:
Vasundhara Volam <vasundhara-v.volam@broadcom.com> Signed-off-by:
Michael Chan <michael.chan@broadcom.com> Signed-off-by:
-
Michael Chan authored
Skip RDMA context memory allocations, reduce to 1 ring, and disable TPA when running in the kdump kernel. Without this patch, the driver fails to initialize with memory allocation errors when running in a typical kdump kernel. Fixes: cf6daed0 ("bnxt_en: Increase context memory allocations on 57500 chips for RDMA.") Signed-off-by:
-
Michael Chan authored
When making configuration changes, the driver calls bnxt_close_nic() and then bnxt_open_nic() for the changes to take effect. A parameter irq_re_init is passed to the call sequence to indicate if IRQ should be re-initialized. This irq_re_init parameter needs to be included in the bnxt_reserve_rings() call. bnxt_reserve_rings() can only call pci_disable_msix() if the irq_re_init parameter is true, otherwise it may hit BUG() because some IRQs may not have been freed yet. Fixes: 41e8d798 ("bnxt_en: Modify the ring reservation functions for 57500 series chips.") Signed-off-by:
-
Michael Chan authored
For every RX packet, the driver replenishes all buffers used for that packet and puts them back into the RX ring and RX aggregation ring. In one code path where the RX packet has one RX buffer and one or more aggregation buffers, we missed recycling the aggregation buffer(s) if we are unable to allocate a new SKB buffer. This leads to the aggregation ring slowly running out of buffers over time. Fix it by properly recycling the aggregation buffers. Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.") Reported-by:
Rakesh Hemnani <rhemnani@fb.com> Signed-off-by:
-
David Ahern authored
IPv6 redirect is broken for VRF. __ip6_route_redirect walks the FIB entries looking for an exact match on ifindex. With VRF the flowi6_oif is updated by l3mdev_update_flow to the l3mdev index and the FLOWI_FLAG_SKIP_NH_OIF set in the flags to tell the lookup to skip the device match. For redirects the device match is requires so use that flag to know when the oif needs to be reset to the skb device index. Fixes: ca254490 ("net: Add VRF support to IPv6 stack") Signed-off-by:
David Ahern <dsahern@gmail.com> Signed-off-by:
-
Jisheng Zhang authored
Commit 984203ce ("net: stmmac: mdio: remove reset gpio free") removed the reset gpio free, when the driver is unbinded or rmmod, we miss the gpio free. This patch uses managed API to request the reset gpio, so that the gpio could be freed properly. Fixes: 984203ce ("net: stmmac: mdio: remove reset gpio free") Signed-off-by:
Jisheng Zhang <Jisheng.Zhang@synaptics.com> Signed-off-by:
-
Dan Carpenter authored
The user can change the device_name with the IMSETDEVNAME ioctl, but we need to ensure that the user's name is NUL terminated. Otherwise it could result in a buffer overflow when we copy the name back to the user with IMGETDEVINFO ioctl. I also changed two strcpy() calls which handle the name to strscpy(). Hopefully, there aren't any other ways to create a too long name, but it's nice to do this as a kernel hardening measure. Signed-off-by:
-
Claudiu Beznea authored
SAMA5D2 SoC has a suspend mode where SoC's power is cut off. Due to this the registers content is lost after a suspend/resume cycle. The current suspend/resume implementation covers some of these registers. However there are few which were not treated (e.g. SCRT2 and USRIO). Apart from this, netdev features are not restored. Treat these issues. Signed-off-by:
Claudiu Beznea <claudiu.beznea@microchip.com> Signed-off-by:
-
- 22 May, 2019 3 commits
-
-
David S. Miller authored
Jakub Kicinski says: ==================== net/tls: fix device surprise removal with offload This series fixes two issues with device surprise removal. First we need to take a read lock around resync, otherwise netdev notifier handler may clear the structures from under our feet. Secondly we need to be careful about the interpretation of device features. Offload has to be properly cleaned up even if the TLS device features got cleared after connection state was installed. ==================== Signed-off-by: -
Jakub Kicinski authored
On device surprise removal path (the notifier) we can't bail just because the features are disabled. They may have been enabled during the lifetime of the device. This bug leads to leaking netdev references and use-after-frees if there are active connections while device features are cleared. Fixes: e8f69799 ("net/tls: Add generic NIC offload infrastructure") Signed-off-by:
-
Jakub Kicinski authored
TLS offload drivers shouldn't (and currently don't) block the TLS offload feature changes based on whether there are active offloaded connections or not. This seems to be a good idea, because we want the admin to be able to disable the TLS offload at any time, and there is no clean way of disabling it for active connections (TX side is quite problematic). So if features are cleared existing connections will stay offloaded until they close, and new connections will not attempt offload to a given device. However, the offload state removal handling is currently broken if feature flags get cleared while there are active TLS offloads. RX side will completely bail from cleanup, even on normal remove path, leaving device state dangling, potentially causing issues when the 5-tuple is reused. It will also fail to release the netdev reference. Remove the RX-side warning message, in next release cycle it should be printed when features are disabled, rather than when connection dies, but for that we need a more efficient method of finding connection of a given netdev (a'la BPF offload code). Fixes: 4799ac81 ("tls: Add rx inline crypto offload") Signed-off-by:
-
