1. 11 Dec, 2019 12 commits
    • Tuong Lien's avatar
      tipc: fix use-after-free in tipc_disc_rcv() · 31e4ccc9
      Tuong Lien authored
      In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called
      to read the header data field but after the message skb has been freed,
      that might result in a garbage value...
      
      This commit fixes it by defining a new local variable to store the data
      first, just like the other header fields' handling.
      
      Fixes: f73b1281 ("tipc: improve throughput between nodes in netns")
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31e4ccc9
    • Tuong Lien's avatar
      tipc: fix retrans failure due to wrong destination · abc9b4e0
      Tuong Lien authored
      When a user message is sent, TIPC will check if the socket has faced a
      congestion at link layer. If that happens, it will make a sleep to wait
      for the congestion to disappear. This leaves a gap for other users to
      take over the socket (e.g. multi threads) since the socket is released
      as well. Also, in case of connectionless (e.g. SOCK_RDM), user is free
      to send messages to various destinations (e.g. via 'sendto()'), then
      the socket's preformatted header has to be updated correspondingly
      prior to the actual payload message building.
      
      Unfortunately, the latter action is done before the first action which
      causes a condition issue that the destination of a certain message can
      be modified incorrectly in the middle, leading to wrong destination
      when that message is built. Consequently, when the message is sent to
      the link layer, it gets stuck there forever because the peer node will
      simply reject it. After a number of retransmission attempts, the link
      is eventually taken down and the retransmission failure is reported.
      
      This commit fixes the problem by rearranging the order of actions to
      prevent the race condition from occurring, so the message building is
      'atomic' and its header will not be modified by anyone.
      
      Fixes: 365ad353 ("tipc: reduce risk of user starvation during link congestion")
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      abc9b4e0
    • Tuong Lien's avatar
      tipc: fix potential hanging after b/rcast changing · dca4a17d
      Tuong Lien authored
      In commit c55c8eda ("tipc: smooth change between replicast and
      broadcast"), we allow instant switching between replicast and broadcast
      by sending a dummy 'SYN' packet on the last used link to synchronize
      packets on the links. The 'SYN' message is an object of link congestion
      also, so if that happens, a 'SOCK_WAKEUP' will be scheduled to be sent
      back to the socket...
      However, in that commit, we simply use the same socket 'cong_link_cnt'
      counter for both the 'SYN' & normal payload message sending. Therefore,
      if both the replicast & broadcast links are congested, the counter will
      be not updated correctly but overwritten by the latter congestion.
      Later on, when the 'SOCK_WAKEUP' messages are processed, the counter is
      reduced one by one and eventually overflowed. Consequently, further
      activities on the socket will only wait for the false congestion signal
      to disappear but never been met.
      
      Because sending the 'SYN' message is vital for the mechanism, it should
      be done anyway. This commit fixes the issue by marking the message with
      an error code e.g. 'TIPC_ERR_NO_PORT', so its sending should not face a
      link congestion, there is no need to touch the socket 'cong_link_cnt'
      either. In addition, in the event of any error (e.g. -ENOBUFS), we will
      purge the entire payload message queue and make a return immediately.
      
      Fixes: c55c8eda ("tipc: smooth change between replicast and broadcast")
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dca4a17d
    • Tuong Lien's avatar
      tipc: fix name table rbtree issues · d5162f34
      Tuong Lien authored
      The current rbtree for service ranges in the name table is built based
      on the 'lower' & 'upper' range values resulting in a flaw in the rbtree
      searching. Some issues have been observed in case of range overlapping:
      
      Case #1: unable to withdraw a name entry:
      After some name services are bound, all of them are withdrawn by user
      but one remains in the name table forever. This corrupts the table and
      that service becomes dummy i.e. no real port.
      E.g.
      
                      /
                 {22, 22}
                    /
                   /
         --->  {10, 50}
                 /  \
                /    \
          {10, 30}  {20, 60}
      
      The node {10, 30} cannot be removed since the rbtree searching stops at
      the node's ancestor i.e. {10, 50}, so starting from it will never reach
      the finding node.
      
      Case #2: failed to send data in some cases:
      E.g. Two service ranges: {20, 60}, {10, 50} are bound. The rbtree for
      this service will be one of the two cases below depending on the order
      of the bindings:
      
              {20, 60}             {10, 50} <--
                /  \                 /  \
               /    \               /    \
          {10, 50}  NIL <--       NIL  {20, 60}
      
                (a)                    (b)
      
      Now, try to send some data to service {30}, there will be two results:
      (a): Failed, no route to host.
      (b): Ok.
      
      The reason is that the rbtree searching will stop at the pointing node
      as shown above.
      
      Case #3: Same as case #2b above but if the data sending's scope is
      local and the {10, 50} is published by a peer node, then it will result
      in 'no route to host' even though the other {20, 60} is for example on
      the local node which should be able to get the data.
      
      The issues are actually due to the way we built the rbtree. This commit
      fixes it by introducing an additional field to each node - named 'max',
      which is the largest 'upper' of that node subtree. The 'max' value for
      each subtrees will be propagated correctly whenever a node is inserted/
      removed or the tree is rebalanced by the augmented rbtree callbacks.
      
      By this way, we can change the rbtree searching appoarch to solve the
      issues above. Another benefit from this is that we can now improve the
      searching for a next range matching e.g. in case of multicast, so get
      rid of the unneeded looping over all nodes in the tree.
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d5162f34
    • David S. Miller's avatar
      Merge branch 'bnxt_en-Error-recovery-fixes' · ac397934
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: Error recovery fixes.
      
      This patch series contains fixes mostly for the error recovery feature
      and related areas.  Please queue the series for -stable also.  Thanks.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac397934
    • Vasundhara Volam's avatar
      bnxt_en: Add missing devlink health reporters for VFs. · 7e334fc8
      Vasundhara Volam authored
      The VF driver also needs to create the health reporters since
      VFs are also involved in firmware reset and recovery.  Modify
      bnxt_dl_register() and bnxt_dl_unregister() so that they can
      be called by the VFs to register/unregister devlink.  Only the PF
      will register the devlink parameters.  With devlink registered,
      we can now create the health reporters on the VFs.
      
      Fixes: 6763c779 ("bnxt_en: Add new FW devlink_health_reporter")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7e334fc8
    • Vasundhara Volam's avatar
      bnxt_en: Fix the logic that creates the health reporters. · 937f188c
      Vasundhara Volam authored
      Fix the logic to properly check the fw capabilities and create the
      devlink health reporters only when needed.  The current code creates
      the reporters unconditionally as long as bp->fw_health is valid, and
      that's not correct.
      
      Call bnxt_dl_fw_reporters_create() directly from the init and reset
      code path instead of from bnxt_dl_register().  This allows the
      reporters to be adjusted when capabilities change.  The same
      applies to bnxt_dl_fw_reporters_destroy().
      
      Fixes: 6763c779 ("bnxt_en: Add new FW devlink_health_reporter")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      937f188c
    • Vasundhara Volam's avatar
      bnxt_en: Remove unnecessary NULL checks for fw_health · 0797c10d
      Vasundhara Volam authored
      After fixing the allocation of bp->fw_health in the previous patch,
      the driver will not go through the fw reset and recovery code paths
      if bp->fw_health allocation fails.  So we can now remove the
      unnecessary NULL checks.
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0797c10d
    • Vasundhara Volam's avatar
      bnxt_en: Fix bp->fw_health allocation and free logic. · 8280b38e
      Vasundhara Volam authored
      bp->fw_health needs to be allocated for either the firmware initiated
      reset feature or the driver initiated error recovery feature.  The
      current code is not allocating bp->fw_health for all the necessary cases.
      This patch corrects the logic to allocate bp->fw_health correctly when
      needed.  If allocation fails, we clear the feature flags.
      
      We also add the the missing kfree(bp->fw_health) when the driver is
      unloaded.  If we get an async reset message from the firmware, we also
      need to make sure that we have a valid bp->fw_health before proceeding.
      
      Fixes: 07f83d72 ("bnxt_en: Discover firmware error recovery capabilities.")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8280b38e
    • Vasundhara Volam's avatar
      bnxt_en: Return error if FW returns more data than dump length · c74751f4
      Vasundhara Volam authored
      If any change happened in the configuration of VF in VM while
      collecting live dump, there could be a race and firmware can return
      more data than allocated dump length. Fix it by keeping track of
      the accumulated core dump length copied so far and abort the copy
      with error code if the next chunk of core dump will exceed the
      original dump length.
      
      Fixes: 6c5657d0 ("bnxt_en: Add support for ethtool get dump.")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c74751f4
    • Michael Chan's avatar
      bnxt_en: Free context memory in the open path if firmware has been reset. · 325f85f3
      Michael Chan authored
      This will trigger new context memory to be rediscovered and allocated
      during the re-probe process after a firmware reset.  Without this, the
      newly reset firmware does not have valid context memory and the driver
      will eventually fail to allocate some resources.
      
      Fixes: ec5d31e3 ("bnxt_en: Handle firmware reset status during IF_UP.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      325f85f3
    • Michael Chan's avatar
      bnxt_en: Fix MSIX request logic for RDMA driver. · 0c722ec0
      Michael Chan authored
      The logic needs to check both bp->total_irqs and the reserved IRQs in
      hw_resc->resv_irqs if applicable and see if both are enough to cover
      the L2 and RDMA requested vectors.  The current code is only checking
      bp->total_irqs and can fail in some code paths, such as the TX timeout
      code path with the RDMA driver requesting vectors after recovery.  In
      this code path, we have not reserved enough MSIX resources for the
      RDMA driver yet.
      
      Fixes: 75720e63 ("bnxt_en: Keep track of reserved IRQs.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c722ec0
  2. 10 Dec, 2019 1 commit
  3. 09 Dec, 2019 20 commits
    • Davide Caratti's avatar
      tc-testing: unbreak full listing of tdc testcases · 991a3459
      Davide Caratti authored
      the following command currently fails:
      
       [root@fedora tc-testing]# ./tdc.py -l
       The following test case IDs are not unique:
       {'6f5e'}
       Please correct them before continuing.
      
      this happens because there are two tests having the same id:
      
       [root@fedora tc-testing]# grep -r 6f5e tc-tests/*
       tc-tests/actions/pedit.json:        "id": "6f5e",
       tc-tests/filters/basic.json:        "id": "6f5e",
      
      fix it replacing the latest duplicate id with a brand new one:
      
       [root@fedora tc-testing]# sed -i 's/6f5e//1' tc-tests/filters/basic.json
       [root@fedora tc-testing]# ./tdc.py -i
      
      Fixes: 4717b053 ("tc-testing: Introduced tdc tests for basic filter")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      991a3459
    • Chuhong Yuan's avatar
      fjes: fix missed check in fjes_acpi_add · a288f105
      Chuhong Yuan authored
      fjes_acpi_add() misses a check for platform_device_register_simple().
      Add a check to fix it.
      
      Fixes: 658d439b ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
      Signed-off-by: default avatarChuhong Yuan <hslester96@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a288f105
    • Mao Wenan's avatar
      af_packet: set defaule value for tmo · b43d1f9f
      Mao Wenan authored
      There is softlockup when using TPACKET_V3:
      ...
      NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
      (__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
      (_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c)
      (mod_timer) from [<c0549c30>]
      (prb_retire_rx_blk_timer_expired+0x68/0x11c)
      (prb_retire_rx_blk_timer_expired) from [<c027a7ac>]
      (call_timer_fn+0x90/0x17c)
      (call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc)
      (run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318)
      (__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
      (irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
      (msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4)
      (handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118)
      (gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c)
      ...
      
      If __ethtool_get_link_ksettings() is failed in
      prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
      is zero and the timer expire for retire_blk_timer is turn to
      mod_timer(&pkc->retire_blk_timer, jiffies + 0),
      which will trigger cpu usage of softirq is 100%.
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Tested-by: default avatarXiao Jiangfeng <xiaojiangfeng@huawei.com>
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b43d1f9f
    • Grygorii Strashko's avatar
      net: ethernet: ti: davinci_cpdma: fix warning "device driver frees DMA memory with different size" · 8a2b2220
      Grygorii Strashko authored
      The TI CPSW(s) driver produces warning with DMA API debug options enabled:
      
      WARNING: CPU: 0 PID: 1033 at kernel/dma/debug.c:1025 check_unmap+0x4a8/0x968
      DMA-API: cpsw 48484000.ethernet: device driver frees DMA memory with different size
       [device address=0x00000000abc6aa02] [map size=64 bytes] [unmap size=42 bytes]
      CPU: 0 PID: 1033 Comm: ping Not tainted 5.3.0-dirty #41
      Hardware name: Generic DRA72X (Flattened Device Tree)
      [<c0112c60>] (unwind_backtrace) from [<c010d270>] (show_stack+0x10/0x14)
      [<c010d270>] (show_stack) from [<c09bc564>] (dump_stack+0xd8/0x110)
      [<c09bc564>] (dump_stack) from [<c013b93c>] (__warn+0xe0/0x10c)
      [<c013b93c>] (__warn) from [<c013b9ac>] (warn_slowpath_fmt+0x44/0x6c)
      [<c013b9ac>] (warn_slowpath_fmt) from [<c01e0368>] (check_unmap+0x4a8/0x968)
      [<c01e0368>] (check_unmap) from [<c01e08a8>] (debug_dma_unmap_page+0x80/0x90)
      [<c01e08a8>] (debug_dma_unmap_page) from [<c0752414>] (__cpdma_chan_free+0x114/0x16c)
      [<c0752414>] (__cpdma_chan_free) from [<c07525c4>] (__cpdma_chan_process+0x158/0x17c)
      [<c07525c4>] (__cpdma_chan_process) from [<c0753690>] (cpdma_chan_process+0x3c/0x5c)
      [<c0753690>] (cpdma_chan_process) from [<c0758660>] (cpsw_tx_mq_poll+0x48/0x94)
      [<c0758660>] (cpsw_tx_mq_poll) from [<c0803018>] (net_rx_action+0x108/0x4e4)
      [<c0803018>] (net_rx_action) from [<c010230c>] (__do_softirq+0xec/0x598)
      [<c010230c>] (__do_softirq) from [<c0143914>] (do_softirq.part.4+0x68/0x74)
      [<c0143914>] (do_softirq.part.4) from [<c0143a44>] (__local_bh_enable_ip+0x124/0x17c)
      [<c0143a44>] (__local_bh_enable_ip) from [<c0871590>] (ip_finish_output2+0x294/0xb7c)
      [<c0871590>] (ip_finish_output2) from [<c0875440>] (ip_output+0x210/0x364)
      [<c0875440>] (ip_output) from [<c0875e2c>] (ip_send_skb+0x1c/0xf8)
      [<c0875e2c>] (ip_send_skb) from [<c08a7fd4>] (raw_sendmsg+0x9a8/0xc74)
      [<c08a7fd4>] (raw_sendmsg) from [<c07d6b90>] (sock_sendmsg+0x14/0x24)
      [<c07d6b90>] (sock_sendmsg) from [<c07d8260>] (__sys_sendto+0xbc/0x100)
      [<c07d8260>] (__sys_sendto) from [<c01011ac>] (__sys_trace_return+0x0/0x14)
      Exception stack(0xea9a7fa8 to 0xea9a7ff0)
      ...
      
      The reason is that cpdma_chan_submit_si() now stores original buffer length
      (sw_len) in CPDMA descriptor instead of adjusted buffer length (hw_len)
      used to map the buffer.
      
      Hence, fix an issue by passing correct buffer length in CPDMA descriptor.
      
      Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Fixes: 6670acac ("net: ethernet: ti: davinci_cpdma: add dma mapped submit")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Reviewed-by: default avatarIvan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a2b2220
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 7da538c1
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Wait for rcu grace period after releasing netns in ctnetlink,
         from Florian Westphal.
      
      2) Incorrect command type in flowtable offload ndo invocation,
         from wenxu.
      
      3) Incorrect callback type in flowtable offload flow tuple
         updates, also from wenxu.
      
      4) Fix compile warning on flowtable offload infrastructure due to
         possible reference to uninitialized variable, from Nathan Chancellor.
      
      5) Do not inline nf_ct_resolve_clash(), this is called from slow
         path / stress situations. From Florian Westphal.
      
      6) Missing IPv6 flow selector description in flowtable offload.
      
      7) Missing check for NETDEV_UNREGISTER in nf_tables offload
         infrastructure, from wenxu.
      
      8) Update NAT selftest to use randomized netns names, from
         Florian Westphal.
      
      9) Restore nfqueue bridge support, from Marco Oliverio.
      
      10) Compilation warning in SCTP_CHUNKMAP_*() on xt_sctp header.
          From Phil Sutter.
      
      11) Fix bogus lookup/get match for non-anonymous rbtree sets.
      
      12) Missing netlink validation for NFT_SET_ELEM_INTERVAL_END
          elements.
      
      13) Missing netlink validation for NFT_DATA_VALUE after
          nft_data_init().
      
      14) If rule specifies no actions, offload infrastructure returns
          EOPNOTSUPP.
      
      15) Module refcount leak in object updates.
      
      16) Missing sanitization for ARP traffic from br_netfilter, from
          Eric Dumazet.
      
      17) Compilation breakage on big-endian due to incorrect memcpy()
          size in the flowtable offload infrastructure.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7da538c1
    • Pablo Neira Ayuso's avatar
      netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle() · 7acd9378
      Pablo Neira Ayuso authored
      In function 'memcpy',
           inlined from 'flow_offload_mangle' at net/netfilter/nf_flow_table_offload.c:112:2,
           inlined from 'flow_offload_port_dnat' at net/netfilter/nf_flow_table_offload.c:373:2,
           inlined from 'nf_flow_rule_route_ipv4' at net/netfilter/nf_flow_table_offload.c:424:3:
      ./include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
         376 |    __read_overflow2();
             |    ^~~~~~~~~~~~~~~~~~
      
      The original u8* was done in the hope to make this more adaptable but
      consensus is to keep this like it is in tc pedit.
      
      Fixes: c29f74e0 ("netfilter: nf_flow_table: hardware offload support")
      Reported-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7acd9378
    • Martin Schiller's avatar
      net/x25: add new state X25_STATE_5 · f8fc57e8
      Martin Schiller authored
      This is needed, because if the flag X25_ACCPT_APPRV_FLAG is not set on a
      socket (manual call confirmation) and the channel is cleared by remote
      before the manual call confirmation was sent, this situation needs to
      be handled.
      Signed-off-by: default avatarMartin Schiller <ms@dev.tdt.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8fc57e8
    • Ido Schimmel's avatar
      selftests: forwarding: Delete IPv6 address at the end · 65cb1398
      Ido Schimmel authored
      When creating the second host in h2_create(), two addresses are assigned
      to the interface, but only one is deleted. When running the test twice
      in a row the following error is observed:
      
      $ ./router_bridge_vlan.sh
      TEST: ping                                                          [ OK ]
      TEST: ping6                                                         [ OK ]
      TEST: vlan                                                          [ OK ]
      $ ./router_bridge_vlan.sh
      RTNETLINK answers: File exists
      TEST: ping                                                          [ OK ]
      TEST: ping6                                                         [ OK ]
      TEST: vlan                                                          [ OK ]
      
      Fix this by deleting the address during cleanup.
      
      Fixes: 5b1e7f9e ("selftests: forwarding: Test routed bridge interface")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65cb1398
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Remove unlikely user-triggerable warning · 62201c00
      Ido Schimmel authored
      In case the driver vetoes the addition of an IPv6 multipath route, the
      IPv6 stack will emit delete notifications for the sibling routes that
      were already added to the FIB trie. Since these siblings are not present
      in hardware, a warning will be generated.
      
      Have the driver ignore notifications for routes it does not have.
      
      Fixes: ebee3cad ("ipv6: Add IPv6 multipath notifications for add / replace")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62201c00
    • Xin Long's avatar
      sctp: fully initialize v4 addr in some functions · b6f3320b
      Xin Long authored
      Syzbot found a crash:
      
        BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
        BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
        BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
        Call Trace:
          crc32_body lib/crc32.c:112 [inline]
          crc32_le_generic lib/crc32.c:179 [inline]
          __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
          chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
          crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
          crc32c+0x150/0x220 lib/libcrc32c.c:47
          sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
          __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
          sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
          sctp_packet_pack net/sctp/output.c:528 [inline]
          sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
          sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
          sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
          sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
          sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
          sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
          sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
          sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
          sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
          sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
          sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
      
      The issue was caused by transport->ipaddr set with uninit addr param, which
      was passed by:
      
        sctp_transport_init net/sctp/transport.c:47 [inline]
        sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
        sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
        sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
      
      where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
      the padding of addr->v4.
      
      Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
      will become the part of skb, and the issue occurs.
      
      This patch is to fix it by initializing the padding of addr->v4 in
      sctp_v4_from_addr_param(), as well as other functions that do the similar
      thing, and these functions shouldn't trust that the caller initializes the
      memory, as Marcelo suggested.
      
      Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6f3320b
    • Eric Dumazet's avatar
      bonding: fix bond_neigh_init() · 9e99bfef
      Eric Dumazet authored
      1) syzbot reported an uninit-value in bond_neigh_setup() [1]
      
       bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms',
       but only clears parms.neigh_setup field.
      
       A stacked bonding device would then enter bond_neigh_setup()
       and read garbage from parms->dev.
      
       If we get really unlucky and garbage is matching @dev, then we
       could recurse and eventually crash.
      
       Let's make sure the whole structure is cleared to avoid surprises.
      
      2) bond_neigh_setup() can be called while another cpu manipulates
       the master device, removing or adding a slave.
       We need at least rcu protection to prevent use-after-free.
      
      Note: Prior code does not support a stack of bonding devices,
            this patch does not attempt to fix this, and leave a comment instead.
      
      [1]
      
      BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
      CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
       bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
       bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626
       ___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613
       __neigh_create+0xbd/0xd0 net/core/neighbour.c:674
       ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113
       __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
       ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
       dst_output include/net/dst.h:436 [inline]
       NF_HOOK include/linux/netfilter.h:305 [inline]
       mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682
       mld_send_cr net/ipv6/mcast.c:1978 [inline]
       mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477
       call_timer_fn+0x232/0x530 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers+0xd60/0x1270 kernel/time/timer.c:1773
       run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       invoke_softirq kernel/softirq.c:375 [inline]
       irq_exit+0x230/0x280 kernel/softirq.c:416
       exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536
       smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138
       apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835
       </IRQ>
      RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439
      Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f
      RSP: 0018:ffffb328034af818 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: 0000000000000000 RBX: ffffe2d7471f8360 RCX: 0000000000000000
      RDX: ffffffffadea7000 RSI: 0000000000000004 RDI: ffff93496fcda104
      RBP: ffffb328034af850 R08: ffff934a47e86d00 R09: ffff93496fc41900
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      R13: 0000000000000246 R14: 0000000000000000 R15: ffffe2d7472225c0
       free_pages_prepare mm/page_alloc.c:1138 [inline]
       free_pcp_prepare mm/page_alloc.c:1230 [inline]
       free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025
       free_unref_page mm/page_alloc.c:3074 [inline]
       free_the_page mm/page_alloc.c:4832 [inline]
       __free_pages+0x154/0x230 mm/page_alloc.c:4840
       __vunmap+0xdac/0xf20 mm/vmalloc.c:2277
       __vfree mm/vmalloc.c:2325 [inline]
       vfree+0x7c/0x170 mm/vmalloc.c:2355
       copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline]
       get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline]
       do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709
       nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
       nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122
       ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400
       tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688
       sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110
       __sys_getsockopt+0x533/0x7b0 net/socket.c:2129
       __do_sys_getsockopt net/socket.c:2144 [inline]
       __se_sys_getsockopt+0xe1/0x100 net/socket.c:2141
       __x64_sys_getsockopt+0x62/0x80 net/socket.c:2141
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45d20a
      Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00
      RSP: 002b:0000000000a6f618 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
      RAX: ffffffffffffffda RBX: 0000000000a6f640 RCX: 000000000045d20a
      RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
      RBP: 0000000000717cc0 R08: 0000000000a6f63c R09: 0000000000004000
      R10: 0000000000a6f740 R11: 0000000000000212 R12: 0000000000000003
      R13: 0000000000000000 R14: 0000000000000029 R15: 0000000000715b00
      
      Local variable description: ----parms@bond_neigh_init
      Variable was created at:
       bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
       bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
      
      Fixes: 9918d5bf ("bonding: modify only neigh_parms owned by us")
      Fixes: 234bcf8a ("net/bonding: correctly proxy slave neigh param setup ndo function")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e99bfef
    • Eric Dumazet's avatar
      neighbour: remove neigh_cleanup() method · f394722f
      Eric Dumazet authored
      neigh_cleanup() has not been used for seven years, and was a wrong design.
      
      Messing with shared pointer in bond_neigh_init() without proper
      memory barriers would at least trigger syzbot complains eventually.
      
      It is time to remove this stuff.
      
      Fixes: b63b70d8 ("IPoIB: Use a private hash table for path lookup in xmit path")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f394722f
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.5-20191208' of... · 43aad810
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.5-20191208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-12-08
      
      this is a pull request of 13 patches for net/master.
      
      The first two patches are by Dan Murphy. He adds himself as a maintainer to the
      m-can MMIO and tcan SPI driver.
      
      The next two patches the j1939 stack. The first one is by Oleksij Rempel and
      fixes a locking problem found by the syzbot, the second one is by me an fixes a
      mistake in the documentation.
      
      Srinivas Neeli fixes missing RX CAN packets on CANFD2.0 in the xilinx driver.
      
      Sean Nyekjaer fixes a possible deadlock in the the flexcan driver after
      suspend/resume. Joakim Zhang contributes two patches for the flexcan driver
      that fix problems with the low power enter/exit.
      
      The next 4 patches all target the tcan part of the m_can driver. Sean Nyekjaer
      adds the required delay after reset and fixes the device tree binding example.
      Dan Murphy's patches make the wake-gpio optional.
      
      In the last patch Xiaolong Huang fixes several kernel memory info leaks to the
      USB device in the kvaser_usb_leaf driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43aad810
    • Eric Dumazet's avatar
      netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() · 56042858
      Eric Dumazet authored
      syzbot is kind enough to remind us we need to call skb_may_pull()
      
      BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
      CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
       br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
       nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
       nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
       nf_hook include/linux/netfilter.h:260 [inline]
       NF_HOOK include/linux/netfilter.h:303 [inline]
       __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
       br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
       br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
       nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
       br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
       __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
       __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
       __netif_receive_skb net/core/dev.c:5043 [inline]
       process_backlog+0x610/0x13c0 net/core/dev.c:5874
       napi_poll net/core/dev.c:6311 [inline]
       net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
       </IRQ>
       do_softirq kernel/softirq.c:338 [inline]
       __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
       local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
       rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
       __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
       packet_snd net/packet/af_packet.c:2959 [inline]
       packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45a679
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
      RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
      RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
      R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
       kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
       kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
       slab_alloc_node mm/slub.c:2773 [inline]
       __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
       sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
       packet_alloc_skb net/packet/af_packet.c:2807 [inline]
       packet_snd net/packet/af_packet.c:2902 [inline]
       packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c4e70a87 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      56042858
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions · 81ec6107
      Pablo Neira Ayuso authored
      If the rule only specifies the matching side, return EOPNOTSUPP.
      Otherwise, the front-end relies on the drivers to reject this rule.
      
      Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      81ec6107
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: skip module reference count bump on object updates · fd57d0cb
      Pablo Neira Ayuso authored
      Use __nft_obj_type_get() instead, otherwise there is a module reference
      counter leak.
      
      Fixes: d62d0ba9 ("netfilter: nf_tables: Introduce stateful object update operation")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      fd57d0cb
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() · 0d2c96af
      Pablo Neira Ayuso authored
      Userspace might bogusly sent NFT_DATA_VERDICT in several netlink
      attributes that assume NFT_DATA_VALUE. Moreover, make sure that error
      path invokes nft_data_release() to decrement the reference count on the
      chain object.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Fixes: 0f3cd9b3 ("netfilter: nf_tables: add range expression")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0d2c96af
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END · bffc124b
      Pablo Neira Ayuso authored
      Only NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_FLAGS make sense for elements
      whose NFT_SET_ELEM_INTERVAL_END flag is set on.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      bffc124b
    • Pablo Neira Ayuso's avatar
      netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets · db3b665d
      Pablo Neira Ayuso authored
      The existing rbtree implementation might store consecutive elements
      where the closing element and the opening element might overlap, eg.
      
      	[ a, a+1) [ a+1, a+2)
      
      This patch removes the optimization for non-anonymous sets in the exact
      matching case, where it is assumed to stop searching in case that the
      closing element is found. Instead, invalidate candidate interval and
      keep looking further in the tree.
      
      The lookup/get operation might return false, while there is an element
      in the rbtree. Moreover, the get operation returns true as if a+2 would
      be in the tree. This happens with named sets after several set updates.
      
      The existing lookup optimization (that only works for the anonymous
      sets) might not reach the opening [ a+1,... element if the closing
      ...,a+1) is found in first place when walking over the rbtree. Hence,
      walking the full tree in that case is needed.
      
      This patch fixes the lookup and get operations.
      
      Fixes: e701001e ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
      Fixes: ba0e4d99 ("netfilter: nf_tables: get set elements via netlink")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      db3b665d
    • Phil Sutter's avatar
      netfilter: uapi: Avoid undefined left-shift in xt_sctp.h · 16416655
      Phil Sutter authored
      With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is
      undefined for the signed 32-bit value 1. Avoid this by declaring 1 as
      unsigned.
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      16416655
  4. 08 Dec, 2019 7 commits
    • Linus Torvalds's avatar
      Linux 5.5-rc1 · e42617b8
      Linus Torvalds authored
      e42617b8
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 95e6ba51
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) More jumbo frame fixes in r8169, from Heiner Kallweit.
      
       2) Fix bpf build in minimal configuration, from Alexei Starovoitov.
      
       3) Use after free in slcan driver, from Jouni Hogander.
      
       4) Flower classifier port ranges don't work properly in the HW offload
          case, from Yoshiki Komachi.
      
       5) Use after free in hns3_nic_maybe_stop_tx(), from Yunsheng Lin.
      
       6) Out of bounds access in mqprio_dump(), from Vladyslav Tarasiuk.
      
       7) Fix flow dissection in dsa TX path, from Alexander Lobakin.
      
       8) Stale syncookie timestampe fixes from Guillaume Nault.
      
      [ Did an evil merge to silence a warning introduced by this pull - Linus ]
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        r8169: fix rtl_hw_jumbo_disable for RTL8168evl
        net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
        r8169: add missing RX enabling for WoL on RTL8125
        vhost/vsock: accept only packets with the right dst_cid
        net: phy: dp83867: fix hfs boot in rgmii mode
        net: ethernet: ti: cpsw: fix extra rx interrupt
        inet: protect against too small mtu values.
        gre: refetch erspan header from skb->data after pskb_may_pull()
        pppoe: remove redundant BUG_ON() check in pppoe_pernet
        tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
        tcp: tighten acceptance of ACKs not matching a child socket
        tcp: fix rejected syncookies due to stale timestamps
        lpc_eth: kernel BUG on remove
        tcp: md5: fix potential overestimation of TCP option space
        net: sched: allow indirect blocks to bind to clsact in TC
        net: core: rename indirect block ingress cb function
        net-sysfs: Call dev_hold always in netdev_queue_add_kobject
        net: dsa: fix flow dissection on Tx path
        net/tls: Fix return values to avoid ENOTSUPP
        net: avoid an indirect call in ____sys_recvmsg()
        ...
      95e6ba51
    • Linus Torvalds's avatar
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 138f371d
      Linus Torvalds authored
      Pull more SCSI updates from James Bottomley:
       "Eleven patches, all in drivers (no core changes) that are either minor
        cleanups or small fixes.
      
        They were late arriving, but still safe for -rc1"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: MAINTAINERS: Add the linux-scsi mailing list to the ISCSI entry
        scsi: megaraid_sas: Make poll_aen_lock static
        scsi: sd_zbc: Improve report zones error printout
        scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
        scsi: qla2xxx: unregister ports after GPN_FT failure
        scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
        scsi: pm80xx: Remove unused include of linux/version.h
        scsi: pm80xx: fix logic to break out of loop when register value is 2 or 3
        scsi: scsi_transport_sas: Fix memory leak when removing devices
        scsi: lpfc: size cpu map by last cpu id set
        scsi: ibmvscsi_tgt: Remove unneeded variable rc
      138f371d
    • Linus Torvalds's avatar
      Merge tag '5.5-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · a78f7cdd
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Nine cifs/smb3 fixes:
      
         - one fix for stable (oops during oplock break)
      
         - two timestamp fixes including important one for updating mtime at
           close to avoid stale metadata caching issue on dirty files (also
           improves perf by using SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB over the
           wire)
      
         - two fixes for "modefromsid" mount option for file create (now
           allows mode bits to be set more atomically and accurately on create
           by adding "sd_context" on create when modefromsid specified on
           mount)
      
         - two fixes for multichannel found in testing this week against
           different servers
      
         - two small cleanup patches"
      
      * tag '5.5-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: improve check for when we send the security descriptor context on create
        smb3: fix mode passed in on create for modetosid mount option
        cifs: fix possible uninitialized access and race on iface_list
        cifs: Fix lookup of SMB connections on multichannel
        smb3: query attributes on file close
        smb3: remove unused flag passed into close functions
        cifs: remove redundant assignment to pointer pneg_ctxt
        fs: cifs: Fix atime update check vs mtime
        CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
      a78f7cdd
    • Linus Torvalds's avatar
      Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 5bf9a06a
      Linus Torvalds authored
      Pull misc vfs cleanups from Al Viro:
       "No common topic, just three cleanups".
      
      * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        make __d_alloc() static
        fs/namespace: add __user to open_tree and move_mount syscalls
        fs/fnctl: fix missing __user in fcntl_rw_hint()
      5bf9a06a
    • Xiaolong Huang's avatar
      can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices · da2311a6
      Xiaolong Huang authored
      Uninitialized Kernel memory can leak to USB devices.
      
      Fix this by using kzalloc() instead of kmalloc().
      Signed-off-by: default avatarXiaolong Huang <butterflyhuangxx@gmail.com>
      Fixes: 7259124e ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
      Cc: linux-stable <stable@vger.kernel.org> # >= v4.19
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      da2311a6
    • Dan Murphy's avatar
      can: tcan45x: Make wake-up GPIO an optional GPIO · 2de49735
      Dan Murphy authored
      The device has the ability to disable the wake-up pin option. The
      wake-up pin can be either force to GND or Vsup and does not have to be
      tied to a GPIO. In order for the device to not use the wake-up feature
      write the register to disable the WAKE_CONFIG option.
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Cc: Sean Nyekjaer <sean@geanix.com>
      Reviewed-by: default avatarSean Nyekjaer <sean@geanix.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      2de49735