- 08 Jun, 2020 1 commit
-
-
Martin Blumenstingl authored
While trying to use the lantiq_gswip driver on one of my boards I made a mistake when specifying the phy-mode (because the out-of-tree driver wants phy-mode "gmii" or "mii" for the internal PHYs). In this case the following error is printed multiple times: Unsupported interface: 3 While it gives at least a hint at what may be wrong it is not very user friendly. Print the human readable phy-mode and also which port is configured incorrectly (this hardware supports ports 0..6) to improve the cases where someone made a mistake. Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") Signed-off-by:
Martin Blumenstingl <martin.blumenstingl@googlemail.com> Acked-by:
Hauke Mehrtens <hauke@hauke-m.de> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 07 Jun, 2020 1 commit
-
-
Vadim Pasternak authored
The driver registers three different types of thermal zones: For the ASIC itself, for port modules and for gearboxes. Currently, all three types use the same get_trend() callback which does not work correctly for the ASIC thermal zone. The callback assumes that the device data is of type 'struct mlxsw_thermal_module', whereas for the ASIC thermal zone 'struct mlxsw_thermal' is passed as device data. Fix this by using one get_trend() callback for the ASIC thermal zone and another for the other two types. Fixes: 6f73862f ("mlxsw: core: Add the hottest thermal zone detection") Signed-off-by:
Vadim Pasternak <vadimp@mellanox.com> Reviewed-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
Ido Schimmel <idosch@mellanox.com> Signed-off-by:
-
- 06 Jun, 2020 2 commits
-
-
Dan Murphy authored
When the PHY's strap register is read to determine if lane swapping is needed the phy_read_mmd returns the value back into the ret variable. If the call to read the strap fails the failed value is returned. If the call to read the strap is successful then ret is possibly set to a non-zero positive number. Without reseting the ret value to 0 this will cause the parse DT function to return a failure. Fixes: c4566aec ("net: phy: dp83869: Update port-mirroring to read straps") Signed-off-by:
Dan Murphy <dmurphy@ti.com> Reviewed-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
Herbert Xu authored
This patch replaces some unnecessary uses of rcu_dereference_raw in the rhashtable code with rcu_dereference_protected. The top-level nested table entry is only marked as RCU because it shares the same type as the tree entries underneath it. So it doesn't need any RCU protection. We also don't need RCU protection when we're freeing a nested RCU table because by this stage we've long passed a memory barrier when anyone could change the nested table. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
- 05 Jun, 2020 12 commits
-
-
Denis Efremov authored
Use kfree(buf) in blocked_fl_read() because the memory is allocated with kzalloc(). Use kfree(t) in blocked_fl_write() because the memory is allocated with kcalloc(). Signed-off-by:
Denis Efremov <efremov@linux.com> Signed-off-by:
-
Alok Prasad authored
This fixes a crash introduced by recent is_kdump_kernel() check. The source of the crash is that kdump kernel can be loaded on a system with already created VFs. But for such VFs, it will follow a logic path of PF and eventually crash. Thus, we are partially reverting back previous changes and instead use is_kdump_kernel is a single init point of PF init, where we disable SRIOV explicitly. Fixes: 37d4f8a6 ("net: qed: Disable SRIOV functionality inside kdump kernel") Cc: Bhupesh Sharma <bhsharma@redhat.com> Signed-off-by:
Igor Russkikh <irusskikh@marvell.com> Signed-off-by:
Alok Prasad <palok@marvell.com> Signed-off-by:
-
Stefano Garzarella authored
Fix the following gcc-9.3 warning when building with 'make W=1': net/vmw_vsock/vmci_transport.c:2058:6: warning: no previous prototype for ‘vmci_vsock_transport_cb’ [-Wmissing-prototypes] 2058 | void vmci_vsock_transport_cb(bool is_host) | ^~~~~~~~~~~~~~~~~~~~~~~ Fixes: b1bba80a ("vsock/vmci: register vmci_transport only when VMCI guest/host are active") Reported-by:kernel test robot <lkp@intel.com> Signed-off-by:
Stefano Garzarella <sgarzare@redhat.com> Signed-off-by:
-
Kees Cook authored
This has no code changes, but it's a typo noticed in other clean-ups, so we might as well fix it. IS_ENABLED() takes full names, and should have the "CONFIG_" prefix. Reported-by:
Joe Perches <joe@perches.com> Link: https://lore.kernel.org/lkml/b08611018fdb6d88757c6008a5c02fa0e07b32fb.camel@perches.comSigned-off-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
-
Antoine Tenart authored
When converting the MSCC PHY driver to shared PHY packages, the Serdes configuration in vsc8584_config_init was modified to use 'base_addr' instead of 'base' as the port number. But 'base_addr' isn't equal to 'addr' for all PHYs inside the package, which leads to the Serdes still being enabled on those ports. This patch fixes it. Fixes: deb04e9c ("net: phy: mscc: use phy_package_shared") Signed-off-by:
Antoine Tenart <antoine.tenart@bootlin.com> Reviewed-by:
-
David S. Miller authored
Dan Murphy says: ==================== Fixes for OF_MDIO flag There are some residual drivers that check the CONFIG_OF_MDIO flag using the if defs. Using this check does not work when the OF_MDIO is configured as a module. Using the IS_ENABLED macro checks if the flag is declared as built-in or as a module. ==================== Signed-off-by: -
Dan Murphy authored
When CONFIG_OF_MDIO is set to be a module the code block is not compiled. Use the IS_ENABLED macro that checks for both built in as well as module. Fixes: 4f58e6dc ("net: phy: Cleanup the Edge-Rate feature in Microsemi PHYs.") Signed-off-by:
-
Dan Murphy authored
When CONFIG_OF_MDIO is set to be a module the code block is not compiled. Use the IS_ENABLED macro that checks for both built in as well as module. Fixes: cf41a51d ("of/phylib: Use device tree properties to initialize Marvell PHYs.") Signed-off-by:
-
Dan Murphy authored
When CONFIG_OF_MDIO is set to be a module the code block is not compiled. Use the IS_ENABLED macro that checks for both built in as well as module. Fixes: 2a10154a ("net: phy: dp83867: Add TI dp83867 phy") Signed-off-by:
-
Dan Murphy authored
When CONFIG_OF_MDIO is set to be a module the code block is not compiled. Use the IS_ENABLED macro that checks for both built in as well as module. Fixes: 01db923e ("net: phy: dp83869: Add TI dp83869 phy") Signed-off-by:
-
Alexander Lobakin authored
Commit ca23cb0b ("mvneta: MVNETA_SKB_HEADROOM set last 3 bits to zero") added headroom alignment check against 8. Hovewer (if we imagine that NET_SKB_PAD or XDP_PACKET_HEADROOM is not aligned to cacheline size), it actually aligns headroom down, while skb/xdp_buff headroom should be *at least* equal to one of the values (depending on XDP prog presence). So, fix the check to align the value up. This satisfies both hardware/driver and network stack requirements. Fixes: ca23cb0b ("mvneta: MVNETA_SKB_HEADROOM set last 3 bits to zero") Signed-off-by:
Alexander Lobakin <bloodyreaper@yandex.ru> Signed-off-by:
-
Dan Carpenter authored
This code generates a Smatch warning: net/ethtool/linkinfo.c:143 ethnl_set_linkinfo() warn: variable dereferenced before check 'info' (see line 119) Fortunately, the "info" pointer is never NULL so the check can be removed. Signed-off-by:Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by:
Michal Kubecek <mkubecek@suse.cz> Signed-off-by:
-
- 04 Jun, 2020 21 commits
-
-
Pavel Machek authored
64bit division is kind of expensive, and shift should do the job here. Signed-off-by:
Pavel Machek (CIP) <pavel@denx.de> Signed-off-by:
-
Vinay Kumar Yadav authored
Fix compile errors,warnings when CONFIG_IPV6 is disabled and inconsistent indenting. v1->v2: - Corrected errors/warnings reported when used newer gcc version, unused array. Fixes: 6abde0b2 ("crypto/chtls: IPv6 support for inline TLS") Signed-off-by:
Vinay Kumar Yadav <vinay.yadav@chelsio.com> Signed-off-by:
-
Paolo Abeni authored
Clearing the 'inet_num' field is necessary and safe if and only if the socket is not bound. The MPTCP protocol calls the destroy helper on bound sockets, as tcp_v{4,6}_syn_recv_sock completed successfully. Move the clearing of such field out of the common code, otherwise the MPTCP MP_JOIN error path will find the wrong 'inet_num' value on socket disposal, __inet_put_port() will acquire the wrong lock and bind_node removal could race with other modifiers possibly corrupting the bind hash table. Reported-and-tested-by:Christoph Paasch <cpaasch@apple.com> Fixes: 729cd643 ("mptcp: cope better with MP_JOIN failure") Signed-off-by:
Paolo Abeni <pabeni@redhat.com> Reviewed-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Wang Hai authored
If register_netdev(dev) fails, free_netdev(dev) needs to be called, otherwise a memory leak will occur. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Wang Hai <wanghai38@huawei.com> Signed-off-by:
-
Roelof Berg authored
Corrected the MAC_CR configuration bits for 1 GBit operation. The data sheet allows MAC_CR(2:1) to be 10 and also 11 for 1 GBit/s speed, but only 10 works correctly. Devices tested: Microchip Lan7431, fixed-phy mode Microchip Lan7430, normal phy mode Fixes: 6f197fb6 ("lan743x: Added fixed link and RGMII support") Signed-off-by:
Roelof Berg <rberg@berg-solutions.de> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
Valentin Longchamp authored
net/sch_generic.h does not need to be included, remove it. Signed-off-by:
Valentin Longchamp <valentin@longchamp.me> Signed-off-by:
-
Heiner Kallweit authored
Th referenced change added an extra hw reset to rtl8169_net_suspend() what makes WoL fail on few chip versions. Therefore skip the extra reset if we're going down and WoL is enabled. In rtl_shutdown() rtl8169_hw_reset() is called by rtl8169_net_suspend() already if needed, therefore avoid issues issue by removing the extra call. The fix was tested on a system with RTL8168g. Meanwhile rtl8169_hw_reset() does more than a hw reset and should be renamed. But that's net-next material. Fixes: 8ac8e8c6 ("r8169: make rtl8169_down central chip quiesce function") Signed-off-by:
Heiner Kallweit <hkallweit1@gmail.com> Signed-off-by:
-
Dan Carpenter authored
The code is return PTR_ERR(NULL) which is zero or success. We should return -ENOMEM instead. Fixes: 94abdad6 ("net: ethernet: dwmac: add ethernet glue logic for NXP imx8 chip") Signed-off-by:
Fugang Duan <fugang.duan@nxp.com> Signed-off-by:
-
Ahmed S. Darwish authored
The u64_stats mechanism uses sequence counters to protect against 64-bit values tearing on 32-bit architectures. Updating u64_stats is thus a sequence counter write side critical section where preemption must be disabled. For mdiobus_stats_acct(), disable preemption upon the u64_stats update. It is called from process context through mdiobus_read() and mdiobus_write(). Reported-by:
Ahmed S. Darwish <a.darwish@linutronix.de> Reviewed-by:
Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by:
-
Ahmed S. Darwish authored
The u64_stats mechanism uses sequence counters to protect against 64-bit values tearing on 32-bit architectures. Updating such statistics is a sequence counter write side critical section. Preemption must be disabled before entering this seqcount write critical section. Failing to do so, the seqcount read side can preempt the write side section and spin for the entire scheduler tick. If that reader belongs to a real-time scheduling class, it can spin forever and the kernel will livelock. Document this statistics update side non-preemptibility requirement. Reword the introductory paragraph to highlight u64_stats raison d'être: 64-bit values tearing protection on 32-bit architectures. Divide documentation on a basis of internal design vs. usage constraints. Reword the u64_stats header file top comment to always mention "Reader" or "Writer" at the start of each bullet point, making it easier to follow which side each point is actually for. Clarify the statement "whole thing is a NOOP on 64bit arches or UP kernels". For 32-bit UP kernels, preemption is always disabled for the statistics read side section. Signed-off-by:
-
Ahmed S. Darwish authored
Commit bf7afb29 ("phy: improve safety of fixed-phy MII register reading") protected the fixed PHY status with a sequence counter. Two years later, commit d2b97793 ("net: phy: fixed-phy: remove fixed_phy_update_state()") removed the sequence counter's write side critical section -- neutralizing its read side retry loop. Remove the unused seqcount. Signed-off-by:
-
Ahmed S. Darwish authored
Sequence counters write paths are critical sections that must never be preempted, and blocking, even for CONFIG_PREEMPTION=n, is not allowed. Commit 5dbe7c17 ("net: fix kernel deadlock with interface rename and netdev name retrieval.") handled a deadlock, observed with CONFIG_PREEMPTION=n, where the devnet_rename seqcount read side was infinitely spinning: it got scheduled after the seqcount write side blocked inside its own critical section. To fix that deadlock, among other issues, the commit added a cond_resched() inside the read side section. While this will get the non-preemptible kernel eventually unstuck, the seqcount reader is fully exhausting its slice just spinning -- until TIF_NEED_RESCHED is set. The fix is also still broken: if the seqcount reader belongs to a real-time scheduling policy, it can spin forever and the kernel will livelock. Disabling preemption over the seqcount write side critical section will not work: inside it are a number of GFP_KERNEL allocations and mutex locking through the drivers/base/ :: device_rename() call chain. >From all the above, replace the seqcount with a rwsem. Fixes: 5dbe7c17 (net: fix kernel deadlock with interface rename and netdev name retrieval.) Fixes: 30e6c9fa (net: devnet_rename_seq should be a seqcount) Fixes: c91f6df2 (sockopt: Change getsockopt() of SO_BINDTODEVICE to return an interface name) Cc: <stable@vger.kernel.org> Reported-by: kbuild test robot <lkp@intel.com> [ v1 missing up_read() on error exit ] Reported-by: Dan Carpenter <dan.carpenter@oracle.com> [ v1 missing up_read() on error exit ] Signed-off-by:
-
Michal Vokáč authored
Commit 7e99e347 ("net: dsa: remove dsa_switch_alloc helper") replaced the dsa_switch_alloc helper by devm_kzalloc in all DSA drivers. Unfortunately it introduced a typo in qca8k.c driver and wrong argument is passed to the devm_kzalloc function. This fix mitigates the following kernel exception: Unexpected gfp: 0x6 (__GFP_HIGHMEM|GFP_DMA32). Fixing up to gfp: 0x101 (GFP_DMA|__GFP_ZERO). Fix your code! CPU: 1 PID: 44 Comm: kworker/1:1 Not tainted 5.5.9-yocto-ua #1 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) Workqueue: events deferred_probe_work_func [<c0014924>] (unwind_backtrace) from [<c00123bc>] (show_stack+0x10/0x14) [<c00123bc>] (show_stack) from [<c04c8fb4>] (dump_stack+0x90/0xa4) [<c04c8fb4>] (dump_stack) from [<c00e1b10>] (new_slab+0x20c/0x214) [<c00e1b10>] (new_slab) from [<c00e1cd0>] (___slab_alloc.constprop.0+0x1b8/0x540) [<c00e1cd0>] (___slab_alloc.constprop.0) from [<c00e2074>] (__slab_alloc.constprop.0+0x1c/0x24) [<c00e2074>] (__slab_alloc.constprop.0) from [<c00e4538>] (__kmalloc_track_caller+0x1b0/0x298) [<c00e4538>] (__kmalloc_track_caller) from [<c02cccac>] (devm_kmalloc+0x24/0x70) [<c02cccac>] (devm_kmalloc) from [<c030d888>] (qca8k_sw_probe+0x94/0x1ac) [<c030d888>] (qca8k_sw_probe) from [<c0304788>] (mdio_probe+0x30/0x54) [<c0304788>] (mdio_probe) from [<c02c93bc>] (really_probe+0x1e0/0x348) [<c02c93bc>] (really_probe) from [<c02c9884>] (driver_probe_device+0x60/0x16c) [<c02c9884>] (driver_probe_device) from [<c02c7fb0>] (bus_for_each_drv+0x70/0x94) [<c02c7fb0>] (bus_for_each_drv) from [<c02c9708>] (__device_attach+0xb4/0x11c) [<c02c9708>] (__device_attach) from [<c02c8148>] (bus_probe_device+0x84/0x8c) [<c02c8148>] (bus_probe_device) from [<c02c8cec>] (deferred_probe_work_func+0x64/0x90) [<c02c8cec>] (deferred_probe_work_func) from [<c0033c14>] (process_one_work+0x1d4/0x41c) [<c0033c14>] (process_one_work) from [<c00340a4>] (worker_thread+0x248/0x528) [<c00340a4>] (worker_thread) from [<c0039148>] (kthread+0x124/0x150) [<c0039148>] (kthread) from [<c00090d8>] (ret_from_fork+0x14/0x3c) Exception stack(0xee1b5fb0 to 0xee1b5ff8) 5fa0: 00000000 00000000 00000000 00000000 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 qca8k 2188000.ethernet-1:0a: Using legacy PHYLIB callbacks. Please migrate to PHYLINK! qca8k 2188000.ethernet-1:0a eth2 (uninitialized): PHY [2188000.ethernet-1:01] driver [Generic PHY] qca8k 2188000.ethernet-1:0a eth1 (uninitialized): PHY [2188000.ethernet-1:02] driver [Generic PHY] Fixes: 7e99e347 ("net: dsa: remove dsa_switch_alloc helper") Signed-off-by:
Michal Vokáč <michal.vokac@ysoft.com> Reviewed-by:
-
Jiri Benc authored
If the geneve interface is in collect_md (external) mode, it can't send any packets submitted directly to its net interface, as such packets won't have metadata attached. This is expected. However, the kernel itself sends some packets to the interface, most notably, IPv6 DAD, IPv6 multicast listener reports, etc. This is not wrong, as tunnel metadata can be specified in routing table (although technically, that has never worked for IPv6, but hopefully will be fixed eventually) and then the interface must correctly participate in IPv6 housekeeping. The problem is that any such attempt increases the tx_error counter. Just bringing up a geneve interface with IPv6 enabled is enough to see a number of tx_errors. That causes confusion among users, prompting them to find a network error where there is none. Change the counter used to tx_dropped. That better conveys the meaning (there's nothing wrong going on, just some packets are getting dropped) and hopefully will make admins panic less. Signed-off-by:
Jiri Benc <jbenc@redhat.com> Signed-off-by:
-
David S. Miller authored
Sameeh Jubran says: ==================== Fix xdp in ena driver This patchset includes 2 XDP related bug fixes Difference from v1: * Fixed "Fixes" tag ==================== Acked-by:
Jakub Kicinski <kuba@kernel.org> Acked-by:
Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by:
-
Sameeh Jubran authored
This patch fixes two issues with XDP: 1. If the XDP verdict is XDP_ABORTED we break the loop, which results in us handling one buffer per napi cycle instead of the total budget (usually 64). To overcome this simply change the xdp_verdict check to != XDP_PASS. When the verdict is XDP_PASS, the skb is not expected to be NULL. 2. Update the residual budget for XDP_DROP and XDP_ABORTED, since packets are handled in these cases. Fixes: 548c4940 ("net: ena: Implement XDP_TX action") Signed-off-by:
Sameeh Jubran <sameehj@amazon.com> Signed-off-by:
-
Sameeh Jubran authored
When sending very high packet rate, the XDP tx queues can get full and start dropping packets. In this case we don't free the pages which results in ena driver draining the system memory. Fix: Simply free the pages when necessary. Fixes: 548c4940 ("net: ena: Implement XDP_TX action") Signed-off-by:
-
Ahmed Abdelsalam authored
The seg6_validate_srh() is used to validate SRH for three cases: case1: SRH of data-plane SRv6 packets to be processed by the Linux kernel. Case2: SRH of the netlink message received from user-space (iproute2) Case3: SRH injected into packets through setsockopt In case1, the SRH can be encoded in the Reduced way (i.e., first SID is carried in DA only and not represented as SID in the SRH) and the seg6_validate_srh() now handles this case correctly. In case2 and case3, the SRH shouldn’t be encoded in the Reduced way otherwise we lose the first segment (i.e., the first hop). The current implementation of the seg6_validate_srh() allow SRH of case2 and case3 to be encoded in the Reduced way. This leads a slab-out-of-bounds problem. This patch verifies SRH of case1, case2 and case3. Allowing case1 to be reduced while preventing SRH of case2 and case3 from being reduced . Reported-by: syzbot+e8c028b62439eac42073@syzkaller.appspotmail.com Reported-by:
YueHaibing <yuehaibing@huawei.com> Fixes: 0cb7498f ("seg6: fix SRH processing to comply with RFC8754") Signed-off-by:
Ahmed Abdelsalam <ahabdels@gmail.com> Signed-off-by:
-
Tuong Lien authored
syzbot found the following crash: general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] CPU: 1 PID: 7060 Comm: syz-executor394 Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__tipc_sendstream+0xbde/0x11f0 net/tipc/socket.c:1591 Code: 00 00 00 00 48 39 5c 24 28 48 0f 44 d8 e8 fa 3e db f9 48 b8 00 00 00 00 00 fc ff df 48 8d bb c8 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e2 04 00 00 48 8b 9b c8 00 00 00 48 b8 00 00 00 RSP: 0018:ffffc90003ef7818 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8797fd9d RDX: 0000000000000019 RSI: ffffffff8797fde6 RDI: 00000000000000c8 RBP: ffff888099848040 R08: ffff88809a5f6440 R09: fffffbfff1860b4c R10: ffffffff8c305a5f R11: fffffbfff1860b4b R12: ffff88809984857e R13: 0000000000000000 R14: ffff888086aa4000 R15: 0000000000000000 FS: 00000000009b4880(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000140 CR3: 00000000a7fdf000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tipc_sendstream+0x4c/0x70 net/tipc/socket.c:1533 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x32f/0x810 net/socket.c:2352 ___sys_sendmsg+0x100/0x170 net/socket.c:2406 __sys_sendmmsg+0x195/0x480 net/socket.c:2496 __do_sys_sendmmsg net/socket.c:2525 [inline] __se_sys_sendmmsg net/socket.c:2522 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2522 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x440199 ... This bug was bisected to commit 0a3e060f ("tipc: add test for Nagle algorithm effectiveness"). However, it is not the case, the trouble was from the base in the case of zero data length message sending, we would unexpectedly make an empty 'txq' queue after the 'tipc_msg_append()' in Nagle mode. A similar crash can be generated even without the bisected patch but at the link layer when it accesses the empty queue. We solve the issues by building at least one buffer to go with socket's header and an optional data section that may be empty like what we had with the 'tipc_msg_build()'. Note: the previous commit 4c21daae ("tipc: Fix NULL pointer dereference in __tipc_sendstream()") is obsoleted by this one since the 'txq' will be never empty and the check of 'skb != NULL' is unnecessary but it is safe anyway. Reported-by: syzbot+8eac6d030e7807c21d32@syzkaller.appspotmail.com Fixes: c0bceb97 ("tipc: add smart nagle feature") Acked-by:
Jon Maloy <jmaloy@redhat.com> Signed-off-by:
Tuong Lien <tuong.t.lien@dektech.com.au> Signed-off-by:
-
Cong Wang authored
There are two kinds of memory leaks in genl_family_rcv_msg_dumpit(): 1. Before we call ops->start(), whenever an error happens, we forget to free the memory allocated in genl_family_rcv_msg_dumpit(). 2. When ops->start() fails, the 'info' has been already installed on the per socket control block, so we should not free it here. More importantly, nlk->cb_running is still false at this point, so netlink_sock_destruct() cannot free it either. The first kind of memory leaks is easier to resolve, but the second one requires some deeper thoughts. After reviewing how netfilter handles this, the most elegant solution I find is just to use a similar way to allocate the memory, that is, moving memory allocations from caller into ops->start(). With this, we can solve both kinds of memory leaks: for 1), no memory allocation happens before ops->start(); for 2), ops->start() handles its own failures and 'info' is installed to the socket control block only when success. The only ugliness here is we have to pass all local variables on stack via a struct, but this is not hard to understand. Alternatively, we can introduce a ops->free() to solve this too, but it is overkill as only genetlink has this problem so far. Fixes: 1927f41a ("net: genetlink: introduce dump info struct to be available during dumpit op") Reported-by: syzbot+21f04f481f449c8db840@syzkaller.appspotmail.com Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Cc: Florian Westphal <fw@strlen.de> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Jiri Pirko <jiri@mellanox.com> Cc: YueHaibing <yuehaibing@huawei.com> Cc: Shaochun Chen <cscnull@gmail.com> Signed-off-by:
Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by:
-
Rohit Maheshwari authored
cxgb4_uld_in_use() is used only by cxgb4_ktls_det_feature() which is under CONFIG_CHELSIO_TLS_DEVICE macro. Fixes: a3ac249a ("cxgb4/chcr: Enable ktls settings at run time") Signed-off-by:
Rohit Maheshwari <rohitm@chelsio.com> Signed-off-by:
-
- 03 Jun, 2020 3 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-nextLinus Torvalds authored
Pull networking updates from David Miller: 1) Allow setting bluetooth L2CAP modes via socket option, from Luiz Augusto von Dentz. 2) Add GSO partial support to igc, from Sasha Neftin. 3) Several cleanups and improvements to r8169 from Heiner Kallweit. 4) Add IF_OPER_TESTING link state and use it when ethtool triggers a device self-test. From Andrew Lunn. 5) Start moving away from custom driver versions, use the globally defined kernel version instead, from Leon Romanovsky. 6) Support GRO vis gro_cells in DSA layer, from Alexander Lobakin. 7) Allow hard IRQ deferral during NAPI, from Eric Dumazet. 8) Add sriov and vf support to hinic, from Luo bin. 9) Support Media Redundancy Protocol (MRP) in the bridging code, from Horatiu Vultur. 10) Support netmap in the nft_nat code, from Pablo Neira Ayuso. 11) Allow UDPv6 encapsulation of ESP in the ipsec code, from Sabrina Dubroca. Also add ipv6 support for espintcp. 12) Lots of ReST conversions of the networking documentation, from Mauro Carvalho Chehab. 13) Support configuration of ethtool rxnfc flows in bcmgenet driver, from Doug Berger. 14) Allow to dump cgroup id and filter by it in inet_diag code, from Dmitry Yakunin. 15) Add infrastructure to export netlink attribute policies to userspace, from Johannes Berg. 16) Several optimizations to sch_fq scheduler, from Eric Dumazet. 17) Fallback to the default qdisc if qdisc init fails because otherwise a packet scheduler init failure will make a device inoperative. From Jesper Dangaard Brouer. 18) Several RISCV bpf jit optimizations, from Luke Nelson. 19) Correct the return type of the ->ndo_start_xmit() method in several drivers, it's netdev_tx_t but many drivers were using 'int'. From Yunjian Wang. 20) Add an ethtool interface for PHY master/slave config, from Oleksij Rempel. 21) Add BPF iterators, from Yonghang Song. 22) Add cable test infrastructure, including ethool interfaces, from Andrew Lunn. Marvell PHY driver is the first to support this facility. 23) Remove zero-length arrays all over, from Gustavo A. R. Silva. 24) Calculate and maintain an explicit frame size in XDP, from Jesper Dangaard Brouer. 25) Add CAP_BPF, from Alexei Starovoitov. 26) Support terse dumps in the packet scheduler, from Vlad Buslov. 27) Support XDP_TX bulking in dpaa2 driver, from Ioana Ciornei. 28) Add devm_register_netdev(), from Bartosz Golaszewski. 29) Minimize qdisc resets, from Cong Wang. 30) Get rid of kernel_getsockopt and kernel_setsockopt in order to eliminate set_fs/get_fs calls. From Christoph Hellwig. * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2517 commits) selftests: net: ip_defrag: ignore EPERM net_failover: fixed rollback in net_failover_open() Revert "tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv" Revert "tipc: Fix potential tipc_node refcnt leak in tipc_rcv" vmxnet3: allow rx flow hash ops only when rss is enabled hinic: add set_channels ethtool_ops support selftests/bpf: Add a default $(CXX) value tools/bpf: Don't use $(COMPILE.c) bpf, selftests: Use bpf_probe_read_kernel s390/bpf: Use bcr 0,%0 as tail call nop filler s390/bpf: Maintain 8-byte stack alignment selftests/bpf: Fix verifier test selftests/bpf: Fix sample_cnt shared between two threads bpf, selftests: Adapt cls_redirect to call csum_level helper bpf: Add csum_level helper for fixing up csum levels bpf: Fix up bpf_skb_adjust_room helper's skb csum setting sfc: add missing annotation for efx_ef10_try_update_nic_stats_vf() crypto/chtls: IPv6 support for inline TLS Crypto/chcr: Fixes a coccinile check error Crypto/chcr: Fixes compilations warnings ... -
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfsLinus Torvalds authored
Pull comedi uaccess cleanups from Al Viro: "Comedi compat ioctls done saner - killing the single biggest pile of __get_user/__put_user outside of arch/* in the process" * 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: comedi: get rid of compat_alloc_user_space() mess in COMEDI_CMD{,TEST} compat comedi: do_cmd_ioctl(): lift copyin/copyout into the caller comedi: do_cmdtest_ioctl(): lift copyin/copyout into the caller comedi: lift copy_from_user() into callers of __comedi_get_user_cmd() comedi: get rid of compat_alloc_user_space() mess in COMEDI_INSNLIST compat comedi: get rid of compat_alloc_user_space() mess in COMEDI_INSN compat comedi: get rid of compat_alloc_user_space() mess in COMEDI_RANGEINFO compat comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat comedi: get rid of indirection via translated_ioctl() comedi: move compat ioctl handling to native fops
-
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfsLinus Torvalds authored
Pull splice updates from Al Viro: "Christoph's assorted splice cleanups" * 'work.splice' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs: rename pipe_buf ->steal to ->try_steal fs: make the pipe_buf_operations ->confirm operation optional fs: make the pipe_buf_operations ->steal operation optional trace: remove tracing_pipe_buf_ops pipe: merge anon_pipe_buf*_ops fs: simplify do_splice_from fs: simplify do_splice_to
-
