1. 05 Dec, 2019 17 commits
    • Yunsheng Lin's avatar
      net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() · d1a37ded
      Yunsheng Lin authored
      Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
      SKB if the BD num required by the SKB does not meet the hardware
      limitation, and it linearizes the SKB by allocating a new linearized SKB
      and freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY
      because there are no enough space in the ring to send the linearized
      skb to hardware, the sch_direct_xmit() still hold reference to old SKB
      and try to retransmit the old SKB when dev_hard_start_xmit() return
      TX_BUSY, which may cause use after freed problem.
      
      This patch fixes it by using __skb_linearize() to linearize the
      SKB in hns3_nic_maybe_stop_tx().
      
      Fixes: 51e8439f ("net: hns3: add 8 BD limit for tx flow")
      Signed-off-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d1a37ded
    • Yunsheng Lin's avatar
      net: hns3: fix for TX queue not restarted problem · 2a597eff
      Yunsheng Lin authored
      There is timing window between ring_space checking and
      netif_stop_subqueue when transmiting a SKB, and the TX BD
      cleaning may be executed during the time window, which may
      caused TX queue not restarted problem.
      
      This patch fixes it by rechecking the ring_space after
      netif_stop_subqueue to make sure TX queue is restarted.
      
      Also, the ring->next_to_clean is updated even when pkts is
      zero, because all the TX BD cleaned may be non-SKB, so it
      needs to check if TX queue need to be restarted.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a597eff
    • Grygorii Strashko's avatar
      net: ethernet: ti: cpsw_switchdev: fix unmet direct dependencies detected for NET_SWITCHDEV · aacf6578
      Grygorii Strashko authored
      Replace "select NET_SWITCHDEV" vs "depends on NET_SWITCHDEV" to fix Kconfig
      warning with CONFIG_COMPILE_TEST=y
      
      WARNING: unmet direct dependencies detected for NET_SWITCHDEV
        Depends on [n]: NET [=y] && INET [=n]
        Selected by [y]:
        - TI_CPSW_SWITCHDEV [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_TI [=y] && (ARCH_DAVINCI || ARCH_OMAP2PLUS || COMPILE_TEST [=y])
      
      because TI_CPSW_SWITCHDEV blindly selects NET_SWITCHDEV even though
      INET is not set/enabled, while NET_SWITCHDEV depends on INET.
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Fixes: ed3525ed ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aacf6578
    • David S. Miller's avatar
      Merge branch 's390-fixes' · b8744052
      David S. Miller authored
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2019-12-05
      
      please apply the following fixes to your net tree.
      
      The first two patches target the RX data path, the third fixes a memory
      leak when shutting down a qeth device.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8744052
    • Julian Wiedmann's avatar
      s390/qeth: fix dangling IO buffers after halt/clear · f9e50b02
      Julian Wiedmann authored
      The cio layer's intparm logic does not align itself well with how qeth
      manages cmd IOs. When an active IO gets terminated via halt/clear, the
      corresponding IRQ's intparm does not reflect the cmd buffer but rather
      the intparm that was passed to ccw_device_halt() / ccw_device_clear().
      This behaviour was recently clarified in
      commit b91d9e67 ("s390/cio: fix intparm documentation").
      
      As a result, qeth_irq() currently doesn't cancel a cmd that was
      terminated via halt/clear. This primarily causes us to leak
      card->read_cmd after the qeth device is removed, since our IO path still
      holds a refcount for this cmd.
      
      For qeth this means that we need to keep track of which IO is pending on
      a device ('active_cmd'), and use this as the intparm when calling
      halt/clear. Otherwise qeth_irq() can't match the subsequent IRQ to its
      cmd buffer.
      Since we now keep track of the _expected_ intparm, we can also detect
      any mismatch; this would constitute a bug somewhere in the lower layers.
      In this case cancel the active cmd - we effectively "lost" the IRQ and
      should not expect any further notification for this IO.
      
      Fixes: 40554895 ("s390/qeth: add support for dynamically allocated cmds")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9e50b02
    • Julian Wiedmann's avatar
      s390/qeth: ensure linear access to packet headers · f677fcb9
      Julian Wiedmann authored
      When the RX path builds non-linear skbs, the packet headers can
      currently spill over into page fragments. Depending on the packet type
      and what fields we need to access in the headers, this could cause us
      to go past the end of skb->data.
      
      So for non-linear packets, copy precisely the length of the necessary
      headers ('linear_len') into skb->data.
      And don't copy more, upper-level protocols will peel whatever additional
      packet headers they need.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f677fcb9
    • Julian Wiedmann's avatar
      s390/qeth: guard against runt packets · 5b55633f
      Julian Wiedmann authored
      Depending on a packet's type, the RX path needs to access fields in the
      packet headers and thus requires a minimum packet length.
      Enforce this length when building the skb.
      
      On the other hand a single runt packet is no reason to drop the whole
      RX buffer. So just skip it, and continue processing on the next packet.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b55633f
    • Mian Yousaf Kaukab's avatar
      net: thunderx: start phy before starting autonegotiation · a350d2e7
      Mian Yousaf Kaukab authored
      Since commit 2b3e88ea ("net: phy: improve phy state checking")
      phy_start_aneg() expects phy state to be >= PHY_UP. Call phy_start()
      before calling phy_start_aneg() during probe so that autonegotiation
      is initiated.
      
      As phy_start() takes care of calling phy_start_aneg(), drop the explicit
      call to phy_start_aneg().
      
      Network fails without this patch on Octeon TX.
      
      Fixes: 2b3e88ea ("net: phy: improve phy state checking")
      Signed-off-by: default avatarMian Yousaf Kaukab <ykaukab@suse.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a350d2e7
    • Taehee Yoo's avatar
      hsr: fix a NULL pointer dereference in hsr_dev_xmit() · df95467b
      Taehee Yoo authored
      hsr_dev_xmit() calls hsr_port_get_hsr() to find master node and that would
      return NULL if master node is not existing in the list.
      But hsr_dev_xmit() doesn't check return pointer so a NULL dereference
      could occur.
      
      Test commands:
          ip netns add nst
          ip link add veth0 type veth peer name veth1
          ip link add veth2 type veth peer name veth3
          ip link set veth1 netns nst
          ip link set veth3 netns nst
          ip link set veth0 up
          ip link set veth2 up
          ip link add hsr0 type hsr slave1 veth0 slave2 veth2
          ip a a 192.168.100.1/24 dev hsr0
          ip link set hsr0 up
          ip netns exec nst ip link set veth1 up
          ip netns exec nst ip link set veth3 up
          ip netns exec nst ip link add hsr1 type hsr slave1 veth1 slave2 veth3
          ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
          ip netns exec nst ip link set hsr1 up
          hping3 192.168.100.2 -2 --flood &
          modprobe -rv hsr
      
      Splat looks like:
      [  217.351122][ T1635] kasan: CONFIG_KASAN_INLINE enabled
      [  217.352969][ T1635] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  217.354297][ T1635] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  217.355507][ T1635] CPU: 1 PID: 1635 Comm: hping3 Not tainted 5.4.0+ #192
      [  217.356472][ T1635] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [  217.357804][ T1635] RIP: 0010:hsr_dev_xmit+0x34/0x90 [hsr]
      [  217.373010][ T1635] Code: 48 8d be 00 0c 00 00 be 04 00 00 00 48 83 ec 08 e8 21 be ff ff 48 8d 78 10 48 ba 00 b
      [  217.376919][ T1635] RSP: 0018:ffff8880cd8af058 EFLAGS: 00010202
      [  217.377571][ T1635] RAX: 0000000000000000 RBX: ffff8880acde6840 RCX: 0000000000000002
      [  217.379465][ T1635] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000010
      [  217.380274][ T1635] RBP: ffff8880acde6840 R08: ffffed101b440d5d R09: 0000000000000001
      [  217.381078][ T1635] R10: 0000000000000001 R11: ffffed101b440d5c R12: ffff8880bffcc000
      [  217.382023][ T1635] R13: ffff8880bffcc088 R14: 0000000000000000 R15: ffff8880ca675c00
      [  217.383094][ T1635] FS:  00007f060d9d1740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [  217.384289][ T1635] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  217.385009][ T1635] CR2: 00007faf15381dd0 CR3: 00000000d523c001 CR4: 00000000000606e0
      [  217.385940][ T1635] Call Trace:
      [  217.386544][ T1635]  dev_hard_start_xmit+0x160/0x740
      [  217.387114][ T1635]  __dev_queue_xmit+0x1961/0x2e10
      [  217.388118][ T1635]  ? check_object+0xaf/0x260
      [  217.391466][ T1635]  ? __alloc_skb+0xb9/0x500
      [  217.392017][ T1635]  ? init_object+0x6b/0x80
      [  217.392629][ T1635]  ? netdev_core_pick_tx+0x2e0/0x2e0
      [  217.393175][ T1635]  ? __alloc_skb+0xb9/0x500
      [  217.393727][ T1635]  ? rcu_read_lock_sched_held+0x90/0xc0
      [  217.394331][ T1635]  ? rcu_read_lock_bh_held+0xa0/0xa0
      [  217.395013][ T1635]  ? kasan_unpoison_shadow+0x30/0x40
      [  217.395668][ T1635]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [  217.396280][ T1635]  ? __kmalloc_node_track_caller+0x3a8/0x3f0
      [  217.399007][ T1635]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [  217.400093][ T1635]  ? __kmalloc_reserve.isra.46+0x2e/0xb0
      [  217.401118][ T1635]  ? memset+0x1f/0x40
      [  217.402529][ T1635]  ? __alloc_skb+0x317/0x500
      [  217.404915][ T1635]  ? arp_xmit+0xca/0x2c0
      [ ... ]
      
      Fixes: 311633b6 ("hsr: switch ->dellink() to ->ndo_uninit()")
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df95467b
    • Martin Varghese's avatar
      net: Fixed updating of ethertype in skb_mpls_push() · d04ac224
      Martin Varghese authored
      The skb_mpls_push was not updating ethertype of an ethernet packet if
      the packet was originally received from a non ARPHRD_ETHER device.
      
      In the below OVS data path flow, since the device corresponding to
      port 7 is an l3 device (ARPHRD_NONE) the skb_mpls_push function does
      not update the ethertype of the packet even though the previous
      push_eth action had added an ethernet header to the packet.
      
      recirc_id(0),in_port(7),eth_type(0x0800),ipv4(tos=0/0xfc,ttl=64,frag=no),
      actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),
      push_mpls(label=13,tc=0,ttl=64,bos=1,eth_type=0x8847),4
      
      Fixes: 8822e270 ("net: core: move push MPLS functionality from OvS to core helper")
      Signed-off-by: default avatarMartin Varghese <martin.varghese@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d04ac224
    • Alexandru Ardelean's avatar
      NFC: NCI: use new `delay` structure for SPI transfer delays · 099ffd7e
      Alexandru Ardelean authored
      In a recent change to the SPI subsystem [1], a new `delay` struct was added
      to replace the `delay_usecs`. This change replaces the current `delay_secs`
      with `delay` for this driver.
      
      The `spi_transfer_delay_exec()` function [in the SPI framework] makes sure
      that both `delay_usecs` & `delay` are used (in this order to preserve
      backwards compatibility).
      
      [1] commit bebcfd27 ("spi: introduce `delay` field for
      `spi_transfer` + spi_transfer_delay_exec()")
      Signed-off-by: default avatarAlexandru Ardelean <alexandru.ardelean@analog.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      099ffd7e
    • Russell King's avatar
      net: sfp: fix hwmon · 38ecd706
      Russell King authored
      The referenced commit below allowed more than one hwmon device to be
      created per SFP, which is definitely not what we want. Avoid this by
      only creating the hwmon device just as we transition to WAITDEV state.
      
      Fixes: 139d3a21 ("net: sfp: allow modules with slow diagnostics to probe")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      38ecd706
    • Russell King's avatar
      net: sfp: fix unbind · 0cb96b57
      Russell King authored
      When unbinding, we don't correctly tear down the module state, leaving
      (for example) the hwmon registration behind. Ensure everything is
      properly removed by sending a remove event at unbind.
      
      Fixes: 6b0da5c9 ("net: sfp: track upstream's attachment state in state machine")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0cb96b57
    • Shannon Nelson's avatar
      ionic: keep users rss hash across lif reset · ffac2027
      Shannon Nelson authored
      If the user has specified their own RSS hash key, don't
      lose it across queue resets such as DOWN/UP, MTU change,
      and number of channels change.  This is fixed by moving
      the key initialization to a little earlier in the lif
      creation.
      
      Also, let's clean up the RSS config a little better on
      the way down by setting it all to 0.
      
      Fixes: aa319881 ("ionic: Add RSS support")
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ffac2027
    • Jonathan Lemon's avatar
      xdp: obtain the mem_id mutex before trying to remove an entry. · 86c76c09
      Jonathan Lemon authored
      A lockdep splat was observed when trying to remove an xdp memory
      model from the table since the mutex was obtained when trying to
      remove the entry, but not before the table walk started:
      
      Fix the splat by obtaining the lock before starting the table walk.
      
      Fixes: c3f812ce ("page_pool: do not release pool until inflight == 0.")
      Reported-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarJonathan Lemon <jonathan.lemon@gmail.com>
      Tested-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Acked-by: default avatarIlias Apalodimas <ilias.apalodimas@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86c76c09
    • Aaron Conole's avatar
      act_ct: support asymmetric conntrack · 95219afb
      Aaron Conole authored
      The act_ct TC module shares a common conntrack and NAT infrastructure
      exposed via netfilter.  It's possible that a packet needs both SNAT and
      DNAT manipulation, due to e.g. tuple collision.  Netfilter can support
      this because it runs through the NAT table twice - once on ingress and
      again after egress.  The act_ct action doesn't have such capability.
      
      Like netfilter hook infrastructure, we should run through NAT twice to
      keep the symmetry.
      
      Fixes: b57dc7c1 ("net/sched: Introduce action ct")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95219afb
    • Aaron Conole's avatar
      openvswitch: support asymmetric conntrack · 5d50aa83
      Aaron Conole authored
      The openvswitch module shares a common conntrack and NAT infrastructure
      exposed via netfilter.  It's possible that a packet needs both SNAT and
      DNAT manipulation, due to e.g. tuple collision.  Netfilter can support
      this because it runs through the NAT table twice - once on ingress and
      again after egress.  The openvswitch module doesn't have such capability.
      
      Like netfilter hook infrastructure, we should run through NAT twice to
      keep the symmetry.
      
      Fixes: 05752523 ("openvswitch: Interface with NAT.")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5d50aa83
  2. 04 Dec, 2019 3 commits
  3. 03 Dec, 2019 14 commits
    • Yoshiki Komachi's avatar
      cls_flower: Fix the behavior using port ranges with hw-offload · 8ffb055b
      Yoshiki Komachi authored
      The recent commit 5c72299f ("net: sched: cls_flower: Classify
      packets using port ranges") had added filtering based on port ranges
      to tc flower. However the commit missed necessary changes in hw-offload
      code, so the feature gave rise to generating incorrect offloaded flow
      keys in NIC.
      
      One more detailed example is below:
      
      $ tc qdisc add dev eth0 ingress
      $ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
        dst_port 100-200 action drop
      
      With the setup above, an exact match filter with dst_port == 0 will be
      installed in NIC by hw-offload. IOW, the NIC will have a rule which is
      equivalent to the following one.
      
      $ tc qdisc add dev eth0 ingress
      $ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
        dst_port 0 action drop
      
      The behavior was caused by the flow dissector which extracts packet
      data into the flow key in the tc flower. More specifically, regardless
      of exact match or specified port ranges, fl_init_dissector() set the
      FLOW_DISSECTOR_KEY_PORTS flag in struct flow_dissector to extract port
      numbers from skb in skb_flow_dissect() called by fl_classify(). Note
      that device drivers received the same struct flow_dissector object as
      used in skb_flow_dissect(). Thus, offloaded drivers could not identify
      which of these is used because the FLOW_DISSECTOR_KEY_PORTS flag was
      set to struct flow_dissector in either case.
      
      This patch adds the new FLOW_DISSECTOR_KEY_PORTS_RANGE flag and the new
      tp_range field in struct fl_flow_key to recognize which filters are applied
      to offloaded drivers. At this point, when filters based on port ranges
      passed to drivers, drivers return the EOPNOTSUPP error because they do
      not support the feature (the newly created FLOW_DISSECTOR_KEY_PORTS_RANGE
      flag).
      
      Fixes: 5c72299f ("net: sched: cls_flower: Classify packets using port ranges")
      Signed-off-by: default avatarYoshiki Komachi <komachi.yoshiki@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ffb055b
    • Dust Li's avatar
      net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues · 2f23cd42
      Dust Li authored
      sch->q.len hasn't been set if the subqueue is a NOLOCK qdisc
       in mq_dump() and mqprio_dump().
      
      Fixes: ce679e8d ("net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio")
      Signed-off-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: default avatarTony Lu <tonylu@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f23cd42
    • Eric Dumazet's avatar
      tcp: refactor tcp_retransmit_timer() · 0d580fbd
      Eric Dumazet authored
      It appears linux-4.14 stable needs a backport of commit
      88f8598d ("tcp: exit if nothing to retransmit on RTO timeout")
      
      Since tcp_rtx_queue_empty() is not in pre 4.15 kernels,
      let's refactor tcp_retransmit_timer() to only use tcp_rtx_queue_head()
      
      I will provide to stable teams the squashed patches.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d580fbd
    • Vladimir Oltean's avatar
      net: mscc: ocelot: unregister the PTP clock on deinit · 9385973f
      Vladimir Oltean authored
      Currently a switch driver deinit frees the regmaps, but the PTP clock is
      still out there, available to user space via /dev/ptpN. Any PTP
      operation is a ticking time bomb, since it will attempt to use the freed
      regmaps and thus trigger kernel panics:
      
      [    4.291746] fsl_enetc 0000:00:00.2 eth1: error -22 setting up slave phy
      [    4.291871] mscc_felix 0000:00:00.5: Failed to register DSA switch: -22
      [    4.308666] mscc_felix: probe of 0000:00:00.5 failed with error -22
      [    6.358270] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
      [    6.367090] Mem abort info:
      [    6.369888]   ESR = 0x96000046
      [    6.369891]   EC = 0x25: DABT (current EL), IL = 32 bits
      [    6.369892]   SET = 0, FnV = 0
      [    6.369894]   EA = 0, S1PTW = 0
      [    6.369895] Data abort info:
      [    6.369897]   ISV = 0, ISS = 0x00000046
      [    6.369899]   CM = 0, WnR = 1
      [    6.369902] user pgtable: 4k pages, 48-bit VAs, pgdp=00000020d58c7000
      [    6.369904] [0000000000000088] pgd=00000020d5912003, pud=00000020d5915003, pmd=0000000000000000
      [    6.369914] Internal error: Oops: 96000046 [#1] PREEMPT SMP
      [    6.420443] Modules linked in:
      [    6.423506] CPU: 1 PID: 262 Comm: phc_ctl Not tainted 5.4.0-03625-gb7b2a5dadd7f #204
      [    6.431273] Hardware name: LS1028A RDB Board (DT)
      [    6.435989] pstate: 40000085 (nZcv daIf -PAN -UAO)
      [    6.440802] pc : css_release+0x24/0x58
      [    6.444561] lr : regmap_read+0x40/0x78
      [    6.448316] sp : ffff800010513cc0
      [    6.451636] x29: ffff800010513cc0 x28: ffff002055873040
      [    6.456963] x27: 0000000000000000 x26: 0000000000000000
      [    6.462289] x25: 0000000000000000 x24: 0000000000000000
      [    6.467617] x23: 0000000000000000 x22: 0000000000000080
      [    6.472944] x21: ffff800010513d44 x20: 0000000000000080
      [    6.478270] x19: 0000000000000000 x18: 0000000000000000
      [    6.483596] x17: 0000000000000000 x16: 0000000000000000
      [    6.488921] x15: 0000000000000000 x14: 0000000000000000
      [    6.494247] x13: 0000000000000000 x12: 0000000000000000
      [    6.499573] x11: 0000000000000000 x10: 0000000000000000
      [    6.504899] x9 : 0000000000000000 x8 : 0000000000000000
      [    6.510225] x7 : 0000000000000000 x6 : ffff800010513cf0
      [    6.515550] x5 : 0000000000000000 x4 : 0000000fffffffe0
      [    6.520876] x3 : 0000000000000088 x2 : ffff800010513d44
      [    6.526202] x1 : ffffcada668ea000 x0 : ffffcada64d8b0c0
      [    6.531528] Call trace:
      [    6.533977]  css_release+0x24/0x58
      [    6.537385]  regmap_read+0x40/0x78
      [    6.540795]  __ocelot_read_ix+0x6c/0xa0
      [    6.544641]  ocelot_ptp_gettime64+0x4c/0x110
      [    6.548921]  ptp_clock_gettime+0x4c/0x58
      [    6.552853]  pc_clock_gettime+0x5c/0xa8
      [    6.556699]  __arm64_sys_clock_gettime+0x68/0xc8
      [    6.561331]  el0_svc_common.constprop.2+0x7c/0x178
      [    6.566133]  el0_svc_handler+0x34/0xa0
      [    6.569891]  el0_sync_handler+0x114/0x1d0
      [    6.573908]  el0_sync+0x140/0x180
      [    6.577232] Code: d503201f b00119a1 91022263 b27b7be4 (f9004663)
      [    6.583349] ---[ end trace d196b9b14cdae2da ]---
      [    6.587977] Kernel panic - not syncing: Fatal exception
      [    6.593216] SMP: stopping secondary CPUs
      [    6.597151] Kernel Offset: 0x4ada54400000 from 0xffff800010000000
      [    6.603261] PHYS_OFFSET: 0xffffd0a7c0000000
      [    6.607454] CPU features: 0x10002,21806008
      [    6.611558] Memory Limit: none
      
      And now that ocelot->ptp_clock is checked at exit, prevent a potential
      error where ptp_clock_register returned a pointer-encoded error, which
      we are keeping in the ocelot private data structure. So now,
      ocelot->ptp_clock is now either NULL or a valid pointer.
      
      Fixes: 4e3b0468 ("net: mscc: PTP Hardware Clock (PHC) support")
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9385973f
    • Danit Goldberg's avatar
      net/core: Populate VF index in struct ifla_vf_guid · 9aed6ae0
      Danit Goldberg authored
      In addition to filling the node_guid and port_guid attributes,
      there is a need to populate VF index too, otherwise users of netlink
      interface will see same VF index for all VFs.
      
      Fixes: 30aad417 ("net/core: Add support for getting VF GUIDs")
      Signed-off-by: default avatarDanit Goldberg <danitg@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9aed6ae0
    • Nikolay Aleksandrov's avatar
      net: bridge: deny dev_set_mac_address() when unregistering · c4b4c421
      Nikolay Aleksandrov authored
      We have an interesting memory leak in the bridge when it is being
      unregistered and is a slave to a master device which would change the
      mac of its slaves on unregister (e.g. bond, team). This is a very
      unusual setup but we do end up leaking 1 fdb entry because
      dev_set_mac_address() would cause the bridge to insert the new mac address
      into its table after all fdbs are flushed, i.e. after dellink() on the
      bridge has finished and we call NETDEV_UNREGISTER the bond/team would
      release it and will call dev_set_mac_address() to restore its original
      address and that in turn will add an fdb in the bridge.
      One fix is to check for the bridge dev's reg_state in its
      ndo_set_mac_address callback and return an error if the bridge is not in
      NETREG_REGISTERED.
      
      Easy steps to reproduce:
       1. add bond in mode != A/B
       2. add any slave to the bond
       3. add bridge dev as a slave to the bond
       4. destroy the bridge device
      
      Trace:
       unreferenced object 0xffff888035c4d080 (size 128):
         comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s)
         hex dump (first 32 bytes):
           41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00  A..6............
           d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00  ...^?...........
         backtrace:
           [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f
           [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge]
           [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge]
           [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge]
           [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge]
           [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge]
           [<000000006846a77f>] dev_set_mac_address+0x63/0x9b
           [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding]
           [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding]
           [<00000000305d7795>] notifier_call_chain+0x38/0x56
           [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23
           [<000000008279477b>] rollback_registered_many+0x353/0x6a4
           [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f
           [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43
           [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a
           [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268
      
      Fixes: 43598813 ("bridge: add local MAC address to forwarding table (v2)")
      Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4b4c421
    • Dan Carpenter's avatar
      net: fix a leak in register_netdevice() · 42c17fa6
      Dan Carpenter authored
      We have to free "dev->name_node" on this error path.
      
      Fixes: ff927412 ("net: introduce name_node struct to be used in hashlist")
      Reported-by: syzbot+6e13e65ffbaa33757bcb@syzkaller.appspotmail.com
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42c17fa6
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.5-20191203' of... · 56e7a2f8
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.5-20191203' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-12-03
      
      this is a pull request of 6 patches for net/master.
      
      The first two patches are against the MAINTAINERS file and adds Appana
      Durga Kedareswara rao as maintainer for the xilinx-can driver and Sriram
      Dash for the m_can (mmio) driver.
      
      The next patch is by Jouni Hogander and fixes a use-after-free in the
      slcan driver.
      
      Johan Hovold's patch for the ucan driver fixes the non-atomic allocation
      in the completion handler.
      
      The last two patches target the xilinx-can driver. The first one is by
      Venkatesh Yadav Abbarapu and skips the error message on deferred probe,
      the second one is by Srinivas Neeli and fixes the usage of the skb after
      can_put_echo_skb().
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      56e7a2f8
    • Srinivas Neeli's avatar
      can: xilinx_can: Fix usage of skb memory · 3d3c817c
      Srinivas Neeli authored
      As per linux can framework, driver not allowed to touch the skb memory
      after can_put_echo_skb() call.
      This patch fixes the same.
      https://www.spinics.net/lists/linux-can/msg02199.htmlSigned-off-by: default avatarSrinivas Neeli <srinivas.neeli@xilinx.com>
      Reviewed-by: default avatarAppana Durga Kedareswara Rao <appana.durga.rao@xilinx.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      3d3c817c
    • Venkatesh Yadav Abbarapu's avatar
      can: xilinx_can: skip error message on deferred probe · b848238d
      Venkatesh Yadav Abbarapu authored
      When the CAN bus clock is provided from the clock wizard, clock wizard
      driver may not be available when can driver probes resulting to the
      error message "bus clock not found error".
      
      As this error message is not very useful to the end user, skip printing
      in the case of deferred probe.
      Signed-off-by: default avatarVenkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
      Signed-off-by: default avatarSrinivas Neeli <srinivas.neeli@xilinx.com>
      Signed-off-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Reviewed-by: default avatarAppana Durga Kedareswara Rao <appana.durga.rao@xilinx.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      b848238d
    • Johan Hovold's avatar
      can: ucan: fix non-atomic allocation in completion handler · 870db5d1
      Johan Hovold authored
      USB completion handlers are called in atomic context and must
      specifically not allocate memory using GFP_KERNEL.
      
      Fixes: 9f2d3eae ("can: ucan: add driver for Theobroma Systems UCAN devices")
      Cc: stable <stable@vger.kernel.org>     # 4.19
      Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
      Cc: Martin Elshuber <martin.elshuber@theobroma-systems.com>
      Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      870db5d1
    • Jouni Hogander's avatar
      can: slcan: Fix use-after-free Read in slcan_open · 9ebd796e
      Jouni Hogander authored
      Slcan_open doesn't clean-up device which registration failed from the
      slcan_devs device list. On next open this list is iterated and freed
      device is accessed. Fix this by calling slc_free_netdev in error path.
      
      Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
      identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
      trace from the Syzbot slip report:
      
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0x197/0x210 lib/dump_stack.c:118
      print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
      __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
      kasan_report+0x12/0x20 mm/kasan/common.c:634
      __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
      sl_sync drivers/net/slip/slip.c:725 [inline]
      slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
      tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
      tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
      tiocsetd drivers/tty/tty_io.c:2334 [inline]
      tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
      vfs_ioctl fs/ioctl.c:46 [inline]
      file_ioctl fs/ioctl.c:509 [inline]
      do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
      ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
      __do_sys_ioctl fs/ioctl.c:720 [inline]
      __se_sys_ioctl fs/ioctl.c:718 [inline]
      __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
      do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: ed50e160 ("slcan: Fix memory leak in error path")
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: David Miller <davem@davemloft.net>
      Cc: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: default avatarJouni Hogander <jouni.hogander@unikie.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      9ebd796e
    • Sriram Dash's avatar
      MAINTAINERS: add myself as maintainer of MCAN MMIO device driver · 8c2a5856
      Sriram Dash authored
      Since we are actively working on MMIO MCAN device driver,
      as discussed with Marc, I am adding myself as a maintainer.
      Signed-off-by: default avatarSriram Dash <sriram.dash@samsung.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      8c2a5856
    • Appana Durga Kedareswara rao's avatar
      MAINTAINERS: add fragment for xilinx CAN driver · 825e5601
      Appana Durga Kedareswara rao authored
      Added entry for xilinx CAN driver.
      Signed-off-by: default avatarAppana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      825e5601
  4. 02 Dec, 2019 6 commits
    • Martin Varghese's avatar
      Fixed updating of ethertype in function skb_mpls_pop · 040b5cfb
      Martin Varghese authored
      The skb_mpls_pop was not updating ethertype of an ethernet packet if the
      packet was originally received from a non ARPHRD_ETHER device.
      
      In the below OVS data path flow, since the device corresponding to port 7
      is an l3 device (ARPHRD_NONE) the skb_mpls_pop function does not update
      the ethertype of the packet even though the previous push_eth action had
      added an ethernet header to the packet.
      
      recirc_id(0),in_port(7),eth_type(0x8847),
      mpls(label=12/0xfffff,tc=0/0,ttl=0/0x0,bos=1/1),
      actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),
      pop_mpls(eth_type=0x800),4
      
      Fixes: ed246cee ("net: core: move pop MPLS functionality from OvS to core helper")
      Signed-off-by: default avatarMartin Varghese <martin.varghese@nokia.com>
      Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      040b5cfb
    • Victorien Molle's avatar
      sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO · b3c424eb
      Victorien Molle authored
      This field has never been checked since introduction in mainline kernel
      Signed-off-by: default avatarVictorien Molle <victorien.molle@wifirst.fr>
      Signed-off-by: default avatarFlorent Fourcot <florent.fourcot@wifirst.fr>
      Fixes: 2db6dc26 "sch_cake: Make gso-splitting configurable from userspace"
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3c424eb
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 734c7022
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-12-02
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 10 non-merge commits during the last 6 day(s) which contain
      a total of 10 files changed, 60 insertions(+), 51 deletions(-).
      
      The main changes are:
      
      1) Fix vmlinux BTF generation for binutils pre v2.25, from Stanislav Fomichev.
      
      2) Fix libbpf global variable relocation to take symbol's st_value offset
         into account, from Andrii Nakryiko.
      
      3) Fix libbpf build on powerpc where check_abi target fails due to different
         readelf output format, from Aurelien Jarno.
      
      4) Don't set BPF insns RO for the case when they are JITed in order to avoid
         fragmenting the direct map, from Daniel Borkmann.
      
      5) Fix static checker warning in btf_distill_func_proto() as well as a build
         error due to empty enum when BPF is compiled out, from Alexei Starovoitov.
      
      6) Fix up generation of bpf_helper_defs.h for perf, from Arnaldo Carvalho de Melo.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      734c7022
    • Aurelien Jarno's avatar
      libbpf: Fix readelf output parsing on powerpc with recent binutils · 3464afdf
      Aurelien Jarno authored
      On powerpc with recent versions of binutils, readelf outputs an extra
      field when dumping the symbols of an object file. For example:
      
          35: 0000000000000838    96 FUNC    LOCAL  DEFAULT [<localentry>: 8]     1 btf_is_struct
      
      The extra "[<localentry>: 8]" prevents the GLOBAL_SYM_COUNT variable to
      be computed correctly and causes the check_abi target to fail.
      
      Fix that by looking for the symbol name in the last field instead of the
      8th one. This way it should also cope with future extra fields.
      Signed-off-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/bpf/20191201195728.4161537-1-aurelien@aurel32.net
      3464afdf
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 596cf45c
      Linus Torvalds authored
      Merge updates from Andrew Morton:
       "Incoming:
      
         - a small number of updates to scripts/, ocfs2 and fs/buffer.c
      
         - most of MM
      
        I still have quite a lot of material (mostly not MM) staged after
        linux-next due to -next dependencies. I'll send those across next week
        as the preprequisites get merged up"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (135 commits)
        mm/page_io.c: annotate refault stalls from swap_readpage
        mm/Kconfig: fix trivial help text punctuation
        mm/Kconfig: fix indentation
        mm/memory_hotplug.c: remove __online_page_set_limits()
        mm: fix typos in comments when calling __SetPageUptodate()
        mm: fix struct member name in function comments
        mm/shmem.c: cast the type of unmap_start to u64
        mm: shmem: use proper gfp flags for shmem_writepage()
        mm/shmem.c: make array 'values' static const, makes object smaller
        userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
        fs/userfaultfd.c: wp: clear VM_UFFD_MISSING or VM_UFFD_WP during userfaultfd_register()
        userfaultfd: wrap the common dst_vma check into an inlined function
        userfaultfd: remove unnecessary WARN_ON() in __mcopy_atomic_hugetlb()
        userfaultfd: use vma_pagesize for all huge page size calculation
        mm/madvise.c: use PAGE_ALIGN[ED] for range checking
        mm/madvise.c: replace with page_size() in madvise_inject_error()
        mm/mmap.c: make vma_merge() comment more easy to understand
        mm/hwpoison-inject: use DEFINE_DEBUGFS_ATTRIBUTE to define debugfs fops
        autonuma: reduce cache footprint when scanning page tables
        autonuma: fix watermark checking in migrate_balanced_pgdat()
        ...
      596cf45c
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c3bfc5dd
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix several scatter gather list issues in kTLS code, from Jakub
          Kicinski.
      
       2) macb driver device remove has to kill the hresp_err_tasklet. From
          Chuhong Yuan.
      
       3) Several memory leak and reference count bug fixes in tipc, from Tung
          Nguyen.
      
       4) Fix mlx5 build error w/o ipv6, from Yue Haibing.
      
       5) Fix jumbo frame and other regressions in r8169, from Heiner
          Kallweit.
      
       6) Undo some BUG_ON()'s and replace them with WARN_ON_ONCE and proper
          error propagation/handling. From Paolo Abeni.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (24 commits)
        openvswitch: remove another BUG_ON()
        openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
        net: phy: realtek: fix using paged operations with RTL8105e / RTL8208
        r8169: fix resume on cable plug-in
        r8169: fix jumbo configuration for RTL8168evl
        net: emulex: benet: indent a Kconfig depends continuation line
        selftests: forwarding: fix race between packet receive and tc check
        net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
        net: ethernet: ti: ale: ensure vlan/mdb deleted when no members
        net/mlx5e: Fix build error without IPV6
        selftests: pmtu: use -oneline for ip route list cache
        tipc: fix duplicate SYN messages under link congestion
        tipc: fix wrong timeout input for tipc_wait_for_cond()
        tipc: fix wrong socket reference counter after tipc_sk_timeout() returns
        tipc: fix potential memory leak in __tipc_sendmsg()
        net: macb: add missed tasklet_kill
        selftests: bpf: correct perror strings
        selftests: bpf: test_sockmap: handle file creation failures gracefully
        net/tls: use sg_next() to walk sg entries
        net/tls: remove the dead inplace_crypto code
        ...
      c3bfc5dd