1. 06 Feb, 2019 4 commits
    • Russell King's avatar
      MAINTAINERS: add maintainer for SFF/SFP/SFP+ support · 2b1f86bf
      Russell King authored
      Add maintainer entry for SFF/SFP/SFP+ support.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2b1f86bf
    • Eric Dumazet's avatar
      rxrpc: bad unlock balance in rxrpc_recvmsg · 6dce3c20
      Eric Dumazet authored
      When either "goto wait_interrupted;" or "goto wait_error;"
      paths are taken, socket lock has already been released.
      
      This patch fixes following syzbot splat :
      
      WARNING: bad unlock balance detected!
      5.0.0-rc4+ #59 Not tainted
      -------------------------------------
      syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at:
      [<ffffffff86651353>] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
      but there are no more locks to release!
      
      other info that might help us debug this:
      1 lock held by syz-executor223/8256:
       #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
       #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798
      
      stack backtrace:
      CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline]
       print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368
       __lock_release kernel/locking/lockdep.c:3601 [inline]
       lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860
       sock_release_ownership include/net/sock.h:1471 [inline]
       release_sock+0x183/0x1c0 net/core/sock.c:2808
       rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
       sock_recvmsg_nosec net/socket.c:794 [inline]
       sock_recvmsg net/socket.c:801 [inline]
       sock_recvmsg+0xd0/0x110 net/socket.c:797
       __sys_recvfrom+0x1ff/0x350 net/socket.c:1845
       __do_sys_recvfrom net/socket.c:1863 [inline]
       __se_sys_recvfrom net/socket.c:1859 [inline]
       __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x446379
      Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
      RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
      R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: David Howells <dhowells@redhat.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dce3c20
    • Eric Dumazet's avatar
      mISDN: fix a race in dev_expire_timer() · bdcc5bc2
      Eric Dumazet authored
      Since mISDN_close() uses dev->pending to iterate over active
      timers, there is a chance that one timer got removed from the
      ->pending list in dev_expire_timer() but that the thread
      has not called yet wake_up_interruptible()
      
      So mISDN_close() could miss this and free dev before
      completion of at least one dev_expire_timer()
      
      syzbot was able to catch this race :
      
      BUG: KASAN: use-after-free in register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
      Write of size 8 at addr ffff88809fc18948 by task syz-executor1/24769
      
      CPU: 1 PID: 24769 Comm: syz-executor1 Not tainted 5.0.0-rc5 #60
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
       kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
       register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
       __lock_acquire+0x11f/0x4700 kernel/locking/lockdep.c:3224
       lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
       __wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
       __wake_up+0xe/0x10 kernel/sched/wait.c:145
       dev_expire_timer+0xe4/0x3b0 drivers/isdn/mISDN/timerdev.c:174
       call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
      protocol 88fb is buggy, dev hsr_slave_0
      protocol 88fb is buggy, dev hsr_slave_1
       expire_timers kernel/time/timer.c:1362 [inline]
       __run_timers kernel/time/timer.c:1681 [inline]
       __run_timers kernel/time/timer.c:1649 [inline]
       run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
       __do_softirq+0x266/0x95a kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x180/0x1d0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
       </IRQ>
      RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:101
      Code: 90 90 90 90 55 48 89 e5 48 8b 75 08 65 48 8b 04 25 40 ee 01 00 65 8b 15 98 12 92 7e 81 e2 00 01 1f 00 75 2b 8b 90 d8 12 00 00 <83> fa 02 75 20 48 8b 88 e0 12 00 00 8b 80 dc 12 00 00 48 8b 11 48
      RSP: 0018:ffff8880589b7a60 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: ffff888087ce25c0 RBX: 0000000000000001 RCX: ffffffff818f8ca3
      RDX: 0000000000000000 RSI: ffffffff818f8b48 RDI: 0000000000000001
      RBP: ffff8880589b7a60 R08: ffff888087ce25c0 R09: ffffed1015d25bd0
      R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffffea0001ae4680
      R13: ffffea0001ae4688 R14: 0000000000000000 R15: ffffea0001b41648
       PageIdle include/linux/page-flags.h:398 [inline]
       page_is_idle include/linux/page_idle.h:29 [inline]
       mark_page_accessed+0x618/0x1140 mm/swap.c:398
       touch_buffer fs/buffer.c:59 [inline]
       __find_get_block+0x312/0xcc0 fs/buffer.c:1298
       sb_find_get_block include/linux/buffer_head.h:338 [inline]
       recently_deleted fs/ext4/ialloc.c:682 [inline]
       find_inode_bit.isra.0+0x202/0x510 fs/ext4/ialloc.c:722
       __ext4_new_inode+0x14ad/0x52c0 fs/ext4/ialloc.c:914
       ext4_symlink+0x3f8/0xbe0 fs/ext4/namei.c:3096
       vfs_symlink fs/namei.c:4126 [inline]
       vfs_symlink+0x378/0x5d0 fs/namei.c:4112
       do_symlinkat+0x22b/0x290 fs/namei.c:4153
       __do_sys_symlink fs/namei.c:4172 [inline]
       __se_sys_symlink fs/namei.c:4170 [inline]
       __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x457b67
      Code: 0f 1f 00 b8 5c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d bb fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4d bb fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fff045ce0f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
      RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000457b67
      RDX: 00007fff045ce173 RSI: 00000000004bd63f RDI: 00007fff045ce160
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      R10: 0000000000000075 R11: 0000000000000202 R12: 0000000000000000
      R13: 0000000000000001 R14: 000000000000029b R15: 0000000000000001
      
      Allocated by task 24763:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_kmalloc mm/kasan/common.c:496 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
       kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
       kmalloc include/linux/slab.h:545 [inline]
       mISDN_open+0x9a/0x270 drivers/isdn/mISDN/timerdev.c:59
       misc_open+0x398/0x4c0 drivers/char/misc.c:141
       chrdev_open+0x247/0x6b0 fs/char_dev.c:417
       do_dentry_open+0x47d/0x1130 fs/open.c:771
       vfs_open+0xa0/0xd0 fs/open.c:880
       do_last fs/namei.c:3418 [inline]
       path_openat+0x10d7/0x4690 fs/namei.c:3534
       do_filp_open+0x1a1/0x280 fs/namei.c:3564
       do_sys_open+0x3fe/0x5d0 fs/open.c:1063
       __do_sys_openat fs/open.c:1090 [inline]
       __se_sys_openat fs/open.c:1084 [inline]
       __x64_sys_openat+0x9d/0x100 fs/open.c:1084
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 24762:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
       __cache_free mm/slab.c:3487 [inline]
       kfree+0xcf/0x230 mm/slab.c:3806
       mISDN_close+0x2a1/0x390 drivers/isdn/mISDN/timerdev.c:97
       __fput+0x2df/0x8d0 fs/file_table.c:278
       ____fput+0x16/0x20 fs/file_table.c:309
       task_work_run+0x14a/0x1c0 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:188 [inline]
       exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff88809fc18900
       which belongs to the cache kmalloc-192 of size 192
      The buggy address is located 72 bytes inside of
       192-byte region [ffff88809fc18900, ffff88809fc189c0)
      The buggy address belongs to the page:
      page:ffffea00027f0600 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0xffff88809fc18000
      flags: 0x1fffc0000000200(slab)
      raw: 01fffc0000000200 ffffea000269f648 ffffea00029f7408 ffff88812c3f0040
      raw: ffff88809fc18000 ffff88809fc18000 000000010000000b 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88809fc18800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff88809fc18880: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88809fc18900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
       ffff88809fc18980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
       ffff88809fc18a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bdcc5bc2
    • Andrew Lunn's avatar
      net: dsa: mv88e6xxx: Fix counting of ATU violations · 75c05a74
      Andrew Lunn authored
      The ATU port vector contains a bit per port of the switch. The code
      wrongly used it as a port number, and incremented a port counter. This
      resulted in the wrong interfaces counter being incremented, and
      potentially going off the end of the array of ports.
      
      Fix this by using the source port ID for the violation, which really
      is a port number.
      Reported-by: default avatarChris Healy <Chris.Healy@zii.aero>
      Tested-by: default avatarChris Healy <Chris.Healy@zii.aero>
      Fixes: 65f60e45 ("net: dsa: mv88e6xxx: Keep ATU/VTU violation statistics")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75c05a74
  2. 05 Feb, 2019 9 commits
    • David S. Miller's avatar
    • Guy Shattah's avatar
      net/mlx5e: Use the inner headers to determine tc/pedit offload limitation on decap flows · 1651925d
      Guy Shattah authored
      In packets that need to be decaped the internal headers
      have to be checked, not the external ones.
      
      Fixes: bdd66ac0 ("net/mlx5e: Disallow TC offloading of unsupported match/action combinations")
      Signed-off-by: default avatarGuy Shattah <sguy@mellanox.com>
      Reviewed-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      1651925d
    • Or Gerlitz's avatar
      net/mlx5e: Properly set steering match levels for offloaded TC decap rules · 6363651d
      Or Gerlitz authored
      The match level computed by the driver gets to be wrong for decap
      rules with wildcarded inner packet match such as:
      
      tc filter add dev vxlan_sys_4789 protocol all parent ffff: prio 2 flower
             enc_dst_ip 192.168.0.9 enc_key_id 100 enc_dst_port 4789
             action tunnel_key unset
             action mirred egress redirect dev eth1
      
      The FW errs for a missing matching meta-data indicator for the outer
      headers (where we do have a match), and a wrong matching meta-data
      indicator for the inner headers (where we don't have a match).
      
      Fix that by taking into account the matching on the tunnel info and
      relating the match level of the encapsulated packet to the firmware
      inner headers indicator in case of decap.
      
      As for vxlan we mandate a match on the tunnel udp dst port, and in general
      we practically madndate a match on the source or dest ip for any IP tunnel,
      the fix was done in a minimal manner around the tunnel match parsing code.
      
      Fixes: d708f902 ('net/mlx5e: Get the required HW match level while parsing TC flow matches')
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Reported-by: default avatarSlava Ovsiienko <viacheslavo@mellanox.com>
      Reviewed-by: default avatarJianbo Liu <jianbol@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      6363651d
    • Raed Salem's avatar
      net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance · 82eaa1fa
      Raed Salem authored
      At Innova IPsec TX offload data path a special software parser metadata
      is used to pass some packet attributes to the hardware, this metadata
      is passed using the Ethernet control segment of a WQE (a HW descriptor)
      header.
      
      The cited commit might nullify this header, hence the metadata is lost,
      this caused a significant performance drop during hw offloading
      operation.
      
      Fix by restoring the metadata at the Ethernet control segment in case
      it was nullified.
      
      Fixes: 37fdffb2 ("net/mlx5: WQ, fixes for fragmented WQ buffers API")
      Signed-off-by: default avatarRaed Salem <raeds@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      82eaa1fa
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · f09bef61
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Use CONFIG_NF_TABLES_INET from seltests, not NF_TABLES_INET.
         From Naresh Kamboju.
      
      2) Add a test to cover masquerading and redirect case, from Florian
         Westphal.
      
      3) Two packets coming from the same socket may race to set up NAT,
         ending up with different tuples and the packet losing race being
         dropped. Update nf_conntrack_tuple_taken() to exercise clash
         resolution for this case. From Martynas Pumputis and Florian
         Westphal.
      
      4) Unbind anonymous sets from the commit and abort path, this fixes
         a splat due to double set list removal/release in case that the
         transaction needs to be aborted.
      
      5) Do not preserve original output interface for packets that are
         redirected in the output chain when ip6_route_me_harder() is
         called. Otherwise packets end up going not going to the loopback
         device. From Eli Cooper.
      
      6) Fix bogus splat in nft_compat with CONFIG_REFCOUNT_FULL=y, this
         also simplifies the existing logic to deal with the list insertions
         of the xtables extensions. From Florian Westphal.
      
      Diffstat look rather larger than usual because of the new selftest, but
      Florian and I consider that having tests soon into the tree is good to
      improve coverage. If there's a different policy in this regard, please,
      let me know.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f09bef61
    • Florian Westphal's avatar
      netfilter: nft_compat: don't use refcount_inc on newly allocated entry · 947e492c
      Florian Westphal authored
      When I moved the refcount to refcount_t type I missed the fact that
      refcount_inc() will result in use-after-free warning with
      CONFIG_REFCOUNT_FULL=y builds.
      
      The correct fix would be to init the reference count to 1 at allocation
      time, but, unfortunately we cannot do this, as we can't undo that
      in case something else fails later in the batch.
      
      So only solution I see is to special-case the 'new entry' condition
      and replace refcount_inc() with a "delayed" refcount_set(1) in this case,
      as done here.
      
      The .activate callback can be removed to simplify things, we only
      need to make sure that deactivate() decrements/unlinks the entry
      from the list at end of transaction phase (commit or abort).
      
      Fixes: 12c44aba ("netfilter: nft_compat: use refcnt_t type for nft_xt reference count")
      Reported-by: default avatarJordan Glover <Golden_Miller83@protonmail.ch>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      947e492c
    • Eli Cooper's avatar
      netfilter: ipv6: Don't preserve original oif for loopback address · 15df03c6
      Eli Cooper authored
      Commit 508b0904 ("netfilter: ipv6: Preserve link scope traffic
      original oif") made ip6_route_me_harder() keep the original oif for
      link-local and multicast packets. However, it also affected packets
      for the loopback address because it used rt6_need_strict().
      
      REDIRECT rules in the OUTPUT chain rewrite the destination to loopback
      address; thus its oif should not be preserved. This commit fixes the bug
      that redirected local packets are being dropped. Actually the packet was
      not exactly dropped; Instead it was sent out to the original oif rather
      than lo. When a packet with daddr ::1 is sent to the router, it is
      effectively dropped.
      
      Fixes: 508b0904 ("netfilter: ipv6: Preserve link scope traffic original oif")
      Signed-off-by: default avatarEli Cooper <elicooper@gmx.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      15df03c6
    • Marc Zyngier's avatar
      net: dsa: Fix lockdep false positive splat · c8101f77
      Marc Zyngier authored
      Creating a macvtap on a DSA-backed interface results in the following
      splat when lockdep is enabled:
      
      [   19.638080] IPv6: ADDRCONF(NETDEV_CHANGE): lan0: link becomes ready
      [   23.041198] device lan0 entered promiscuous mode
      [   23.043445] device eth0 entered promiscuous mode
      [   23.049255]
      [   23.049557] ============================================
      [   23.055021] WARNING: possible recursive locking detected
      [   23.060490] 5.0.0-rc3-00013-g56c857a1b8d3 #118 Not tainted
      [   23.066132] --------------------------------------------
      [   23.071598] ip/2861 is trying to acquire lock:
      [   23.076171] 00000000f61990cb (_xmit_ETHER){+...}, at: dev_set_rx_mode+0x1c/0x38
      [   23.083693]
      [   23.083693] but task is already holding lock:
      [   23.089696] 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
      [   23.096774]
      [   23.096774] other info that might help us debug this:
      [   23.103494]  Possible unsafe locking scenario:
      [   23.103494]
      [   23.109584]        CPU0
      [   23.112093]        ----
      [   23.114601]   lock(_xmit_ETHER);
      [   23.117917]   lock(_xmit_ETHER);
      [   23.121233]
      [   23.121233]  *** DEADLOCK ***
      [   23.121233]
      [   23.127325]  May be due to missing lock nesting notation
      [   23.127325]
      [   23.134315] 2 locks held by ip/2861:
      [   23.137987]  #0: 000000003b766c72 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x338/0x4e0
      [   23.146231]  #1: 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
      [   23.153757]
      [   23.153757] stack backtrace:
      [   23.158243] CPU: 0 PID: 2861 Comm: ip Not tainted 5.0.0-rc3-00013-g56c857a1b8d3 #118
      [   23.166212] Hardware name: Globalscale Marvell ESPRESSOBin Board (DT)
      [   23.172843] Call trace:
      [   23.175358]  dump_backtrace+0x0/0x188
      [   23.179116]  show_stack+0x14/0x20
      [   23.182524]  dump_stack+0xb4/0xec
      [   23.185928]  __lock_acquire+0x123c/0x1860
      [   23.190048]  lock_acquire+0xc8/0x248
      [   23.193724]  _raw_spin_lock_bh+0x40/0x58
      [   23.197755]  dev_set_rx_mode+0x1c/0x38
      [   23.201607]  dev_set_promiscuity+0x3c/0x50
      [   23.205820]  dsa_slave_change_rx_flags+0x5c/0x70
      [   23.210567]  __dev_set_promiscuity+0x148/0x1e0
      [   23.215136]  __dev_set_rx_mode+0x74/0x98
      [   23.219167]  dev_uc_add+0x54/0x70
      [   23.222575]  macvlan_open+0x170/0x1d0
      [   23.226336]  __dev_open+0xe0/0x160
      [   23.229830]  __dev_change_flags+0x16c/0x1b8
      [   23.234132]  dev_change_flags+0x20/0x60
      [   23.238074]  do_setlink+0x2d0/0xc50
      [   23.241658]  __rtnl_newlink+0x5f8/0x6e8
      [   23.245601]  rtnl_newlink+0x50/0x78
      [   23.249184]  rtnetlink_rcv_msg+0x360/0x4e0
      [   23.253397]  netlink_rcv_skb+0xe8/0x130
      [   23.257338]  rtnetlink_rcv+0x14/0x20
      [   23.261012]  netlink_unicast+0x190/0x210
      [   23.265043]  netlink_sendmsg+0x288/0x350
      [   23.269075]  sock_sendmsg+0x18/0x30
      [   23.272659]  ___sys_sendmsg+0x29c/0x2c8
      [   23.276602]  __sys_sendmsg+0x60/0xb8
      [   23.280276]  __arm64_sys_sendmsg+0x1c/0x28
      [   23.284488]  el0_svc_common+0xd8/0x138
      [   23.288340]  el0_svc_handler+0x24/0x80
      [   23.292192]  el0_svc+0x8/0xc
      
      This looks fairly harmless (no actual deadlock occurs), and is
      fixed in a similar way to c6894dec ("bridge: fix lockdep
      addr_list_lock false positive splat") by putting the addr_list_lock
      in its own lockdep class.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8101f77
    • Rundong Ge's avatar
      net: dsa: slave: Don't propagate flag changes on down slave interfaces · 17ab4f61
      Rundong Ge authored
      The unbalance of master's promiscuity or allmulti will happen after ifdown
      and ifup a slave interface which is in a bridge.
      
      When we ifdown a slave interface , both the 'dsa_slave_close' and
      'dsa_slave_change_rx_flags' will clear the master's flags. The flags
      of master will be decrease twice.
      In the other hand, if we ifup the slave interface again, since the
      slave's flags were cleared the 'dsa_slave_open' won't set the master's
      flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
      will set the master's flags. The flags of master is increase once.
      
      Only propagating flag changes when a slave interface is up makes
      sure this does not happen. The 'vlan_dev_change_rx_flags' had the
      same problem and was fixed, and changes here follows that fix.
      
      Fixes: 91da11f8 ("net: Distributed Switch Architecture protocol support")
      Signed-off-by: default avatarRundong Ge <rdong.ge@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      17ab4f61
  3. 04 Feb, 2019 18 commits
  4. 03 Feb, 2019 7 commits
  5. 01 Feb, 2019 2 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · e7b81641
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2019-01-31
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) disable preemption in sender side of socket filters, from Alexei.
      
      2) fix two potential deadlocks in syscall bpf lookup and prog_register,
         from Martin and Alexei.
      
      3) fix BTF to allow typedef on func_proto, from Yonghong.
      
      4) two bpftool fixes, from Jiri and Paolo.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e7b81641
    • Eric Dumazet's avatar
      dccp: fool proof ccid_hc_[rt]x_parse_options() · 9b1f19d8
      Eric Dumazet authored
      Similarly to commit 276bdb82 ("dccp: check ccid before dereferencing")
      it is wise to test for a NULL ccid.
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
      RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
      Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
      kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
      RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
      RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
      RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
      R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
      R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
      kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
       dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
       sk_backlog_rcv include/net/sock.h:936 [inline]
       __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
       dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
       ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
       ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
       NF_HOOK include/linux/netfilter.h:289 [inline]
       NF_HOOK include/linux/netfilter.h:283 [inline]
       ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
       dst_input include/net/dst.h:450 [inline]
       ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
       NF_HOOK include/linux/netfilter.h:289 [inline]
       NF_HOOK include/linux/netfilter.h:283 [inline]
       ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
       __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
       __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
       process_backlog+0x206/0x750 net/core/dev.c:5923
       napi_poll net/core/dev.c:6346 [inline]
       net_rx_action+0x76d/0x1930 net/core/dev.c:6412
       __do_softirq+0x30b/0xb11 kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:654 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
       smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
       kthread+0x357/0x430 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      Modules linked in:
      ---[ end trace 58a0ba03bea2c376 ]---
      RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
      RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
      Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
      RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
      RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
      RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
      R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
      R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b1f19d8