1. 23 Apr, 2020 19 commits
    • mptcp/pm_netlink.c : add check for nla_put_in/6_addr · b4e0f9a9
      Bo YU authored
      Normally there should be a check for nla_put_in6_addr, like other
      usage in net.
      
      Detected by CoverityScan, CID# 1461639
      
      Fixes: 01cacb00 ("mptcp: add netlink-based PM")
      Signed-off-by: Bo YU <tsu.yubo@gmail.com>
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: ixp4xx: Add error handling in ixp4xx_eth_probe() · 6ed79cec
      Tang Bin authored
      The function ixp4xx_eth_probe() does not perform sufficient error
      checking after executing devm_ioremap_resource(), which can result
      in crashes if a critical error path is encountered.
      
      Fixes: f458ac47 ("ARM/net: ixp4xx: Pass ethernet physical base as resource")
      Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
      Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: fix adapter crash due to wrong MC size · ce222748
      Vishal Kulkarni authored
      In the absence of MC1, the size calculation function
      cudbg_mem_region_size() was returning wrong MC size and
      resulted in adapter crash. This patch adds new argument
      to cudbg_mem_region_size() which will have actual size
      and returns error to caller in the absence of MC1.
      
      Fixes: a1c69520 ("cxgb4: collect MC memory dump")
      Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'vxlan-geneve-use-the-correct-nlattr-array-for-extack' · da0afd1f
      David S. Miller authored
      Sabrina Dubroca says:
      
      ====================
      net: vxlan/geneve: use the correct nlattr array for extack
      
      The ->validate callbacks for vxlan and geneve have a couple of typos
      in extack, where the nlattr array for IFLA_* attributes is used
      instead of the link-specific one.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • geneve: use the correct nlattr array in NL_SET_ERR_MSG_ATTR · 9a7b5b50
      Sabrina Dubroca authored
      IFLA_GENEVE_* attributes are in the data array, which is correctly
      used when fetching the value, but not when setting the extended
      ack. Because IFLA_GENEVE_MAX < IFLA_MAX, we avoid out of bounds
      array accesses, but we don't provide a pointer to the invalid
      attribute to userspace.
      
      Fixes: a025fb5f ("geneve: Allow configuration of DF behaviour")
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxlan: use the correct nlattr array in NL_SET_ERR_MSG_ATTR · cc8e7c69
      Sabrina Dubroca authored
      IFLA_VXLAN_* attributes are in the data array, which is correctly
      used when fetching the value, but not when setting the extended
      ack. Because IFLA_VXLAN_MAX < IFLA_MAX, we avoid out of bounds
      array accesses, but we don't provide a pointer to the invalid
      attribute to userspace.
      
      Fixes: 653ef6a3 ("vxlan: change vxlan_[config_]validate() to use netlink_ext_ack for error reporting")
      Fixes: b4d30697 ("vxlan: Allow configuration of DF behaviour")
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: Fix some IS_ERR() vs NULL bugs · c391eb83
      Dan Carpenter authored
      The mlxsw_sp_acl_rulei_create() function is supposed to return an error
      pointer from mlxsw_afa_block_create().  The problem is that these
      functions both return NULL instead of error pointers.  Half the callers
      expect NULL and half expect error pointers so it could lead to a NULL
      dereference on failure.
      
      This patch changes both of them to return error pointers and changes all
      the callers which checked for NULL to check for IS_ERR() instead.
      
      Fixes: 4cda7d8d ("mlxsw: core: Introduce flexible actions support")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
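
The mismatch described in the mlxsw commit above, as an added userspace illustration that is not code from the patch or from mlxsw. ERR_PTR(), IS_ERR() and PTR_ERR() are re-created here after the kernel helpers of the same name; struct block, create_returns_null(), create_returns_errptr() and run_case() are hypothetical stand-ins for the constructors and their callers.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace re-creation of the kernel's error-pointer helpers:
 * the top MAX_ERRNO values of the address space encode -errno. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct block { int nrules; };               /* hypothetical object */
typedef struct block *(*create_fn)(bool fail);

/* Convention 1: failure is reported as NULL. */
static struct block *create_returns_null(bool fail)
{
	return fail ? NULL : calloc(1, sizeof(struct block));
}

/* Convention 2: failure is reported as an error pointer, never NULL. */
static struct block *create_returns_errptr(bool fail)
{
	struct block *b = fail ? NULL : calloc(1, sizeof(*b));

	return b ? b : ERR_PTR(-ENOMEM);
}

enum check { CHECK_NULL, CHECK_IS_ERR };
enum outcome { USED_OK, ERROR_HANDLED, WOULD_USE_INVALID };

/* Model one caller: apply its check style to the constructor's result.
 * WOULD_USE_INVALID marks the point where kernel code would go on to
 * dereference NULL or an error pointer; the model stops instead. */
static enum outcome run_case(create_fn create, enum check style, bool fail)
{
	struct block *b = create(fail);
	bool caught = (style == CHECK_NULL) ? (b == NULL) : IS_ERR(b);

	if (caught)
		return ERROR_HANDLED;
	if (b == NULL || IS_ERR(b))
		return WOULD_USE_INVALID;
	b->nrules++;
	free(b);
	return USED_OK;
}

int main(void)
{
	static const char *names[] = { "used ok", "error handled",
				       "would use invalid pointer" };

	/* IS_ERR(NULL) is false, so an IS_ERR() caller misses a NULL failure. */
	printf("NULL ctor,    IS_ERR check: %s\n",
	       names[run_case(create_returns_null, CHECK_IS_ERR, true)]);
	printf("NULL ctor,    NULL check:   %s\n",
	       names[run_case(create_returns_null, CHECK_NULL, true)]);
	/* After converting the constructor, NULL checks must be converted too. */
	printf("ERR_PTR ctor, NULL check:   %s\n",
	       names[run_case(create_returns_errptr, CHECK_NULL, true)]);
	printf("ERR_PTR ctor, IS_ERR check: %s\n",
	       names[run_case(create_returns_errptr, CHECK_IS_ERR, true)]);
	return 0;
}
```

The two mismatched rows show why a fix of this kind has to change the constructors and every caller's check together.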
    • net: phy: marvell10g: limit soft reset to 88x3310 · 829e7573
      Baruch Siach authored
      The MV_V2_PORT_CTRL_SWRST bit in MV_V2_PORT_CTRL is reserved on 88E2110.
      Setting SWRST on 88E2110 breaks packets transfer after interface down/up
      cycle.
      
      Fixes: 8f48c2ac ("net: marvell10g: soft-reset the PHY when coming out of low power")
      Signed-off-by: Baruch Siach <baruch@tkos.co.il>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: Update fib_select_default to handle nexthop objects · 7c74b0be
      David Ahern authored
      A user reported [0] hitting the WARN_ON in fib_info_nh:
      
          [ 8633.839816] ------------[ cut here ]------------
          [ 8633.839819] WARNING: CPU: 0 PID: 1719 at include/net/nexthop.h:251 fib_select_path+0x303/0x381
          ...
          [ 8633.839846] RIP: 0010:fib_select_path+0x303/0x381
          ...
          [ 8633.839848] RSP: 0018:ffffb04d407f7d00 EFLAGS: 00010286
          [ 8633.839850] RAX: 0000000000000000 RBX: ffff9460b9897ee8 RCX: 00000000000000fe
          [ 8633.839851] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
          [ 8633.839852] RBP: ffff946076049850 R08: 0000000059263a83 R09: ffff9460840e4000
          [ 8633.839853] R10: 0000000000000014 R11: 0000000000000000 R12: ffffb04d407f7dc0
          [ 8633.839854] R13: ffffffffa4ce3240 R14: 0000000000000000 R15: ffff9460b7681f60
          [ 8633.839857] FS:  00007fcac2e02700(0000) GS:ffff9460bdc00000(0000) knlGS:0000000000000000
          [ 8633.839858] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          [ 8633.839859] CR2: 00007f27beb77e28 CR3: 0000000077734000 CR4: 00000000000006f0
          [ 8633.839867] Call Trace:
          [ 8633.839871]  ip_route_output_key_hash_rcu+0x421/0x890
          [ 8633.839873]  ip_route_output_key_hash+0x5e/0x80
          [ 8633.839876]  ip_route_output_flow+0x1a/0x50
          [ 8633.839878]  __ip4_datagram_connect+0x154/0x310
          [ 8633.839880]  ip4_datagram_connect+0x28/0x40
          [ 8633.839882]  __sys_connect+0xd6/0x100
          ...
      
      The WARN_ON is triggered in fib_select_default which is invoked when
      there are multiple default routes. Update the function to use
      fib_info_nhc and convert the nexthop checks to use fib_nh_common.
      
      Add test case that covers the affected code path.
      
      [0] https://github.com/FRRouting/frr/issues/6089
      
      Fixes: 493ced1a ("ipv4: Allow routes to use nexthop objects")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netlabel: Kconfig: Update reference for NetLabel Tools project · c0259664
      Salvatore Bonaccorso authored
      The NetLabel Tools project has moved from http://netlabel.sf.net to a
      GitHub project. Update to directly refer to the new home for the tools.
      Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
      Acked-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: update dpaa2-eth maintainer list · 31fa51ad
      Ioana Ciornei authored
      Add myself as another maintainer of dpaa2-eth.
      Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mptcp: fix data_fin handing in RX path · 9a19371b
      Paolo Abeni authored
      The data fin flag is set only via a DSS option, but
      mptcp_incoming_options() copies it unconditionally from the
      provided RX options.
      
      Since we do not clear all the mptcp sock RX options in a
      socket free/alloc cycle, we can end-up with a stray data_fin
      value while parsing e.g. MPC packets.
      
      That would lead to mapping data corruption and will trigger
      a few WARN_ON() in the RX path.
      
      Instead of adding a costly memset(), fetch the data_fin flag
      only for DSS packets - when we always explicitly initialize
      such bit at option parsing time.
      
      Fixes: 648ef4b8 ("mptcp: Implement MPTCP receive path")
      Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vrf: Fix IPv6 with qdisc and xfrm · a53c1028
      David Ahern authored
      When a qdisc is attached to the VRF device, the packet goes down the ndo
      xmit function which is setup to send the packet back to the VRF driver
      which does a lookup to send the packet out. The lookup in the VRF driver
      is not considering xfrm policies. Change it to use ip6_dst_lookup_flow
      rather than ip6_route_output.
      
      Fixes: 35402e31 ("net: Add IPv6 support to VRF device")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Documentation: add documentation of ping_group_range · 5cc4adbc
      Stephen Hemminger authored
      Support for non-root users to send ICMP ECHO requests was added
      back in Linux 3.0 kernel, but the documentation for the sysctl
      to enable it has been missing.
      Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'sctp-fixes' · 609120c5
      David S. Miller authored
      Jere Leppänen says:
      
      ====================
      sctp: Fix problems with peer restart when in SHUTDOWN-PENDING state and socket is closed
      
      These patches are related to the scenario described in commit
      bdf6fa52 ("sctp: handle association restarts when the socket is
      closed."). To recap, when our association is in SHUTDOWN-PENDING state
      and we've closed our one-to-one socket, while the peer crashes without
      being detected, restarts and reconnects using the same addresses and
      ports, we start association shutdown.
      
      In this case, Cumulative TSN Ack in the SHUTDOWN that we send has
      always been incorrect. Additionally, bundling of the SHUTDOWN with the
      COOKIE-ACK was broken by a later commit. This series fixes both of
      these issues.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: Fix SHUTDOWN CTSN Ack in the peer restart case · 12dfd78e
      Jere Leppänen authored
      When starting shutdown in sctp_sf_do_dupcook_a(), get the value for
      SHUTDOWN Cumulative TSN Ack from the new association, which is
      reconstructed from the cookie, instead of the old association, which
      the peer doesn't have anymore.
      
      Otherwise the SHUTDOWN is either ignored or replied to with an ABORT
      by the peer because CTSN Ack doesn't match the peer's Initial TSN.
      
      Fixes: bdf6fa52 ("sctp: handle association restarts when the socket is closed.")
      Signed-off-by: Jere Leppänen <jere.leppanen@nokia.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: Fix bundling of SHUTDOWN with COOKIE-ACK · 145cb2f7
      Jere Leppänen authored
      When we start shutdown in sctp_sf_do_dupcook_a(), we want to bundle
      the SHUTDOWN with the COOKIE-ACK to ensure that the peer receives them
      at the same time and in the correct order. This bundling was broken by
      commit 4ff40b86 ("sctp: set chunk transport correctly when it's a
      new asoc"), which assigns a transport for the COOKIE-ACK, but not for
      the SHUTDOWN.
      
      Fix this by passing a reference to the COOKIE-ACK chunk as an argument
      to sctp_sf_do_9_2_start_shutdown() and onward to
      sctp_make_shutdown(). This way the SHUTDOWN chunk is assigned the same
      transport as the COOKIE-ACK chunk, which allows them to be bundled.
      
      In sctp_sf_do_9_2_start_shutdown(), the void *arg parameter was
      previously unused. Now that we're taking it into use, it must be a
      valid pointer to a chunk, or NULL. There is only one call site where
      it's not, in sctp_sf_autoclose_timer_expire(). Fix that too.
      
      Fixes: 4ff40b86 ("sctp: set chunk transport correctly when it's a new asoc")
      Signed-off-by: Jere Leppänen <jere.leppanen@nokia.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: don't fail to probe if we couldn't set the MTU · 72579e14
      Vladimir Oltean authored
      There is no reason to fail the probing of the switch if the MTU couldn't
      be configured correctly (either the switch port itself, or the host
      port) for whatever reason. MTU-sized traffic probably won't work, sure,
      but we can still probably limp on and support some form of communication
      anyway, which the users would probably appreciate more.
      
      Fixes: bfcb8132 ("net: dsa: configure the MTU for switch ports")
      Reported-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sched: etf: do not assume all sockets are full blown · a1211bf9
      Eric Dumazet authored
      skb->sk does not always point to a full blown socket,
      we need to use sk_fullsock() before accessing fields which
      only make sense on full socket.
      
      BUG: KASAN: use-after-free in report_sock_error+0x286/0x300 net/sched/sch_etf.c:141
      Read of size 1 at addr ffff88805eb9b245 by task syz-executor.5/9630
      
      CPU: 1 PID: 9630 Comm: syz-executor.5 Not tainted 5.7.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x188/0x20d lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
       __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
       kasan_report+0x33/0x50 mm/kasan/common.c:625
       report_sock_error+0x286/0x300 net/sched/sch_etf.c:141
       etf_enqueue_timesortedlist+0x389/0x740 net/sched/sch_etf.c:170
       __dev_xmit_skb net/core/dev.c:3710 [inline]
       __dev_queue_xmit+0x154a/0x30a0 net/core/dev.c:4021
       neigh_hh_output include/net/neighbour.h:499 [inline]
       neigh_output include/net/neighbour.h:508 [inline]
       ip6_finish_output2+0xfb5/0x25b0 net/ipv6/ip6_output.c:117
       __ip6_finish_output+0x442/0xab0 net/ipv6/ip6_output.c:143
       ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
       NF_HOOK_COND include/linux/netfilter.h:296 [inline]
       ip6_output+0x239/0x810 net/ipv6/ip6_output.c:176
       dst_output include/net/dst.h:435 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip6_xmit+0xe1a/0x2090 net/ipv6/ip6_output.c:280
       tcp_v6_send_synack+0x4e7/0x960 net/ipv6/tcp_ipv6.c:521
       tcp_rtx_synack+0x10d/0x1a0 net/ipv4/tcp_output.c:3916
       inet_rtx_syn_ack net/ipv4/inet_connection_sock.c:669 [inline]
       reqsk_timer_handler+0x4c2/0xb40 net/ipv4/inet_connection_sock.c:763
       call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1405
       expire_timers kernel/time/timer.c:1450 [inline]
       __run_timers kernel/time/timer.c:1774 [inline]
       __run_timers kernel/time/timer.c:1741 [inline]
       run_timer_softirq+0x623/0x1600 kernel/time/timer.c:1787
       __do_softirq+0x26c/0x9f7 kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x192/0x1d0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:546 [inline]
       smp_apic_timer_interrupt+0x19e/0x600 arch/x86/kernel/apic/apic.c:1140
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
       </IRQ>
      RIP: 0010:des_encrypt+0x157/0x9c0 lib/crypto/des.c:792
      Code: 85 22 06 00 00 41 31 dc 41 8b 4d 04 44 89 e2 41 83 e4 3f 4a 8d 3c a5 60 72 72 88 81 e2 3f 3f 3f 3f 48 89 f8 48 c1 e8 03 31 d9 <0f> b6 34 28 48 89 f8 c1 c9 04 83 e0 07 83 c0 03 40 38 f0 7c 09 40
      RSP: 0018:ffffc90003b5f6c0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
      RAX: 1ffffffff10e4e55 RBX: 00000000d2f846d0 RCX: 00000000d2f846d0
      RDX: 0000000012380612 RSI: ffffffff839863ca RDI: ffffffff887272a8
      RBP: dffffc0000000000 R08: ffff888091d0a380 R09: 0000000000800081
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000012
      R13: ffff8880a8ae8078 R14: 00000000c545c93e R15: 0000000000000006
       cipher_crypt_one crypto/cipher.c:75 [inline]
       crypto_cipher_encrypt_one+0x124/0x210 crypto/cipher.c:82
       crypto_cbcmac_digest_update+0x1b5/0x250 crypto/ccm.c:830
       crypto_shash_update+0xc4/0x120 crypto/shash.c:119
       shash_ahash_update+0xa3/0x110 crypto/shash.c:246
       crypto_ahash_update include/crypto/hash.h:547 [inline]
       hash_sendmsg+0x518/0xad0 crypto/algif_hash.c:102
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:672
       ____sys_sendmsg+0x308/0x7e0 net/socket.c:2362
       ___sys_sendmsg+0x100/0x170 net/socket.c:2416
       __sys_sendmmsg+0x195/0x480 net/socket.c:2506
       __do_sys_sendmmsg net/socket.c:2535 [inline]
       __se_sys_sendmmsg net/socket.c:2532 [inline]
       __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x45c829
      Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f6d9528ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00000000004fc080 RCX: 000000000045c829
      RDX: 0000000000000001 RSI: 0000000020002640 RDI: 0000000000000004
      RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000008d7 R14: 00000000004cb7aa R15: 00007f6d9528f6d4
      
      Fixes: 4b15c707 ("net/sched: Make etf report drops on error_queue")
      Fixes: 25db26a9 ("net/sched: Introduce the ETF Qdisc")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
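
Why the sk_fullsock() guard in the etf commit above matters, as an added userspace model that is not code from the patch or from sch_etf.c. The TCP state numbers and the state test follow the kernel's tcp_states.h and sk_fullsock(); the struct layouts, the report_errors field and the classify/report functions are simplified assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* TCP state numbers as defined in the kernel's include/net/tcp_states.h. */
enum { TCP_ESTABLISHED = 1, TCP_TIME_WAIT = 6, TCP_NEW_SYN_RECV = 12 };
#define TCPF_TIME_WAIT    (1 << TCP_TIME_WAIT)
#define TCPF_NEW_SYN_RECV (1 << TCP_NEW_SYN_RECV)

/* Simplified layouts (assumption): every socket flavour starts with the
 * same common header, but only the full socket has the later fields. */
struct sock_common_model { unsigned char skc_state; };

struct request_sock_model {            /* mini socket for a pending SYN */
	struct sock_common_model common;
	unsigned int num_retrans;
};

struct full_sock_model {
	struct sock_common_model common;
	char other_state[256];
	unsigned char report_errors;   /* hypothetical full-socket-only flag */
};

/* Same test the kernel's sk_fullsock() performs on the socket state. */
static bool sk_fullsock_model(const struct sock_common_model *sk)
{
	return ((1 << sk->skc_state) &
		~(TCPF_TIME_WAIT | TCPF_NEW_SYN_RECV)) != 0;
}

enum access { ACCESS_SKIPPED, ACCESS_IN_BOUNDS, ACCESS_OUT_OF_BOUNDS };

/* Would reading report_errors stay inside an object of obj_size bytes?
 * The model only computes this; it never performs the bad read. */
static enum access classify_read(size_t obj_size)
{
	size_t end = offsetof(struct full_sock_model, report_errors) +
		     sizeof(unsigned char);

	return end <= obj_size ? ACCESS_IN_BOUNDS : ACCESS_OUT_OF_BOUNDS;
}

/* Unguarded: treats whatever skb->sk points at as a full socket. */
static enum access report_error_unchecked(const struct sock_common_model *sk,
					  size_t obj_size)
{
	(void)sk;
	return classify_read(obj_size);
}

/* Guarded: touches full-socket fields only after the state check. */
static enum access report_error_checked(const struct sock_common_model *sk,
					size_t obj_size)
{
	if (!sk_fullsock_model(sk))
		return ACCESS_SKIPPED;
	return classify_read(obj_size);
}

int main(void)
{
	/* Constructed sample objects: a SYN-ACK retransmit carries a request
	 * socket, as in the tcp_rtx_synack() path of the trace above. */
	struct request_sock_model req = { { TCP_NEW_SYN_RECV }, 0 };
	struct full_sock_model full = { { TCP_ESTABLISHED }, { 0 }, 1 };

	printf("request sock, unchecked: %d\n",
	       report_error_unchecked(&req.common, sizeof(req)));
	printf("request sock, checked:   %d\n",
	       report_error_checked(&req.common, sizeof(req)));
	printf("full sock,    checked:   %d\n",
	       report_error_checked(&full.common, sizeof(full)));
	return 0;
}
```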
  2. 22 Apr, 2020 12 commits
  3. 21 Apr, 2020 8 commits
    • net: stmmac: Enable SERDES power up/down sequence · b9663b7c
      Voon Weifeng authored
      This patch is to enable Intel SERDES power up/down sequence. The SERDES
      converts 8/10 bits data to SGMII signal. Below is an example of
      HW configuration for SGMII mode. The SERDES is located in the PHY IF
      in the diagram below.
      
      <-----------------GBE Controller---------->|<--External PHY chip-->
      +----------+         +----+            +---+           +----------+
      |   EQoS   | <-GMII->| DW | < ------ > |PHY| <-SGMII-> | External |
      |   MAC    |         |xPCS|            |IF |           | PHY      |
      +----------+         +----+            +---+           +----------+
             ^               ^                 ^                ^
             |               |                 |                |
             +---------------------MDIO-------------------------+
      
      PHY IF configuration and status registers are accessible through
      mdio address 0x15 which is defined as mdio_adhoc_addr. During D0,
      the driver will need to power up PHY IF by changing the power state
      to P0. Likewise, for D3, the driver sets PHY IF power state to P3.
      Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
      Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: broadcom: convert to devm_platform_ioremap_resource_byname() · d7a5502b
      Dejin Zheng authored
      Use the function devm_platform_ioremap_resource_byname() to simplify
      source code which calls the functions platform_get_resource_byname()
      and devm_ioremap_resource(). Remove also a few error messages which
      became unnecessary with this software refactoring.
      Suggested-by: Markus Elfring <Markus.Elfring@web.de>
      Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • macvlan: fix null dereference in macvlan_device_event() · 4dee15b4
      Taehee Yoo authored
      In the macvlan_device_event(), the list_first_entry_or_null() is used.
      This function could return null pointer if there is no node.
      But, the macvlan module doesn't check the null pointer.
      So, null-ptr-deref would occur.
      
            bond0
              |
         +----+-----+
         |          |
      macvlan0   macvlan1
         |          |
       dummy0     dummy1
      
      The problem scenario.
      If dummy1 is removed,
      1. ->dellink() of dummy1 is called.
      2. NETDEV_UNREGISTER of dummy1 notification is sent to macvlan module.
      3. ->dellink() of macvlan1 is called.
      4. NETDEV_UNREGISTER of macvlan1 notification is sent to bond module.
      5. __bond_release_one() is called and it internally calls
         dev_set_mac_address().
      6. dev_set_mac_address() calls the ->ndo_set_mac_address() of macvlan1,
         which is macvlan_set_mac_address().
      7. macvlan_set_mac_address() calls the dev_set_mac_address() with dummy1.
      8. NETDEV_CHANGEADDR of dummy1 is sent to macvlan module.
      9. In the macvlan_device_event(), it calls list_first_entry_or_null().
      At this point, dummy1 and macvlan1 were removed.
      So, list_first_entry_or_null() will return NULL.
      
      Test commands:
          ip netns add nst
          ip netns exec nst ip link add bond0 type bond
          for i in {0..10}
          do
              ip netns exec nst ip link add dummy$i type dummy
              ip netns exec nst ip link add macvlan$i link dummy$i \
                      type macvlan mode passthru
              ip netns exec nst ip link set macvlan$i master bond0
          done
          ip netns del nst
      
      Splat looks like:
      [   40.585687][  T146] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEI
      [   40.587249][  T146] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      [   40.588342][  T146] CPU: 1 PID: 146 Comm: kworker/u8:2 Not tainted 5.7.0-rc1+ #532
      [   40.589299][  T146] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   40.590469][  T146] Workqueue: netns cleanup_net
      [   40.591045][  T146] RIP: 0010:macvlan_device_event+0x4e2/0x900 [macvlan]
      [   40.591905][  T146] Code: 00 00 00 00 00 fc ff df 80 3c 06 00 0f 85 45 02 00 00 48 89 da 48 b8 00 00 00 00 00 fc ff d2
      [   40.594126][  T146] RSP: 0018:ffff88806116f4a0 EFLAGS: 00010246
      [   40.594783][  T146] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [   40.595653][  T146] RDX: 0000000000000000 RSI: ffff88806547ddd8 RDI: ffff8880540f1360
      [   40.596495][  T146] RBP: ffff88804011a808 R08: fffffbfff4fb8421 R09: fffffbfff4fb8421
      [   40.597377][  T146] R10: ffffffffa7dc2107 R11: 0000000000000000 R12: 0000000000000008
      [   40.598186][  T146] R13: ffff88804011a000 R14: ffff8880540f1000 R15: 1ffff1100c22de9a
      [   40.599012][  T146] FS:  0000000000000000(0000) GS:ffff888067800000(0000) knlGS:0000000000000000
      [   40.600004][  T146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   40.600665][  T146] CR2: 00005572d3a807b8 CR3: 000000005fcf4003 CR4: 00000000000606e0
      [   40.601485][  T146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   40.602461][  T146] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   40.603443][  T146] Call Trace:
      [   40.603871][  T146]  ? nf_tables_dump_setelem+0xa0/0xa0 [nf_tables]
      [   40.604587][  T146]  ? macvlan_uninit+0x100/0x100 [macvlan]
      [   40.605212][  T146]  ? __module_text_address+0x13/0x140
      [   40.605842][  T146]  notifier_call_chain+0x90/0x160
      [   40.606477][  T146]  dev_set_mac_address+0x28e/0x3f0
      [   40.607117][  T146]  ? netdev_notify_peers+0xc0/0xc0
      [   40.607762][  T146]  ? __module_text_address+0x13/0x140
      [   40.608440][  T146]  ? notifier_call_chain+0x90/0x160
      [   40.609097][  T146]  ? dev_set_mac_address+0x1f0/0x3f0
      [   40.609758][  T146]  dev_set_mac_address+0x1f0/0x3f0
      [   40.610402][  T146]  ? __local_bh_enable_ip+0xe9/0x1b0
      [   40.611071][  T146]  ? bond_hw_addr_flush+0x77/0x100 [bonding]
      [   40.611823][  T146]  ? netdev_notify_peers+0xc0/0xc0
      [   40.612461][  T146]  ? bond_hw_addr_flush+0x77/0x100 [bonding]
      [   40.613213][  T146]  ? bond_hw_addr_flush+0x77/0x100 [bonding]
      [   40.613963][  T146]  ? __local_bh_enable_ip+0xe9/0x1b0
      [   40.614631][  T146]  ? bond_time_in_interval.isra.31+0x90/0x90 [bonding]
      [   40.615484][  T146]  ? __bond_release_one+0x9f0/0x12c0 [bonding]
      [   40.616230][  T146]  __bond_release_one+0x9f0/0x12c0 [bonding]
      [   40.616949][  T146]  ? bond_enslave+0x47c0/0x47c0 [bonding]
      [   40.617642][  T146]  ? lock_downgrade+0x730/0x730
      [   40.618218][  T146]  ? check_flags.part.42+0x450/0x450
      [   40.618850][  T146]  ? __mutex_unlock_slowpath+0xd0/0x670
      [   40.619519][  T146]  ? trace_hardirqs_on+0x30/0x180
      [   40.620117][  T146]  ? wait_for_completion+0x250/0x250
      [   40.620754][  T146]  bond_netdev_event+0x822/0x970 [bonding]
      [   40.621460][  T146]  ? __module_text_address+0x13/0x140
      [   40.622097][  T146]  notifier_call_chain+0x90/0x160
      [   40.622806][  T146]  rollback_registered_many+0x660/0xcf0
      [   40.623522][  T146]  ? netif_set_real_num_tx_queues+0x780/0x780
      [   40.624290][  T146]  ? notifier_call_chain+0x90/0x160
      [   40.624957][  T146]  ? netdev_upper_dev_unlink+0x114/0x180
      [   40.625686][  T146]  ? __netdev_adjacent_dev_unlink_neighbour+0x30/0x30
      [   40.626421][  T146]  ? mutex_is_locked+0x13/0x50
      [   40.627016][  T146]  ? unregister_netdevice_queue+0xf2/0x240
      [   40.627663][  T146]  unregister_netdevice_many.part.134+0x13/0x1b0
      [   40.628362][  T146]  default_device_exit_batch+0x2d9/0x390
      [   40.628987][  T146]  ? unregister_netdevice_many+0x40/0x40
      [   40.629615][  T146]  ? dev_change_net_namespace+0xcb0/0xcb0
      [   40.630279][  T146]  ? prepare_to_wait_exclusive+0x2e0/0x2e0
      [   40.630943][  T146]  ? ops_exit_list.isra.9+0x97/0x140
      [   40.631554][  T146]  cleanup_net+0x441/0x890
      [ ... ]
      
      Fixes: e289fd28 ("macvlan: fix the problem when mac address changes for passthru mode")
      Reported-by: syzbot+5035b1f9dc7ea4558d5a@syzkaller.appspotmail.com
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • e1000: remove unneeded conversion to bool · c95576a3
      Jason Yan authored
      The '==' expression itself is bool, no need to convert it to bool again.
      This fixes the following coccicheck warning:
      
      drivers/net/ethernet/intel/e1000/e1000_main.c:1479:44-49: WARNING:
      conversion to bool not needed here
      Signed-off-by: Jason Yan <yanaijie@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • i40e: Remove unneeded conversion to bool · 7ff4f063
      Jason Yan authored
      The '==' expression itself is bool, no need to convert it to bool again.
      This fixes the following coccicheck warning:
      
      drivers/net/ethernet/intel/i40e/i40e_main.c:1614:52-57: WARNING:
      conversion to bool not needed here
      drivers/net/ethernet/intel/i40e/i40e_main.c:11439:52-57: WARNING:
      conversion to bool not needed here
      Signed-off-by: Jason Yan <yanaijie@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ptp: Remove unneeded conversion to bool · e9a9e519
      Jason Yan authored
      The '==' expression itself is bool, no need to convert it to bool again.
      This fixes the following coccicheck warning:
      
      drivers/ptp/ptp_ines.c:403:55-60: WARNING: conversion to bool not
      needed here
      drivers/ptp/ptp_ines.c:404:55-60: WARNING: conversion to bool not
      needed here
      Signed-off-by: Jason Yan <yanaijie@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cgroup, netclassid: remove double cond_resched · 526f3d96
      Jiri Slaby authored
      Commit 018d26fc ("cgroup, netclassid: periodically release file_lock
      on classid") added a second cond_resched to write_classid indirectly by
      update_classid_task. Remove the one in write_classid.
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Cc: Dmitry Yakunin <zeil@yandex-team.ru>
      Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 76fc6a9a
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) flow_block_cb memleak in nf_flow_table_offload_del_cb(), from Roi Dayan.
      
      2) Fix error path handling in nf_nat_inet_register_fn(), from Hillf Danton.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 20 Apr, 2020 1 commit