1. 07 Mar, 2020 8 commits
    • Shannon Nelson's avatar
      ionic: fix vf op lock usage · e396ce5f
      Shannon Nelson authored
      These are a couple of read locks that should be write locks.
      
      Fixes: fbb39807 ("ionic: support sr-iov operations")
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Reviewed-by: default avatarParav Pandit <parav@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e396ce5f
    • Eric Dumazet's avatar
      bonding/alb: make sure arp header is pulled before accessing it · b7469e83
      Eric Dumazet authored
      Similar to commit 38f88c45 ("bonding/alb: properly access headers
      in bond_alb_xmit()"), we need to make sure arp header was pulled
      in skb->head before blindly accessing it in rlb_arp_xmit().
      
      Remove arp_pkt() private helper, since it is more readable/obvious
      to have the following construct back to back :
      
      	if (!pskb_network_may_pull(skb, sizeof(*arp)))
      		return NULL;
      	arp = (struct arp_pkt *)skb_network_header(skb);
      
      syzbot reported :
      
      BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
      BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
      BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
      CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
       rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
       bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
       __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
       bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
       __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
       netdev_start_xmit include/linux/netdevice.h:4538 [inline]
       xmit_one net/core/dev.c:3470 [inline]
       dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
       __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
       packet_snd net/packet/af_packet.c:2967 [inline]
       packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       __sys_sendto+0xc1b/0xc50 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2006
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45c479
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
      RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
      RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
       sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
       packet_alloc_skb net/packet/af_packet.c:2815 [inline]
       packet_snd net/packet/af_packet.c:2910 [inline]
       packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       __sys_sendto+0xc1b/0xc50 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2006
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7469e83
    • David S. Miller's avatar
      Merge branch 'QorIQ-DPAA-FMan-erratum-A050385-workaround' · 172fd3eb
      David S. Miller authored
      Madalin Bucur says:
      
      ====================
      QorIQ DPAA FMan erratum A050385 workaround
      
      Changes in v2:
       - added CONFIG_DPAA_ERRATUM_A050385
       - removed unnecessary parenthesis
       - changed alignment defines to use only decimal values
      
      The patch set implements the workaround for FMan erratum A050385:
      
      FMAN DMA read or writes under heavy traffic load may cause FMAN
      internal resource leak; thus stopping further packet processing.
      To reproduce this issue when the workaround is not applied, one
      needs to ensure the FMan DMA transaction queue is already full
      when a transaction split occurs so the system must be under high
      traffic load (i.e. multiple ports at line rate). After the errata
      occurs, the traffic stops. The only SoC impacted by this is the
      LS1043A, the other ARM DPAA 1 SoC or the PPC DPAA 1 SoCs do not
      have this erratum.
      
      The FMAN internal queue can overflow when FMAN splits single
      read or write transactions into multiple smaller transactions
      such that more than 17 AXI transactions are in flight from FMAN
      to interconnect. When the FMAN internal queue overflows, it can
      stall further packet processing. The issue can occur with any one
      of the following three conditions:
      
        1. FMAN AXI transaction crosses 4K address boundary (Errata
               A010022)
        2. FMAN DMA address for an AXI transaction is not 16 byte
               aligned, i.e. the last 4 bits of an address are non-zero
        3. Scatter Gather (SG) frames have more than one SG buffer in
               the SG list and any one of the buffers, except the last
               buffer in the SG list has data size that is not a multiple
               of 16 bytes, i.e., other than 16, 32, 48, 64, etc.
      
      With any one of the above three conditions present, there is
      likelihood of stalled FMAN packet processing, especially under
      stress with multiple ports injecting line-rate traffic.
      
      To avoid situations that stall FMAN packet processing, all of the
      above three conditions must be avoided; therefore, configure the
      system with the following rules:
      
        1. Frame buffers must not span a 4KB address boundary, unless
               the frame start address is 256 byte aligned
        2. All FMAN DMA start addresses (for example, BMAN buffer
               address, FD[address] + FD[offset]) are 16B aligned
        3. SG table and buffer addresses are 16B aligned and the size
               of SG buffers are multiple of 16 bytes, except for the last
               SG buffer that can be of any size.
      
      Additional workaround notes:
      - Address alignment of 64 bytes is recommended for maximally
      efficient system bus transactions (although 16 byte alignment is
      sufficient to avoid the stall condition)
      - To support frame sizes that are larger than 4K bytes, there are
      two options:
        1. Large single buffer frames that span a 4KB page boundary can
               be converted into SG frames to avoid transaction splits at
               the 4KB boundary,
        2. Align the large single buffer to 256B address boundaries,
               ensure that the frame address plus offset is 256B aligned.
      - If software generated SG frames have buffers that are unaligned
      and with random non-multiple of 16 byte lengths, before
      transmitting such frames via FMAN, frames will need to be copied
      into a new single buffer or multiple buffer SG frame that is
      compliant with the three rules listed above.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      172fd3eb
    • Madalin Bucur's avatar
      dpaa_eth: FMan erratum A050385 workaround · 3c68b8ff
      Madalin Bucur authored
      Align buffers, data start, SG fragment length to avoid DMA splits.
      These changes prevent the A050385 erratum to manifest itself:
      
      FMAN DMA read or writes under heavy traffic load may cause FMAN
      internal resource leak; thus stopping further packet processing.
      
      The FMAN internal queue can overflow when FMAN splits single
      read or write transactions into multiple smaller transactions
      such that more than 17 AXI transactions are in flight from FMAN
      to interconnect. When the FMAN internal queue overflows, it can
      stall further packet processing. The issue can occur with any one
      of the following three conditions:
      
        1. FMAN AXI transaction crosses 4K address boundary (Errata
      	 A010022)
        2. FMAN DMA address for an AXI transaction is not 16 byte
      	 aligned, i.e. the last 4 bits of an address are non-zero
        3. Scatter Gather (SG) frames have more than one SG buffer in
      	 the SG list and any one of the buffers, except the last
      	 buffer in the SG list has data size that is not a multiple
      	 of 16 bytes, i.e., other than 16, 32, 48, 64, etc.
      
      With any one of the above three conditions present, there is
      likelihood of stalled FMAN packet processing, especially under
      stress with multiple ports injecting line-rate traffic.
      
      To avoid situations that stall FMAN packet processing, all of the
      above three conditions must be avoided; therefore, configure the
      system with the following rules:
      
        1. Frame buffers must not span a 4KB address boundary, unless
      	 the frame start address is 256 byte aligned
        2. All FMAN DMA start addresses (for example, BMAN buffer
      	 address, FD[address] + FD[offset]) are 16B aligned
        3. SG table and buffer addresses are 16B aligned and the size
      	 of SG buffers are multiple of 16 bytes, except for the last
      	 SG buffer that can be of any size.
      
      Additional workaround notes:
      - Address alignment of 64 bytes is recommended for maximally
      efficient system bus transactions (although 16 byte alignment is
      sufficient to avoid the stall condition)
      - To support frame sizes that are larger than 4K bytes, there are
      two options:
        1. Large single buffer frames that span a 4KB page boundary can
      	 be converted into SG frames to avoid transaction splits at
      	 the 4KB boundary,
        2. Align the large single buffer to 256B address boundaries,
      	 ensure that the frame address plus offset is 256B aligned.
      - If software generated SG frames have buffers that are unaligned
      and with random non-multiple of 16 byte lengths, before
      transmitting such frames via FMAN, frames will need to be copied
      into a new single buffer or multiple buffer SG frame that is
      compliant with the three rules listed above.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3c68b8ff
    • Madalin Bucur's avatar
      fsl/fman: detect FMan erratum A050385 · b281f7b9
      Madalin Bucur authored
      Detect the presence of the A050385 erratum.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b281f7b9
    • Madalin Bucur's avatar
      arm64: dts: ls1043a: FMan erratum A050385 · b54d3900
      Madalin Bucur authored
      The LS1043A SoC is affected by the A050385 erratum stating that
      FMAN DMA read or writes under heavy traffic load may cause FMAN
      internal resource leak thus stopping further packet processing.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b54d3900
    • Madalin Bucur's avatar
      dt-bindings: net: FMan erratum A050385 · 26d5bb9e
      Madalin Bucur authored
      FMAN DMA read or writes under heavy traffic load may cause FMAN
      internal resource leak; thus stopping further packet processing.
      
      The FMAN internal queue can overflow when FMAN splits single
      read or write transactions into multiple smaller transactions
      such that more than 17 AXI transactions are in flight from FMAN
      to interconnect. When the FMAN internal queue overflows, it can
      stall further packet processing. The issue can occur with any one
      of the following three conditions:
      
        1. FMAN AXI transaction crosses 4K address boundary (Errata
           A010022)
        2. FMAN DMA address for an AXI transaction is not 16 byte
           aligned, i.e. the last 4 bits of an address are non-zero
        3. Scatter Gather (SG) frames have more than one SG buffer in
           the SG list and any one of the buffers, except the last
           buffer in the SG list has data size that is not a multiple
           of 16 bytes, i.e., other than 16, 32, 48, 64, etc.
      
      With any one of the above three conditions present, there is
      likelihood of stalled FMAN packet processing, especially under
      stress with multiple ports injecting line-rate traffic.
      
      To avoid situations that stall FMAN packet processing, all of the
      above three conditions must be avoided; therefore, configure the
      system with the following rules:
      
        1. Frame buffers must not span a 4KB address boundary, unless
           the frame start address is 256 byte aligned
        2. All FMAN DMA start addresses (for example, BMAN buffer
           address, FD[address] + FD[offset]) are 16B aligned
        3. SG table and buffer addresses are 16B aligned and the size
           of SG buffers are multiple of 16 bytes, except for the last
           SG buffer that can be of any size.
      
      Additional workaround notes:
      - Address alignment of 64 bytes is recommended for maximally
      efficient system bus transactions (although 16 byte alignment is
      sufficient to avoid the stall condition)
      - To support frame sizes that are larger than 4K bytes, there are
      two options:
        1. Large single buffer frames that span a 4KB page boundary can
           be converted into SG frames to avoid transaction splits at
           the 4KB boundary,
        2. Align the large single buffer to 256B address boundaries,
           ensure that the frame address plus offset is 256B aligned.
      - If software generated SG frames have buffers that are unaligned
      and with random non-multiple of 16 byte lengths, before
      transmitting such frames via FMAN, frames will need to be copied
      into a new single buffer or multiple buffer SG frame that is
      compliant with the three rules listed above.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26d5bb9e
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 357ddbb9
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Patches to bump position index from sysctl seq_next,
         from Vasilin Averin.
      
      2) Release flowtable hook from error path, from Florian Westphal.
      
      3) Patches to add missing netlink attribute validation,
         from Jakub Kicinski.
      
      4) Missing NFTA_CHAIN_FLAGS in nf_tables_fill_chain_info().
      
      5) Infinite loop in module autoload if extension is not available,
         from Florian Westphal.
      
      6) Missing module ownership in inet/nat chain type definition.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      357ddbb9
  2. 06 Mar, 2020 4 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nft_chain_nat: inet family is missing module ownership · 6a42cefb
      Pablo Neira Ayuso authored
      Set owner to THIS_MODULE, otherwise the nft_chain_nat module might be
      removed while there are still inet/nat chains in place.
      
      [  117.942096] BUG: unable to handle page fault for address: ffffffffa0d5e040
      [  117.942101] #PF: supervisor read access in kernel mode
      [  117.942103] #PF: error_code(0x0000) - not-present page
      [  117.942106] PGD 200c067 P4D 200c067 PUD 200d063 PMD 3dc909067 PTE 0
      [  117.942113] Oops: 0000 [#1] PREEMPT SMP PTI
      [  117.942118] CPU: 3 PID: 27 Comm: kworker/3:0 Not tainted 5.6.0-rc3+ #348
      [  117.942133] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
      [  117.942145] RIP: 0010:nf_tables_chain_destroy.isra.0+0x94/0x15a [nf_tables]
      [  117.942149] Code: f6 45 54 01 0f 84 d1 00 00 00 80 3b 05 74 44 48 8b 75 e8 48 c7 c7 72 be de a0 e8 56 e6 2d e0 48 8b 45 e8 48 c7 c7 7f be de a0 <48> 8b 30 e8 43 e6 2d e0 48 8b 45 e8 48 8b 40 10 48 85 c0 74 5b 8b
      [  117.942152] RSP: 0018:ffffc9000015be10 EFLAGS: 00010292
      [  117.942155] RAX: ffffffffa0d5e040 RBX: ffff88840be87fc2 RCX: 0000000000000007
      [  117.942158] RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffffffffa0debe7f
      [  117.942160] RBP: ffff888403b54b50 R08: 0000000000001482 R09: 0000000000000004
      [  117.942162] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8883eda7e540
      [  117.942164] R13: dead000000000122 R14: dead000000000100 R15: ffff888403b3db80
      [  117.942167] FS:  0000000000000000(0000) GS:ffff88840e4c0000(0000) knlGS:0000000000000000
      [  117.942169] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  117.942172] CR2: ffffffffa0d5e040 CR3: 00000003e4c52002 CR4: 00000000001606e0
      [  117.942174] Call Trace:
      [  117.942188]  nf_tables_trans_destroy_work.cold+0xd/0x12 [nf_tables]
      [  117.942196]  process_one_work+0x1d6/0x3b0
      [  117.942200]  worker_thread+0x45/0x3c0
      [  117.942203]  ? process_one_work+0x3b0/0x3b0
      [  117.942210]  kthread+0x112/0x130
      [  117.942214]  ? kthread_create_worker_on_cpu+0x40/0x40
      [  117.942221]  ret_from_fork+0x35/0x40
      
      nf_tables_chain_destroy() crashes on module_put() because the module is
      gone.
      
      Fixes: d164385e ("netfilter: nat: add inet family nat support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      6a42cefb
    • Paolo Abeni's avatar
      mptcp: always include dack if possible. · 2398e399
      Paolo Abeni authored
      Currently passive MPTCP socket can skip including the DACK
      option - if the peer sends data before accept() completes.
      
      The above happens because the msk 'can_ack' flag is set
      only after the accept() call.
      
      Such missing DACK option may cause - as per RFC spec -
      unwanted fallback to TCP.
      
      This change addresses the issue using the key material
      available in the current subflow, if any, to create a suitable
      dack option when msk ack seq is not yet available.
      
      v1 -> v2:
       - adavance the generated ack after the initial MPC packet
      
      Fixes: d22f4988 ("mptcp: process MP_CAPABLE data option")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2398e399
    • Dan Carpenter's avatar
      net: nfc: fix bounds checking bugs on "pipe" · a3aefbfe
      Dan Carpenter authored
      This is similar to commit 674d9de0 ("NFC: Fix possible memory
      corruption when handling SHDLC I-Frame commands") and commit d7ee81ad
      ("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
      added range checks on "pipe".
      
      The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
      It's in the 0-255 range.  We're using it as the array index into the
      hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
      
      Fixes: 118278f2 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a3aefbfe
    • Jiang Lidong's avatar
      veth: ignore peer tx_dropped when counting local rx_dropped · e25d5dbc
      Jiang Lidong authored
      When local NET_RX backlog is full due to traffic overrun,
      peer veth tx_dropped counter increases. At that time, list
      local veth stats, rx_dropped has double value of peer
      tx_dropped, even bigger than transmit packets by peer.
      
      In NET_RX softirq process, if any packet drop case happens,
      it increases dev's rx_dropped counter and returns NET_RX_DROP.
      
      At veth tx side, it records any error returned from peer netif_rx
      into local dev tx_dropped counter.
      
      In veth get stats process, it puts local dev rx_dropped and
      peer dev tx_dropped into together as local rx_drpped value.
      So that it shows double value of real dropped packets number in
      this case.
      
      This patch ignores peer tx_dropped when counting local rx_dropped,
      since peer tx_dropped is duplicated to local rx_dropped at most cases.
      Signed-off-by: default avatarJiang Lidong <jianglidong3@jd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e25d5dbc
  3. 05 Mar, 2020 6 commits
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2020-03-05' of... · 2f63f2d5
      David S. Miller authored
      Merge tag 'wireless-drivers-2020-03-05' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.6
      
      Second set of fixes for v5.6. Only two small fixes this time.
      
      iwlwifi
      
      * fix another initialisation regression with 3168 devices
      
      mt76
      
      * fix memory corruption with too many rx fragments
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f63f2d5
    • Tom Zhao's avatar
      sfc: complete the next packet when we receive a timestamp · 3b4f06c7
      Tom Zhao authored
      We now ignore the "completion" event when using tx queue timestamping,
      and only pay attention to the two (high and low) timestamp events. The
      NIC will send a pair of timestamp events for every packet transmitted.
      The current firmware may merge the completion events, and it is possible
      that future versions may reorder the completion and timestamp events.
      As such the completion event is not useful.
      
      Without this patch in place a merged completion event on a queue with
      timestamping will cause a "spurious TX completion" error. This affects
      SFN8000-series adapters.
      Signed-off-by: default avatarTom Zhao <tzhao@solarflare.com>
      Acked-by: default avatarMartin Habets <mhabets@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b4f06c7
    • Jian Shen's avatar
      net: hns3: fix a not link up issue when fibre port supports autoneg · 68e1006f
      Jian Shen authored
      When fibre port supports auto-negotiation, the IMP(Intelligent
      Management Process) processes the speed of auto-negotiation
      and the  user's speed separately.
      For below case, the port will get a not link up problem.
      step 1: disables auto-negotiation and sets speed to A, then
      the driver's MAC speed will be updated to A.
      step 2: enables auto-negotiation and MAC gets negotiated
      speed B, then the driver's MAC speed will be updated to B
      through querying in periodical task.
      step 3: MAC gets new negotiated speed A.
      step 4: disables auto-negotiation and sets speed to B before
      periodical task query new MAC speed A, the driver will  ignore
      the speed configuration.
      
      This patch fixes it by skipping speed and duplex checking when
      fibre port supports auto-negotiation.
      
      Fixes: 22f48e24 ("net: hns3: add autoneg and change speed support for fibre port")
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68e1006f
    • Eric Dumazet's avatar
      slip: make slhc_compress() more robust against malicious packets · 110a40df
      Eric Dumazet authored
      Before accessing various fields in IPV4 network header
      and TCP header, make sure the packet :
      
      - Has IP version 4 (ip->version == 4)
      - Has not a silly network length (ip->ihl >= 5)
      - Is big enough to hold network and transport headers
      - Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
      
      syzbot reported :
      
      BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
      CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
       ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
       __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
       ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
       ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f7cd99
      Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
      RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
      RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      
      Fixes: b5451d78 ("slip: Move the SLIP drivers")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      110a40df
    • Florian Westphal's avatar
      netfilter: nf_tables: fix infinite loop when expr is not available · 1d305ba4
      Florian Westphal authored
      nft will loop forever if the kernel doesn't support an expression:
      
      1. nft_expr_type_get() appends the family specific name to the module list.
      2. -EAGAIN is returned to nfnetlink, nfnetlink calls abort path.
      3. abort path sets ->done to true and calls request_module for the
         expression.
      4. nfnetlink replays the batch, we end up in nft_expr_type_get() again.
      5. nft_expr_type_get attempts to append family-specific name. This
         one already exists on the list, so we continue
      6. nft_expr_type_get adds the generic expression name to the module
         list. -EAGAIN is returned, nfnetlink calls abort path.
      7. abort path encounters the family-specific expression which
         has 'done' set, so it gets removed.
      8. abort path requests the generic expression name, sets done to true.
      9. batch is replayed.
      
      If the expression could not be loaded, then we will end up back at 1),
      because the family-specific name got removed and the cycle starts again.
      
      Note that userspace can SIGKILL the nft process to stop the cycle, but
      the desired behaviour is to return an error after the generic expr name
      fails to load the expression.
      
      Fixes: eb014de4 ("netfilter: nf_tables: autoload modules from the abort path")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1d305ba4
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: dump NFTA_CHAIN_FLAGS attribute · d78008de
      Pablo Neira Ayuso authored
      Missing NFTA_CHAIN_FLAGS netlink attribute when dumping basechain
      definitions.
      
      Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      d78008de
  4. 04 Mar, 2020 14 commits
  5. 03 Mar, 2020 8 commits
    • Russell King's avatar
      net: dsa: fix phylink_start()/phylink_stop() calls · 8640f8dc
      Russell King authored
      Place phylink_start()/phylink_stop() inside dsa_port_enable() and
      dsa_port_disable(), which ensures that we call phylink_stop() before
      tearing down phylink - which is a documented requirement.  Failure
      to do so can cause use-after-free bugs.
      
      Fixes: 0e279218 ("net: dsa: Use PHYLINK for the CPU/DSA ports")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8640f8dc
    • David S. Miller's avatar
      Merge branch 'Fix-IPv6-peer-route-update' · f650bcd4
      David S. Miller authored
      Hangbin Liu says:
      
      ====================
      Fix IPv6 peer route update
      
      Currently we have two issues for peer route update on IPv6.
      1. When update peer route metric, we only updated the local one.
      2. If peer address changed, we didn't remove the old one and add new one.
      
      The first two patches fixed these issues and the third patch add new
      tests to cover it.
      
      With the fixes and updated test:
      ]# ./fib_tests.sh
      IPv6 prefix route tests
          TEST: Default metric                                                [ OK ]
          TEST: User specified metric on first device                         [ OK ]
          TEST: User specified metric on second device                        [ OK ]
          TEST: Delete of address on first device                             [ OK ]
          TEST: Modify metric of address                                      [ OK ]
          TEST: Prefix route removed on link down                             [ OK ]
          TEST: Prefix route with metric on link up                           [ OK ]
          TEST: Set metric with peer route on local side                      [ OK ]
          TEST: User specified metric on local address                        [ OK ]
          TEST: Set metric with peer route on peer side                       [ OK ]
          TEST: Modify metric with peer route on local side                   [ OK ]
          TEST: Modify metric with peer route on peer side                    [ OK ]
      
      IPv4 prefix route tests
          TEST: Default metric                                                [ OK ]
          TEST: User specified metric on first device                         [ OK ]
          TEST: User specified metric on second device                        [ OK ]
          TEST: Delete of address on first device                             [ OK ]
          TEST: Modify metric of address                                      [ OK ]
          TEST: Prefix route removed on link down                             [ OK ]
          TEST: Prefix route with metric on link up                           [ OK ]
          TEST: Modify metric of .0/24 address                                [ OK ]
          TEST: Set metric of address with peer route                         [ OK ]
          TEST: Modify metric of address with peer route                      [ OK ]
      
      Tests passed:  22
      Tests failed:   0
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f650bcd4
    • Hangbin Liu's avatar
      selftests/net/fib_tests: update addr_metric_test for peer route testing · 0d29169a
      Hangbin Liu authored
      This patch update {ipv4, ipv6}_addr_metric_test with
      1. Set metric of address with peer route and see if the route added
      correctly.
      2. Modify metric and peer address for peer route and see if the route
      changed correctly.
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d29169a
    • Hangbin Liu's avatar
      net/ipv6: remove the old peer route if change it to a new one · d0098e4c
      Hangbin Liu authored
      When we modify the peer route and changed it to a new one, we should
      remove the old route first. Before the fix:
      
      + ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2
      + ip -6 route show dev dummy1
      2001:db8::1 proto kernel metric 256 pref medium
      2001:db8::2 proto kernel metric 256 pref medium
      + ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3
      + ip -6 route show dev dummy1
      2001:db8::1 proto kernel metric 256 pref medium
      2001:db8::2 proto kernel metric 256 pref medium
      
      After the fix:
      + ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3
      + ip -6 route show dev dummy1
      2001:db8::1 proto kernel metric 256 pref medium
      2001:db8::3 proto kernel metric 256 pref medium
      
      This patch depend on the previous patch "net/ipv6: need update peer route
      when modify metric" to update new peer route after delete old one.
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0098e4c
    • Hangbin Liu's avatar
      net/ipv6: need update peer route when modify metric · 61794012
      Hangbin Liu authored
      When we modify the route metric, the peer address's route need also
      be updated. Before the fix:
      
      + ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2 metric 60
      + ip -6 route show dev dummy1
      2001:db8::1 proto kernel metric 60 pref medium
      2001:db8::2 proto kernel metric 60 pref medium
      + ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61
      + ip -6 route show dev dummy1
      2001:db8::1 proto kernel metric 61 pref medium
      2001:db8::2 proto kernel metric 60 pref medium
      
      After the fix:
      + ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61
      + ip -6 route show dev dummy1
      2001:db8::1 proto kernel metric 61 pref medium
      2001:db8::2 proto kernel metric 61 pref medium
      
      Fixes: 8308f3ff ("net/ipv6: Add support for specifying metric of connected routes")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61794012
    • David S. Miller's avatar
      Merge branch 'net-add-missing-netlink-policies' · a6fbcdda
      David S. Miller authored
      Jakub Kicinski says:
      
      ====================
      net: add missing netlink policies
      
      Recent one-off fixes motivated me to do some grepping for
      more missing netlink attribute policies. I didn't manage
      to even produce a KASAN splat with these, but it should
      be possible with sufficient luck. All the missing policies
      are pretty trivial (NLA_Uxx).
      
      I've only tested the devlink patches, the rest compiles.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6fbcdda
    • Jakub Kicinski's avatar
      nfc: add missing attribute validation for vendor subcommand · 6ba3da44
      Jakub Kicinski authored
      Add missing attribute validation for vendor subcommand attributes
      to the netlink policy.
      
      Fixes: 9e58095f ("NFC: netlink: Implement vendor command support")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ba3da44
    • Jakub Kicinski's avatar
      nfc: add missing attribute validation for deactivate target · 88e706d5
      Jakub Kicinski authored
      Add missing attribute validation for NFC_ATTR_TARGET_INDEX
      to the netlink policy.
      
      Fixes: 4d63adfe ("NFC: Add NFC_CMD_DEACTIVATE_TARGET support")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      88e706d5