1. 25 Apr, 2017 18 commits
    • net/packet: check length in getsockopt() called with PACKET_HDRLEN · fd2c83b3
      Alexander Potapenko authored
      
      
      In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4
      |val| remains uninitialized and the syscall may behave differently
      depending on its value, and even copy garbage to userspace on certain
      architectures. To fix this we now return -EINVAL if optlen is too small.
      
      This bug has been detected with KMSAN.
      Signed-off-by: Alexander Potapenko <glider@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipv6: regenerate host route if moved to gc list · 8048ced9
      David Ahern authored
      Taking down the loopback device wreaks havoc on IPv6 routing. By
      extension, taking down a VRF device wreaks havoc on its table.
      
      Dmitry and Andrey both reported heap out-of-bounds reports in the IPv6
      FIB code while running syzkaller fuzzer. The root cause is a dead dst
      that is on the garbage list gets reinserted into the IPv6 FIB. While on
      the gc (or perhaps when it gets added to the gc list) the dst->next is
      set to an IPv4 dst. A subsequent walk of the ipv6 tables causes the
      out-of-bounds access.
      
      Andrey's reproducer was the key to getting to the bottom of this.
      
      With IPv6, host routes for an address have the dst->dev set to the
      loopback device. When the 'lo' device is taken down, rt6_ifdown initiates
      a walk of the fib evicting routes with the 'lo' device which means all
      host routes are removed. That process moves the dst which is attached to
      an inet6_ifaddr to the gc list and marks it as dead.
      
      The recent change to keep global IPv6 addresses added a new function,
      fixup_permanent_addr, that is called on admin up. That function restarts
      dad for an inet6_ifaddr and when it completes the host route attached
      to it is inserted into the fib. Since the route was marked dead and
      moved to the gc list, re-inserting the route causes the reported
      out-of-bounds accesses. If the device with the address is taken down
      or the address is removed, the WARN_ON in fib6_del is triggered.
      
      All of those faults are fixed by regenerating the host route if the
      existing one has been moved to the gc list, something that can be
      determined by checking if the rt6i_ref counter is 0.
      
      Fixes: f1705ec1 ("net: ipv6: Make address flushing on ifdown optional")
      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
      Acked-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bridge: move bridge multicast cleanup to ndo_uninit · b1b9d366
      Xin Long authored
      During removing a bridge device, if the bridge is still up, a new mdb entry
      still can be added in br_multicast_add_group() after all mdb entries are
      removed in br_multicast_dev_del(). Like the path:
      
        mld_ifc_timer_expire ->
          mld_sendpack -> ...
            br_multicast_rcv ->
              br_multicast_add_group
      
      The new mp's timer will be set up. If the timer expires after the bridge
      is freed, it may cause use-after-free panic in br_multicast_group_expired.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
      IP: [<ffffffffa07ed2c8>] br_multicast_group_expired+0x28/0xb0 [bridge]
      Call Trace:
       <IRQ>
       [<ffffffff81094536>] call_timer_fn+0x36/0x110
       [<ffffffffa07ed2a0>] ? br_mdb_free+0x30/0x30 [bridge]
       [<ffffffff81096967>] run_timer_softirq+0x237/0x340
       [<ffffffff8108dcbf>] __do_softirq+0xef/0x280
       [<ffffffff8169889c>] call_softirq+0x1c/0x30
       [<ffffffff8102c275>] do_softirq+0x65/0xa0
       [<ffffffff8108e055>] irq_exit+0x115/0x120
       [<ffffffff81699515>] smp_apic_timer_interrupt+0x45/0x60
       [<ffffffff81697a5d>] apic_timer_interrupt+0x6d/0x80
      
      Nikolay also found it would cause a memory leak - the mdb hash is
      reallocated and not freed due to the mdb rehash.
      
      unreferenced object 0xffff8800540ba800 (size 2048):
        backtrace:
          [<ffffffff816e2287>] kmemleak_alloc+0x67/0xc0
          [<ffffffff81260bea>] __kmalloc+0x1ba/0x3e0
          [<ffffffffa05c60ee>] br_mdb_rehash+0x5e/0x340 [bridge]
          [<ffffffffa05c74af>] br_multicast_new_group+0x43f/0x6e0 [bridge]
          [<ffffffffa05c7aa3>] br_multicast_add_group+0x203/0x260 [bridge]
          [<ffffffffa05ca4b5>] br_multicast_rcv+0x945/0x11d0 [bridge]
          [<ffffffffa05b6b10>] br_dev_xmit+0x180/0x470 [bridge]
          [<ffffffff815c781b>] dev_hard_start_xmit+0xbb/0x3d0
          [<ffffffff815c8743>] __dev_queue_xmit+0xb13/0xc10
          [<ffffffff815c8850>] dev_queue_xmit+0x10/0x20
          [<ffffffffa02f8d7a>] ip6_finish_output2+0x5ca/0xac0 [ipv6]
          [<ffffffffa02fbfc6>] ip6_finish_output+0x126/0x2c0 [ipv6]
          [<ffffffffa02fc245>] ip6_output+0xe5/0x390 [ipv6]
          [<ffffffffa032b92c>] NF_HOOK.constprop.44+0x6c/0x240 [ipv6]
          [<ffffffffa032bd16>] mld_sendpack+0x216/0x3e0 [ipv6]
          [<ffffffffa032d5eb>] mld_ifc_timer_expire+0x18b/0x2b0 [ipv6]
      
      This could happen when ip link remove a bridge or destroy a netns with a
      bridge device inside.
      
      With Nikolay's suggestion, this patch is to clean up bridge multicast in
      ndo_uninit after bridge dev is shutdown, instead of br_dev_delete, so
      that netif_running check in br_multicast_add_group can avoid this issue.
      
      v1->v2:
        - fix this issue by moving br_multicast_dev_del to ndo_uninit, instead
          of calling dev_close in br_dev_delete.
      
      (NOTE: Depends upon b6fe0440 ("bridge: implement missing ndo_uninit()"))
      
      Fixes: e10177ab ("bridge: multicast: fix handling of temp and perm entries")
      Reported-by: Jianwen Ji <jiji@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: fix source routing · ec9c4215
      Sabrina Dubroca authored
      Commit a149e7c7 ("ipv6: sr: add support for SRH injection through
      setsockopt") introduced handling of IPV6_SRCRT_TYPE_4, but at the same
      time restricted it to only IPV6_SRCRT_TYPE_0 and
      IPV6_SRCRT_TYPE_4. Previously, ipv6_push_exthdr() and fl6_update_dst()
      would also handle other values (i.e. STRICT and TYPE_2).
      
      Restore previous source routing behavior, by handling IPV6_SRCRT_STRICT
      and IPV6_SRCRT_TYPE_2 the same way as IPV6_SRCRT_TYPE_0 in
      ipv6_push_exthdr() and fl6_update_dst().
      
      Fixes: a149e7c7 ("ipv6: sr: add support for SRH injection through setsockopt")
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: Fix error in the dcbx app meta data initialization. · c8fcd133
      sudarsana.kalluru@cavium.com authored
      
      
      DCBX app_data array is initialized with the incorrect values for
      personality field. This would prevent offloaded protocols from
      honoring the PFC.
      Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netvsc: fix calculation of available send sections · fdfb70d2
      stephen hemminger authored
      My change (introduced in 4.11) to use find_first_clear_bit
      incorrectly assumed that the size argument was words, not bits.
      The effect was only a small limited number of the available send
      sections were being actually used. This can cause performance loss
      with some workloads.
      
      Since map_words is now used only during initialization, it can
      be on stack instead of in per-device data.
      
      Fixes: b58a1858 ("netvsc: simplify get next send section")
      Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: hso: fix module unloading · a23f6ce6
      Andreas Kemnade authored
      
      
      keep tty driver until usb driver is unregistered
      rmmod hso
      produces traces like this without that:
      
      [40261.645904] usb 2-2: new high-speed USB device number 2 using ehci-omap
      [40261.854644] usb 2-2: New USB device found, idVendor=0af0, idProduct=8800
      [40261.862609] usb 2-2: New USB device strings: Mfr=3, Product=2, SerialNumber=0
      [40261.872772] usb 2-2: Product: Globetrotter HSUPA Modem
      [40261.880279] usb 2-2: Manufacturer: Option N.V.
      [40262.021270] hso 2-2:1.5: Not our interface
      [40265.556945] hso: unloaded
      [40265.559875] usbcore: deregistering interface driver hso
      [40265.595947] Unable to handle kernel NULL pointer dereference at virtual address 00000033
      [40265.604522] pgd = ecb14000
      [40265.611877] [00000033] *pgd=00000000
      [40265.617034] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      [40265.622650] Modules linked in: hso(-) bnep bluetooth ipv6 arc4 twl4030_madc_hwmon wl18xx wlcore mac80211 cfg80211 snd_soc_simple_card snd_soc_simple_card_utils snd_soc_omap_twl4030 snd_soc_gtm601 generic_adc_battery extcon_gpio omap3_isp videobuf2_dma_contig videobuf2_memops wlcore_sdio videobuf2_v4l2 videobuf2_core ov9650 bmp280_i2c v4l2_common bmp280 bmg160_i2c bmg160_core at24 nvmem_core videodev bmc150_accel_i2c bmc150_magn_i2c media bmc150_accel_core tsc2007 bmc150_magn leds_tca6507 bno055 snd_soc_omap_mcbsp industrialio_triggered_buffer snd_soc_omap kfifo_buf snd_pcm_dmaengine gpio_twl4030 snd_soc_twl4030 twl4030_vibra twl4030_madc wwan_on_off ehci_omap pwm_bl pwm_omap_dmtimer panel_tpo_td028ttec1 encoder_opa362 connector_analog_tv omapdrm drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect
      [40265.698211]  sysimgblt fb_sys_fops cfbcopyarea drm omapdss usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap2430 phy_twl4030_usb musb_hdrc twl4030_charger industrialio w2sg0004 twl4030_pwrbutton bq27xxx_battery w1_bq27000 omap_hdq [last unloaded: hso]
      [40265.723175] CPU: 0 PID: 2701 Comm: rmmod Not tainted 4.11.0-rc6-letux+ #6
      [40265.730346] Hardware name: Generic OMAP36xx (Flattened Device Tree)
      [40265.736938] task: ecb81100 task.stack: ecb82000
      [40265.741729] PC is at cdev_del+0xc/0x2c
      [40265.745666] LR is at tty_unregister_device+0x40/0x50
      [40265.750915] pc : [<c027472c>]    lr : [<c04b3ecc>]    psr: 600b0113
      sp : ecb83ea8  ip : eca4f898  fp : 00000000
      [40265.763000] r10: 00000000  r9 : 00000000  r8 : 00000001
      [40265.768493] r7 : eca4f800  r6 : 00000003  r5 : 00000000  r4 : ffffffff
      [40265.775360] r3 : c1458d54  r2 : 00000000  r1 : 00000004  r0 : ffffffff
      [40265.782257] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [40265.789764] Control: 10c5387d  Table: acb14019  DAC: 00000051
      [40265.795806] Process rmmod (pid: 2701, stack limit = 0xecb82218)
      [40265.802062] Stack: (0xecb83ea8 to 0xecb84000)
      [40265.901458] [<c027472c>] (cdev_del) from [<c04b3ecc>] (tty_unregister_device+0x40/0x50)
      [40265.909942] [<c04b3ecc>] (tty_unregister_device) from [<bf7327ec>] (hso_free_interface+0x80/0x144 [hso])
      [40265.919982] [<bf7327ec>] (hso_free_interface [hso]) from [<bf7328bc>] (hso_disconnect+0xc/0x18 [hso])
      [40265.929718] [<bf7328bc>] (hso_disconnect [hso]) from [<c05a9a04>] (usb_unbind_interface+0x84/0x200)
      [40265.939239] [<c05a9a04>] (usb_unbind_interface) from [<c04e6960>] (device_release_driver_internal+0x138/0x1cc)
      [40265.949798] [<c04e6960>] (device_release_driver_internal) from [<c04e6a60>] (driver_detach+0x60/0x6c)
      [40265.959503] [<c04e6a60>] (driver_detach) from [<c04e5d94>] (bus_remove_driver+0x64/0x8c)
      [40265.968017] [<c04e5d94>] (bus_remove_driver) from [<c05a8f88>] (usb_deregister+0x5c/0xb8)
      [40265.976654] [<c05a8f88>] (usb_deregister) from [<c01c4afc>] (SyS_delete_module+0x160/0x1dc)
      [40265.985443] [<c01c4afc>] (SyS_delete_module) from [<c0107040>] (ret_fast_syscall+0x0/0x1c)
      [40265.994171] Code: c1458d54 e59f3020 e92d4010 e1a04000 (e5941034)
      [40266.016693] ---[ end trace 9d5ac43c7e41075c ]---
      Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
      Reviewed-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix socket flow control accounting error at tipc_recv_stream · 05ff8378
      Parthasarathy Bhuvaragan authored
      Until now in tipc_recv_stream(), we update the received
      unacknowledged bytes based on a stack variable and not based on the
      actual message size.
      If the user buffer passed at tipc_recv_stream() is smaller than the
      received skb, the size variable in stack differs from the actual
      message size in the skb. This leads to a flow control accounting
      error causing permanent congestion.
      
      In this commit, we fix this accounting error by always using the
      size of the incoming message.
      
      Fixes: 10724cc7 ("tipc: redesign connection-level flow control")
      Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix socket flow control accounting error at tipc_send_stream · 3364d61c
      Parthasarathy Bhuvaragan authored
      Until now in tipc_send_stream(), we return -1 when the socket
      encounters link congestion even if the socket had successfully
      sent partial data. This is incorrect as the application resends
      the same partial data leading to data corruption at
      receiver's end.
      
      In this commit, we return the partially sent bytes as the return
      value at link congestion.
      
      Fixes: 10724cc7 ("tipc: redesign connection-level flow control")
      Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: move stub initialization after ipv6 setup completion · b7d6df57
      Paolo Abeni authored
      The ipv6 stub pointer is currently initialized before the ipv6
      routing subsystem: a 3rd party can access and use such stub
      before the routing data is ready.
      Moreover, such pointer is not cleared in case of initialization
      error, possibly leading to dangling pointers usage.
      
      This change addresses the above moving the stub initialization
      at the end of ipv6 init code.
      
      Fixes: 5f81bd2e ("ipv6: export a stub for IPv6 symbols used by vxlan")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • team: fix memory leaks · 72ec0bc6
      Pan Bian authored
      In functions team_nl_send_port_list_get() and
      team_nl_send_options_get(), pointer skb keeps the return value of
      nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
      freed(). This will result in memory leak bugs.
      
      Fixes: 9b00cf2d ("team: implement multipart netlink messages for options transfers")
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'linux-can-fixes-for-4.11-20170425' of... · fccb4422
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.11-20170425' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2017-04-25
      
      this is a pull request of three patches for net/master.
      
      There are two patches by Stephane Grosjean that add a new variant to the
      PCAN-Chip USB driver. The other patch is by Maksim Salau, which switches the
      memory for USB transfers from heap to stack.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfc: tx ring can only have 2048 entries for all EF10 NICs · a53d26eb
      Bert Kenward authored
      Fixes: dd248f1b ("sfc: Add PCI ID for Solarflare 8000 series 10/40G NIC")
      Reported-by: Patrick Talbert <ptalbert@redhat.com>
      Signed-off-by: Bert Kenward <bkenward@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • macvlan: Fix device ref leak when purging bc_queue · f6478218
      Herbert Xu authored
      When a parent macvlan device is destroyed we end up purging its
      broadcast queue without dropping the device reference count on
      the packet source device.  This causes the source device to linger.
      
      This patch drops that reference count.
      
      Fixes: 260916df ("macvlan: Fix potential use-after free for...")
      Reported-by: Joe Ghalam <Joe.Ghalam@dell.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • usb: plusb: Add support for PL-27A1 · 6f2aee0c
      Roman Spychała authored
      
      
      This patch adds support for the PL-27A1 by adding the appropriate
      USB ID's. This chip is used in the goobay Active USB 3.0 Data Link
      and Unitek Y-3501 cables.
      Signed-off-by: Roman Spychała <roed@onet.eu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: can: usb: gs_usb: Fix buffer on stack · b05c73bd
      Maksim Salau authored
      
      
      Allocate buffers on HEAP instead of STACK for local structures
      that are to be sent using usb_control_msg().
      Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v4.8
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: usb: Kconfig: Add PCAN-USB X6 device in help text · 71b61156
      Stephane Grosjean authored
      
      
      This patch adds a text line in the help section of the CAN_PEAK_USB
      config item describing the support of the PCAN-USB X6 adapter, which is
      already included in the Kernel since 4.9.
      Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: usb: Add support of PCAN-Chip USB stamp module · ea8b65b5
      Stephane Grosjean authored
      
      
      This patch adds the support of the PCAN-Chip USB, a stamp module for
      customer hardware designs, which communicates via USB 2.0 with the
      hardware. The integrated CAN controller supports the protocols CAN 2.0 A/B
      as well as CAN FD. The physical CAN connection is determined by external
      wiring. The Stamp module with its single-sided mounting and plated
      half-holes is suitable for automatic assembly.
      
      Note that the chip is equipped with the same logic as the PCAN-USB FD.
      Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
  2. 24 Apr, 2017 12 commits
    • Merge branch 'dsa-b53-58xx-fixes' · 38a98bce
      David S. Miller authored
      
      
      Florian Fainelli says:
      
      ====================
      net: dsa: b53: BCM58xx devices fixes
      
      This patch series contains fixes for the 58xx devices (Broadcom Northstar
      Plus), which were identified thanks to the help of Eric Anholt.
      ====================
      Tested-by: Eric Anholt <eric@anholt.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: b53: Fix CPU port for 58xx devices · bfcda65c
      Florian Fainelli authored
      The 58xx devices (Northstar Plus) do actually have their CPU port wired
      at port 8, it was unfortunately set to port 5 (B53_CPU_PORT_25) which is
      incorrect, since that is the second possible management port.
      
      Fixes: 991a36bb ("net: dsa: b53: Add support for BCM585xx/586xx/88312 integrated switch")
      Reported-by: Eric Anholt <eric@anholt.net>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: b53: Implement software reset for 58xx devices · 3fb22b05
      Florian Fainelli authored
      Implement the correct software reset sequence for 58xx devices by
      setting all 3 reset bits and polling for the SW_RST bit to clear itself
      without a given timeout. We cannot use is58xx() here because that would
      also include the 7445/7278 Starfighter 2 which have their own driver
      doing the reset earlier on due to the HW specific integration.
      
      Fixes: 991a36bb ("net: dsa: b53: Add support for BCM585xx/586xx/88312 integrated switch")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: b53: Include IMP/CPU port in dumb forwarding mode · a424f0de
      Florian Fainelli authored
      Since Broadcom tags are not enabled in b53 (DSA_PROTO_TAG_NONE), we need
      to make sure that the IMP/CPU port is included in the forwarding
      decision.
      
      Without this change, switching between non-management ports would work,
      but not between management ports and non-management ports thus breaking
      the default state in which DSA switches are brought up.
      
      Fixes: 967dd82f ("net: dsa: b53: Add support for Broadcom RoboSwitch")
      Reported-by: Eric Anholt <eric@anholt.net>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-fixes-2017-04-22' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 38baf3a6
      David S. Miller authored
      
      
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2017-04-22
      
      This series contains some mlx5 fixes for net.
      
      For your convenience, the series doesn't introduce any conflict with
      the ongoing net-next pull request.
      
      Please pull and let me know if there's any problem.
      
      For -stable:
      ("net/mlx5: E-Switch, Correctly deal with inline mode on ConnectX-5") kernels >= 4.10
      ("net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling") kernels >= 4.8
      ("net/mlx5e: Fix small packet threshold")       kernels >= 4.7
      ("net/mlx5: Fix driver load bad flow when having fw initializing timeout") kernels >= 4.4
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipv6: send unsolicited NA if enabled for all interfaces · fc1f8f4f
      David Ahern authored
      When arp_notify is set to 1 for either a specific interface or for 'all'
      interfaces, gratuitous arp requests are sent. Since ndisc_notify is the
      ipv6 equivalent to arp_notify, it should follow the same semantics.
      Commit 4a6e3c5d ("net: ipv6: send unsolicited NA on admin up") sends
      the NA on admin up. The final piece is checking devconf_all->ndisc_notify
      in addition to the per device setting. Add it.
      
      Fixes: 5cb04436 ("ipv6: add knob to send unsolicited ND on link-layer address change")
      Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
      Reviewed-by: Simon Horman <simon.horman@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ravb: Double free on error in ravb_start_xmit() · 9199cb76
      Dan Carpenter authored
      If skb_put_padto() fails then it frees the skb.  I shifted that code
      up a bit to make my error handling a little simpler.
      
      Fixes: a0d2f206 ("Renesas Ethernet AVB PTP clock driver")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • udp: disable inner UDP checksum offloads in IPsec case · b40c5f4f
      Ansis Atteka authored
      
      
      Otherwise, UDP checksum offloads could corrupt ESP packets by attempting
      to calculate UDP checksum when this inner UDP packet is already protected
      by IPsec.
      
      One way to reproduce this bug is to have a VM with virtio_net driver (UFO
      set to ON in the guest VM); and then encapsulate all guest's Ethernet
      frames in Geneve; and then further encrypt Geneve with IPsec.  In this
      case following symptoms are observed:
      1. If using ixgbe NIC, then it will complain with following error message:
         ixgbe 0000:01:00.1: partial checksum but l4 proto=32!
      2. Receiving IPsec stack will drop all the corrupted ESP packets and
         increase XfrmInStateProtoError counter in /proc/net/xfrm_stat.
      3. iperf UDP test from the VM with packet sizes above MTU will not work at
         all.
      4. iperf TCP test from the VM will get ridiculously low performance because.
      Signed-off-by: Ansis Atteka <aatteka@ovn.org>
      Co-authored-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • macsec: avoid heap overflow in skb_to_sgvec · 4d6fa57b
      Jason A. Donenfeld authored
      
      
      While this may appear as a humdrum one line change, it's actually quite
      important. An sk_buff stores data in three places:
      
      1. A linear chunk of allocated memory in skb->data. This is the easiest
         one to work with, but it precludes using scatterdata since the memory
         must be linear.
      2. The array skb_shinfo(skb)->frags, which is of maximum length
         MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
         can point to different pages.
      3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
         which in turn can have data in either (1) or (2).
      
      The first two are rather easy to deal with, since they're of a fixed
      maximum length, while the third one is not, since there can be
      potentially limitless chains of fragments. Fortunately dealing with
      frag_list is opt-in for drivers, so drivers don't actually have to deal
      with this mess. For whatever reason, macsec decided it wanted pain, and
      so it explicitly specified NETIF_F_FRAGLIST.
      
      Because dealing with (1), (2), and (3) is insane, most users of sk_buff
      doing any sort of crypto or paging operation call a convenient function
      called skb_to_sgvec (which happens to be recursive if (3) is in use!).
      This takes a sk_buff as input, and writes into its output pointer an
      array of scattergather list items. Sometimes people like to declare a
      fixed size scattergather list on the stack; other times people like to
      allocate a fixed size scattergather list on the heap. However, if you're
      doing it in a fixed-size fashion, you really shouldn't be using
      NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
      frag_list children aren't shared and then you check the number of
      fragments in total required.)
      
      Macsec specifically does this:
      
              size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
              tmp = kmalloc(size, GFP_ATOMIC);
              *sg = (struct scatterlist *)(tmp + sg_offset);
              ...
              sg_init_table(sg, MAX_SKB_FRAGS + 1);
              skb_to_sgvec(skb, sg, 0, skb->len);
      
      Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
      using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
      overflow the heap, and disaster ensues.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Cc: stable@vger.kernel.org
      Cc: security@kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: Avoid caching l3mdev dst on mismatched local route · b7c8487c
      Robert Shearman authored
      David reported that doing the following:
      
          ip li add red type vrf table 10
          ip link set dev eth1 vrf red
          ip addr add 127.0.0.1/8 dev red
          ip link set dev eth1 up
          ip li set red up
          ping -c1 -w1 -I red 127.0.0.1
          ip li del red
      
      when either policy routing IP rules are present or the local table
      lookup ip rule is before the l3mdev lookup results in a hang with
      these messages:
      
          unregister_netdevice: waiting for red to become free. Usage count = 1
      
      The problem is caused by caching the dst used for sending the packet
      out of the specified interface on a local route with a different
      nexthop interface. Thus the dst could stay around until the route in
      the table the lookup was done is deleted which may be never.
      
      Address the problem by not forcing output device to be the l3mdev in
      the flow's output interface if the lookup didn't use the l3mdev. This
      then results in the dst using the right device according to the route.
      
      Changes in v2:
       - make the dev_out passed in by __ip_route_output_key_hash correct
         instead of checking the nh dev if FLOWI_FLAG_SKIP_NH_OIF is set as
         suggested by David.
      
      Fixes: 5f02ce24 ("net: l3mdev: Allow the l3mdev to be a loopback")
      Reported-by: David Ahern <dsa@cumulusnetworks.com>
      Suggested-by: David Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: Robert Shearman <rshearma@brocade.com>
      Acked-by: David Ahern <dsa@cumulusnetworks.com>
      Tested-by: David Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: tc35815: move free after the dereference · 11faa7b0
      Dan Carpenter authored
      We dereference "skb" to get "skb->len" so we should probably do that
      step before freeing the skb.
      
      Fixes: eea221ce ("tc35815 driver update (take 2)")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net/mlx5e: Fix race in mlx5e_sw_stats and mlx5e_vport_stats · 1510d728
      Martin KaFai Lau authored
      We have observed a sudden spike in rx/tx_packets and rx/tx_bytes
      reported under /proc/net/dev.  There is a race in mlx5e_update_stats()
      and some of the get-stats functions (the one that we hit is the
      mlx5e_get_stats() which is called by ndo_get_stats64()).
      
      In particular, the very first thing mlx5e_update_sw_counters()
      does is 'memset(s, 0, sizeof(*s))'.  For example, if mlx5e_get_stats()
      is unlucky at one point, rx_bytes and rx_packets could be 0.  One second
      later, a normal (and much bigger than 0) value will be reported.
      
      This patch is to use a 'struct mlx5e_sw_stats temp' to avoid
      a direct memset zero on priv->stats.sw.
      
      mlx5e_update_vport_counters() has a similar race.  Hence, addressed
      together.  However, memset zero is removed instead because
      it is not needed.
      
      I am lucky enough to catch this 0-reset in rx multicast:
      eth0: 41457665   76804   70    0    0    70          0     47085 15586634   87502    3    0    0     0       3          0
      eth0: 41459860   76815   70    0    0    70          0     47094 15588376   87516    3    0    0     0       3          0
      eth0: 41460577   76822   70    0    0    70          0         0 15589083   87521    3    0    0     0       3          0
      eth0: 41463293   76838   70    0    0    70          0     47108 15595872   87538    3    0    0     0       3          0
      eth0: 41463379   76839   70    0    0    70          0     47116 15596138   87539    3    0    0     0       3          0
      
      v2: Remove memset zero from mlx5e_update_vport_counters()
      v1: Use temp and memcpy
      
      Fixes: 9218b44d ("net/mlx5e: Statistics handling refactoring")
      Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
      Suggested-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      1510d728
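The zero-then-refill race described in the mlx5e commit above, as an added single-threaded model (not the driver's code): a simulated reader samples the shared counters at every accumulation step, first with the in-place memset and then with the temp-and-memcpy approach the message names. `struct counters`, `NCH` and the function names are assumptions, and the model's reader never lands inside the memcpy itself.

```c
/* Userspace model with hypothetical names; not mlx5e driver code. */
#include <stdio.h>
#include <string.h>

#define NCH 4                           /* constructed number of channels */
struct counters { unsigned long rx_packets, rx_bytes; };
static struct counters shared;          /* models priv->stats.sw */
static unsigned long min_seen;          /* lowest rx_packets a reader observed */

/* Sum per-channel counters into dst; a reader may sample at every step. */
static void sum_channels(struct counters *dst, const struct counters *ch)
{
    for (int i = 0; i < NCH; i++) {
        if (shared.rx_packets < min_seen)   /* the concurrent reader's view */
            min_seen = shared.rx_packets;
        dst->rx_packets += ch[i].rx_packets;
        dst->rx_bytes += ch[i].rx_bytes;
    }
}

/* Pattern the commit describes as racy: zero the live struct, then refill. */
static void update_in_place(const struct counters *ch)
{
    memset(&shared, 0, sizeof(shared));
    sum_channels(&shared, ch);
}

/* Pattern the commit adopts: build in a temp, publish with one memcpy. */
static void update_via_temp(const struct counters *ch)
{
    struct counters temp = { 0, 0 };
    sum_channels(&temp, ch);
    memcpy(&shared, &temp, sizeof(shared));
}

/* Constructed data: settle at 1000 packets, then run one more update. */
static unsigned long lowest_seen(int use_temp)
{
    const struct counters ch[NCH] = { {100, 1000}, {200, 2000}, {300, 3000}, {400, 4000} };
    update_via_temp(ch);
    min_seen = shared.rx_packets;
    (use_temp ? update_via_temp : update_in_place)(ch);
    return min_seen;
}

int main(void)
{
    unsigned long racy = lowest_seen(0), fixed = lowest_seen(1);
    return printf("in-place low=%lu temp low=%lu\n", racy, fixed) < 0;
}
```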
  3. 22 Apr, 2017 7 commits
  4. 21 Apr, 2017 3 commits
      Merge tag 'nfsd-4.11-2' of git://linux-nfs.org/~bfields/linux · 94836ecf
      Linus Torvalds authored
      Pull nfsd bugfix from Bruce Fields:
       "Fix a 4.11 regression that triggers a BUG() on an attempt to use an
        unsupported NFSv4 compound op"
      
      * tag 'nfsd-4.11-2' of git://linux-nfs.org/~bfields/linux:
        nfsd: fix oops on unsupported operation
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 057a650b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Don't race in IPSEC dumps, from Yuejie Shi.
      
       2) Verify lengths properly in IPSEC requests, from Herbert Xu.
      
       3) Fix out of bounds access in ipv6 segment routing code, from David
          Lebrun.
      
       4) Don't write into the header of cloned SKBs in smsc95xx driver, from
          James Hughes.
      
       5) Several other drivers have this bug too, fix them. From Eric
          Dumazet.
      
       6) Fix access to uninitialized data in TC action cookie code, from
          Wolfgang Bumiller.
      
       7) Fix double free in IPV6 segment routing, again from David Lebrun.
      
       8) Don't let userspace set the RTF_PCPU flag, oops. From David Ahern.
      
       9) Fix use after free in qrtr code, from Dan Carpenter.
      
      10) Don't double-destroy devices in ip6mr code, from Nikolay
          Aleksandrov.
      
      11) Don't pass out-of-range TX queue indices into drivers, from Tushar
          Dave.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (30 commits)
        netpoll: Check for skb->queue_mapping
        ip6mr: fix notification device destruction
        bpf, doc: update bpf maintainers entry
        net: qrtr: potential use after free in qrtr_sendmsg()
        bpf: Fix values type used in test_maps
        net: ipv6: RTF_PCPU should not be settable from userspace
        gso: Validate assumption of frag_list segementation
        kaweth: use skb_cow_head() to deal with cloned skbs
        ch9200: use skb_cow_head() to deal with cloned skbs
        lan78xx: use skb_cow_head() to deal with cloned skbs
        sr9700: use skb_cow_head() to deal with cloned skbs
        cx82310_eth: use skb_cow_head() to deal with cloned skbs
        smsc75xx: use skb_cow_head() to deal with cloned skbs
        ipv6: sr: fix double free of skb after handling invalid SRH
        MAINTAINERS: Add "B:" field for networking.
        net sched actions: allocate act cookie early
        qed: Fix issue in populating the PFC config paramters.
        qed: Fix possible system hang in the dcbnl-getdcbx() path.
        qed: Fix sending an invalid PFC error mask to MFW.
        qed: Fix possible error in populating max_tc field.
        ...
      netpoll: Check for skb->queue_mapping · c70b17b7
      Tushar Dave authored
      
      
      Reducing real_num_tx_queues needs to be in sync with skb queue_mapping
      otherwise skbs with queue_mapping greater than real_num_tx_queues
      can be sent to the underlying driver and can result in kernel panic.
      
      One such event is running netconsole and enabling VF on the same
      device. Or running netconsole and changing number of tx queues via
      ethtool on same device.
      
      e.g.
      Unable to handle kernel NULL pointer dereference
      tsk->{mm,active_mm}->context = 0000000000001525
      tsk->{mm,active_mm}->pgd = fff800130ff9a000
                    \|/ ____ \|/
                    "@'/ .. \`@"
                    /_| \__/ |_\
                       \__U_/
      kworker/48:1(475): Oops [#1]
      CPU: 48 PID: 475 Comm: kworker/48:1 Tainted: G           OE
      4.11.0-rc3-davem-net+ #7
      Workqueue: events queue_process
      task: fff80013113299c0 task.stack: fff800131132c000
      TSTATE: 0000004480e01600 TPC: 00000000103f9e3c TNPC: 00000000103f9e40 Y:
      00000000    Tainted: G           OE
      TPC: <ixgbe_xmit_frame_ring+0x7c/0x6c0 [ixgbe]>
      I7: <ixgbe_xmit_frame+0x30/0xa0 [ixgbe]>
      Call Trace:
       [00000000103fa4b0] ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
       [0000000000998c74] netpoll_start_xmit+0xf4/0x200
       [0000000000998e10] queue_process+0x90/0x160
       [0000000000485fa8] process_one_work+0x188/0x480
       [0000000000486410] worker_thread+0x170/0x4c0
       [000000000048c6b8] kthread+0xd8/0x120
       [0000000000406064] ret_from_fork+0x1c/0x2c
       [0000000000000000]           (null)
      Disabling lock debugging due to kernel taint
      Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>