1. 25 Jan, 2020 6 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 6badad1c
      David S. Miller authored
      
      
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Missing netlink attribute sanity check for NFTA_OSF_DREG,
         from Florian Westphal.
      
      2) Use bitmap infrastructure in ipset to fix KASAN slab-out-of-bounds
         reads, from Jozsef Kadlecsik.
      
      3) Missing initial CLOSED state in new sctp connection through
         ctnetlink events, from Jiri Wiesner.
      
      4) Missing check for NFT_CHAIN_HW_OFFLOAD in nf_tables offload
         indirect block infrastructure, from wenxu.
      
      5) Add __nft_chain_type_get() to sanity check family and chain type.
      
      6) Autoload modules from the nf_tables abort path to fix races
         reported by syzbot.
      
      7) Remove unnecessary skb->csum update on inet_proto_csum_replace16(),
         from Praveen Chaudhary.
      ====================
      
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6badad1c
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-01-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 722943a5
      David S. Miller authored
      
      
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2020-01-24
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      Merge conflict: once merge with net-next, a contextual conflict will
      appear in drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
      since the code moved in net-next.
      To resolve, just delete ALL of the conflicting hunk from net.
      So sorry for the small mess ..
      
      For -stable v5.4:
       ('net/mlx5: Update the list of the PCI supported devices')
       ('net/mlx5: Fix lowest FDB pool size')
       ('net/mlx5e: kTLS, Fix corner-case checks in TX resync flow')
       ('net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path')
       ('net/mlx5: Eswitch, Prevent ingress rate configuration of uplink rep')
       ('net/mlx5e: kTLS, Remove redundant posts in TX resync flow')
       ('net/mlx5: DR, Enable counter on non-fwd-dest objects')
       ('net/mlx5: DR, use non preemptible call to get the current cpu number')
      ====================
      
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      722943a5
    • Michael Ellerman's avatar
      net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM · 3546d8f1
      Michael Ellerman authored
      
      
      The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet
      adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in
      cxgb_extension_ioctl().
      
      One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears
      to read memory directly out of the adapter and return it to userspace.
      It's not entirely clear what the contents of the adapter memory
      contains, but the assumption is that it shouldn't be accessible to all
      users.
      
      So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after
      the is_offload() check, which matches two of the other subcommands in
      the same function which also check for is_offload() and CAP_NET_ADMIN.
      
      Found by Ilja by code inspection, not tested as I don't have the
      required hardware.
      
      Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3546d8f1
    • Florian Fainelli's avatar
      net: bcmgenet: Use netif_tx_napi_add() for TX NAPI · 148965df
      Florian Fainelli authored
      Before commit 7587935c ("net: bcmgenet: move NAPI initialization to
      ring initialization") moved the code, this used to be
      netif_tx_napi_add(), but we lost that small semantic change in the
      process, restore that.
      
      Fixes: 7587935c
      
       ("net: bcmgenet: move NAPI initialization to ring initialization")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarDoug Berger <opendmb@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      148965df
    • Jon Maloy's avatar
      tipc: change maintainer email address · 61b1f2af
      Jon Maloy authored
      
      
      Reflecting new realities.
      
      Signed-off-by: default avatarJon Maloy <jmaloy@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61b1f2af
    • Ajay Gupta's avatar
      net: stmmac: platform: fix probe for ACPI devices · b9f0b2f6
      Ajay Gupta authored
      
      
      Use generic device API to get phy mode to fix probe failure
      with ACPI based devices.
      
      Signed-off-by: default avatarAjay Gupta <ajayg@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9f0b2f6
  2. 24 Jan, 2020 26 commits
    • Tariq Toukan's avatar
      net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path · 342508c1
      Tariq Toukan authored
      When TCP out-of-order is identified (unexpected tcp seq mismatch), driver
      analyzes the packet and decides what handling should it get:
      1. go to accelerated path (to be encrypted in HW),
      2. go to regular xmit path (send w/o encryption),
      3. drop.
      
      Packets marked with skb->decrypted by the TLS stack in the TX flow skips
      SW encryption, and rely on the HW offload.
      Verify that such packets are never sent un-encrypted on the wire.
      Add a WARN to catch such bugs, and prefer dropping the packet in these cases.
      
      Fixes: 46a3ea98
      
       ("net/mlx5e: kTLS, Enhance TX resync flow")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Reviewed-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      342508c1
    • Tariq Toukan's avatar
      net/mlx5e: kTLS, Remove redundant posts in TX resync flow · 1e928997
      Tariq Toukan authored
      The call to tx_post_resync_params() is done earlier in the flow,
      the post of the control WQEs is unnecessarily repeated. Remove it.
      
      Fixes: 700ec497
      
       ("net/mlx5e: kTLS, Fix missing SQ edge fill")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Reviewed-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      1e928997
    • Tariq Toukan's avatar
      net/mlx5e: kTLS, Fix corner-case checks in TX resync flow · ffbd9ca9
      Tariq Toukan authored
      There are the following cases:
      
      1. Packet ends before start marker: bypass offload.
      2. Packet starts before start marker and ends after it: drop,
         not supported, breaks contract with kernel.
      3. packet ends before tls record info starts: drop,
         this packet was already acknowledged and its record info
         was released.
      
      Add the above as comment in code.
      
      Mind possible wraparounds of the TCP seq, replace the simple comparison
      with a call to the TCP before() method.
      
      In addition, remove logic that handles negative sync_len values,
      as it became impossible.
      
      Fixes: d2ead1f3 ("net/mlx5e: Add kTLS TX HW offload support")
      Fixes: 46a3ea98
      
       ("net/mlx5e: kTLS, Enhance TX resync flow")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Reviewed-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      ffbd9ca9
    • Dmytro Linkin's avatar
      net/mlx5e: Clear VF config when switching modes · 3b83b6c2
      Dmytro Linkin authored
      Currently VF in LEGACY mode are not able to go up. Also in OFFLOADS
      mode, when switching to it first time, VF can go up independently to
      his representor, which is not expected.
      Perform clearing of VF config when switching modes and set link state
      to AUTO as default value. Also, when switching to OFFLOADS mode set
      link state to DOWN, which allow VF link state to be controlled by its
      REP.
      
      Fixes: 1ab2068a ("net/mlx5: Implement vports admin state backup/restore")
      Fixes: 556b9d16
      
       ("net/mlx5: Clear VF's configuration on disabling SRIOV")
      Signed-off-by: default avatarDmytro Linkin <dmitrolin@mellanox.com>
      Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      3b83b6c2
    • Erez Shitrit's avatar
      net/mlx5: DR, use non preemptible call to get the current cpu number · c0702a4b
      Erez Shitrit authored
      Use raw_smp_processor_id instead of smp_processor_id() otherwise we will
      get the following trace in debug-kernel:
      	BUG: using smp_processor_id() in preemptible [00000000] code: devlink
      	caller is dr_create_cq.constprop.2+0x31d/0x970 [mlx5_core]
      	Call Trace:
      	dump_stack+0x9a/0xf0
      	debug_smp_processor_id+0x1f3/0x200
      	dr_create_cq.constprop.2+0x31d/0x970
      	genl_family_rcv_msg+0x5fd/0x1170
      	genl_rcv_msg+0xb8/0x160
      	netlink_rcv_skb+0x11e/0x340
      
      Fixes: 297ccceb
      
       ("net/mlx5: DR, Expose an internal API to issue RDMA operations")
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      c0702a4b
    • Eli Cohen's avatar
      net/mlx5: E-Switch, Prevent ingress rate configuration of uplink rep · e401a184
      Eli Cohen authored
      Since the implementation relies on limiting the VF transmit rate to
      simulate ingress rate limiting, and since either uplink representor or
      ecpf are not associated with a VF, we limit the rate limit configuration
      for those ports.
      
      Fixes: fcb64c0f
      
       ("net/mlx5: E-Switch, add ingress rate support")
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e401a184
    • Erez Shitrit's avatar
      net/mlx5: DR, Enable counter on non-fwd-dest objects · b850a821
      Erez Shitrit authored
      The current code handles only counters that attached to dest, we still
      have the cases where we have counter on non-dest, like over drop etc.
      
      Fixes: 6a48faee
      
       ("net/mlx5: Add direct rule fs_cmd implementation")
      Signed-off-by: default avatarHamdan Igbaria <hamdani@mellanox.com>
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Reviewed-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      b850a821
    • Meir Lichtinger's avatar
      net/mlx5: Update the list of the PCI supported devices · 505a7f54
      Meir Lichtinger authored
      Add the upcoming ConnectX-7 device ID.
      
      Fixes: 85327a9c
      
       ("net/mlx5: Update the list of the PCI supported devices")
      Signed-off-by: default avatarMeir Lichtinger <meirl@mellanox.com>
      Reviewed-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      505a7f54
    • Paul Blakey's avatar
      net/mlx5: Fix lowest FDB pool size · 93b8a7ec
      Paul Blakey authored
      The pool sizes represent the pool sizes in the fw. when we request
      a pool size from fw, it will return the next possible group.
      We track how many pools the fw has left and start requesting groups
      from the big to the small.
      When we start request 4k group, which doesn't exists in fw, fw
      wants to allocate the next possible size, 64k, but will fail since
      its exhausted. The correct smallest pool size in fw is 128 and not 4k.
      
      Fixes: e52c2802
      
       ("net/mlx5: E-Switch, Add chains and priorities")
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      93b8a7ec
    • Praveen Chaudhary's avatar
      net: Fix skb->csum update in inet_proto_csum_replace16(). · 189c9b1e
      Praveen Chaudhary authored
      
      
      skb->csum is updated incorrectly, when manipulation for
      NF_NAT_MANIP_SRC\DST is done on IPV6 packet.
      
      Fix:
      There is no need to update skb->csum in inet_proto_csum_replace16(),
      because update in two fields a.) IPv6 src/dst address and b.) L4 header
      checksum cancels each other for skb->csum calculation. Whereas
      inet_proto_csum_replace4 function needs to update skb->csum, because
      update in 3 fields a.) IPv4 src/dst address, b.) IPv4 Header checksum
      and c.) L4 header checksum results in same diff as L4 Header checksum
      for skb->csum calculation.
      
      [ pablo@netfilter.org: a few comestic documentation edits ]
      Signed-off-by: default avatarPraveen Chaudhary <pchaudhary@linkedin.com>
      Signed-off-by: default avatarZhenggen Xu <zxu@linkedin.com>
      Signed-off-by: default avatarAndy Stracner <astracner@linkedin.com>
      Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      189c9b1e
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: autoload modules from the abort path · eb014de4
      Pablo Neira Ayuso authored
      This patch introduces a list of pending module requests. This new module
      list is composed of nft_module_request objects that contain the module
      name and one status field that tells if the module has been already
      loaded (the 'done' field).
      
      In the first pass, from the preparation phase, the netlink command finds
      that a module is missing on this list. Then, a module request is
      allocated and added to this list and nft_request_module() returns
      -EAGAIN. This triggers the abort path with the autoload parameter set on
      from nfnetlink, request_module() is called and the module request enters
      the 'done' state. Since the mutex is released when loading modules from
      the abort phase, the module list is zapped so this is iteration occurs
      over a local list. Therefore, the request_module() calls happen when
      object lists are in consistent state (after fulling aborting the
      transaction) and the commit list is empty.
      
      On the second pass, the netlink command will find that it already tried
      to load the module, so it does not request it again and
      nft_request_module() returns 0. Then, there is a look up to find the
      object that the command was missing. If the module was successfully
      loaded, the command proceeds normally since it finds the missing object
      in place, otherwise -ENOENT is reported to userspace.
      
      This patch also updates nfnetlink to include the reason to enter the
      abort phase, which is required for this new autoload module rationale.
      
      Fixes: ec7470b8
      
       ("netfilter: nf_tables: store transaction list locally while requesting module")
      Reported-by: default avatar <syzbot+29125d208b3dae9a7019@syzkaller.appspotmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      eb014de4
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: add __nft_chain_type_get() · 82603549
      Pablo Neira Ayuso authored
      This new helper function validates that unknown family and chain type
      coming from userspace do not trigger an out-of-bound array access. Bail
      out in case __nft_chain_type_get() returns NULL from
      nft_chain_parse_hook().
      
      Fixes: 9370761c
      
       ("netfilter: nf_tables: convert built-in tables/chains to chain types")
      Reported-by: default avatar <syzbot+156a04714799b1d480bc@syzkaller.appspotmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      82603549
    • wenxu's avatar
      netfilter: nf_tables_offload: fix check the chain offload flag · c83de17d
      wenxu authored
      In the nft_indr_block_cb the chain should check the flag with
      NFT_CHAIN_HW_OFFLOAD.
      
      Fixes: 9a32669f
      
       ("netfilter: nf_tables_offload: support indr block call")
      Signed-off-by: default avatarwenxu <wenxu@ucloud.cn>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c83de17d
    • Jiri Wiesner's avatar
      netfilter: conntrack: sctp: use distinct states for new SCTP connections · ab658b9f
      Jiri Wiesner authored
      
      
      The netlink notifications triggered by the INIT and INIT_ACK chunks
      for a tracked SCTP association do not include protocol information
      for the corresponding connection - SCTP state and verification tags
      for the original and reply direction are missing. Since the connection
      tracking implementation allows user space programs to receive
      notifications about a connection and then create a new connection
      based on the values received in a notification, it makes sense that
      INIT and INIT_ACK notifications should contain the SCTP state
      and verification tags available at the time when a notification
      is sent. The missing verification tags cause a newly created
      netfilter connection to fail to verify the tags of SCTP packets
      when this connection has been created from the values previously
      received in an INIT or INIT_ACK notification.
      
      A PROTOINFO event is cached in sctp_packet() when the state
      of a connection changes. The CLOSED and COOKIE_WAIT state will
      be used for connections that have seen an INIT and INIT_ACK chunk,
      respectively. The distinct states will cause a connection state
      change in sctp_packet().
      
      Signed-off-by: default avatarJiri Wiesner <jwiesner@suse.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ab658b9f
    • David S. Miller's avatar
      Merge branch 'netdev-seq_file-next-functions-should-increase-position-index' · 623c8d5c
      David S. Miller authored
      Vasily Averin says:
      
      ====================
      netdev: seq_file .next functions should increase position index
      
      In Aug 2018 NeilBrown noticed
      commit 1f4aace6 ("fs/seq_file.c: simplify seq_file iteration code and interface")
      "Some ->next functions do not increment *pos when they return NULL...
      Note that such ->next functions are buggy and should be fixed.
      A simple demonstration is
      
      dd if=/proc/swaps bs=1000 skip=1
      
      Choose any block size larger than the size of /proc/swaps.  This will
      always show the whole last line of /proc/swaps"
      
      Described problem is still actual. If you make lseek into middle of last output line
      following read will output end of last line and whole last line once again.
      
      $ dd if=/proc/swaps bs=1  # usual output
      Filename				Type		Size	Used	Priority
      /dev/dm-0                               partition	4194812	97536	-2
      104+0 records in
      104+0 records out
      104 bytes copied
      
      $ dd if=/proc/swaps bs=40 skip=1    # last line was generated twice
      dd: /proc/swaps: cannot skip to specified offset
      v/dm-0                               partition	4194812	97536	-2
      /dev/dm-0                               partition	4194812	97536	-2
      3+1 records in
      3+1 records out
      131 bytes copied
      
      There are lot of other affected files, I've found 30+ including
      /proc/net/ip_tables_matches and /proc/sysvipc/*
      
      This patch-set fixes files related to netdev@
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      ====================
      
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      623c8d5c
    • Vasily Averin's avatar
      ipv6_route_seq_next should increase position index · 4fc427e0
      Vasily Averin authored
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4fc427e0
    • Vasily Averin's avatar
      rt_cpu_seq_next should increase position index · a3ea8673
      Vasily Averin authored
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a3ea8673
    • Vasily Averin's avatar
      neigh_stat_seq_next() should increase position index · 1e3f9f07
      Vasily Averin authored
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e3f9f07
    • Vasily Averin's avatar
      vcc_seq_next should increase position index · 8bf70920
      Vasily Averin authored
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8bf70920
    • Vasily Averin's avatar
      l2t_seq_next should increase position index · 66018a10
      Vasily Averin authored
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66018a10
    • Vasily Averin's avatar
      seq_tab_next() should increase position index · 70a87287
      Vasily Averin authored
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      
      
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70a87287
    • Eric Dumazet's avatar
      tcp: do not leave dangling pointers in tp->highest_sack · 2bec445f
      Eric Dumazet authored
      Latest commit 85369750 ("tcp: Fix highest_sack and highest_sack_seq")
      apparently allowed syzbot to trigger various crashes in TCP stack [1]
      
      I believe this commit only made things easier for syzbot to find
      its way into triggering use-after-frees. But really the bugs
      could lead to bad TCP behavior or even plain crashes even for
      non malicious peers.
      
      I have audited all calls to tcp_rtx_queue_unlink() and
      tcp_rtx_queue_unlink_and_free() and made sure tp->highest_sack would be updated
      if we are removing from rtx queue the skb that tp->highest_sack points to.
      
      These updates were missing in three locations :
      
      1) tcp_clean_rtx_queue() [This one seems quite serious,
                                I have no idea why this was not caught earlier]
      
      2) tcp_rtx_queue_purge() [Probably not a big deal for normal operations]
      
      3) tcp_send_synack()     [Probably not a big deal for normal operations]
      
      [1]
      BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1864 [inline]
      BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1856 [inline]
      BUG: KASAN: use-after-free in tcp_check_sack_reordering+0x33c/0x3a0 net/ipv4/tcp_input.c:891
      Read of size 4 at addr ffff8880a488d068 by task ksoftirqd/1/16
      
      CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
       tcp_highest_sack_seq include/net/tcp.h:1864 [inline]
       tcp_highest_sack_seq include/net/tcp.h:1856 [inline]
       tcp_check_sack_reordering+0x33c/0x3a0 net/ipv4/tcp_input.c:891
       tcp_try_undo_partial net/ipv4/tcp_input.c:2730 [inline]
       tcp_fastretrans_alert+0xf74/0x23f0 net/ipv4/tcp_input.c:2847
       tcp_ack+0x2577/0x5bf0 net/ipv4/tcp_input.c:3710
       tcp_rcv_established+0x6dd/0x1e90 net/ipv4/tcp_input.c:5706
       tcp_v4_do_rcv+0x619/0x8d0 net/ipv4/tcp_ipv4.c:1619
       tcp_v4_rcv+0x307f/0x3b40 net/ipv4/tcp_ipv4.c:2001
       ip_protocol_deliver_rcu+0x5a/0x880 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x23b/0x380 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x1db/0x2f0 net/ipv4/ip_input.c:428
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:538
       __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:5148
       __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5262
       process_backlog+0x206/0x750 net/core/dev.c:6093
       napi_poll net/core/dev.c:6530 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6598
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:603 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
       smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 10091:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
       slab_post_alloc_hook mm/slab.h:584 [inline]
       slab_alloc_node mm/slab.c:3263 [inline]
       kmem_cache_alloc_node+0x138/0x740 mm/slab.c:3575
       __alloc_skb+0xd5/0x5e0 net/core/skbuff.c:198
       alloc_skb_fclone include/linux/skbuff.h:1099 [inline]
       sk_stream_alloc_skb net/ipv4/tcp.c:875 [inline]
       sk_stream_alloc_skb+0x113/0xc90 net/ipv4/tcp.c:852
       tcp_sendmsg_locked+0xcf9/0x3470 net/ipv4/tcp.c:1282
       tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1432
       inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:672
       __sys_sendto+0x262/0x380 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto net/socket.c:2006 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:2006
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 10095:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kmem_cache_free+0x86/0x320 mm/slab.c:3694
       kfree_skbmem+0x178/0x1c0 net/core/skbuff.c:645
       __kfree_skb+0x1e/0x30 net/core/skbuff.c:681
       sk_eat_skb include/net/sock.h:2453 [inline]
       tcp_recvmsg+0x1252/0x2930 net/ipv4/tcp.c:2166
       inet_recvmsg+0x136/0x610 net/ipv4/af_inet.c:838
       sock_recvmsg_nosec net/socket.c:886 [inline]
       sock_recvmsg net/socket.c:904 [inline]
       sock_recvmsg+0xce/0x110 net/socket.c:900
       __sys_recvfrom+0x1ff/0x350 net/socket.c:2055
       __do_sys_recvfrom net/socket.c:2073 [inline]
       __se_sys_recvfrom net/socket.c:2069 [inline]
       __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:2069
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8880a488d040
       which belongs to the cache skbuff_fclone_cache of size 456
      The buggy address is located 40 bytes inside of
       456-byte region [ffff8880a488d040, ffff8880a488d208)
      The buggy address belongs to the page:
      page:ffffea0002922340 refcount:1 mapcount:0 mapping:ffff88821b057000 index:0x0
      raw: 00fffe0000000200 ffffea00022a5788 ffffea0002624a48 ffff88821b057000
      raw: 0000000000000000 ffff8880a488d040 0000000100000006 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8880a488cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8880a488cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff8880a488d000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
       ffff8880a488d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880a488d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: 85369750 ("tcp: Fix highest_sack and highest_sack_seq")
      Fixes: 50895b9d ("tcp: highest_sack fix")
      Fixes: 737ff314
      
       ("tcp: use sequence distance to detect reordering")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Cambda Zhu <cambda@linux.alibaba.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2bec445f
    • Colin Ian King's avatar
      net/rose: fix spelling mistake "to" -> "too" · 4d299f18
      Colin Ian King authored
      
      
      There is a spelling mistake in a printk message. Fix it.
      
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4d299f18
    • Colin Ian King's avatar
      caif_usb: fix spelling mistake "to" -> "too" · 43d88774
      Colin Ian King authored
      
      
      There is a spelling mistake in a pr_warn message. Fix it.
      
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43d88774
    • Colin Ian King's avatar
      ipvs: fix spelling mistake "to" -> "too" · 971485a0
      Colin Ian King authored
      
      
      There is a spelling mistake in a IP_VS_ERR_RL message. Fix it.
      
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      971485a0
    • Colin Ian King's avatar
      i40e: fix spelling mistake "to" -> "too" · 959b1825
      Colin Ian King authored
      
      
      There is a spelling mistake in a hw_dbg message. Fix it.
      
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      959b1825
  3. 23 Jan, 2020 8 commits
    • Cong Wang's avatar
      net_sched: fix datalen for ematch · 61678d28
      Cong Wang authored
      
      
      syzbot reported an out-of-bound access in em_nbyte. As initially
      analyzed by Eric, this is because em_nbyte sets its own em->datalen
      in em_nbyte_change() other than the one specified by user, but this
      value gets overwritten later by its caller tcf_em_validate().
      We should leave em->datalen untouched to respect their choices.
      
      I audit all the in-tree ematch users, all of those implement
      ->change() set em->datalen, so we can just avoid setting it twice
      in this case.
      
      Reported-and-tested-by: default avatar <syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com>
      Reported-by: default avatar <syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com>
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61678d28
    • David S. Miller's avatar
      Merge branch 'Fixes-for-SONIC-ethernet-driver' · 42c9bdae
      David S. Miller authored
      Finn Thain says:
      
      ====================
      Fixes for SONIC ethernet driver
      
      Various SONIC driver problems have become apparent over the years,
      including tx watchdog timeouts, lost packets and duplicated packets.
      
      The problems are mostly caused by bugs in buffer handling, locking and
      (re-)initialization code.
      
      This patch series resolves these problems.
      
      This series has been tested on National Semiconductor hardware (macsonic),
      qemu-system-m68k (macsonic) and qemu-system-mips64el (jazzsonic).
      
      The emulated dp8393x device used in QEMU also has bugs.
      I have fixed the bugs that I know of in a series of patches at,
      https://github.com/fthain/qemu/commits/sonic
      
      
      
      Changed since v1:
       - Minor revisions as described in commit logs.
       - Deferred net-next patches.
      Changed since v2:
       - Minor revisions as described in commit logs.
      ====================
      
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42c9bdae
    • Finn Thain's avatar
      net/sonic: Prevent tx watchdog timeout · 686f85d7
      Finn Thain authored
      Section 5.5.3.2 of the datasheet says,
      
          If FIFO Underrun, Byte Count Mismatch, Excessive Collision, or
          Excessive Deferral (if enabled) errors occur, transmission ceases.
      
      In this situation, the chip asserts a TXER interrupt rather than TXDN.
      But the handler for the TXDN is the only way that the transmit queue
      gets restarted. Hence, an aborted transmission can result in a watchdog
      timeout.
      
      This problem can be reproduced on congested link, as that can result in
      excessive transmitter collisions. Another way to reproduce this is with
      a FIFO Underrun, which may be caused by DMA latency.
      
      In event of a TXER interrupt, prevent a watchdog timeout by restarting
      transmission.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      686f85d7
    • Finn Thain's avatar
      net/sonic: Fix CAM initialization · 772f6642
      Finn Thain authored
      Section 4.3.1 of the datasheet says,
      
          This bit [TXP] must not be set if a Load CAM operation is in
          progress (LCAM is set). The SONIC will lock up if both bits are
          set simultaneously.
      
      Testing has shown that the driver sometimes attempts to set LCAM
      while TXP is set. Avoid this by waiting for command completion
      before and after giving the LCAM command.
      
      After issuing the Load CAM command, poll for !SONIC_CR_LCAM rather than
      SONIC_INT_LCD, because the SONIC_CR_TXP bit can't be used until
      !SONIC_CR_LCAM.
      
      When in reset mode, take the opportunity to reset the CAM Enable
      register.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      772f6642
    • Finn Thain's avatar
      net/sonic: Fix command register usage · 27e0c31c
      Finn Thain authored
      There are several issues relating to command register usage during
      chip initialization.
      
      Firstly, the SONIC sometimes comes out of software reset with the
      Start Timer bit set. This gets logged as,
      
          macsonic macsonic eth0: sonic_init: status=24, i=101
      
      Avoid this by giving the Stop Timer command earlier than later.
      
      Secondly, the loop that waits for the Read RRA command to complete has
      the break condition inverted. That's why the for loop iterates until
      its termination condition. Call the helper for this instead.
      
      Finally, give the Receiver Enable command after clearing interrupts,
      not before, to avoid the possibility of losing an interrupt.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      27e0c31c
    • Finn Thain's avatar
      net/sonic: Quiesce SONIC before re-initializing descriptor memory · 3f4b7e6a
      Finn Thain authored
      Make sure the SONIC's DMA engine is idle before altering the transmit
      and receive descriptors. Add a helper for this as it will be needed
      again.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f4b7e6a
    • Finn Thain's avatar
      net/sonic: Fix receive buffer replenishment · 89ba879e
      Finn Thain authored
      As soon as the driver is finished with a receive buffer it allocs a new
      one and overwrites the corresponding RRA entry with a new buffer pointer.
      
      Problem is, the buffer pointer is split across two word-sized registers.
      It can't be updated in one atomic store. So this operation races with the
      chip while it stores received packets and advances its RRP register.
      This could result in memory corruption by a DMA write.
      
      Avoid this problem by adding buffers only at the location given by the
      RWP register, in accordance with the National Semiconductor datasheet.
      
      Re-factor this code into separate functions to calculate a RRA pointer
      and to update the RWP.
      
      Fixes: efcce839
      
       ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89ba879e
    • Finn Thain's avatar
      net/sonic: Improve receive descriptor status flag check · 94b16634
      Finn Thain authored
      After sonic_tx_timeout() calls sonic_init(), it can happen that
      sonic_rx() will subsequently encounter a receive descriptor with no
      flags set. Remove the comment that says that this can't happen.
      
      When giving a receive descriptor to the SONIC, clear the descriptor
      status field. That way, any rx descriptor with flags set can only be
      a newly received packet.
      
      Don't process a descriptor without the LPKT bit set. The buffer is
      still in use by the SONIC.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      94b16634