summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* isdn: divert: fix sprintf buffer overflow warningArnd Bergmann2017-07-141-12/+13
| | | | | | | | | | | | | | | | | | | One string we pass into the cs->info buffer might be too long, as pointed out by gcc: drivers/isdn/divert/isdn_divert.c: In function 'll_callback': drivers/isdn/divert/isdn_divert.c:488:22: error: '%d' directive writing between 1 and 3 bytes into a region of size between 1 and 69 [-Werror=format-overflow=] sprintf(cs->info, "%d 0x%lx %s %s %s %s 0x%x 0x%x %d %d %s\n", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/isdn/divert/isdn_divert.c:488:22: note: directive argument in the range [0, 255] drivers/isdn/divert/isdn_divert.c:488:4: note: 'sprintf' output 25 or more bytes (assuming 129) into a destination of size 90 This is unlikely to actually cause problems, so let's use snprintf as a simple workaround to shut up the warning and truncate the buffer instead. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: qcom/emac: fix double free of SGMII IRQ during shutdownTimur Tabi2017-07-141-4/+6
| | | | | | | | | | If the interface is not up, then don't try to close it during a shutdown. This avoids possible double free of the IRQ, which can happen during a shutdown. Fixes: 03eb3eb4d4d5 ("net: qcom/emac: add shutdown function") Signed-off-by: Timur Tabi <timur@codeaurora.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* smsc95xx: use ethtool_op_get_ts_info()Petr Kulhavy2017-07-141-0/+1
| | | | | | | | | | | | | | This change enables the use of SW timestamping on Raspberry PI. smsc95xx uses the usbnet transmit function usbnet_start_xmit(), which implements software timestamping. However the SOF_TIMESTAMPING_TX_SOFTWARE capability was missing and only SOF_TIMESTAMPING_RX_SOFTWARE was announced. By using ethtool_op_get_ts_info() as get_ts_info() also the SOF_TIMESTAMPING_TX_SOFTWARE is announced. Signed-off-by: Petr Kulhavy <brain@jikos.cz> Reviewed-by: Woojung Huh <Woojung.Huh@microchip.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net sched actions: rename act_get_notify() to tcf_get_notify()Roman Mashak2017-07-141-2/+2
| | | | | | | | Make name consistent with other TC event notification routines, such as tcf_add_notify() and tcf_del_notify() Signed-off-by: Roman Mashak <mrv@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net/packet: Fix Tx queue selection for AF_PACKETIván Briano2017-07-141-4/+2
| | | | | | | | | | | | | | | | | | | | | | When PACKET_QDISC_BYPASS is not used, Tx queue selection will be done before the packet is enqueued, taking into account any mappings set by a queuing discipline such as mqprio without hardware offloading. This selection may be affected by a previously saved queue_mapping, either on the Rx path, or done before the packet reaches the device, as it's currently the case for AF_PACKET. In order for queue selection to work as expected when using traffic control, there can't be another selection done before that point is reached, so move the call to packet_pick_tx_queue to packet_direct_xmit, leaving the default xmit path as it was before PACKET_QDISC_BYPASS was introduced. A forward declaration of packet_pick_tx_queue() is introduced to avoid the need to reorder the functions within the file. Fixes: d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option") Signed-off-by: Iván Briano <ivan.briano@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: bridge: fix dest lookup when vlan proto doesn't matchNikolay Aleksandrov2017-07-142-2/+4
| | | | | | | | | | | | | | | | | | | With 802.1ad support the vlan_ingress code started checking for vlan protocol mismatch which causes the current tag to be inserted and the bridge vlan protocol & pvid to be set. The vlan tag insertion changes the skb mac_header and thus the lookup mac dest pointer which was loaded prior to calling br_allowed_ingress in br_handle_frame_finish is VLAN_HLEN bytes off now, pointing to the last two bytes of the destination mac and the first four of the source mac causing lookups to always fail and broadcasting all such packets to all ports. Same thing happens for locally originated packets when passing via br_dev_xmit. So load the dest pointer after the vlan checks and possible skb change. Fixes: 8580e2117c06 ("bridge: Prepare for 802.1ad vlan filtering support") Reported-by: Anitha Narasimha Murthy <anitha@cumulusnetworks.com> Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Acked-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
* cxgb4: ptp_clock_register() returns error pointersGanesh Goudar2017-07-141-1/+2
| | | | | | | | | | | | Check ptp_clock_register() return not only for NULL but also for error pointers, and also nullify adapter->ptp_clock if ptp_clock_register() fails. Fixes: 9c33e4208bce ("cxgb4: Add PTP Hardware Clock (PHC) support") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Richard Cochran <richardcochran@gmail.com> Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: hns: add acpi function of xge led controlLiuJian2017-07-142-3/+58
| | | | | | | | | | | The current code only support DT method to control xge led. This patch is the implementation of acpi method to control xge led. Signed-off-by: LiuJian <liujian56@huawei.com> Reviewed-by: John Garry <john.garry@huawei.com> Reviewed-by: Yunsheng Lin <linyunsheng@huawei.com> Reviewed-by: Daode Huang <huangdaode@hisilicon.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* netpoll: shut up a kernel warning on refcountWANG Cong2017-07-141-1/+1
| | | | | | | | | | | | | | | When we convert atomic_t to refcount_t, a new kernel warning on "increment on 0" is introduced in the netpoll code, zap_completion_queue(). In fact for this special case, we know the refcount is 0 and we just have to set it to 1 to satisfy the following dev_kfree_skb_any(), so we can just use refcount_set(..., 1) instead. Fixes: 633547973ffc ("net: convert sk_buff.users from atomic_t to refcount_t") Reported-by: Dave Jones <davej@codemonkey.org.uk> Cc: Reshetova, Elena <elena.reshetova@intel.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* cdc_ncm: Set NTB format again after altsetting switch for Huawei devicesEnrico Mioso2017-07-143-0/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | Some firmwares in Huawei E3372H devices have been observed to switch back to NTB 32-bit format after altsetting switch. This patch implements a driver flag to check for the device settings and set NTB format to 16-bit again if needed. The flag has been activated for devices controlled by the huawei_cdc_ncm.c driver. V1->V2: - fixed broken error checks - some corrections to the commit message V2->V3: - variable name changes, to clarify what's happening - check (and possibly set) the NTB format later in the common bind code path Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com> Reported-and-tested-by: Christian Panton <christian@panton.org> Reviewed-by: Bjørn Mork <bjorn@mork.no> CC: Bjørn Mork <bjorn@mork.no> CC: Christian Panton <christian@panton.org> CC: linux-usb@vger.kernel.org CC: netdev@vger.kernel.org CC: Oliver Neukum <oliver@neukum.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* mdio: mux: fix parsing mux registers outside of the PHY address rangeMartin Blumenstingl2017-07-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mdio_mux_init parses the child nodes of the MDIO mux. When using "mdio-mux-mmioreg" the child nodes are describing the register value that is written to switch between the MDIO busses. The change which makes the error messages more verbose changed the parsing of the "reg" property from a simple of_property_read_u32 call to of_mdio_parse_addr. On a Khadas VIM (based on the Meson GXL SoC, which uses mdio-mux-mmioreg) this prevents registering the MDIO mux (because the "reg" values on the MDIO mux child nodes are 0x2009087f and 0xe40908ff) and leads to the following errors: mdio-mux-mmioreg c883455c.eth-phy-mux: /soc/periphs@c8834000/eth-phy-mux/mdio@e40908ff PHY address -469169921 is too large mdio-mux-mmioreg c883455c.eth-phy-mux: Error: Failed to find reg for child /soc/periphs@c8834000/eth-phy-mux/mdio@e40908ff mdio-mux-mmioreg c883455c.eth-phy-mux: /soc/periphs@c8834000/eth-phy-mux/mdio@2009087f PHY address 537462911 is too large mdio-mux-mmioreg c883455c.eth-phy-mux: Error: Failed to find reg for child /soc/periphs@c8834000/eth-phy-mux/mdio@2009087f mdio-mux-mmioreg c883455c.eth-phy-mux: Error: No acceptable child buses found mdio-mux-mmioreg c883455c.eth-phy-mux: failed to register mdio-mux bus /soc/periphs@c8834000/eth-phy-mux (as a result of that ethernet is not working, because the PHY which is connected through the mux' child MDIO bus, which is not being registered). Fix this by reverting the change from of_mdio_parse_addr to of_mdio_parse_addr. Fixes: 342fa1964439 ("mdio: mux: make child bus walking more permissive and errors more verbose") Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Acked-by: Neil Armstrong <narmstrong@baylibre.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: set fib rule refcount after mallocDavid Ahern2017-07-131-2/+1
| | | | | | | | | | | The configure callback of fib_rules_ops can change the refcnt of a fib rule. For instance, mlxsw takes a refcnt when adding the processing of the rule to a work queue. Thus the rule refcnt can not be reset to to 1 afterwards. Move the refcnt setting to after the allocation. Fixes: 5361e209dd30 ("net: avoid one splat in fib_nl_delrule()") Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* netlink: correctly document nla_put_u64_64bit()Rolf Eike Beer2017-07-131-2/+2
| | | | | Signed-off-by: Rolf Eike Beer <eb@emlix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* cxgb4: add new T5 pci device id'sGanesh Goudar2017-07-131-0/+2
| | | | | | | Add 0x50a3 and 0x50a4 T5 device id's Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* dccp: make const array error_code staticColin Ian King2017-07-131-1/+1
| | | | | | | | | | | | | | | | Don't populate array error_code on the stack but make it static. Makes the object code smaller by almost 250 bytes: Before: text data bss dec hex filename 10366 983 0 11349 2c55 net/dccp/input.o After: text data bss dec hex filename 10161 1039 0 11200 2bc0 net/dccp/input.o Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* rt2x00: make const array glrt_table staticColin Ian King2017-07-131-1/+1
| | | | | | | | | | | | | | | | | Don't populate array glrt_table on the stack but make it static. Makes the object code a smaller by over 670 bytes: Before: text data bss dec hex filename 131772 4733 0 136505 21539 rt2800lib.o After: text data bss dec hex filename 131043 4789 0 135832 21298 rt2800lib.o Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: stmmac: make const array route_possibilities staticColin Ian King2017-07-131-1/+1
| | | | | | | | | | | | | | | | Don't populate array route_possibilities on the stack but make it static const. Makes the object code a little smaller by 85 bytes: Before: text data bss dec hex filename 9901 2448 0 12349 303d dwmac4_core.o After: text data bss dec hex filename 9760 2504 0 12264 2fe8 dwmac4_core.o Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: broadcom: bnx2x: make a couple of const arrays staticColin Ian King2017-07-131-2/+2
| | | | | | | | | | | | | | | | | Don't populate various tables on the stack but make them static const. Makes the object code smaller by nearly 200 bytes: Before: text data bss dec hex filename 113468 11200 0 124668 1e6fc bnx2x_ethtool.o After: text data bss dec hex filename 113129 11344 0 124473 1e639 bnx2x_ethtool.o Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Yuval Mintz <Yuval.Mintz@cavium.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xgene: Don't fail probe, if there is no clk resource for SGMII interfacesThomas Bogendoerfer2017-07-131-10/+12
| | | | | | | | | | | | | | | | | | This change fixes following problem [ 1.827940] xgene-enet: probe of 1f210030.ethernet failed with error -2 which leads to a missing ethernet interface (reproducable at least on Gigabyte MP30-AR0 and APM Mustang systems). The check for a valid clk resource fails, because DT doesn't provide a clock for sgenet1. But the driver doesn't use this clk, if the ethernet port is connected via SGMII. Therefore this patch avoids probing for clk on SGMII interfaces. Fixes: 9aea7779b764 ("drivers: net: xgene: Fix crash on DT systems") Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* bpf: fix return in bpf_skb_adjust_netKefeng Wang2017-07-131-1/+1
| | | | | | | | | The bpf_skb_adjust_net() ignores the return value of bpf_skb_net_shrink/grow, and always return 0, fix it by return 'ret'. Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds2017-07-1338-101/+172
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull networking fixes from David Miller: 1) Fix 64-bit division in mlx5 IPSEC offload support, from Ilan Tayari and Arnd Bergmann. 2) Fix race in statistics gathering in bnxt_en driver, from Michael Chan. 3) Can't use a mutex in RCU reader protected section on tap driver, from Cong WANG. 4) Fix mdb leak in bridging code, from Eduardo Valentin. 5) Fix free of wrong pointer variable in nfp driver, from Dan Carpenter. 6) Buffer overflow in brcmfmac driver, from Arend van SPriel. 7) ioremap_nocache() return value needs to be checked in smsc911x driver, from Alexey Khoroshilov. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (34 commits) net: stmmac: revert "support future possible different internal phy mode" sfc: don't read beyond unicast address list datagram: fix kernel-doc comments socket: add documentation for missing elements smsc911x: Add check for ioremap_nocache() return code brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() net: hns: Bugfix for Tx timeout handling in hns driver net: ipmr: ipmr_get_table() returns NULL nfp: freeing the wrong variable mlxsw: spectrum_switchdev: Check status of memory allocation mlxsw: spectrum_switchdev: Remove unused variable mlxsw: spectrum_router: Fix use-after-free in route replace mlxsw: spectrum_router: Add missing rollback samples/bpf: fix a build issue bridge: mdb: fix leak on complete_info ptr on fail path tap: convert a mutex to a spinlock cxgb4: fix BUG() on interrupt deallocating path of ULD qed: Fix printk option passed when printing ipv6 addresses net: Fix minor code bug in timestamping.txt net: stmmac: Make 'alloc_dma_[rt]x_desc_resources()' look even closer ...
| * net: stmmac: revert "support future possible different internal phy mode"LABBE Corentin2017-07-121-7/+3
| | | | | | | | | | | | | | | | | | | | | | | | Since internal phy-mode is reserved for non-xMII protocol we cannot use it with dwmac-sun8i. Furthermore, all DT patchs which comes with this patch were cleaned, so the current state is broken. This reverts commit 1c2fa5f84683 ("net: stmmac: support future possible different internal phy mode") Fixes: 1c2fa5f84683 ("net: stmmac: support future possible different internal phy mode") Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * sfc: don't read beyond unicast address listBert Kenward2017-07-121-5/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | If we have more than 32 unicast MAC addresses assigned to an interface we will read beyond the end of the address table in the driver when adding filters. The next 256 entries store multicast addresses, so we will end up attempting to insert duplicate filters, which is mostly harmless. If we add more than 288 unicast addresses we will then read past the multicast address table, which is likely to be more exciting. Fixes: 12fb0da45c9a ("sfc: clean fallbacks between promisc/normal in efx_ef10_filter_sync_rx_mode") Signed-off-by: Bert Kenward <bkenward@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'net-doc-fixes'David S. Miller2017-07-122-3/+6
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Stephen Hemminger says: ==================== minor net kernel-doc fixes Fix a couple of small errors in kernel-doc for networking ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| | * datagram: fix kernel-doc commentsstephen hemminger2017-07-121-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | An underscore in the kernel-doc comment section has special meaning and mis-use generates an errors. ./net/core/datagram.c:207: ERROR: Unknown target name: "msg". ./net/core/datagram.c:379: ERROR: Unknown target name: "msg". ./net/core/datagram.c:816: ERROR: Unknown target name: "t". Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * socket: add documentation for missing elementsstephen hemminger2017-07-121-0/+3
| |/ | | | | | | | | | | | | Fill in missing kernel-doc for missing elements in struct sock. Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * smsc911x: Add check for ioremap_nocache() return codeAlexey Khoroshilov2017-07-121-0/+5
| | | | | | | | | | | | | | | | | | | | There is no check for return code of smsc911x_drv_probe() in smsc911x_drv_probe(). The patch adds one. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
| * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()Arend van Spriel2017-07-121-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so thats's max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overflow. memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], le16_to_cpu(action_frame->len)); Cc: stable@vger.kernel.org # 3.9.x Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.") Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * net: hns: Bugfix for Tx timeout handling in hns driverLin Yun Sheng2017-07-121-7/+9
| | | | | | | | | | | | | | | | | | | | | | When hns port type is not debug mode, netif_tx_disable is called when there is a tx timeout, which requires system reboot to return to normal state. This patch fix this problem by resetting the net dev. Fixes: b5996f11ea54 ("net: add Hisilicon Network Subsystem basic ethernet support") Signed-off-by: Lin Yun Sheng <linyunsheng@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * net: ipmr: ipmr_get_table() returns NULLDan Carpenter2017-07-121-2/+2
| | | | | | | | | | | | | | | | | | | | The ipmr_get_table() function doesn't return error pointers it returns NULL on error. Fixes: 4f75ba6982bc ("net: ipmr: Add ipmr_rtm_getroute") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * nfp: freeing the wrong variableDan Carpenter2017-07-121-1/+1
| | | | | | | | | | | | | | | | | | | | We accidentally free a NULL pointer and leak the pointer we want to free. Also you can tell from the label name what was intended. :) Fixes: abfcdc1de9bf ("nfp: add a stats handler for flower offloads") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'mlxsw-spectrum-Various-fixes'David S. Miller2017-07-122-3/+10
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Jiri Pirko says: ==================== mlxsw: spectrum: Various fixes First patch adds a missing rollback in error path. Second patch prevents a use-after-free during IPv4 route replace. Last two patches fix warnings from static checkers. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| | * mlxsw: spectrum_switchdev: Check status of memory allocationIdo Schimmel2017-07-121-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can't rely on kzalloc() always succeeding, so check its return value. Suppresses the following smatch error: mlxsw_sp_switchdev_event() error: potential null dereference 'switchdev_work->fdb_info.addr'. (kzalloc returns null) Fixes: af061378924f ("mlxsw: spectrum_switchdev: Add support for learning FDB through notification") Signed-off-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * mlxsw: spectrum_switchdev: Remove unused variableIdo Schimmel2017-07-121-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 10e23eb299fa ("mlxsw: spectrum: Remove support for bypass bridge port attributes/vlan set") removed statements that used 'bridge_vlan', but didn't remove the variable itself resulting in the following warning with W=1: warning: variable ‘bridge_vlan’ set but not used [-Wunused-but-set-variable] Remove the variable and suppress the warning. Fixes: 10e23eb299fa ("mlxsw: spectrum: Remove support for bypass bridge port attributes/vlan set") Signed-off-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * mlxsw: spectrum_router: Fix use-after-free in route replaceIdo Schimmel2017-07-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While working on IPv6 route replace I realized we can have a use-after-free in IPv4 in case the replaced route is offloaded and the only one using its FIB info. The problem is that fib_table_insert() drops the reference on the FIB info of the replaced routes which is eventually freed via call_rcu(). Since the driver doesn't hold a reference on this FIB info it can cause a use-after-free when it tries to clear the RTNH_F_OFFLOAD flag stored in fi->fib_flags. After running the following commands in a loop for enough time with a KASAN enabled kernel I finally got the below trace. $ ip route add 192.168.50.0/24 via 192.168.200.1 dev enp3s0np3 $ ip route replace 192.168.50.0/24 dev enp3s0np5 $ ip route del 192.168.50.0/24 dev enp3s0np5 BUG: KASAN: use-after-free in mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum] Read of size 4 at addr ffff8803717d9820 by task kworker/u4:2/55 [...] ? mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum] ? mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum] ? mlxsw_sp_router_neighs_update_work+0x1cd0/0x1ce0 [mlxsw_spectrum] ? mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum] __asan_load4+0x61/0x80 mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum] mlxsw_sp_fib_entry_offload_refresh+0xb6/0x370 [mlxsw_spectrum] mlxsw_sp_router_fib_event_work+0xd1c/0x2780 [mlxsw_spectrum] [...] Freed by task 5131: save_stack_trace+0x16/0x20 save_stack+0x46/0xd0 kasan_slab_free+0x70/0xc0 kfree+0x144/0x570 free_fib_info_rcu+0x2e7/0x410 rcu_process_callbacks+0x4f8/0xe30 __do_softirq+0x1d3/0x9e2 Fix this by taking a reference on the FIB info when creating the nexthop group it represents and drop it when the group is destroyed. Fixes: 599cf8f95f22 ("mlxsw: spectrum_router: Add support for route replace") Signed-off-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * mlxsw: spectrum_router: Add missing rollbackIdo Schimmel2017-07-121-0/+1
| |/ | | | | | | | | | | | | | | | | | | With this patch the error path of mlxsw_sp_nexthop_init() is symmetric with mlxsw_sp_nexthop_fini(). Noticed during code review. Fixes: a8c970142798 ("mlxsw: spectrum_router: Refactor nexthop init routine") Signed-off-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * samples/bpf: fix a build issueYonghong Song2017-07-124-1/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With latest net-next: ==== clang -nostdinc -isystem /usr/lib/gcc/x86_64-redhat-linux/6.3.1/include -I./arch/x86/include -I./arch/x86/include/generated/uapi -I./arch/x86/include/generated -I./include -I./arch/x86/include/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/kconfig.h -Isamples/bpf \ -D__KERNEL__ -D__ASM_SYSREG_H -Wno-unused-value -Wno-pointer-sign \ -Wno-compare-distinct-pointer-types \ -Wno-gnu-variable-sized-type-not-at-end \ -Wno-address-of-packed-member -Wno-tautological-compare \ -Wno-unknown-warning-option \ -O2 -emit-llvm -c samples/bpf/tcp_synrto_kern.c -o -| llc -march=bpf -filetype=obj -o samples/bpf/tcp_synrto_kern.o samples/bpf/tcp_synrto_kern.c:20:10: fatal error: 'bpf_endian.h' file not found ^~~~~~~~~~~~~~ 1 error generated. ==== net has the same issue. Add support for ntohl and htonl in tools/testing/selftests/bpf/bpf_endian.h. Also move bpf_helpers.h from samples/bpf to selftests/bpf and change compiler include logic so that programs in samples/bpf can access the headers in selftests/bpf, but not the other way around. Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Lawrence Brakmo <brakmo@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * bridge: mdb: fix leak on complete_info ptr on fail pathEduardo Valentin2017-07-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We currently get the following kmemleak report: unreferenced object 0xffff8800039d9820 (size 32): comm "softirq", pid 0, jiffies 4295212383 (age 792.416s) hex dump (first 32 bytes): 00 0c e0 03 00 88 ff ff ff 02 00 00 00 00 00 00 ................ 00 00 00 01 ff 11 00 02 86 dd 00 00 ff ff ff ff ................ backtrace: [<ffffffff8152b4aa>] kmemleak_alloc+0x4a/0xa0 [<ffffffff811d8ec8>] kmem_cache_alloc_trace+0xb8/0x1c0 [<ffffffffa0389683>] __br_mdb_notify+0x2a3/0x300 [bridge] [<ffffffffa038a0ce>] br_mdb_notify+0x6e/0x70 [bridge] [<ffffffffa0386479>] br_multicast_add_group+0x109/0x150 [bridge] [<ffffffffa0386518>] br_ip6_multicast_add_group+0x58/0x60 [bridge] [<ffffffffa0387fb5>] br_multicast_rcv+0x1d5/0xdb0 [bridge] [<ffffffffa037d7cf>] br_handle_frame_finish+0xcf/0x510 [bridge] [<ffffffffa03a236b>] br_nf_hook_thresh.part.27+0xb/0x10 [br_netfilter] [<ffffffffa03a3738>] br_nf_hook_thresh+0x48/0xb0 [br_netfilter] [<ffffffffa03a3fb9>] br_nf_pre_routing_finish_ipv6+0x109/0x1d0 [br_netfilter] [<ffffffffa03a4400>] br_nf_pre_routing_ipv6+0xd0/0x14c [br_netfilter] [<ffffffffa03a3c27>] br_nf_pre_routing+0x197/0x3d0 [br_netfilter] [<ffffffff814a2952>] nf_iterate+0x52/0x60 [<ffffffff814a29bc>] nf_hook_slow+0x5c/0xb0 [<ffffffffa037ddf4>] br_handle_frame+0x1a4/0x2c0 [bridge] This happens when switchdev_port_obj_add() fails. This patch frees complete_info object in the fail path. Reviewed-by: Vallish Vaidyeshwara <vallish@amazon.com> Signed-off-by: Eduardo Valentin <eduval@amazon.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * tap: convert a mutex to a spinlockWANG Cong2017-07-111-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | We are not allowed to block on the RCU reader side, so can't just hold the mutex as before. As a quick fix, convert it to a spinlock. Fixes: d9f1f61c0801 ("tap: Extending tap device create/destroy APIs") Reported-by: Christian Borntraeger <borntraeger@de.ibm.com> Tested-by: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Sainath Grandhi <sainath.grandhi@intel.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * cxgb4: fix BUG() on interrupt deallocating path of ULDGuilherme G. Piccoli2017-07-112-22/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since the introduction of ULD (Upper-Layer Drivers), the MSI-X deallocating path changed in cxgb4: the driver frees the interrupts of ULD when unregistering it or on shutdown PCI handler. Problem is that if a MSI-X is not freed before deallocated in the PCI layer, it will trigger a BUG() due to still "alive" interrupt being tentatively quiesced. The below trace was observed when doing a simple unbind of Chelsio's adapter PCI function, like: "echo 001e:80:00.4 > /sys/bus/pci/drivers/cxgb4/unbind" Trace: kernel BUG at drivers/pci/msi.c:352! Oops: Exception in kernel mode, sig: 5 [#1] ... NIP [c0000000005a5e60] free_msi_irqs+0xa0/0x250 LR [c0000000005a5e50] free_msi_irqs+0x90/0x250 Call Trace: [c0000000005a5e50] free_msi_irqs+0x90/0x250 (unreliable) [c0000000005a72c4] pci_disable_msix+0x124/0x180 [d000000011e06708] disable_msi+0x88/0xb0 [cxgb4] [d000000011e06948] free_some_resources+0xa8/0x160 [cxgb4] [d000000011e06d60] remove_one+0x170/0x3c0 [cxgb4] [c00000000058a910] pci_device_remove+0x70/0x110 [c00000000064ef04] device_release_driver_internal+0x1f4/0x2c0 ... This patch fixes the issue by refactoring the shutdown path of ULD on cxgb4 driver, by properly freeing and disabling interrupts on PCI remove handler too. Fixes: 0fbc81b3ad51 ("Allocate resources dynamically for all cxgb4 ULD's") Reported-by: Harsha Thyagaraja <hathyaga@in.ibm.com> Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * qed: Fix printk option passed when printing ipv6 addressesKalderon, Michal2017-07-111-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The option "h" (host order ) exists for ipv4 only. Remove the h when printing ipv6 addresses. Lead to the following smatch warning: drivers/net/ethernet/qlogic/qed/qed_iwarp.c:585 qed_iwarp_print_tcp_ramrod() warn: '%pI6' can only be followed by c drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1521 qed_iwarp_print_cm_info() warn: '%pI6' can only be followed by c Fixes commit 456a584947d5 ("qed: iWARP CM add passive side connect") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com> Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * net: Fix minor code bug in timestamping.txtAhmad Fatoum2017-07-111-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Passing (void*)val instead of &val would make a pointer out of an integer and cause sock_setsockopt to -EFAULT. See tools/testing/selftests/networking/timestamping/timestamping.c for a working example. Cc: David S. Miller <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Ahmad Fatoum <ahmad@a3f.at> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'stmmac-dma-resources-fixes'David S. Miller2017-07-111-7/+7
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Christophe JAILLET says: ==================== net: stmmac: Fixes and cleanups in 'alloc_dma_[rt]x_desc_resources()' These patchs are all related to 'alloc_dma_[rt]x_desc_resources()' functions. The 2 first fix an error path where some resources are leaking. I've separated them into 2 patches because the issues have been introduced by 2 deferent commits. The 3rd patch is just a clean-up. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| | * net: stmmac: Make 'alloc_dma_[rt]x_desc_resources()' look even closerChristophe Jaillet2017-07-111-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'alloc_dma_[rt]x_desc_resources()' functions look very close. Remove a useless initialization and use the same label name for error handling path in order to get them even closer. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * net: stmmac: Fix error handling path in 'alloc_dma_tx_desc_resources()'Christophe Jaillet2017-07-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the first 'kmalloc_array' within the loop fails, we should free what as already been allocated, as done in all other error handling path. Fixes: ce736788e8a9 ("net: stmmac: adding multiple buffers for TX") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * net: stmmac: Fix error handling path in 'alloc_dma_rx_desc_resources()'Christophe Jaillet2017-07-111-1/+1
| |/ | | | | | | | | | | | | | | | | | | If the first 'kmalloc_array' within the loop fails, we should free what as already been allocated, as done in all other error handling path. Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * cisco: enic: Fic an error handling path in 'vnic_dev_init_devcmd2()'Christophe Jaillet2017-07-111-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | if 'ioread32()' returns 0xFFFFFFF, we have to go through the error handling path as done everywhere else in this function. Move the 'err_free_wq' label to better match its name and its location and add a new label 'err_disable_wq'. Update the code accordingly. Fixes: 373fb0873d43 ("enic: add devcmd2") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'bnxt_en-Bug-fixes'David S. Miller2017-07-114-16/+35
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Michael Chan says: ==================== bnxt_en: Bug fixes. 3 bug fixes in this series. Fix a crash in bnxt_get_stats64() that can happen if the device is closing and freeing the statistics block at the same time. The 2nd one fixes ethtool -L failing when changing from combined to non-combined mode or vice versa. The last one fixes SRIOV failure on big-endian systems because we were setting a bitmap wrong in a firmware message. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| | * bnxt_en: Fix SRIOV on big-endian architecture.Michael Chan2017-07-111-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The PF driver sets up a list of firmware commands from the VF driver that needs to be forwarded to the PF for approval. This list is a 256-bit bitmap. The code that sets up the bitmap falls apart on big-endian architecture. __set_bit() does not work because it operates on long types whereas the firmware interface is defined in u32 types, causing bits in the wrong 32-bit word to be set. Fix it by setting the proper bits on an array of u32. Fixes: de68f5de5651 ("bnxt_en: Fix bitmap declaration to work on 32-bit arches.") Reported-by: Shannon Nelson <shannon.nelson@oracle.com> Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| | * bnxt_en: Fix bug in ethtool -L.Michael Chan2017-07-114-9/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When changing channels from combined to rx/tx or vice versa, the code uses the wrong "sh" parameter to determine if we are reserving rings for shared or non-shared mode. It should be using the ethtool requested "sh" parameter instead of the current "sh" parameter. Fix it by passing the "sh" parameter to bnxt_reserve_rings(). For ethtool, we will pass in the requested "sh" parameter. Fixes: 391be5c27364 ("bnxt_en: Implement new scheme to reserve tx rings.") Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>