This is a snapshot of the sockev module taken as of msm-4.4
commit 33193859886dd87 ("net: core: Send only BIND and LISTEN events.").
Added module which subscribes to socket notifier events. Notifier events
are then converted to a multicast netlink message for user space
applications to consume.
CRs-Fixed: 1078373
Change-Id: If72b7c9a127d3861d276b681b052be3619bc6562
Acked-by: Manoj Basapathi <manojbm@qti.qualcomm.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlqiLKAACgkQONu9yGCS
aT6v+BAAqksTfviS5Ar4+si/6RYsj8x8gz0yYiidh2/L09BMa1E6lsNouHxko1/f
kdjmjK/BDcVZcZtNCZk5p0+PYt8sU0IFoSZvAD7+4zsbNnAR4z0O+2LMdengnzuY
d4U1dpKW0rBdRHNhrZLDr4m5VgDm+MMG5glMdg52bDHmP0449yS8pADgFGtgNvRe
Z1pd5XyrUJ4bz7K2qcmlm0IS/Rev3c1m4wtJW15IvdjfwFkhSbj/2t1sQrFeqMFz
Unvg/bIchTSCluRjagbb+fKHV0PhfBMIr2dAb7pobIOSeJsKSix2HGy8ugRy2yLR
ssATVpkLWvmisPQYXQ6gaUixg4hVGryqc3AeuEMc0NWUZyBn5XKVNC4+Uyq/Wv1I
XsvhcyJ0meB4SxnrU5SO9cxJdOmXIgJijNuyFCO5/Qv/WUZGjhQU0RGsixdPx1MU
7KYDFPd0H9aV7zliaWEXuCuH4tsASgfKojQble9OID1/q/8YJIgG5jqkljAcYcXG
AuFmHXHIWim7hB3zc5jq5KxtfA2hbZ3ixWxmV79dL6V8DBeZsTPqPfhizCYAneAU
D3830bIBP1HYPlVdPZV5GWVDEc9H4HHPIRTrXhHc7apQDt3wjqWWShrYyIfDLtnB
eSCN5heTxWpUjHVjyX56v4uoOWPwjrw2MpQRxt1KsX+B8a2HEb4=
=ULMj
-----END PGP SIGNATURE-----
Merge 4.14.25 into android-4.14
Changes in 4.14.25
Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
ixgbe: fix crash in build_skb Rx code path
tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
tpm: fix potential buffer overruns caused by bit glitches on the bus
tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
tpm: constify transmit data pointers
tpm_tis_spi: Use DMA-safe memory for SPI transfers
ALSA: usb-audio: Add a quirck for B&W PX headphones
ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
ALSA: x86: Fix missing spinlock and mutex initializations
ALSA: hda: Add a power_save blacklist
ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
mmc: dw_mmc: Avoid accessing registers in runtime suspended state
mmc: dw_mmc: Factor out dw_mci_init_slot_caps
mmc: dw_mmc: Fix out-of-bounds access for slot's caps
timers: Forward timer base before migrating timers
parisc: Use cr16 interval timers unconditionally on qemu
parisc: Reduce irq overhead when run in qemu
parisc: Fix ordering of cache and TLB flushes
btrfs: use proper endianness accessors for super_copy
block: fix the count of PGPGOUT for WRITE_SAME
block: kyber: fix domain token leak during requeue
vfio: disable filesystem-dax page pinning
cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
dax: fix vma_is_fsdax() helper
direct-io: Fix sleep in atomic due to sync AIO
x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
x86/platform/intel-mid: Handle Intel Edison reboot correctly
x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
bridge: check brport attr show in brport_show
fib_semantics: Don't match route with mismatching tclassid
hdlc_ppp: carrier detect ok, don't turn off negotiation
ipv6 sit: work around bogus gcc-8 -Wrestrict warning
net: amd-xgbe: fix comparison to bitshift when dealing with a mask
net: ethernet: ti: cpsw: fix net watchdog timeout
net: fix race on decreasing number of TX queues
net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
netlink: ensure to loop over all netns in genlmsg_multicast_allns()
net: sched: report if filter is too large to dump
ppp: prevent unregistered channels from connecting to PPP units
sctp: verify size of a new chunk in _sctp_make_chunk()
udplite: fix partial checksum initialization
net/mlx5e: Fix TCP checksum in LRO buffers
sctp: fix dst refcnt leak in sctp_v4_get_dst
mlxsw: spectrum_switchdev: Check success of FDB add operation
net/mlx5e: Specify numa node when allocating drop rq
net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
tcp: Honor the eor bit in tcp_mtu_probe
rxrpc: Fix send in rxrpc_send_data_packet()
tcp_bbr: better deal with suboptimal GSO
doc: Change the min default value of tcp_wmem/tcp_rmem.
net/mlx5e: Fix loopback self test when GRO is off
net_sched: gen_estimator: fix broken estimators based on percpu stats
net/sched: cls_u32: fix cls_u32 on filter replace
sctp: do not pr_err for the duplicated node in transport rhlist
tcp: revert F-RTO middle-box workaround
tcp: revert F-RTO extension to detect more spurious timeouts
mlxsw: spectrum_router: Fix error path in mlxsw_sp_vr_create
net: ipv4: Set addr_type in hash_keys for forwarded case
sctp: fix dst refcnt leak in sctp_v6_get_dst()
bridge: Fix VLAN reference count problem
net/mlx5e: Verify inline header size do not exceed SKB linear size
amd-xgbe: Restore PCI interrupt enablement setting on resume
cls_u32: fix use after free in u32_destroy_key()
mlxsw: spectrum_router: Do not unconditionally clear route offload indication
netlink: put module reference if dump start fails
tcp: purge write queue upon RST
tuntap: correctly add the missing XDP flush
tuntap: disable preemption during XDP processing
virtio-net: disable NAPI only when enabled during XDP set
s390/qeth: fix underestimated count of buffer elements
s390/qeth: fix SETIP command handling
s390/qeth: fix overestimated count of buffer elements
s390/qeth: fix IP removal on offline cards
s390/qeth: fix double-free on IP add/remove race
Revert "s390/qeth: fix using of ref counter for rxip addresses"
s390/qeth: fix IP address lookup for L3 devices
s390/qeth: fix IPA command submission race
blk-mq: don't call io sched's .requeue_request when requeueing rq to ->dispatch
media: m88ds3103: don't call a non-initalized function
EDAC, sb_edac: Fix out of bound writes during DIMM configuration on KNL
KVM: s390: take care of clock-comparator sign control
KVM: s390: provide only a single function for setting the tod (fix SCK)
KVM: s390: consider epoch index on hotplugged CPUs
KVM: s390: consider epoch index on TOD clock syncs
nospec: Allow index argument to have const-qualified type
x86/mm: Fix {pmd,pud}_{set,clear}_flags()
ARM: orion: fix orion_ge00_switch_board_info initialization
ARM: dts: rockchip: Remove 1.8 GHz operation point from phycore som
ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
ARM: kvm: fix building with gcc-8
KVM: x86: extend usage of RET_MMIO_PF_* constants
KVM: X86: Fix SMRAM accessing even if VM is shutdown
KVM: mmu: Fix overlap between public and private memslots
KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
KVM: x86: move LAPIC initialization after VMCS creation
KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
KVM: x86: fix vcpu initialization with userspace lapic
PCI/ASPM: Deal with missing root ports in link state handling
KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
KVM/x86: remove WARN_ON() for when vm_munmap() fails
ACPI / bus: Parse tables as term_list for Dell XPS 9570 and Precision M5530
ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
md: only allow remove_and_add_spares when no sync_thread running.
nvme-rdma: don't suppress send completions
Linux 4.14.25
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit a27fd7a8ed3856faaf5a2ff1c8c5f00c0667aaa0 ]
When the connection is reset, there is no point in
keeping the packets on the write queue until the connection
is closed.
RFC 793 (page 70) and RFC 793-bis (page 64) both suggest
purging the write queue upon RST:
https://tools.ietf.org/html/draft-ietf-tcpm-rfc793bis-07
Moreover, this is essential for a correct MSG_ZEROCOPY
implementation, because userspace cannot call close(fd)
before receiving zerocopy signals even when the connection
is reset.
Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b87b6194be631c94785fe93398651e804ed43e28 ]
Before, if cb->start() failed, the module reference would never be put,
because cb->cb_running is intentionally false at this point. Users are
generally annoyed by this because they can no longer unload modules that
leak references. Also, it may be possible to tediously wrap a reference
counter back to zero, especially since module.c still uses atomic_inc
instead of refcount_inc.
This patch expands the error path to simply call module_put if
cb->start() fails.
Fixes: 41c87425a1ac ("netlink: do not set cb_running if dump's start() errs")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit d7cdee5ea8d28ae1b6922deb0c1badaa3aa0ef8c ]
Li Shuang reported an Oops with cls_u32 due to an use-after-free
in u32_destroy_key(). The use-after-free can be triggered with:
dev=lo
tc qdisc add dev $dev root handle 1: htb default 10
tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256
tc filter add dev $dev protocol ip parent 1: prio 5 u32 ht 800:: match ip dst\
10.0.0.0/8 hashkey mask 0x0000ff00 at 16 link 1:
tc qdisc del dev $dev root
Which causes the following kasan splat:
==================================================================
BUG: KASAN: use-after-free in u32_destroy_key.constprop.21+0x117/0x140 [cls_u32]
Read of size 4 at addr ffff881b83dae618 by task kworker/u48:5/571
CPU: 17 PID: 571 Comm: kworker/u48:5 Not tainted 4.15.0+ #87
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
Workqueue: tc_filter_workqueue u32_delete_key_freepf_work [cls_u32]
Call Trace:
dump_stack+0xd6/0x182
? dma_virt_map_sg+0x22e/0x22e
print_address_description+0x73/0x290
kasan_report+0x277/0x360
? u32_destroy_key.constprop.21+0x117/0x140 [cls_u32]
u32_destroy_key.constprop.21+0x117/0x140 [cls_u32]
u32_delete_key_freepf_work+0x1c/0x30 [cls_u32]
process_one_work+0xae0/0x1c80
? sched_clock+0x5/0x10
? pwq_dec_nr_in_flight+0x3c0/0x3c0
? _raw_spin_unlock_irq+0x29/0x40
? trace_hardirqs_on_caller+0x381/0x570
? _raw_spin_unlock_irq+0x29/0x40
? finish_task_switch+0x1e5/0x760
? finish_task_switch+0x208/0x760
? preempt_notifier_dec+0x20/0x20
? __schedule+0x839/0x1ee0
? check_noncircular+0x20/0x20
? firmware_map_remove+0x73/0x73
? find_held_lock+0x39/0x1c0
? worker_thread+0x434/0x1820
? lock_contended+0xee0/0xee0
? lock_release+0x1100/0x1100
? init_rescuer.part.16+0x150/0x150
? retint_kernel+0x10/0x10
worker_thread+0x216/0x1820
? process_one_work+0x1c80/0x1c80
? lock_acquire+0x1a5/0x540
? lock_downgrade+0x6b0/0x6b0
? sched_clock+0x5/0x10
? lock_release+0x1100/0x1100
? compat_start_thread+0x80/0x80
? do_raw_spin_trylock+0x190/0x190
? _raw_spin_unlock_irq+0x29/0x40
? trace_hardirqs_on_caller+0x381/0x570
? _raw_spin_unlock_irq+0x29/0x40
? finish_task_switch+0x1e5/0x760
? finish_task_switch+0x208/0x760
? preempt_notifier_dec+0x20/0x20
? __schedule+0x839/0x1ee0
? kmem_cache_alloc_trace+0x143/0x320
? firmware_map_remove+0x73/0x73
? sched_clock+0x5/0x10
? sched_clock_cpu+0x18/0x170
? find_held_lock+0x39/0x1c0
? schedule+0xf3/0x3b0
? lock_downgrade+0x6b0/0x6b0
? __schedule+0x1ee0/0x1ee0
? do_wait_intr_irq+0x340/0x340
? do_raw_spin_trylock+0x190/0x190
? _raw_spin_unlock_irqrestore+0x32/0x60
? process_one_work+0x1c80/0x1c80
? process_one_work+0x1c80/0x1c80
kthread+0x312/0x3d0
? kthread_create_worker_on_cpu+0xc0/0xc0
ret_from_fork+0x3a/0x50
Allocated by task 1688:
kasan_kmalloc+0xa0/0xd0
__kmalloc+0x162/0x380
u32_change+0x1220/0x3c9e [cls_u32]
tc_ctl_tfilter+0x1ba6/0x2f80
rtnetlink_rcv_msg+0x4f0/0x9d0
netlink_rcv_skb+0x124/0x320
netlink_unicast+0x430/0x600
netlink_sendmsg+0x8fa/0xd60
sock_sendmsg+0xb1/0xe0
___sys_sendmsg+0x678/0x980
__sys_sendmsg+0xc4/0x210
do_syscall_64+0x232/0x7f0
return_from_SYSCALL_64+0x0/0x75
Freed by task 112:
kasan_slab_free+0x71/0xc0
kfree+0x114/0x320
rcu_process_callbacks+0xc3f/0x1600
__do_softirq+0x2bf/0xc06
The buggy address belongs to the object at ffff881b83dae600
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 24 bytes inside of
4096-byte region [ffff881b83dae600, ffff881b83daf600)
The buggy address belongs to the page:
page:ffffea006e0f6a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x17ffffc0008100(slab|head)
raw: 0017ffffc0008100 0000000000000000 0000000000000000 0000000100070007
raw: dead000000000100 dead000000000200 ffff880187c0e600 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff881b83dae500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff881b83dae580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff881b83dae600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff881b83dae680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff881b83dae700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
The problem is that the htnode is freed before the linked knodes and the
latter will try to access the first at u32_destroy_key() time.
This change addresses the issue using the htnode refcnt to guarantee
the correct free order. While at it also add a RCU annotation,
to keep sparse happy.
v1 -> v2: use rtnl_derefence() instead of RCU read locks
v2 -> v3:
- don't check refcnt in u32_destroy_hnode()
- cleaned-up u32_destroy() implementation
- cleaned-up code comment
v3 -> v4:
- dropped unneeded comment
Reported-by: Li Shuang <shuali@redhat.com>
Fixes: c0d378ef1266 ("net_sched: use tcf_queue_work() in u32 filter")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 0e5a82efda872c2469c210957d7d4161ef8f4391 ]
When a VLAN is added on a port, a reference is taken on the
corresponding master VLAN entry. If it does not already exist, then it
is created and a reference taken.
However, in the second case a reference is not really taken when
CONFIG_REFCOUNT_FULL is enabled as refcount_inc() is replaced by
refcount_inc_not_zero().
Fix this by using refcount_set() on a newly created master VLAN entry.
Fixes: 251277598596 ("net, bridge: convert net_bridge_vlan.refcnt from atomic_t to refcount_t")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 957d761cf91cdbb175ad7d8f5472336a4d54dbf2 ]
When going through the bind address list in sctp_v6_get_dst() and
the previously found address is better ('matchlen > bmatchlen'),
the code continues to the next iteration without releasing currently
held destination.
Fix it by releasing 'bdst' before continue to the next iteration, and
instead of introducing one more '!IS_ERR(bdst)' check for dst_release(),
move the already existed one right after ip6_dst_lookup_flow(), i.e. we
shouldn't proceed further if we get an error for the route lookup.
Fixes: dbc2b5e9a09e ("sctp: fix src address selection if using secondary addresses for ipv6")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1fe4b1184c2ae2bfbf9e8b14c9c0c1945c98f205 ]
The result of the skb flow dissect is copied from keys to hash_keys to
ensure only the intended data is hashed. The original L4 hash patch
overlooked setting the addr_type for this case; add it.
Fixes: bf4e0a3db97eb ("net: ipv4: add support for ECMP hash policy choice")
Reported-by: Ido Schimmel <idosch@idosch.org>
Signed-off-by: David Ahern <dsahern@gmail.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit fc68e171d376c322e6777a3d7ac2f0278b68b17f ]
This reverts commit 89fe18e44f7ee5ab1c90d0dff5835acee7751427.
While the patch could detect more spurious timeouts, it could cause
poor TCP performance on broken middle-boxes that modifies TCP packets
(e.g. receive window, SACK options). Since the performance gain is
much smaller compared to the potential loss. The best solution is
to fully revert the change.
Fixes: 89fe18e44f7e ("tcp: extend F-RTO to catch more spurious timeouts")
Reported-by: Teodor Milkov <tm@del.bg>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit d4131f09770d9b7471c9da65e6ecd2477746ac5c ]
This reverts commit cc663f4d4c97b7297fb45135ab23cfd508b35a77. While fixing
some broken middle-boxes that modifies receive window fields, it does not
address middle-boxes that strip off SACK options. The best solution is
to fully revert this patch and the root F-RTO enhancement.
Fixes: cc663f4d4c97 ("tcp: restrict F-RTO to work-around broken middle-boxes")
Reported-by: Teodor Milkov <tm@del.bg>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 27af86bb038d9c8b8066cd17854ddaf2ea92bce1 ]
The pr_err in sctp_hash_transport was supposed to report a sctp bug
for using rhashtable/rhlist.
The err '-EEXIST' introduced in Commit cd2b70875058 ("sctp: check
duplicate node before inserting a new transport") doesn't belong
to that case.
So just return -EEXIST back without pr_err any kmsg.
Fixes: cd2b70875058 ("sctp: check duplicate node before inserting a new transport")
Reported-by: Wei Chen <weichen@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit eb53f7af6f15285e2f6ada97285395343ce9f433 ]
The following sequence is currently broken:
# tc qdisc add dev foo ingress
# tc filter replace dev foo protocol all ingress \
u32 match u8 0 0 action mirred egress mirror dev bar1
# tc filter replace dev foo protocol all ingress \
handle 800::800 pref 49152 \
u32 match u8 0 0 action mirred egress mirror dev bar2
Error: cls_u32: Key node flags do not match passed flags.
We have an error talking to the kernel, -1
The error comes from u32_change() when comparing new and
existing flags. The existing ones always contains one of
TCA_CLS_FLAGS_{,NOT}_IN_HW flag depending on offloading state.
These flags cannot be passed from userspace so the condition
(n->flags != flags) in u32_change() always fails.
Fix the condition so the flags TCA_CLS_FLAGS_NOT_IN_HW and
TCA_CLS_FLAGS_IN_HW are not taken into account.
Fixes: 24d3dc6d27ea ("net/sched: cls_u32: Reflect HW offload status")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a5f7add332b4ea6d4b9480971b3b0f5e66466ae9 ]
pfifo_fast got percpu stats lately, uncovering a bug I introduced last
year in linux-4.10.
I missed the fact that we have to clear our temporary storage
before calling __gnet_stats_copy_basic() in the case of percpu stats.
Without this fix, rate estimators (tc qd replace dev xxx root est 1sec
4sec pfifo_fast) are utterly broken.
Fixes: 1c0d32fde5bd ("net_sched: gen_estimator: complete rewrite of rate estimators")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 350c9f484bde93ef229682eedd98cd5f74350f7f ]
BBR uses tcp_tso_autosize() in an attempt to probe what would be the
burst sizes and to adjust cwnd in bbr_target_cwnd() with following
gold formula :
/* Allow enough full-sized skbs in flight to utilize end systems. */
cwnd += 3 * bbr->tso_segs_goal;
But GSO can be lacking or be constrained to very small
units (ip link set dev ... gso_max_segs 2)
What we really want is to have enough packets in flight so that both
GSO and GRO are efficient.
So in the case GSO is off or downgraded, we still want to have the same
number of packets in flight as if GSO/TSO was fully operational, so
that GRO can hopefully be working efficiently.
To fix this issue, we make tcp_tso_autosize() unaware of
sk->sk_gso_max_segs
Only tcp_tso_segs() has to enforce the gso_max_segs limit.
Tested:
ethtool -K eth0 tso off gso off
tc qd replace dev eth0 root pfifo_fast
Before patch:
for f in {1..5}; do ./super_netperf 1 -H lpaa24 -- -K bbr; done
691 (ss -temoi shows cwnd is stuck around 6 )
667
651
631
517
After patch :
# for f in {1..5}; do ./super_netperf 1 -H lpaa24 -- -K bbr; done
1733 (ss -temoi shows cwnd is around 386 )
1778
1746
1781
1718
Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 93c62c45ed5fad1b87e3a45835b251cd68de9c46 ]
All the kernel_sendmsg() calls in rxrpc_send_data_packet() need to send
both parts of the iov[] buffer, but one of them does not. Fix it so that
it does.
Without this, short IPv6 rxrpc DATA packets may be seen that have the rxrpc
header included, but no payload.
Fixes: 5a924b8951f8 ("rxrpc: Don't store the rxrpc header in the Tx queue sk_buffs")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 808cf9e38cd7923036a99f459ccc8cf2955e47af ]
Avoid SKB coalescing if eor bit is set in one of the relevant
SKBs.
Fixes: c134ecb87817 ("tcp: Make use of MSG_EOR in tcp_sendmsg")
Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 4a31a6b19f9ddf498c81f5c9b089742b7472a6f8 ]
Fix dst reference count leak in sctp_v4_get_dst() introduced in commit
410f03831 ("sctp: add routing output fallback"):
When walking the address_list, successive ip_route_output_key() calls
may return the same rt->dst with the reference incremented on each call.
The code would not decrement the dst refcount when the dst pointer was
identical from the previous iteration, causing the dst refcnt leak.
Testcase:
ip netns add TEST
ip netns exec TEST ip link set lo up
ip link add dummy0 type dummy
ip link add dummy1 type dummy
ip link add dummy2 type dummy
ip link set dev dummy0 netns TEST
ip link set dev dummy1 netns TEST
ip link set dev dummy2 netns TEST
ip netns exec TEST ip addr add 192.168.1.1/24 dev dummy0
ip netns exec TEST ip link set dummy0 up
ip netns exec TEST ip addr add 192.168.1.2/24 dev dummy1
ip netns exec TEST ip link set dummy1 up
ip netns exec TEST ip addr add 192.168.1.3/24 dev dummy2
ip netns exec TEST ip link set dummy2 up
ip netns exec TEST sctp_test -H 192.168.1.2 -P 20002 -h 192.168.1.1 -p 20000 -s -B 192.168.1.3
ip netns del TEST
In 4.4 and 4.9 kernels this results to:
[ 354.179591] unregister_netdevice: waiting for lo to become free. Usage count = 1
[ 364.419674] unregister_netdevice: waiting for lo to become free. Usage count = 1
[ 374.663664] unregister_netdevice: waiting for lo to become free. Usage count = 1
[ 384.903717] unregister_netdevice: waiting for lo to become free. Usage count = 1
[ 395.143724] unregister_netdevice: waiting for lo to become free. Usage count = 1
[ 405.383645] unregister_netdevice: waiting for lo to become free. Usage count = 1
...
Fixes: 410f03831 ("sctp: add routing output fallback")
Fixes: 0ca50d12f ("sctp: fix src address selection if using secondary addresses")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 15f35d49c93f4fa9875235e7bf3e3783d2dd7a1b ]
Since UDP-Lite is always using checksum, the following path is
triggered when calculating pseudo header for it:
udp4_csum_init() or udp6_csum_init()
skb_checksum_init_zero_check()
__skb_checksum_validate_complete()
The problem can appear if skb->len is less than CHECKSUM_BREAK. In
this particular case __skb_checksum_validate_complete() also invokes
__skb_checksum_complete(skb). If UDP-Lite is using partial checksum
that covers only part of a packet, the function will return bad
checksum and the packet will be dropped.
It can be fixed if we skip skb_checksum_init_zero_check() and only
set the required pseudo header checksum for UDP-Lite with partial
checksum before udp4_csum_init()/udp6_csum_init() functions return.
Fixes: ed70fcfcee95 ("net: Call skb_checksum_init in IPv4")
Fixes: e4f45b7f40bd ("net: Call skb_checksum_init in IPv6")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c ]
When SCTP makes INIT or INIT_ACK packet the total chunk length
can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
transmitting these packets, e.g. the crash on sending INIT_ACK:
[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
put:120156 head:000000007aa47635 data:00000000d991c2de
tail:0x1d640 end:0xfec0 dev:<NULL>
...
[ 597.976970] ------------[ cut here ]------------
[ 598.033408] kernel BUG at net/core/skbuff.c:104!
[ 600.314841] Call Trace:
[ 600.345829] <IRQ>
[ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.436934] skb_put+0x16c/0x200
[ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp]
[ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp]
[ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp]
[ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp]
[ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp]
[ 601.233575] sctp_do_sm+0x182/0x560 [sctp]
[ 601.284328] ? sctp_has_association+0x70/0x70 [sctp]
[ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp]
[ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp]
...
Here the chunk size for INIT_ACK packet becomes too big, mostly
because of the state cookie (INIT packet has large size with
many address parameters), plus additional server parameters.
Later this chunk causes the panic in skb_put_data():
skb_packet_transmit()
sctp_packet_pack()
skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
'nskb' (head skb) was previously allocated with packet->size
from u16 'chunk->chunk_hdr->length'.
As suggested by Marcelo we should check the chunk's length in
_sctp_make_chunk() before trying to allocate skb for it and
discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 5ae437ad5a2ed573b1ebb04e0afa70b8869f88dd ]
So far, if the filter was too large to fit in the allocated skb, the
kernel did not return any error and stopped dumping. Modify the dumper
so that it returns -EMSGSIZE when a filter fails to dump and it is the
first filter in the skb. If we are not first, we will get a next chance
with more room.
I understand this is pretty near to being an API change, but the
original design (silent truncation) can be considered a bug.
Note: The error case can happen pretty easily if you create a filter
with 32 actions and have 4kb pages. Also recent versions of iproute try
to be clever with their buffer allocation size, which in turn leads to
Signed-off-by: Roman Kapl <code@rkapl.cz>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit cb9f7a9a5c96a773bbc9c70660dc600cfff82f82 ]
Nowadays, nlmsg_multicast() returns only 0 or -ESRCH but this was not the
case when commit 134e63756d5f was pushed.
However, there was no reason to stop the loop if a netns does not have
listeners.
Returns -ESRCH only if there was no listeners in all netns.
To avoid having the same problem in the future, I didn't take the
assumption that nlmsg_multicast() returns only 0 or -ESRCH.
Fixes: 134e63756d5f ("genetlink: make netns aware")
CC: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit c7272c2f1229125f74f22dcdd59de9bbd804f1c8 ]
According to RFC 1191 sections 3 and 4, ICMP frag-needed messages
indicating an MTU below 68 should be rejected:
A host MUST never reduce its estimate of the Path MTU below 68
octets.
and (talking about ICMP frag-needed's Next-Hop MTU field):
This field will never contain a value less than 68, since every
router "must be able to forward a datagram of 68 octets without
fragmentation".
Furthermore, by letting net.ipv4.route.min_pmtu be set to negative
values, we can end up with a very large PMTU when (-1) is cast into u32.
Let's also make ip_rt_min_pmtu a u32, since it's only ever compared to
unsigned ints.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ac5b70198adc25c73fba28de4f78adcee8f6be0b ]
netif_set_real_num_tx_queues() can be called when netdev is up.
That usually happens when user requests change of number of
channels/rings with ethtool -L. The procedure for changing
the number of queues involves resetting the qdiscs and setting
dev->num_tx_queues to the new value. When the new value is
lower than the old one, extra care has to be taken to ensure
ordering of accesses to the number of queues vs qdisc reset.
Currently the queues are reset before new dev->num_tx_queues
is assigned, leaving a window of time where packets can be
enqueued onto the queues going down, leading to a likely
crash in the drivers, since most drivers don't check if TX
skbs are assigned to an active queue.
Fixes: e6484930d7c7 ("net: allocate tx queues in register_netdevice")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ca79bec237f5809a7c3c59bd41cd0880aa889966 ]
gcc-8 has a new warning that detects overlapping input and output arguments
in memcpy(). It triggers for sit_init_net() calling ipip6_tunnel_clone_6rd(),
which is actually correct:
net/ipv6/sit.c: In function 'sit_init_net':
net/ipv6/sit.c:192:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
The problem here is that the logic detecting the memcpy() arguments finds them
to be the same, but the conditional that tests for the input and output of
ipip6_tunnel_clone_6rd() to be identical is not a compile-time constant.
We know that netdev_priv(t->dev) is the same as t for a tunnel device,
and comparing "dev" directly here lets the compiler figure out as well
that 'dev == sitn->fb_tunnel_dev' when called from sit_init_net(), so
it no longer warns.
This code is old, so Cc stable to make sure that we don't get the warning
for older kernels built with new gcc.
Cc: Martin Sebor <msebor@gmail.com>
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83456
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a8c6db1dfd1b1d18359241372bb204054f2c3174 ]
In fib_nh_match(), if output interface or gateway are passed in
the FIB configuration, we don't have to check next hops of
multipath routes to conclude whether we have a match or not.
However, we might still have routes with different realms
matching the same output interface and gateway configuration,
and this needs to cause the match to fail. Otherwise the first
route inserted in the FIB will match, regardless of the realms:
# ip route add 1.1.1.1 dev eth0 table 1234 realms 1/2
# ip route append 1.1.1.1 dev eth0 table 1234 realms 3/4
# ip route list table 1234
1.1.1.1 dev eth0 scope link realms 1/2
1.1.1.1 dev eth0 scope link realms 3/4
# ip route del 1.1.1.1 dev ens3 table 1234 realms 3/4
# ip route list table 1234
1.1.1.1 dev ens3 scope link realms 3/4
whereas route with realms 3/4 should have been deleted instead.
Explicitly check for fc_flow passed in the FIB configuration
(this comes from RTA_FLOW extracted by rtm_to_fib_config()) and
fail matching if it differs from nh_tclassid.
The handling of RTA_FLOW for multipath routes later in
fib_nh_match() is still needed, as we can have multiple RTA_FLOW
attributes that need to be matched against the tclassid of each
next hop.
v2: Check that fc_flow is set before discarding the match, so
that the user can still select the first matching rule by
not specifying any realm, as suggested by David Ahern.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1b12580af1d0677c3c3a19e35bfe5d59b03f737f ]
Now br_sysfs_if file flush doesn't have attr show. To read it will
cause kernel panic after users chmod u+r this file.
Xiong found this issue when running the commands:
ip link add br0 type bridge
ip link add type veth
ip link set veth0 master br0
chmod u+r /sys/devices/virtual/net/veth0/brport/flush
timeout 3 cat /sys/devices/virtual/net/veth0/brport/flush
kernel crashed with NULL a pointer dereference call trace.
This patch is to fix it by return -EINVAL when brport_attr->show
is null, just the same as the check for brport_attr->store in
brport_store().
Fixes: 9cf637473c85 ("bridge: add sysfs hook to flush forwarding table")
Reported-by: Xiong Zhou <xzhou@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is a snapshot of hardifletimer netfilter target as of msm-4.4
commit 469a150b7426 ("netfilter: xtables: hardidletimer target implementation")
This patch implements a hardidletimer Xtables target that can be
used to identify when interfaces have been idle for a certain period
of time.
Timers are identified by labels and are created when a rule is set
with a new label. The rules also take a timeout value (in seconds) as
an option. If more than one rule uses the same timer label, the timer
will be restarted whenever any of the rules get a hit.
One entry for each timer is created in sysfs. This attribute contains
the timer remaining for the timer to expire. The attributes are
located under the xt_idletimer class:
/sys/class/xt_hardidletimer/timers/<label>
When the timer expires, the target module sends a sysfs notification
to the userspace, which can then decide what to do (eg. disconnect to
save power)
Compared to xt_IDLETIMER, xt_HARDIDLETIMER can send notifications when
CPU is in suspend too, to notify the timer expiry.
CRs-Fixed: 1078373
Change-Id: Ib2e05af7267f3c86d1967f149f7e7e782c59807e
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
* remotes/origin/tmp-85ab9a0:
Linux 4.14.24
net: sched: fix use-after-free in tcf_block_put_ext
net_sched: get rid of rcu_barrier() in tcf_block_put_ext()
net: sched: crash on blocks with goto chain action
net: sched: fix crash when deleting secondary chains
arm64: dts: marvell: mcbin: add comphy references to Ethernet ports
arm64: dts: marvell: add comphy nodes on cp110 master and slave
powerpc/pseries: Enable RAS hotplug events later
MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
mlxsw: pci: Wait after reset before accessing HW
nfp: always unmask aux interrupts at init
of_mdio: avoid MDIO bus removal when a PHY is missing
net: gianfar_ptp: move set_fipers() to spinlock protecting area
sctp: make use of pre-calculated len
sctp: add a ceiling to optlen in some sockopts
xen/gntdev: Fix partial gntdev_mmap() cleanup
xen/gntdev: Fix off-by-one error when unmapping with holes
SolutionEngine771x: fix Ether platform data
mdio-sun4i: Fix a memory leak
xen-netfront: enable device after manual module load
bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
bnxt_en: Fix population of flow_type in bnxt_hwrm_cfa_flow_alloc()
x86/platform/intel-mid: Revert "Make 'bt_sfi_data' const"
nvme-fabrics: initialize default host->id in nvmf_host_default()
powerpc/pseries: Make RAS IRQ explicitly dependent on DLPAR WQ
leds: core: Fix regression caused by commit 2b83ff96f51d
bpf: sockmap missing NULL psock check
ia64, sched/cputime: Fix build error if CONFIG_VIRT_CPU_ACCOUNTING_NATIVE=y
block: drain queue before waiting for q_usage_counter becoming zero
wcn36xx: Fix dynamic power saving
can: flex_can: Correct the checking for frame length in flexcan_start_xmit()
mac80211: mesh: drop frames appearing to be from us
nl80211: Check for the required netlink attribute presence
net: ena: unmask MSI-X only after device initialization is completed
i40e: don't remove netdev->dev_addr when syncing uc list
i40e/i40evf: Account for frags split over multiple descriptors in check linearize
uapi libc compat: add fallback for unsupported libcs
x86/efi: Fix kernel param add_efi_memmap regression
RDMA/netlink: Fix locking around __ib_get_device_by_index
drm/ttm: check the return value of kzalloc
NET: usb: qmi_wwan: add support for YUGA CLM920-NC5 PID 0x9625
e1000: fix disabling already-disabled warning
macvlan: Fix one possible double free
xfs: quota: check result of register_shrinker()
xfs: quota: fix missed destroy of qi_tree_lock
IB/ipoib: Fix race condition in neigh creation
IB/mlx4: Fix mlx4_ib_alloc_mr error flow
Input: xen-kbdfront - do not advertise multi-touch pressure support
ip6_tunnel: allow ip6gre dev mtu to be set below 1280
btrfs: Fix flush bio leak
s390/dasd: fix wrongly assigned configuration data
afs: Fix missing error handling in afs_write_end()
genirq: Guard handle_bad_irq log messages
IB/mlx5: Fix mlx5_ib_alloc_mr error flow
led: core: Fix brightness setting when setting delay_off=0
perf/x86/intel: Plug memory leak in intel_pmu_init()
bnx2x: Improve reliability in case of nested PCI errors
tg3: Enable PHY reset in MTU change path for 5720
tg3: Add workaround to restrict 5762 MRRS to 2048
tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
tipc: error path leak fixes in tipc_enable_bearer()
netfilter: nf_tables: fix potential NULL-ptr deref in nf_tables_dump_obj_done()
crypto: inside-secure - fix request allocations in invalidation path
crypto: inside-secure - free requests even if their handling failed
crypto: inside-secure - per request invalidation
arm64: dts: renesas: ulcb: Remove renesas, no-ether-link property
lib/mpi: Fix umul_ppmm() for MIPS64r6
crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t
ARM: dts: ls1021a: fix incorrect clock references
RDMA/vmw_pvrdma: Call ib_umem_release on destroy QP path
i915: Reject CCS modifiers for pipe C on Geminilake
netfilter: uapi: correct UNTRACKED conntrack state bit number
scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
netfilter: nf_tables: fix chain filter in nf_tables_dump_rules()
xen/balloon: Mark unallocated host memory as UNUSABLE
ASoC: rsnd: fixup ADG register mask
net/mlx5: Stay in polling mode when command EQ destroy fails
net/mlx5: Cleanup IRQs in case of unload failure
net/mlx5e: Fix ETS BW check
net: stmmac: Fix bad RX timestamp extraction
net: stmmac: Fix TX timestamp calculation
ip6_tunnel: get the min mtu properly in ip6_tnl_xmit
ip6_gre: remove the incorrect mtu limit for ipgre tap
ip_gre: remove the incorrect mtu limit for ipgre tap
vxlan: update skb dst pmtu on tx path
net: arc_emac: fix arc_emac_rx() error paths
net: mediatek: setup proper state for disabled GMAC on the default
x86-64/Xen: eliminate W+X mappings
staging: ion: Fix ion_cma_heap allocations
cgroup: Fix deadlock in cpu hotplug path
ASoC: nau8825: fix issue that pop noise when start capture
spi: atmel: fixed spin_lock usage inside atmel_spi_remove
mac80211_hwsim: Fix a possible sleep-in-atomic bug in hwsim_get_radio_nl
x86/stacktrace: Make zombie stack traces reliable
xfrm: Reinject transport-mode packets through tasklet
drm/nouveau/pci: do a msi rearm on init
net: phy: xgene: disable clk on error paths
sget(): handle failures of register_shrinker()
sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege
x86/asm: Allow again using asm.h when building for the 'bpf' clang target
ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
parisc: Reduce thread stack to 16 kb
ipv6: icmp6: Allow icmp messages to be looped back
mtd: nand: brcmnand: Zero bitflip is not an error
mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
net: usb: qmi_wwan: add Telit ME910 PID 0x1101 support
net: aquantia: Fix hardware DMA stream overload on large MRRS
net: aquantia: Fix actual speed capabilities reporting
nvme: check hw sectors before setting chunk sectors
nvme-fc: remove double put reference if admin connect fails
phy: cpcap-usb: Fix platform_get_irq_byname's error checking.
dmaengine: fsl-edma: disable clks on all error paths
scsi: aacraid: Fix I/O drop during reset
mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()'
exec: avoid gcc-8 warning for get_task_comm
hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
Conflicts:
drivers/staging/android/ion/Kconfig
drivers/staging/android/ion/ion_cma_heap.c
Change-Id: I58485dd9ac8092a184c42a8e125e44523221e3ea
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlqaaf0ACgkQONu9yGCS
aT7cDxAAxjZ8e9TGlix7q2wIWSFRfAaWpb4SyZYxP6pYnrdhrHr6IQ+U5ydtiRcz
T+zYkpXGMTMdkmKogXITp8FUL9ztkABJ/RyHcYuTdxTSpSUN67KNrVwGbM5NobX/
dPwPkkvUQDh1jyCUsqbYMoGfBSJVH5e7KgsfCtpcnckNzX3R2TOuwRb7aVjpyD63
Nb2tY70o07bjQZ+M3iWM1cHQ5AaMkJcZeML7mc/40AAcDB0pPNr53LKfVjSFrwgK
Od5tOHR//XF17Kdi1dtT+XSmHsXcocq4FEp6x4htJPD19uOou5KC31ceXi2k8UEG
g6iCRrsijdTrsl0ajyrwvXRWtQFN5fUw6BjA1G1/82FE8Eovxv28VjEHFElS+jX3
gQNDsyeJjQIP7Kpq2tRLmUTtFBGnBW7pcLRR/9jmZJdKsvTGa1BwOUbp9OO2FHip
hiijnuqz8gpS9mEilALpAF7QLQk3dX8qLS1HZO3KKnFLxwSJqZhENvdfPZ2Fl7kr
4zavBe7suEyj1+jEt6xqksNOEZh+KAqRIhOZVBry9bvxAG4VCiN6pxEx63uIimMC
bN9OFZZACFlao/4MCOggS0M48/tWU15Hep+jstUZ3FarUfrNy4VcRjcrTKdDEPMX
Z5kwJEi9p/J0cReQMagJ/Y63aG4lPHTW8wUxOlHcp+e1wi0q+Kc=
=h0lU
-----END PGP SIGNATURE-----
Merge 4.14.24 into android-4.14
Changes in 4.14.24
hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
exec: avoid gcc-8 warning for get_task_comm
mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()'
scsi: aacraid: Fix I/O drop during reset
dmaengine: fsl-edma: disable clks on all error paths
phy: cpcap-usb: Fix platform_get_irq_byname's error checking.
nvme-fc: remove double put reference if admin connect fails
nvme: check hw sectors before setting chunk sectors
net: aquantia: Fix actual speed capabilities reporting
net: aquantia: Fix hardware DMA stream overload on large MRRS
net: usb: qmi_wwan: add Telit ME910 PID 0x1101 support
mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
mtd: nand: brcmnand: Zero bitflip is not an error
ipv6: icmp6: Allow icmp messages to be looped back
parisc: Reduce thread stack to 16 kb
ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
x86/asm: Allow again using asm.h when building for the 'bpf' clang target
sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege
sget(): handle failures of register_shrinker()
net: phy: xgene: disable clk on error paths
drm/nouveau/pci: do a msi rearm on init
xfrm: Reinject transport-mode packets through tasklet
x86/stacktrace: Make zombie stack traces reliable
mac80211_hwsim: Fix a possible sleep-in-atomic bug in hwsim_get_radio_nl
spi: atmel: fixed spin_lock usage inside atmel_spi_remove
ASoC: nau8825: fix issue that pop noise when start capture
cgroup: Fix deadlock in cpu hotplug path
staging: ion: Fix ion_cma_heap allocations
x86-64/Xen: eliminate W+X mappings
net: mediatek: setup proper state for disabled GMAC on the default
net: arc_emac: fix arc_emac_rx() error paths
vxlan: update skb dst pmtu on tx path
ip_gre: remove the incorrect mtu limit for ipgre tap
ip6_gre: remove the incorrect mtu limit for ipgre tap
ip6_tunnel: get the min mtu properly in ip6_tnl_xmit
net: stmmac: Fix TX timestamp calculation
net: stmmac: Fix bad RX timestamp extraction
net/mlx5e: Fix ETS BW check
net/mlx5: Cleanup IRQs in case of unload failure
net/mlx5: Stay in polling mode when command EQ destroy fails
ASoC: rsnd: fixup ADG register mask
xen/balloon: Mark unallocated host memory as UNUSABLE
netfilter: nf_tables: fix chain filter in nf_tables_dump_rules()
scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
netfilter: uapi: correct UNTRACKED conntrack state bit number
i915: Reject CCS modifiers for pipe C on Geminilake
RDMA/vmw_pvrdma: Call ib_umem_release on destroy QP path
ARM: dts: ls1021a: fix incorrect clock references
crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t
lib/mpi: Fix umul_ppmm() for MIPS64r6
arm64: dts: renesas: ulcb: Remove renesas, no-ether-link property
crypto: inside-secure - per request invalidation
crypto: inside-secure - free requests even if their handling failed
crypto: inside-secure - fix request allocations in invalidation path
netfilter: nf_tables: fix potential NULL-ptr deref in nf_tables_dump_obj_done()
tipc: error path leak fixes in tipc_enable_bearer()
tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
tg3: Add workaround to restrict 5762 MRRS to 2048
tg3: Enable PHY reset in MTU change path for 5720
bnx2x: Improve reliability in case of nested PCI errors
perf/x86/intel: Plug memory leak in intel_pmu_init()
led: core: Fix brightness setting when setting delay_off=0
IB/mlx5: Fix mlx5_ib_alloc_mr error flow
genirq: Guard handle_bad_irq log messages
afs: Fix missing error handling in afs_write_end()
s390/dasd: fix wrongly assigned configuration data
btrfs: Fix flush bio leak
ip6_tunnel: allow ip6gre dev mtu to be set below 1280
Input: xen-kbdfront - do not advertise multi-touch pressure support
IB/mlx4: Fix mlx4_ib_alloc_mr error flow
IB/ipoib: Fix race condition in neigh creation
xfs: quota: fix missed destroy of qi_tree_lock
xfs: quota: check result of register_shrinker()
macvlan: Fix one possible double free
e1000: fix disabling already-disabled warning
NET: usb: qmi_wwan: add support for YUGA CLM920-NC5 PID 0x9625
drm/ttm: check the return value of kzalloc
RDMA/netlink: Fix locking around __ib_get_device_by_index
x86/efi: Fix kernel param add_efi_memmap regression
uapi libc compat: add fallback for unsupported libcs
i40e/i40evf: Account for frags split over multiple descriptors in check linearize
i40e: don't remove netdev->dev_addr when syncing uc list
net: ena: unmask MSI-X only after device initialization is completed
nl80211: Check for the required netlink attribute presence
mac80211: mesh: drop frames appearing to be from us
can: flex_can: Correct the checking for frame length in flexcan_start_xmit()
wcn36xx: Fix dynamic power saving
block: drain queue before waiting for q_usage_counter becoming zero
ia64, sched/cputime: Fix build error if CONFIG_VIRT_CPU_ACCOUNTING_NATIVE=y
bpf: sockmap missing NULL psock check
leds: core: Fix regression caused by commit 2b83ff96f51d
powerpc/pseries: Make RAS IRQ explicitly dependent on DLPAR WQ
nvme-fabrics: initialize default host->id in nvmf_host_default()
x86/platform/intel-mid: Revert "Make 'bt_sfi_data' const"
bnxt_en: Fix population of flow_type in bnxt_hwrm_cfa_flow_alloc()
bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
xen-netfront: enable device after manual module load
mdio-sun4i: Fix a memory leak
SolutionEngine771x: fix Ether platform data
xen/gntdev: Fix off-by-one error when unmapping with holes
xen/gntdev: Fix partial gntdev_mmap() cleanup
sctp: add a ceiling to optlen in some sockopts
sctp: make use of pre-calculated len
net: gianfar_ptp: move set_fipers() to spinlock protecting area
of_mdio: avoid MDIO bus removal when a PHY is missing
nfp: always unmask aux interrupts at init
mlxsw: pci: Wait after reset before accessing HW
MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
powerpc/pseries: Enable RAS hotplug events later
arm64: dts: marvell: add comphy nodes on cp110 master and slave
arm64: dts: marvell: mcbin: add comphy references to Ethernet ports
net: sched: fix crash when deleting secondary chains
net: sched: crash on blocks with goto chain action
net_sched: get rid of rcu_barrier() in tcf_block_put_ext()
net: sched: fix use-after-free in tcf_block_put_ext
Linux 4.14.24
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit df45bf84e4f5a48f23d4b1a07d21d566e8b587b2 upstream.
Since the block is freed with last chain being put, once we reach the
end of iteration of list_for_each_entry_safe, the block may be
already freed. I'm hitting this only by creating and deleting clsact:
[ 202.171952] ==================================================================
[ 202.180182] BUG: KASAN: use-after-free in tcf_block_put_ext+0x240/0x390
[ 202.187590] Read of size 8 at addr ffff880225539a80 by task tc/796
[ 202.194508]
[ 202.196185] CPU: 0 PID: 796 Comm: tc Not tainted 4.15.0-rc2jiri+ #5
[ 202.203200] Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
[ 202.213613] Call Trace:
[ 202.216369] dump_stack+0xda/0x169
[ 202.220192] ? dma_virt_map_sg+0x147/0x147
[ 202.224790] ? show_regs_print_info+0x54/0x54
[ 202.229691] ? tcf_chain_destroy+0x1dc/0x250
[ 202.234494] print_address_description+0x83/0x3d0
[ 202.239781] ? tcf_block_put_ext+0x240/0x390
[ 202.244575] kasan_report+0x1ba/0x460
[ 202.248707] ? tcf_block_put_ext+0x240/0x390
[ 202.253518] tcf_block_put_ext+0x240/0x390
[ 202.258117] ? tcf_chain_flush+0x290/0x290
[ 202.262708] ? qdisc_hash_del+0x82/0x1a0
[ 202.267111] ? qdisc_hash_add+0x50/0x50
[ 202.271411] ? __lock_is_held+0x5f/0x1a0
[ 202.275843] clsact_destroy+0x3d/0x80 [sch_ingress]
[ 202.281323] qdisc_destroy+0xcb/0x240
[ 202.285445] qdisc_graft+0x216/0x7b0
[ 202.289497] tc_get_qdisc+0x260/0x560
Fix this by holding the block also by chain 0 and put chain 0
explicitly, out of the list_for_each_entry_safe loop at the very
end of tcf_block_put_ext.
Fixes: efbf78973978 ("net_sched: get rid of rcu_barrier() in tcf_block_put_ext()")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit efbf78973978b0d25af59bc26c8013a942af6e64 upstream.
Both Eric and Paolo noticed the rcu_barrier() we use in
tcf_block_put_ext() could be a performance bottleneck when
we have a lot of tc classes.
Paolo provided the following to demonstrate the issue:
tc qdisc add dev lo root htb
for I in `seq 1 1000`; do
tc class add dev lo parent 1: classid 1:$I htb rate 100kbit
tc qdisc add dev lo parent 1:$I handle $((I + 1)): htb
for J in `seq 1 10`; do
tc filter add dev lo parent $((I + 1)): u32 match ip src 1.1.1.$J
done
done
time tc qdisc del dev root
real 0m54.764s
user 0m0.023s
sys 0m0.000s
The rcu_barrier() there is to ensure we free the block after all chains
are gone, that is, to queue tcf_block_put_final() at the tail of workqueue.
We can achieve this ordering requirement by refcnt'ing tcf block instead,
that is, the tcf block is freed only when the last chain in this block is
gone. This also simplifies the code.
Paolo reported after this patch we get:
real 0m0.017s
user 0m0.000s
sys 0m0.017s
Tested-by: Paolo Abeni <pabeni@redhat.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jiri Pirko <jiri@mellanox.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a60b3f515d30d0fe8537c64671926879a3548103 upstream.
tcf_block_put_ext has assumed that all filters (and thus their goto
actions) are destroyed in RCU callback and thus can not race with our
list iteration. However, that is not true during netns cleanup (see
tcf_exts_get_net comment).
Prevent the user after free by holding all chains (except 0, that one is
already held). foreach_safe is not enough in this case.
To reproduce, run the following in a netns and then delete the ns:
ip link add dtest type dummy
tc qdisc add dev dtest ingress
tc filter add dev dtest chain 1 parent ffff: handle 1 prio 1 flower action goto chain 2
Fixes: 822e86d997 ("net_sched: remove tcf_block_put_deferred()")
Signed-off-by: Roman Kapl <code@rkapl.cz>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d7aa04a5e82b4f254d306926c81eae8df69e5200 upstream.
If you flush (delete) a filter chain other than chain 0 (such as when
deleting the device), the kernel may run into a use-after-free. The
chain refcount must not be decremented unless we are sure we are done
with the chain.
To reproduce the bug, run:
ip link add dtest type dummy
tc qdisc add dev dtest ingress
tc filter add dev dtest chain 1 parent ffff: flower
ip link del dtest
Introduced in: commit f93e1cdcf42c ("net/sched: fix filter flushing"),
but unless you have KAsan or luck, you won't notice it until
commit 0dadc117ac8b ("cls_flower: use tcf_exts_get_net() before call_rcu()")
Fixes: f93e1cdcf42c ("net/sched: fix filter flushing")
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Roman Kapl <code@rkapl.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit c76f97c99ae6d26d14c7f0e50e074382bfbc9f98 ]
Some sockopt handling functions were calculating the length of the
buffer to be written to userspace and then calculating it again when
actually writing the buffer, which could lead to some write not using
an up-to-date length.
This patch updates such places to just make use of the len variable.
Also, replace some sizeof(type) to sizeof(var).
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 5960cefab9df76600a1a7d4ff592c59e14616e88 ]
Hangbin Liu reported that some sockopt calls could cause the kernel to log
a warning on memory allocation failure if the user supplied a large optlen
value. That is because some of them called memdup_user() without a ceiling
on optlen, allowing it to try to allocate really large buffers.
This patch adds a ceiling by limiting optlen to the maximum allowed that
would still make sense for these sockopt.
Reported-by: Hangbin Liu <haliu@redhat.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 736a80bbfda709fb3631f5f62056f250a38e5804 ]
If there are multiple mesh stations with the same MAC address,
they will both get confused and start throwing warnings.
Obviously in this case nothing can actually work anyway, so just
drop frames that look like they're from ourselves early on.
Reported-by: Gui Iribarren <gui@altermundi.net>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 3ea15452ee85754f70f3b9fa1f23165ef2e77ba7 ]
nl80211_nan_add_func() does not check if the required attribute
NL80211_NAN_FUNC_FOLLOW_UP_DEST is present when processing
NL80211_CMD_ADD_NAN_FUNCTION request. This request can be issued
by users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attribute presence.
Signed-off-by: Hao Chen <flank3rsky@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2fa771be953a17f8e0a9c39103464c2574444c62 ]
Commit 582442d6d5bc ("ipv6: Allow the MTU of ipip6 tunnel to be set
below 1280") fixed a mtu setting issue. It works for ipip6 tunnel.
But ip6gre dev updates the mtu also with ip6_tnl_change_mtu. Since
the inner packet over ip6gre can be ipv4 and it's mtu should also
be allowed to set below 1280, the same issue also exists on ip6gre.
This patch is to fix it by simply changing to check if parms.proto
is IPPROTO_IPV6 in ip6_tnl_change_mtu instead, to make ip6gre to
go to 'else' branch.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 19142551b2be4a9e13838099fde1351386e5e007 ]
Fix memory leak in tipc_enable_bearer() if enable_media() fails, and
cleanup with bearer_disable() if tipc_mon_create() fails.
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 8bea728dce8972e534e6b99fd550f7b5cc3864e8 ]
If there is no NFTA_OBJ_TABLE and NFTA_OBJ_TYPE, the c.data will be NULL in
nf_tables_getobj(). So before free filter->table in nf_tables_dump_obj_done(),
we need to check if filter is NULL first.
Fixes: e46abbcc05aa ("netfilter: nf_tables: Allow table names of up to 255 chars")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 24c0df82ef7919e4d10cf2e4e65d368eb2e8ea21 ]
ctx->chain may be null now that we have very large object names,
so we cannot check for ctx->chain[0] here.
Fixes: b7263e071aba7 ("netfilter: nf_tables: Allow table names of up to 255 chars")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit c9fefa08190fc879fb2e681035d7774e0a8c5170 ]
Now it's using IPV6_MIN_MTU as the min mtu in ip6_tnl_xmit, but
IPV6_MIN_MTU actually only works when the inner packet is ipv6.
With IPV6_MIN_MTU for ipv4 packets, the new pmtu for inner dst
couldn't be set less than 1280. It would cause tx_err and the
packet to be dropped when the outer dst pmtu is close to 1280.
Jianlin found it by running ipv4 traffic with the topo:
(client) gre6 <---> eth1 (route) eth2 <---> gre6 (server)
After changing eth2 mtu to 1300, the performance became very
low, or the connection was even broken. The issue also affects
ip4ip6 and ip6ip6 tunnels.
So if the inner packet is ipv4, 576 should be considered as the
min mtu.
Note that for ip4ip6 and ip6ip6 tunnels, the inner packet can
only be ipv4 or ipv6, but for gre6 tunnel, it may also be ARP.
This patch using 576 as the min mtu for non-ipv6 packet works
for all those cases.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2c52129a7d74d017320804c6928de770815c5f4a ]
The same fix as the patch "ip_gre: remove the incorrect mtu limit for
ipgre tap" is also needed for ip6_gre.
Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit cfddd4c33c254954927942599d299b3865743146 ]
ipgre tap driver calls ether_setup(), after commit 61e84623ace3
("net: centralize net_device min/max MTU checking"), the range
of mtu is [min_mtu, max_mtu], which is [68, 1500] by default.
It causes the dev mtu of the ipgre tap device to not be greater
than 1500, this limit value is not correct for ipgre tap device.
Besides, it's .change_mtu already does the right check. So this
patch is just to set max_mtu as 0, and leave the check to it's
.change_mtu.
Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit acf568ee859f098279eadf551612f103afdacb4e ]
This is an old bugbear of mine:
https://www.mail-archive.com/netdev@vger.kernel.org/msg03894.html
By crafting special packets, it is possible to cause recursion
in our kernel when processing transport-mode packets at levels
that are only limited by packet size.
The easiest one is with DNAT, but an even worse one is where
UDP encapsulation is used in which case you just have to insert
an UDP encapsulation header in between each level of recursion.
This patch avoids this problem by reinjecting tranport-mode packets
through a tasklet.
Fixes: b05e106698d9 ("[IPV4/6]: Netfilter IPsec input hooks")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 5c468674d17056148da06218d4da5d04baf22eac ]
Now when reneging events in sctp_ulpq_renege(), the variable freed
could be increased by a __u16 value twice while freed is of __u16
type. It means freed may overflow at the second addition.
This patch is to fix it by using __u32 type for 'freed', while at
it, also to remove 'if (chunk)' check, as all renege commands are
generated in sctp_eat_data and it can't be NULL.
Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 588753f1eb18978512b1c9b85fddb457d46f9033 ]
One example of when an ICMPv6 packet is required to be looped back is
when a host acts as both a Multicast Listener and a Multicast Router.
A Multicast Router will listen on address ff02::16 for MLDv2 messages.
Currently, MLDv2 messages originating from a Multicast Listener running
on the same host as the Multicast Router are not being delivered to the
Multicast Router. This is due to dst.input being assigned the default
value of dst_discard.
This results in the packet being looped back but discarded before being
delivered to the Multicast Router.
This patch sets dst.input to ip6_input to ensure a looped back packet
is delivered to the Multicast Router.
Signed-off-by: Brendan McGrath <redmcg@redmandi.dyndns.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* remotes/origin/tmp-2c71b7c:
Linux 4.14.23
microblaze: fix endian handling
m32r: fix endianness constraints
drm/i915/breadcrumbs: Ignore unsubmitted signalers
drm/amdgpu: add new device to use atpx quirk
drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
drm/amdgpu: add atpx quirk handling (v2)
drm/amdgpu: only check mmBIF_IOV_FUNC_IDENTIFIER on tonga/fiji
drm/amdgpu: Add dpm quirk for Jet PRO (v2)
drm/amdgpu: disable MMHUB power gating on raven
drm: Handle unexpected holes in color-eviction
drm/cirrus: Load lut in crtc_commit
usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
usb: gadget: f_fs: Use config_ep_by_speed()
usb: gadget: f_fs: Process all descriptors during bind
Revert "usb: musb: host: don't start next rx urb if current one failed"
usb: ldusb: add PIDs for new CASSY devices supported by this driver
usb: dwc3: ep0: Reset TRB counter for ep0 IN
usb: dwc3: gadget: Set maxpacket size for ep0 IN
usb: host: ehci: use correct device pointer for dma ops
drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
Add delay-init quirk for Corsair K70 RGB keyboards
arm64: cpufeature: Fix CTR_EL0 field definitions
arm64: Disable unhandled signal log messages by default
arm64: Remove unimplemented syscall log message
usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func()
PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
irqchip/mips-gic: Avoid spuriously handling masked interrupts
irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
mm, swap, frontswap: fix THP swap if frontswap enabled
x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
Kbuild: always define endianess in kconfig.h
iio: adis_lib: Initialize trigger before requesting interrupt
iio: buffer: check if a buffer has been set up when poll is called
iio: srf08: fix link error "devm_iio_triggered_buffer_setup" undefined
iio: adc: stm32: fix stm32h7_adc_enable error handling
RDMA/uverbs: Sanitize user entered port numbers prior to access it
RDMA/uverbs: Fix circular locking dependency
RDMA/uverbs: Fix bad unlock balance in ib_uverbs_close_xrcd
RDMA/uverbs: Protect from command mask overflow
RDMA/uverbs: Protect from races between lookup and destroy of uobjects
extcon: int3496: process id-pin first so that we start with the right status
PKCS#7: fix certificate blacklisting
PKCS#7: fix certificate chain verification
X.509: fix NULL dereference when restricting key with unsupported_sig
X.509: fix BUG_ON() when hash algorithm is unsupported
i2c: bcm2835: Set up the rising/falling edge delays
i2c: designware: must wait for enable
cfg80211: fix cfg80211_beacon_dup
MIPS: Drop spurious __unused in struct compat_flock
scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
xtensa: fix high memory/reserved memory collision
MIPS: boot: Define __ASSEMBLY__ for its.S build
kconfig.h: Include compiler types to avoid missed struct attributes
arm64: mm: don't write garbage into TTBR1_EL1 register
netfilter: drop outermost socket lock in getsockopt()
ANDROID: sched/fair: fix logic error in wake_cap
ANDROID: sdcardfs: Set num in extension_details during make_item
Conflicts:
drivers/usb/gadget/function/f_fs.c
kernel/sched/fair.c
Change-Id: I381680472605bdee73e7d24722e23bb846667172
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
