- May 01, 2018
-
-
Michael S. Tsirkin authored
There's a 32 bit hole just after type. It's best to give it a name, this way compiler is forced to initialize it with rest of the structure. Reported-by:
Kevin Easton <kevin@guarana.org> Signed-off-by:
Michael S. Tsirkin <mst@redhat.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out() with following C-repro : socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3 setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0 setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0 bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242 setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0 writev(3, [{"\270", 1}], 1) = 1 setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0 writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144 The 3rd system call looks odd : setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0 This patch makes sure bound checking is using an unsigned compare. Fixes: ee995283 ("tcp: Initial repair mode") Signed-off-by:Eric Dumazet <edumazet@google.com> Reported-by:
syzbot <syzkaller@googlegroups.com> Cc: Pavel Emelyanov <xemul@parallels.com> Signed-off-by:
-
Eric Dumazet authored
syzbot/KMSAN reported an uninit-value in ip6_multipath_l3_keys(), root caused to a bad assumption of ICMP header being already pulled in skb->head ip_multipath_l3_keys() does the correct thing, so it is an IPv6 only bug. BUG: KMSAN: uninit-value in ip6_multipath_l3_keys net/ipv6/route.c:1830 [inline] BUG: KMSAN: uninit-value in rt6_multipath_hash+0x5c4/0x640 net/ipv6/route.c:1858 CPU: 0 PID: 4507 Comm: syz-executor661 Not tainted 4.16.0+ #87 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 ip6_multipath_l3_keys net/ipv6/route.c:1830 [inline] rt6_multipath_hash+0x5c4/0x640 net/ipv6/route.c:1858 ip6_route_input+0x65a/0x920 net/ipv6/route.c:1884 ip6_rcv_finish+0x413/0x6e0 net/ipv6/ip6_input.c:69 NF_HOOK include/linux/netfilter.h:288 [inline] ipv6_rcv+0x1e16/0x2340 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562 __netif_receive_skb net/core/dev.c:4627 [inline] netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701 netif_receive_skb+0x230/0x240 net/core/dev.c:4725 tun_rx_batched drivers/net/tun.c:1555 [inline] tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962 tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 call_write_iter include/linux/fs.h:1782 [inline] new_sync_write fs/read_write.c:469 [inline] __vfs_write+0x7fb/0x9f0 fs/read_write.c:482 vfs_write+0x463/0x8d0 fs/read_write.c:544 SYSC_write+0x172/0x360 fs/read_write.c:589 SyS_write+0x55/0x80 fs/read_write.c:581 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Fixes: 23aebdac ("ipv6: Compute multipath hash for ICMP errors from offending packet") Signed-off-by:
Jakub Sitnicki <jkbs@redhat.com> Signed-off-by:
-
- Apr 30, 2018
-
-
Colin Ian King authored
Trivial fix to spelling mistake in tx_fw_stat_gstrings text Signed-off-by:
Colin Ian King <colin.king@canonical.com> Signed-off-by:
-
Colin Ian King authored
Trivial fix to spelling mistake in DP_INFO message text Signed-off-by:
-
Marcelo Ricardo Leitner authored
Signed-off-by:
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Colin Ian King authored
Trivial fix to spelling mistake in netdev_warn warning message Signed-off-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
Hangbin Liu authored
When we set a bond slave's master to bridge via ioctl, we only check the IFF_BRIDGE_PORT flag. Although we will find the slave's real master at netdev_master_upper_dev_link() later, it already does some settings and allocates some resources. It would be better to return as early as possible. v1 -> v2: use netdev_master_upper_dev_get() instead of netdev_has_any_upper_dev() to check if we have a master, because not all upper devs are masters, e.g. vlan device. Reported-by:
<syzbot+de73361ee4971b6e6f75@syzkaller.appspotmail.com> Signed-off-by:
Hangbin Liu <liuhangbin@gmail.com> Acked-by:
Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by:
-
- Apr 28, 2018
-
-
David S. Miller authored
Edward Cree says: ==================== sfc: more ARFS fixes A couple more bits of breakage in my recent ARFS and async filters work. Patch #1 in particular fixes a bug that leads to memory trampling and consequent crashes. ==================== Signed-off-by: -
Edward Cree authored
Owing to a missing conditional, the result of rps_may_expire_flow() was being ignored and filters were being removed even if we'd decided not to expire them. Fixes: f8d62037 ("sfc: ARFS filter IDs") Signed-off-by:
Edward Cree <ecree@solarflare.com> Signed-off-by:
-
Edward Cree authored
efx->type->filter_insert() returns an ID rather than the index that efx->type->filter_async_insert() used to, which causes it to exceed efx->type->max_rx_ip_filters on some EF10 configurations, leading to out- of-bounds array writes. So, in efx_filter_rfs_work(), convert this back into an index (which is what the remove call in the expiry path expects, anyway). Fixes: 3af0f342 ("sfc: replace asynchronous filter operations") Signed-off-by:
-
- Apr 27, 2018
-
-
Lance Richardson authored
For the x32 ABI, struct timeval has two 64-bit fields. However the kernel currently interprets the user-space values used for the SO_RCVTIMEO and SO_SNDTIMEO socket options as having a pair of 32-bit fields. When the seconds portion of the requested timeout is less than 2**32, the seconds portion of the effective timeout is correct but the microseconds portion is zero. When the seconds portion of the requested timeout is zero and the microseconds portion is non-zero, the kernel interprets the timeout as zero (never timeout). Fix by using 64-bit time for SO_RCVTIMEO/SO_SNDTIMEO as required for the ABI. The code included below demonstrates the problem. Results before patch: $ gcc -m64 -Wall -O2 -o socktmo socktmo.c && ./socktmo recv time: 2.008181 seconds send time: 2.015985 seconds $ gcc -m32 -Wall -O2 -o socktmo socktmo.c && ./socktmo recv time: 2.016763 seconds send time: 2.016062 seconds $ gcc -mx32 -Wall -O2 -o socktmo socktmo.c && ./socktmo recv time: 1.007239 seconds send time: 1.023890 seconds Results after patch: $ gcc -m64 -O2 -Wall -o socktmo socktmo.c && ./socktmo recv time: 2.010062 seconds send time: 2.015836 seconds $ gcc -m32 -O2 -Wall -o socktmo socktmo.c && ./socktmo recv time: 2.013974 seconds send time: 2.015981 seconds $ gcc -mx32 -O2 -Wall -o socktmo socktmo.c && ./socktmo recv time: 2.030257 seconds send time: 2.013383 seconds #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> void checkrc(char *str, int rc) { if (rc >= 0) return; perror(str); exit(1); } static char buf[1024]; int main(int argc, char **argv) { int rc; int socks[2]; struct timeval tv; struct timeval start, end, delta; rc = socketpair(AF_UNIX, SOCK_STREAM, 0, socks); checkrc("socketpair", rc); /* set timeout to 1.999999 seconds */ tv.tv_sec = 1; tv.tv_usec = 999999; rc = setsockopt(socks[0], SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv); rc = setsockopt(socks[0], SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv); checkrc("setsockopt", rc); /* measure actual receive timeout */ gettimeofday(&start, NULL); rc = recv(socks[0], buf, sizeof buf, 0); gettimeofday(&end, NULL); timersub(&end, &start, &delta); printf("recv time: %ld.%06ld seconds\n", (long)delta.tv_sec, (long)delta.tv_usec); /* fill send buffer */ do { rc = send(socks[0], buf, sizeof buf, 0); } while (rc > 0); /* measure actual send timeout */ gettimeofday(&start, NULL); rc = send(socks[0], buf, sizeof buf, 0); gettimeofday(&end, NULL); timersub(&end, &start, &delta); printf("send time: %ld.%06ld seconds\n", (long)delta.tv_sec, (long)delta.tv_usec); exit(0); } Fixes: 515c7af8 ("x32: Use compat shims for {g,s}etsockopt") Reported-by:Gopal RajagopalSai <gopalsr83@gmail.com> Signed-off-by:
Lance Richardson <lance.richardson.net@gmail.com> Signed-off-by:
-
Vivien Didelot authored
"./scripts/get_maintainer.pl -f" does not actually show us David as the maintainer of drivers/net directories such as team, bonding, phy or dsa. Adding him in an M: entry of NETWORKING DRIVERS fixes this. Signed-off-by:
Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linuxDavid S. Miller authored
Saeed Mahameed says: ==================== Mellanox, mlx5 fixes 2018-04-26 This pull request includes fixes for mlx5 core and netdev driver. Please pull and let me know if there's any problems. For -stable v4.12 net/mlx5e: TX, Use correct counter in dma_map error flow For -stable v4.13 net/mlx5: Avoid cleaning flow steering table twice during error flow For -stable v4.14 net/mlx5e: Allow offloading ipv4 header re-write for icmp For -stable v4.15 net/mlx5e: DCBNL fix min inline header size for dscp For -stable v4.16 net/mlx5: Fix mlx5_get_vector_affinity function ==================== Signed-off-by: -
David S. Miller authored
Merge tag 'wireless-drivers-for-davem-2018-04-26' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.17 A few fixes for 4.17 but nothing really special. The new ETSI WMM parameter support for iwlwifi is not technically a bugfix but important for regulatory compliance. iwlwifi * use new ETSI WMM parameters from regulatory database * fix a regression with the older firmware API 31 (eg. 31.560484.0) brcmfmac * fix a double free in nvmam loading fails rtlwifi * yet another fix for ant_sel module parameter ==================== Signed-off-by:
-
Ido Schimmel authored
When IGMP snooping is enabled on a bridge, traffic forwarded by an MDB entry should be sent to both ports member in the MDB's ports list and mrouter ports. In case a port needs to be removed from an MDB's ports list, but this port is also configured as an mrouter port, then do not update the device so that it will continue to forward traffic through that port. Fix a copy-paste error that checked that IGMP snooping is enabled twice instead of checking the port's mrouter state. Fixes: ded711c8 ("mlxsw: spectrum_switchdev: Consider mrouter status for mdb changes") Signed-off-by:
Ido Schimmel <idosch@mellanox.com> Reported-by:
Nogah Frankel <nogahf@mellanox.com> Signed-off-by:
-
Xin Long authored
When processing a duplicate cookie-echo chunk, sctp moves the new temp asoc's stream out/in into the old asoc, and later frees this new temp asoc. But now after this move, the new temp asoc's stream->outcnt is not cleared while stream->out is set to NULL, which would cause a same crash as the one fixed in Commit 79d08951 ("sctp: fix error path in sctp_stream_init") when freeing this asoc later. This fix is to clear this outcnt in sctp_stream_update. Fixes: f952be79 ("sctp: introduce struct sctp_stream_out_ext") Reported-by:
Jianwen Ji <jiji@redhat.com> Signed-off-by:
Xin Long <lucien.xin@gmail.com> Acked-by:
-
SZ Lin (林上智) authored
This patch adds support for PID 0x90b2 of ublox R410M. qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer [/dev/cdc-wdm0] Device manufacturer retrieved: Manufacturer: 'u-blox' qmicli -d /dev/cdc-wdm0 --dms-get-model [/dev/cdc-wdm0] Device model retrieved: Model: 'SARA-R410M-02B' Signed-off-by:SZ Lin (林上智) <sz.lin@moxa.com> Cc: stable <stable@vger.kernel.org> Acked-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Xin Long authored
Since sctp ipv6 socket also supports v4 addrs, it's possible to compare two v4 addrs in pf v6 .cmp_addr, sctp_inet6_cmp_addr. However after Commit 1071ec9d ("sctp: do not check port in sctp_inet6_cmp_addr"), it no longer calls af1->cmp_addr, which in this case is sctp_v4_cmp_addr, but calls __sctp_v6_cmp_addr where it handles them as two v6 addrs. It would cause a out of bounds crash. syzbot found this crash when trying to bind two v4 addrs to a v6 socket. This patch fixes it by adding the process for two v4 addrs in sctp_inet6_cmp_addr. Fixes: 1071ec9d ("sctp: do not check port in sctp_inet6_cmp_addr") Reported-by:
<syzbot+cd494c1dd681d4d93ebb@syzkaller.appspotmail.com> Signed-off-by:
-
Florian Fainelli authored
While adding the DSA notifier, we will be sending DSA notifications with info->master that is going to point to a particular net_device instance. Our logic in bcm_sysport_map_queues() correctly disambiguates net_device instances that are not covered by our own driver, but it will not make sure that info->master points to a particular driver instance that we are interested in. In a system where e.g: two or more SYSTEMPORT instances are registered, this would lead in programming two or more times the queue mapping, completely messing with the logic which does the queue/port allocation and tracking. Fix this by looking at the notifier_block pointer which is unique per instance and allows us to go back to our driver private structure, and in turn to the backing net_device instance. Fixes: d1565763 ("net: systemport: Establish lower/upper queue mapping") Signed-off-by:
-
Anders Roxell authored
Script in_netns.sh is a utility function and not its own test so it shouldn't be part of the TEST_PROGS. The in_netns.sh get used by run_afpackettests. To install in_netns.sh without being added to the main run_kselftest.sh script use the TEST_GEN_PROGS_EXTENDED variable. Fixes: 5ff9c1a3 ("selftests: net: add in_netns.sh to TEST_PROGS") Signed-off-by:
Anders Roxell <anders.roxell@linaro.org> Signed-off-by:
-
Yuchung Cheng authored
The TCP repair sequence of operation is to first set the socket in repair mode, then inject the TCP stats into the socket with repair socket options, then call connect() to re-activate the socket. The connect syscall simply returns and set state to ESTABLISHED mode. As a result Fast Open is meaningless for TCP repair. However allowing sendto() system call with MSG_FASTOPEN flag half-way during the repair operation could unexpectedly cause data to be sent, before the operation finishes changing the internal TCP stats (e.g. MSS). This in turn triggers TCP warnings on inconsistent packet accounting. The fix is to simply disallow Fast Open operation once the socket is in the repair mode. Reported-by:
Yuchung Cheng <ycheng@google.com> Reviewed-by:
Neal Cardwell <ncardwell@google.com> Reviewed-by:
-
David S. Miller authored
Maxime Chevallier says: ==================== net: mvpp2: Fix hangs when starting some interfaces on 7k/8k Armada 7K / 8K clock management has recently been reworked, see : commit c7e92def ("clk: mvebu: cp110: Fix clock tree representation") I have been experiencing overall system hangs on MacchiatoBin when starting the eth1 interface since then. It turns out some clocks dependencies were missing in the PPv2 and xmdio driver, the clock rework made this visible. This is the V2 series, that adds support for the missing 'MG Core clock' in mvpp2, and fixes an issue with the error path for the axi_clk. Thanks to Gregory Clement for finding the root cause of this bug. V2 : Remove all DT patches from this series, they will be merged through the mvebu tree. ==================== Signed-off-by:
-
Maxime Chevallier authored
Marvell's PPv2.2 IP needs an additional clock named "MG Core clock". This is required on Armada 7K and 8K. This commit adds the required clock in mvpp2, making sure it's only used on PPv2.2. Fixes: c7e92def ("clk: mvebu: cp110: Fix clock tree representation") Signed-off-by:
Maxime Chevallier <maxime.chevallier@bootlin.com> Signed-off-by:
-
Maxime Chevallier authored
When clk_prepare_enable fails for the axi_clk, the mg_clk isn't properly cleaned up. Add another jump label to handle that case, and make sure we jump to it in the later error cases. Fixes: 4792ea04 ("net: mvpp2: Fix clock resource by adding an optional bus clock") Signed-off-by:
Gregory CLEMENT <gregory.clement@bootlin.com> Signed-off-by:
-
Jakub Kicinski authored
For very very old generation of the management FW Ethernet port information table may theoretically not be available. This in turn will cause the nfp_port structures to not be allocated. Make sure we don't crash the kernel when there is no eth_tbl: RIP: 0010:nfp_net_pci_probe+0xf2/0xb40 [nfp] ... Call Trace: nfp_pci_probe+0x6de/0xab0 [nfp] local_pci_probe+0x47/0xa0 work_for_cpu_fn+0x1a/0x30 process_one_work+0x1de/0x3e0 Found while working with broken/development version of management FW. Fixes: a5950182 ("nfp: map mac_stats and vf_cfg BARs") Fixes: 93da7d96 ("nfp: provide nfp_port to of nfp_net_get_mac_addr()") Signed-off-by:
Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by:
Dirk van der Merwe <dirk.vandermerwe@netronome.com> Signed-off-by:
-
Jon Maloy authored
Commit 36a50a98 ("tipc: fix infinite loop when dumping link monitor summary") intended to fix a problem with user tool looping when max number of bearers are enabled. Unfortunately, the wrong version of the commit was posted, so the problem was not solved at all. This commit adds the missing part. Fixes: 36a50a98 ("tipc: fix infinite loop when dumping link monitor summary") Signed-off-by:
Jon Maloy <jon.maloy@ericsson.com> Signed-off-by:
-
- Apr 26, 2018
-
-
Chris Mi authored
When deleting a flow counter, the modify mask should be the action and the flow counter. Otherwise the flow counter is not deleted and we'll get a firmware warning when deleting the remaining destinations on the same FTE. It only happens in the presence of flow counter and multiple vport destinations. If there is only one vport destination, there is no need to update the FTE when deleting the only vport destination, we just delete the FTE. Fixes: ae058314 ("net/mlx5: Add option to add fwd rule with counter") Signed-off-by:
Chris Mi <chrism@mellanox.com> Signed-off-by:
Jianbo Liu <jianbol@mellanox.com> Reviewed-by:
Mark Bloch <markb@mellanox.com> Signed-off-by:
Saeed Mahameed <saeedm@mellanox.com>
-
Shahar Klein authored
After the cited commit, WQE RQ size is calculated based on sw_mtu but it was not set for representors. This commit fixes that. Fixes: 472a1e44 ("net/mlx5e: Save MTU in channels params") Signed-off-by:
Shahar Klein <shahark@mellanox.com> Signed-off-by:
-
Talat Batheesh authored
When we fail to initialize the RX root namespace, we need to clean only that and not the entire flow steering. Currently the code may try to clean the flow steering twice on error witch leads to null pointer deference. Make sure we clean correctly. Fixes: fba53f7b ("net/mlx5: Introduce mlx5_flow_steering structure") Signed-off-by:
Talat Batheesh <talatb@mellanox.com> Reviewed-by:
-
Tariq Toukan authored
In case of a dma_mapping_error, do not use wi->num_dma as a parameter for dma unmap function because it's yet to be set, and holds an out-of-date value. Use actual value (local variable num_dma) instead. Fixes: 34802a42 ("net/mlx5e: Do not modify the TX SKB") Fixes: e586b3b0 ("net/mlx5: Ethernet Datapath files") Signed-off-by:
Tariq Toukan <tariqt@mellanox.com> Signed-off-by:
-
Israel Rukshin authored
Adding the vector offset when calling to mlx5_vector2eqn() is wrong. This is because mlx5_vector2eqn() checks if EQ index is equal to vector number and the fact that the internal completion vectors that mlx5 allocates don't get an EQ index. The second problem here is that using effective_affinity_mask gives the same CPU for different vectors. This leads to unmapped queues when calling it from blk_mq_rdma_map_queues(). This doesn't happen when using affinity_hint mask. Fixes: 2572cf57 ("mlx5: fix mlx5_get_vector_affinity to start from completion vector 0") Fixes: 05e0cc84 ("net/mlx5: Fix get vector affinity helper function") Signed-off-by:
Israel Rukshin <israelr@mellanox.com> Reviewed-by:
Max Gurtovoy <maxg@mellanox.com> Reviewed-by:
Sagi Grimberg <sagi@grimberg.me>
-
Huy Nguyen authored
When the trust state is set to dscp and the netdev is down, the inline header size is not updated. When netdev is up, the inline header size stays at L2 instead of IP. Fix this issue by updating the private parameter when the netdev is in down so that when netdev is up, it picks up the right header size. Fixes: fbcb127e ("net/mlx5e: Support DSCP trust state ...") Signed-off-by:
Huy Nguyen <huyn@mellanox.com> Signed-off-by:
-
Jianbo Liu authored
For ICMPv4, the checksum is calculated from the ICMP headers and data. Since the ICMPv4 checksum doesn't cover the IP header, we can allow to do L3 header re-write for this protocol. Fixes: bdd66ac0 ('net/mlx5e: Disallow TC offloading of unsupported match/action combinations') Signed-off-by:
Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfDavid S. Miller authored
Daniel Borkmann says: ==================== pull-request: bpf 2018-04-25 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix to clear the percpu metadata_dst that could otherwise carry stale ip_tunnel_info, from William. 2) Fix that reduces the number of passes in x64 JIT with regards to dead code sanitation to avoid risk of prog rejection, from Gianluca. 3) Several fixes of sockmap programs, besides others, fixing a double page_put() in error path, missing refcount hold for pinned sockmap, adding required -target bpf for clang in sample Makefile, from John. 4) Fix to disable preemption in __BPF_PROG_RUN_ARRAY() paths, from Roman. 5) Fix tools/bpf/ Makefile with regards to a lex/yacc build error seen on older gcc-5, from John. ==================== Signed-off-by:
-
- Apr 25, 2018
-
-
John Fastabend authored
Fix build error found with Ubuntu shipped gcc-5 ~/git/bpf/tools/bpf$ make all Auto-detecting system features: ... libbfd: [ OFF ] ... disassembler-four-args: [ OFF ] CC bpf_jit_disasm.o LINK bpf_jit_disasm CC bpf_dbg.o /home/john/git/bpf/tools/bpf/bpf_dbg.c: In function ‘cmd_load’: /home/john/git/bpf/tools/bpf/bpf_dbg.c:1077:13: warning: ‘cont’ may be used uninitialized in this function [-Wmaybe-uninitialized] } else if (matches(subcmd, "pcap") == 0) { ^ LINK bpf_dbg CC bpf_asm.o make: *** No rule to make target `bpf_exp.yacc.o', needed by `bpf_asm'. Stop. Fixes: 5a8997f2 ("tools: bpf: respect output directory during build") Signed-off-by:John Fastabend <john.fastabend@gmail.com> Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net>
-
Dag Moxnes authored
The function rds_ib_setup_qp is calling rds_ib_get_client_data and should correspondingly call rds_ib_dev_put. This call was lost in the non-error path with the introduction of error handling done in commit 3b12f73a ("rds: ib: add error handle") Signed-off-by:
Dag Moxnes <dag.moxnes@oracle.com> Reviewed-by:
Håkon Bugge <haakon.bugge@oracle.com> Acked-by:
Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by:
-
Ursula Braun authored
The internal CLC socket should exist till the SMC-socket is released. Function tcp_listen_worker() releases the internal CLC socket of a listen socket, if an smc_close_active() is called. This function is called for the final release(), but it is called for shutdown SHUT_RDWR as well. This opens a door for protection faults, if socket calls using the internal CLC socket are called for a shutdown listen socket. With the changes of commit 3d502067 ("net/smc: simplify wait when closing listen socket") there is no need anymore to release the internal CLC socket in function tcp_listen_worker((). It is sufficient to release it in smc_release(). Fixes: 127f4970 ("net/smc: release clcsock from tcp_listen_worker") Signed-off-by:
Ursula Braun <ubraun@linux.ibm.com> Reported-by:
<syzbot+9045fc589fcd196ef522@syzkaller.appspotmail.com> Reported-by:
<syzbot+28a2c86cf19c81d871fa@syzkaller.appspotmail.com> Reported-by:
<syzbot+9605e6cace1b5efd4a0a@syzkaller.appspotmail.com> Reported-by:
<syzbot+cf9012c597c8379d535c@syzkaller.appspotmail.com> Signed-off-by:
-
Alexandre Belloni authored
Some MDIO busses will error out when trying to read a phy address with no phy present at that address. In that case, probing the bus will fail because __mdiobus_register() is scanning the bus for all possible phys addresses. In case MII_PHYSID1 returns -EIO or -ENODEV, consider there is no phy at this address and set the phy ID to 0xffffffff which is then properly handled in get_phy_device(). Suggested-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
Alexandre Belloni <alexandre.belloni@bootlin.com> Reviewed-by:
-
Gianluca Borello authored
Commit 2a5418a1 ("bpf: improve dead code sanitizing") replaced dead code with a series of ja-1 instructions, for safety. That made JIT compilation much more complex for some BPF programs. One instance of such programs is, for example: bool flag = false ... /* A bunch of other code */ ... if (flag) do_something() In some cases llvm is not able to remove at compile time the code for do_something(), so the generated BPF program ends up with a large amount of dead instructions. In one specific real life example, there are two series of ~500 and ~1000 dead instructions in the program. When the verifier replaces them with a series of ja-1 instructions, it causes an interesting behavior at JIT time. During the first pass, since all the instructions are estimated at 64 bytes, the ja-1 instructions end up being translated as 5 bytes JMP instructions (0xE9), since the jump offsets become increasingly large (> 127) as each instruction gets discovered to be 5 bytes instead of the estimated 64. Starting from the second pass, the first N instructions of the ja-1 sequence get translated into 2 bytes JMPs (0xEB) because the jump offsets become <= 127 this time. In particular, N is defined as roughly 127 / (5 - 2) ~= 42. So, each further pass will make the subsequent N JMP instructions shrink from 5 to 2 bytes, making the image shrink every time. This means that in order to have the entire program converge, there need to be, in the real example above, at least ~1000 / 42 ~= 24 passes just for translating the dead code. If we add this number to the passes needed to translate the other non dead code, it brings such program to 40+ passes, and JIT doesn't complete. Ultimately the userspace loader fails because such BPF program was supposed to be part of a prog array owner being JITed. While it is certainly possible to try to refactor such programs to help the compiler remove dead code, the behavior is not really intuitive and it puts further burden on the BPF developer who is not expecting such behavior. To make things worse, such programs are working just fine in all the kernel releases prior to the ja-1 fix. A possible approach to mitigate this behavior consists into noticing that for ja-1 instructions we don't really need to rely on the estimated size of the previous and current instructions, we know that a -1 BPF jump offset can be safely translated into a 0xEB instruction with a jump offset of -2. Such fix brings the BPF program in the previous example to complete again in ~9 passes. Fixes: 2a5418a1 ("bpf: improve dead code sanitizing") Signed-off-by:
Gianluca Borello <g.borello@gmail.com> Acked-by:
Alexei Starovoitov <ast@kernel.org> Signed-off-by:
-
