
Commit 5b7d279

committed
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller: 1) Avoid negative netdev refcount in error flow of xfrm state add, from Aviad Yehezkel. 2) Fix tcpdump decoding of IPSEC decap'd frames by filling in the ethernet header protocol field in xfrm{4,6}_mode_tunnel_input(). From Yossi Kuperman. 3) Fix a syzbot triggered skb_under_panic in pppoe having to do with failing to allocate an appropriate amount of headroom. From Guillaume Nault. 4) Fix memory leak in vmxnet3 driver, from Neil Horman. 5) Cure out-of-bounds packet memory access in em_nbyte EMATCH module, from Wolfgang Bumiller. 6) Restrict what kinds of sockets can be bound to the KCM multiplexer and also disallow when another layer has attached to the socket and made use of sk_user_data. From Tom Herbert. 7) Fix use before init of IOTLB in vhost code, from Jason Wang. 8) Correct STACR register write bit definition in IBM emac driver, from Ivan Mikhaylov. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: net/ibm/emac: wrong bit is used for STA control register write net/ibm/emac: add 8192 rx/tx fifo size vhost: do not try to access device IOTLB when not initialized vhost: use mutex_lock_nested() in vhost_dev_lock_vqs() i40e: flower: check if TC offload is enabled on a netdev qed: Free reserved MR tid qed: Remove reserveration of dpi for kernel kcm: Check if sk_user_data already set in kcm_attach kcm: Only allow TCP sockets to be attached to a KCM mux net: sched: fix TCF_LAYER_LINK case in tcf_get_base_ptr net: sched: em_nbyte: don't add the data offset twice mlxsw: spectrum_router: Don't log an error on missing neighbor vmxnet3: repair memory leak ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL pppoe: take ->needed_headroom of lower device into account on xmit xfrm: fix boolean assignment in xfrm_get_type_offload xfrm: Fix eth_hdr(skb)->h_proto to reflect inner IP version xfrm: fix error flow in case of add state fails xfrm: Add SA to hardware at the end of xfrm_state_construct()
2 parents f165495 + 624ca9c commit 5b7d279


19 files changed

+90
-49
lines changed


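--- a/drivers/net/ethernet/ibm/emac/core.c
+++ b/drivers/net/ethernet/ibm/emac/core.c
@@ -494,6 +494,9 @@ static u32 __emac_calc_base_mr1(struct emac_instance *dev, int tx_size, int rx_s
 case 16384:
 ret |= EMAC_MR1_RFS_16K;
 break;
+case 8192:
+ret |= EMAC4_MR1_RFS_8K;
+break;
 case 4096:
 ret |= EMAC_MR1_RFS_4K;
 break;
@@ -516,6 +519,9 @@ static u32 __emac4_calc_base_mr1(struct emac_instance *dev, int tx_size, int rx_
 case 16384:
 ret |= EMAC4_MR1_TFS_16K;
 break;
+case 8192:
+ret |= EMAC4_MR1_TFS_8K;
+break;
 case 4096:
 ret |= EMAC4_MR1_TFS_4K;
 break;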
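Review bot: The 8192 case added to the switch in `__emac_calc_base_mr1` ORs in `EMAC4_MR1_RFS_8K`, while the neighbouring cases of that same switch use the `EMAC_MR1_RFS_*` family, so a constant from the EMAC4 register layout ends up in the non-EMAC4 value. Judging by the names, the intent was probably an 8K receive case in `__emac4_calc_base_mr1`, next to the transmit case added in the second hunk. If so, the line belongs in that function's receive switch, which lies outside this hunk, and the first hunk should be dropped or use a non-EMAC4 constant if that layout has an 8K encoding at all. Both functions start and end outside the visible hunks, so this needs checking against the full file.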

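--- a/drivers/net/ethernet/ibm/emac/emac.h
+++ b/drivers/net/ethernet/ibm/emac/emac.h
@@ -151,9 +151,11 @@ struct emac_regs {
 
 #define EMAC4_MR1_RFS_2K 0x00100000
 #define EMAC4_MR1_RFS_4K 0x00180000
+#define EMAC4_MR1_RFS_8K 0x00200000
 #define EMAC4_MR1_RFS_16K 0x00280000
 #define EMAC4_MR1_TFS_2K 0x00020000
 #define EMAC4_MR1_TFS_4K 0x00030000
+#define EMAC4_MR1_TFS_8K 0x00040000
 #define EMAC4_MR1_TFS_16K 0x00050000
 #define EMAC4_MR1_TR 0x00008000
 #define EMAC4_MR1_MWSW_001 0x00001000
@@ -242,7 +244,7 @@ struct emac_regs {
 #define EMAC_STACR_PHYE 0x00004000
 #define EMAC_STACR_STAC_MASK 0x00003000
 #define EMAC_STACR_STAC_READ 0x00001000
-#define EMAC_STACR_STAC_WRITE 0x00002000
+#define EMAC_STACR_STAC_WRITE 0x00000800
 #define EMAC_STACR_OPBC_MASK 0x00000C00
 #define EMAC_STACR_OPBC_50 0x00000000
 #define EMAC_STACR_OPBC_66 0x00000400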
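Review bot: The new `EMAC_STACR_STAC_WRITE` value `0x00000800` lies outside `EMAC_STACR_STAC_MASK` (`0x00003000`) and inside `EMAC_STACR_OPBC_MASK` (`0x00000C00`), both defined in this same hunk, whereas the old value `0x00002000` and `EMAC_STACR_STAC_READ` fit the STAC mask. Any code that ORs the write command together with an OPBC clock selection would then collide on bit 11, which the higher OPBC settings presumably use. If the hardware manual really places the write opcode there for some core variant, a separate variant-specific define with a comment citing the register description would be safer than changing the shared one.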

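--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -7505,6 +7505,8 @@ static int i40e_setup_tc_cls_flower(struct i40e_netdev_priv *np,
 {
 struct i40e_vsi *vsi = np->vsi;
 
+if (!tc_can_offload(vsi->netdev))
+return -EOPNOTSUPP;
 if (cls_flower->common.chain_index)
 return -EOPNOTSUPP;
 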

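--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -1942,11 +1942,8 @@ static void mlxsw_sp_router_neigh_ent_ipv4_process(struct mlxsw_sp *mlxsw_sp,
 dipn = htonl(dip);
 dev = mlxsw_sp->router->rifs[rif]->dev;
 n = neigh_lookup(&arp_tbl, &dipn, dev);
-if (!n) {
-netdev_err(dev, "Failed to find matching neighbour for IP=%pI4h\n",
-&dip);
+if (!n)
 return;
-}
 
 netdev_dbg(dev, "Updating neighbour with IP=%pI4h\n", &dip);
 neigh_event_send(n, NULL);
@@ -1973,11 +1970,8 @@ static void mlxsw_sp_router_neigh_ent_ipv6_process(struct mlxsw_sp *mlxsw_sp,
 
 dev = mlxsw_sp->router->rifs[rif]->dev;
 n = neigh_lookup(&nd_tbl, &dip, dev);
-if (!n) {
-netdev_err(dev, "Failed to find matching neighbour for IP=%pI6c\n",
-&dip);
+if (!n)
 return;
-}
 
 netdev_dbg(dev, "Updating neighbour with IP=%pI6c\n", &dip);
 neigh_event_send(n, NULL);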

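--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
@@ -358,10 +358,27 @@ static void qed_rdma_resc_free(struct qed_hwfn *p_hwfn)
 kfree(p_rdma_info);
 }
 
+static void qed_rdma_free_tid(void *rdma_cxt, u32 itid)
+{
+struct qed_hwfn *p_hwfn = (struct qed_hwfn *)rdma_cxt;
+
+DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "itid = %08x\n", itid);
+
+spin_lock_bh(&p_hwfn->p_rdma_info->lock);
+qed_bmap_release_id(p_hwfn, &p_hwfn->p_rdma_info->tid_map, itid);
+spin_unlock_bh(&p_hwfn->p_rdma_info->lock);
+}
+
+static void qed_rdma_free_reserved_lkey(struct qed_hwfn *p_hwfn)
+{
+qed_rdma_free_tid(p_hwfn, p_hwfn->p_rdma_info->dev->reserved_lkey);
+}
+
 static void qed_rdma_free(struct qed_hwfn *p_hwfn)
 {
 DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
 
+qed_rdma_free_reserved_lkey(p_hwfn);
 qed_rdma_resc_free(p_hwfn);
 }
 
@@ -615,9 +632,6 @@ static int qed_rdma_reserve_lkey(struct qed_hwfn *p_hwfn)
 {
 struct qed_rdma_device *dev = p_hwfn->p_rdma_info->dev;
 
-/* The first DPI is reserved for the Kernel */
-__set_bit(0, p_hwfn->p_rdma_info->dpi_map.bitmap);
-
 /* Tid 0 will be used as the key for "reserved MR".
 * The driver should allocate memory for it so it can be loaded but no
 * ramrod should be passed on it.
@@ -797,17 +811,6 @@ static struct qed_rdma_device *qed_rdma_query_device(void *rdma_cxt)
 return p_hwfn->p_rdma_info->dev;
 }
 
-static void qed_rdma_free_tid(void *rdma_cxt, u32 itid)
-{
-struct qed_hwfn *p_hwfn = (struct qed_hwfn *)rdma_cxt;
-
-DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "itid = %08x\n", itid);
-
-spin_lock_bh(&p_hwfn->p_rdma_info->lock);
-qed_bmap_release_id(p_hwfn, &p_hwfn->p_rdma_info->tid_map, itid);
-spin_unlock_bh(&p_hwfn->p_rdma_info->lock);
-}
-
 static void qed_rdma_cnq_prod_update(void *rdma_cxt, u8 qz_offset, u16 prod)
 {
 struct qed_hwfn *p_hwfn;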
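Review bot: `qed_rdma_free()` now depends on call order and nothing in the code says so: `qed_rdma_free_reserved_lkey()` reads `p_hwfn->p_rdma_info->dev->reserved_lkey` and takes `p_rdma_info->lock`, while `qed_rdma_resc_free()` ends in `kfree(p_rdma_info)`, visible at the top of the first hunk. A one-line comment above the new call, e.g. `/* must precede qed_rdma_resc_free(), which frees p_rdma_info */`, would keep a later reordering from turning this into a use-after-free. It is also worth confirming that `qed_rdma_free()` is never reached when the lkey reservation did not happen, since the release is unconditional; the callers are outside these hunks.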

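--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 struct pppoe_hdr *ph;
 struct net_device *dev;
 char *start;
+int hlen;
 
 lock_sock(sk);
 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 if (total_len > (dev->mtu + dev->hard_header_len))
 goto end;
 
-
-skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
-0, GFP_KERNEL);
+hlen = LL_RESERVED_SPACE(dev);
+skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
+dev->needed_tailroom, 0, GFP_KERNEL);
 if (!skb) {
 error = -ENOMEM;
 goto end;
 }
 
 /* Reserve space for headers. */
-skb_reserve(skb, dev->hard_header_len);
+skb_reserve(skb, hlen);
 skb_reset_network_header(skb);
 
 skb->dev = dev;
@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
 /* Copy the data if there is no space for the header or if it's
 * read-only.
 */
-if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
 goto abort;
 
 __skb_push(skb, sizeof(*ph));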
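Review bot: The reason for switching from `dev->hard_header_len` to `LL_RESERVED_SPACE(dev)` is not recorded next to the code; the existing comment in `pppoe_sendmsg` still reads `/* Reserve space for headers. */`. Since the merge description ties this change to an skb_under_panic caused by too little headroom, I would extend that comment to something like `/* Reserve the lower device's link-layer header plus its needed_headroom. */`. A matching remark at the `skb_cow_head()` call in `__pppoe_xmit` would help keep the two sizes in step. Both functions continue outside the hunks shown.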

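--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1616,7 +1616,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
 rq->rx_ring[i].basePA);
 rq->rx_ring[i].base = NULL;
 }
-rq->buf_info[i] = NULL;
 }
 
 if (rq->data_ring.base) {
@@ -1638,6 +1637,7 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
 (rq->rx_ring[0].size + rq->rx_ring[1].size);
 dma_free_coherent(&adapter->pdev->dev, sz, rq->buf_info[0],
 rq->buf_info_pa);
+rq->buf_info[0] = rq->buf_info[1] = NULL;
 }
 }
 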

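--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -904,7 +904,7 @@ static void vhost_dev_lock_vqs(struct vhost_dev *d)
 {
 int i = 0;
 for (i = 0; i < d->nvqs; ++i)
-mutex_lock(&d->vqs[i]->mutex);
+mutex_lock_nested(&d->vqs[i]->mutex, i);
 }
 
 static void vhost_dev_unlock_vqs(struct vhost_dev *d)
@@ -1015,6 +1015,10 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev,
 vhost_iotlb_notify_vq(dev, msg);
 break;
 case VHOST_IOTLB_INVALIDATE:
+if (!dev->iotlb) {
+ret = -EFAULT;
+break;
+}
 vhost_vq_meta_reset(dev);
 vhost_del_umem_range(dev->iotlb, msg->iova,
 msg->iova + msg->size - 1);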
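Review bot: In `vhost_dev_lock_vqs()` the loop index is passed straight to `mutex_lock_nested()` as the lockdep subclass, and lockdep supports only a small fixed number of subclasses (`MAX_LOCKDEP_SUBCLASSES`). If a vhost device can have more virtqueues than that, a lockdep-enabled kernel will report an invalid subclass when all queues are locked; the bound on `d->nvqs` is not visible here. Either document the assumed upper bound next to the loop or check it once at device setup, for example `WARN_ON_ONCE(d->nvqs > MAX_LOCKDEP_SUBCLASSES);`.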

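--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -331,6 +331,7 @@ int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq,
 int flags);
 int ip6_flowlabel_init(void);
 void ip6_flowlabel_cleanup(void);
+bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np);
 
 static inline void fl6_sock_release(struct ip6_flowlabel *fl)
 {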

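--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -522,7 +522,7 @@ static inline unsigned char * tcf_get_base_ptr(struct sk_buff *skb, int layer)
 {
 switch (layer) {
 case TCF_LAYER_LINK:
-return skb->data;
+return skb_mac_header(skb);
 case TCF_LAYER_NETWORK:
 return skb_network_header(skb);
 case TCF_LAYER_TRANSPORT: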
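Review bot: `skb_mac_header(skb)` is returned in the `TCF_LAYER_LINK` case without checking that a MAC header offset was ever recorded for this skb. When it was not, the returned pointer is not a meaningful position in the packet, and safety then rests entirely on each caller running `tcf_valid_offset()` before dereferencing; em_nbyte does so in this same commit, other callers are not visible here. One option is `if (!skb_mac_header_was_set(skb)) return NULL;` in that case, provided callers treat NULL as no match. At minimum, a comment on `tcf_get_base_ptr()` should state that the result must be range-checked before use. The switch continues past the end of the hunk.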

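--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -92,6 +92,7 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
 
 skb_reset_network_header(skb);
 skb_mac_header_rebuild(skb);
+eth_hdr(skb)->h_proto = skb->protocol;
 
 err = 0;
 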
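Review bot: The store `eth_hdr(skb)->h_proto = skb->protocol;` is unconditional, but nothing in the hunk establishes that the skb has an Ethernet-sized MAC header in front of the network header. On an ingress path without a link-layer header the write would land on bytes that do not belong to a MAC header. Guarding it, e.g. `if (skb->mac_len) eth_hdr(skb)->h_proto = skb->protocol;`, keeps the tcpdump fix for Ethernet devices and skips the write otherwise. The identical line added in net/ipv6/xfrm6_mode_tunnel.c needs the same guard; both functions extend beyond the hunks shown.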

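--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -166,7 +166,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
 
-static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
 {
 if (!np->autoflowlabel_set)
 return ip6_default_np_autolabel(net);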

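--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -1336,7 +1336,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
 break;
 
 case IPV6_AUTOFLOWLABEL:
-val = np->autoflowlabel;
+val = ip6_autoflowlabel(sock_net(sk), np);
 break;
 
 case IPV6_RECVFRAGSIZE: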

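--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -92,6 +92,7 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
 
 skb_reset_network_header(skb);
 skb_mac_header_rebuild(skb);
+eth_hdr(skb)->h_proto = skb->protocol;
 
 err = 0;
 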

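--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1387,8 +1387,13 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
 if (!csk)
 return -EINVAL;
 
-/* We must prevent loops or risk deadlock ! */
-if (csk->sk_family == PF_KCM)
+/* Only allow TCP sockets to be attached for now */
+if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) ||
+csk->sk_protocol != IPPROTO_TCP)
+return -EOPNOTSUPP;
+
+/* Don't allow listeners or closed sockets */
+if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE)
 return -EOPNOTSUPP;
 
 psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL);
@@ -1405,18 +1410,30 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
 return err;
 }
 
-sock_hold(csk);
-
 write_lock_bh(&csk->sk_callback_lock);
+
+/* Check if sk_user_data is aready by KCM or someone else.
+* Must be done under lock to prevent race conditions.
+*/
+if (csk->sk_user_data) {
+write_unlock_bh(&csk->sk_callback_lock);
+strp_done(&psock->strp);
+kmem_cache_free(kcm_psockp, psock);
+return -EALREADY;
+}
+
 psock->save_data_ready = csk->sk_data_ready;
 psock->save_write_space = csk->sk_write_space;
 psock->save_state_change = csk->sk_state_change;
 csk->sk_user_data = psock;
 csk->sk_data_ready = psock_data_ready;
 csk->sk_write_space = psock_write_space;
 csk->sk_state_change = psock_state_change;
+
 write_unlock_bh(&csk->sk_callback_lock);
 
+sock_hold(csk);
+
 /* Finished initialization, now add the psock to the MUX. */
 spin_lock_bh(&mux->lock);
 head = &mux->psocks;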
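Review bot: The new family, protocol and `sk_state` tests on `csk` run before any lock on that socket is taken in the visible part of `kcm_attach()`, so the state can change between the check and the callback swap under `sk_callback_lock` (a connected socket can be closed in that window). If the caller does not already hold the socket lock, which is not visible here, the checks and the attachment should sit between `lock_sock(csk);` and `release_sock(csk);`. Separately, `sock_hold(csk)` now happens after `sk_user_data` and the callbacks are published; a comment stating which reference keeps `csk` alive across that gap would help. The function starts and ends outside these hunks.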

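--- a/net/sched/em_nbyte.c
+++ b/net/sched/em_nbyte.c
@@ -51,7 +51,7 @@ static int em_nbyte_match(struct sk_buff *skb, struct tcf_ematch *em,
 if (!tcf_valid_offset(skb, ptr, nbyte->hdr.len))
 return 0;
 
-return !memcmp(ptr + nbyte->hdr.off, nbyte->pattern, nbyte->hdr.len);
+return !memcmp(ptr, nbyte->pattern, nbyte->hdr.len);
 }
 
 static struct tcf_ematch_ops em_nbyte_ops = {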
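Review bot: After this change the `memcmp()` reads exactly the range that `tcf_valid_offset(skb, ptr, nbyte->hdr.len)` just validated, but that only holds if `ptr` already includes `nbyte->hdr.off`, which is computed above the hunk. A short comment before the return would pin that down, e.g. `/* ptr already includes hdr.off; compare only the bytes validated above */`. It is also worth confirming that the length of `nbyte->pattern` is checked against `hdr.len` when the ematch is configured, since that side of the comparison is not bounded in the visible lines.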

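--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -102,6 +102,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
 
 err = dev->xfrmdev_ops->xdo_dev_state_add(x);
 if (err) {
+xso->dev = NULL;
 dev_put(dev);
 return err;
 }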
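Review bot: `xso->dev = NULL;` is added without a comment, and its purpose can only be guessed from the merge description (negative netdev refcount in the error flow of state add). I would put `/* clear dev so a later state teardown does not dev_put() it a second time */` above the line, after confirming that this is what the teardown path, which is outside this hunk, actually does. Fields of `xso` that were assigned before the `xdo_dev_state_add()` call are left untouched here; it is worth checking that nothing reads them once `dev` is NULL.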

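--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -317,7 +317,7 @@ xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load)
 
 if (!type && try_load) {
 request_module("xfrm-offload-%d-%d", family, proto);
-try_load = 0;
+try_load = false;
 goto retry;
 }
 
@@ -2272,8 +2272,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
 goto error;
 }
 
-x->km.state = XFRM_STATE_VALID;
-
 error:
 return err;
 }
@@ -2282,7 +2280,13 @@ EXPORT_SYMBOL(__xfrm_init_state);
 
 int xfrm_init_state(struct xfrm_state *x)
 {
-return __xfrm_init_state(x, true, false);
+int err;
+
+err = __xfrm_init_state(x, true, false);
+if (!err)
+x->km.state = XFRM_STATE_VALID;
+
+return err;
 }
 
 EXPORT_SYMBOL(xfrm_init_state);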
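Review bot: `__xfrm_init_state()` is exported and, with this change, no longer moves the state to `XFRM_STATE_VALID` on success; only `xfrm_init_state()` and, elsewhere in this commit, `xfrm_add_sa()` do that. Any other direct caller now gets a successful return with `x->km.state` unchanged, and nothing at the definition says so. A kernel-doc comment on `__xfrm_init_state()` stating that the caller must set `x->km.state` once its own follow-up setup is done would make the new contract explicit. Most of that function lies outside the hunk, so the remaining callers need to be checked in the full tree.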

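--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -598,13 +598,6 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 goto error;
 }
 
-if (attrs[XFRMA_OFFLOAD_DEV]) {
-err = xfrm_dev_state_add(net, x,
-nla_data(attrs[XFRMA_OFFLOAD_DEV]));
-if (err)
-goto error;
-}
-
 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
 attrs[XFRMA_REPLAY_ESN_VAL])))
 goto error;
@@ -620,6 +613,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 /* override default values from above */
 xfrm_update_ae_params(x, attrs, 0);
 
+/* configure the hardware if offload is requested */
+if (attrs[XFRMA_OFFLOAD_DEV]) {
+err = xfrm_dev_state_add(net, x,
+nla_data(attrs[XFRMA_OFFLOAD_DEV]));
+if (err)
+goto error;
+}
+
 return x;
 
 error:
@@ -662,6 +663,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
 goto out;
 }
 
+if (x->km.state == XFRM_STATE_VOID)
+x->km.state = XFRM_STATE_VALID;
+
 c.seq = nlh->nlmsg_seq;
 c.portid = nlh->nlmsg_pid;
 c.event = nlh->nlmsg_type;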
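Review bot: In `xfrm_add_sa()` the transition to `XFRM_STATE_VALID` now sits after the error branch ending in `goto out`, so the state appears to be inserted while still `XFRM_STATE_VOID` and is then flipped without `x->lock` in the visible lines. If lookups can reach the state in that window they will see a non-valid SA, and the plain store can race with a concurrent state change. Consider setting the state before insertion, or doing the test-and-set under `spin_lock_bh(&x->lock)`. The surrounding code is outside the hunk, so this needs confirming against the full function.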
