tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'net-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
"Networking fixes for 5.12-rc8, including fixes from netfilter, and
bpf. BPF verifier changes stand out, otherwise things have slowed
down.

Current release - regressions:

- gro: ensure frag0 meets IP header alignment

- Revert "net: stmmac: re-init rx buffers when mac resume back"

- ethernet: macb: fix the restore of cmp registers

Previous releases - regressions:

- ixgbe: Fix NULL pointer dereference in ethtool loopback test

- ixgbe: fix unbalanced device enable/disable in suspend/resume

- phy: marvell: fix detection of PHY on Topaz switches

- make tcp_allowed_congestion_control readonly in non-init netns

- xen-netback: Check for hotplug-status existence before watching

Previous releases - always broken:

- bpf: mitigate a speculative oob read of up to map value size by
tightening the masking window

- sctp: fix race condition in sctp_destroy_sock

- sit, ip6_tunnel: Unregister catch-all devices

- netfilter: nftables: clone set element expression template

- netfilter: flowtable: fix NAT IPv6 offload mangling

- net: geneve: check skb is large enough for IPv4/IPv6 header

- netlink: don't call ->netlink_bind with table lock held"

* tag 'net-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (52 commits)
netlink: don't call ->netlink_bind with table lock held
MAINTAINERS: update my email
bpf: Update selftests to reflect new error states
bpf: Tighten speculative pointer arithmetic mask
bpf: Move sanitize_val_alu out of op switch
bpf: Refactor and streamline bounds check into helper
bpf: Improve verifier error messages for users
bpf: Rework ptr_limit into alu_limit and add common error path
bpf: Ensure off_reg has no mixed signed bounds for all types
bpf: Move off_reg into sanitize_ptr_alu
bpf: Use correct permission flag for mixed signed bounds arithmetic
ch_ktls: do not send snd_una update to TCB in middle
ch_ktls: tcb close causes tls connection failure
ch_ktls: fix device connection close
ch_ktls: Fix kernel panic
i40e: fix the panic when running bpf in xdpdrv mode
net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta
net/mlx5e: Fix setting of RS FEC mode
net/mlx5: Fix setting of devlink traps in switchdev mode
Revert "net: stmmac: re-init rx buffers when mac resume back"
...

Linus Torvalds 88a5af94 bdfd99e6

+479 -439
-15
Documentation/networking/ip-sysctl.rst
··· 1849 1849 ip6frag_time - INTEGER 1850 1850 Time in seconds to keep an IPv6 fragment in memory. 1851 1851 1852 - IPv6 Segment Routing: 1853 - 1854 - seg6_flowlabel - INTEGER 1855 - Controls the behaviour of computing the flowlabel of outer 1856 - IPv6 header in case of SR T.encaps 1857 - 1858 - == ======================================================= 1859 - -1 set flowlabel to zero. 1860 - 0 copy flowlabel from Inner packet in case of Inner IPv6 1861 - (Set flowlabel to 0 in case IPv4/L2) 1862 - 1 Compute the flowlabel using seg6_make_flowlabel() 1863 - == ======================================================= 1864 - 1865 - Default is 0. 1866 - 1867 1852 ``conf/default/*``: 1868 1853 Change the interface-specific default settings. 1869 1854
+13
Documentation/networking/seg6-sysctl.rst
··· 24 24 * 1 - Drop SR packets without HMAC, validate SR packets with HMAC 25 25 26 26 Default is 0. 27 + 28 + seg6_flowlabel - INTEGER 29 + Controls the behaviour of computing the flowlabel of outer 30 + IPv6 header in case of SR T.encaps 31 + 32 + == ======================================================= 33 + -1 set flowlabel to zero. 34 + 0 copy flowlabel from Inner packet in case of Inner IPv6 35 + (Set flowlabel to 0 in case IPv4/L2) 36 + 1 Compute the flowlabel using seg6_make_flowlabel() 37 + == ======================================================= 38 + 39 + Default is 0.
+2 -2
MAINTAINERS
··· 7096 7096 F: drivers/i2c/busses/i2c-cpm.c 7097 7097 7098 7098 FREESCALE IMX / MXC FEC DRIVER 7099 - M: Fugang Duan <fugang.duan@nxp.com> 7099 + M: Joakim Zhang <qiangqing.zhang@nxp.com> 7100 7100 L: netdev@vger.kernel.org 7101 7101 S: Maintained 7102 7102 F: Documentation/devicetree/bindings/net/fsl-fec.txt ··· 8524 8524 8525 8525 IBM Power SRIOV Virtual NIC Device Driver 8526 8526 M: Dany Madden <drt@linux.ibm.com> 8527 - M: Lijun Pan <ljp@linux.ibm.com> 8528 8527 M: Sukadev Bhattiprolu <sukadev@linux.ibm.com> 8529 8528 R: Thomas Falcon <tlfalcon@linux.ibm.com> 8529 + R: Lijun Pan <lijunp213@gmail.com> 8530 8530 L: netdev@vger.kernel.org 8531 8531 S: Supported 8532 8532 F: drivers/net/ethernet/ibm/ibmvnic.*
+13 -17
drivers/net/dsa/mv88e6xxx/chip.c
··· 3026 3026 return err; 3027 3027 } 3028 3028 3029 + /* prod_id for switch families which do not have a PHY model number */ 3030 + static const u16 family_prod_id_table[] = { 3031 + [MV88E6XXX_FAMILY_6341] = MV88E6XXX_PORT_SWITCH_ID_PROD_6341, 3032 + [MV88E6XXX_FAMILY_6390] = MV88E6XXX_PORT_SWITCH_ID_PROD_6390, 3033 + }; 3034 + 3029 3035 static int mv88e6xxx_mdio_read(struct mii_bus *bus, int phy, int reg) 3030 3036 { 3031 3037 struct mv88e6xxx_mdio_bus *mdio_bus = bus->priv; 3032 3038 struct mv88e6xxx_chip *chip = mdio_bus->chip; 3039 + u16 prod_id; 3033 3040 u16 val; 3034 3041 int err; 3035 3042 ··· 3047 3040 err = chip->info->ops->phy_read(chip, bus, phy, reg, &val); 3048 3041 mv88e6xxx_reg_unlock(chip); 3049 3042 3050 - if (reg == MII_PHYSID2) { 3051 - /* Some internal PHYs don't have a model number. */ 3052 - if (chip->info->family != MV88E6XXX_FAMILY_6165) 3053 - /* Then there is the 6165 family. It gets is 3054 - * PHYs correct. But it can also have two 3055 - * SERDES interfaces in the PHY address 3056 - * space. And these don't have a model 3057 - * number. But they are not PHYs, so we don't 3058 - * want to give them something a PHY driver 3059 - * will recognise. 3060 - * 3061 - * Use the mv88e6390 family model number 3062 - * instead, for anything which really could be 3063 - * a PHY, 3064 - */ 3065 - if (!(val & 0x3f0)) 3066 - val |= MV88E6XXX_PORT_SWITCH_ID_PROD_6390 >> 4; 3043 + /* Some internal PHYs don't have a model number. */ 3044 + if (reg == MII_PHYSID2 && !(val & 0x3f0) && 3045 + chip->info->family < ARRAY_SIZE(family_prod_id_table)) { 3046 + prod_id = family_prod_id_table[chip->info->family]; 3047 + if (prod_id) 3048 + val |= prod_id >> 4; 3067 3049 } 3068 3050 3069 3051 return err ? err : val;
+1 -1
drivers/net/ethernet/cadence/macb_main.c
··· 3918 3918 reg = gem_readl(bp, DCFG8); 3919 3919 bp->max_tuples = min((GEM_BFEXT(SCR2CMP, reg) / 3), 3920 3920 GEM_BFEXT(T2SCR, reg)); 3921 + INIT_LIST_HEAD(&bp->rx_fs_list.list); 3921 3922 if (bp->max_tuples > 0) { 3922 3923 /* also needs one ethtype match to check IPv4 */ 3923 3924 if (GEM_BFEXT(SCR2ETH, reg) > 0) { ··· 3929 3928 /* Filtering is supported in hw but don't enable it in kernel now */ 3930 3929 dev->hw_features |= NETIF_F_NTUPLE; 3931 3930 /* init Rx flow definitions */ 3932 - INIT_LIST_HEAD(&bp->rx_fs_list.list); 3933 3931 bp->rx_fs_list.count = 0; 3934 3932 spin_lock_init(&bp->rx_fs_lock); 3935 3933 } else
+1 -1
drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h
··· 412 412 | CN6XXX_INTR_M0UNWI_ERR \ 413 413 | CN6XXX_INTR_M1UPB0_ERR \ 414 414 | CN6XXX_INTR_M1UPWI_ERR \ 415 - | CN6XXX_INTR_M1UPB0_ERR \ 415 + | CN6XXX_INTR_M1UNB0_ERR \ 416 416 | CN6XXX_INTR_M1UNWI_ERR \ 417 417 | CN6XXX_INTR_INSTR_DB_OF_ERR \ 418 418 | CN6XXX_INTR_SLIST_DB_OF_ERR \
+11 -91
drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
··· 350 350 } 351 351 352 352 /* 353 - * chcr_ktls_mark_tcb_close: mark tcb state to CLOSE 354 - * @tx_info - driver specific tls info. 355 - * return: NET_TX_OK/NET_XMIT_DROP. 356 - */ 357 - static int chcr_ktls_mark_tcb_close(struct chcr_ktls_info *tx_info) 358 - { 359 - return chcr_set_tcb_field(tx_info, TCB_T_STATE_W, 360 - TCB_T_STATE_V(TCB_T_STATE_M), 361 - CHCR_TCB_STATE_CLOSED, 1); 362 - } 363 - 364 - /* 365 353 * chcr_ktls_dev_del: call back for tls_dev_del. 366 354 * Remove the tid and l2t entry and close the connection. 367 355 * it per connection basis. ··· 383 395 384 396 /* clear tid */ 385 397 if (tx_info->tid != -1) { 386 - /* clear tcb state and then release tid */ 387 - chcr_ktls_mark_tcb_close(tx_info); 388 398 cxgb4_remove_tid(&tx_info->adap->tids, tx_info->tx_chan, 389 399 tx_info->tid, tx_info->ip_family); 390 400 } ··· 560 574 return 0; 561 575 562 576 free_tid: 563 - chcr_ktls_mark_tcb_close(tx_info); 564 577 #if IS_ENABLED(CONFIG_IPV6) 565 578 /* clear clip entry */ 566 579 if (tx_info->ip_family == AF_INET6) ··· 657 672 if (tx_info->pending_close) { 658 673 spin_unlock(&tx_info->lock); 659 674 if (!status) { 660 - /* it's a late success, tcb status is established, 661 - * mark it close. 662 - */ 663 - chcr_ktls_mark_tcb_close(tx_info); 664 675 cxgb4_remove_tid(&tx_info->adap->tids, tx_info->tx_chan, 665 676 tid, tx_info->ip_family); 666 677 } ··· 1645 1664 } 1646 1665 1647 1666 /* 1648 - * chcr_ktls_update_snd_una: Reset the SEND_UNA. It will be done to avoid 1649 - * sending the same segment again. It will discard the segment which is before 1650 - * the current tx max. 1651 - * @tx_info - driver specific tls info. 1652 - * @q - TX queue. 1653 - * return: NET_TX_OK/NET_XMIT_DROP. 1654 - */ 1655 - static int chcr_ktls_update_snd_una(struct chcr_ktls_info *tx_info, 1656 - struct sge_eth_txq *q) 1657 - { 1658 - struct fw_ulptx_wr *wr; 1659 - unsigned int ndesc; 1660 - int credits; 1661 - void *pos; 1662 - u32 len; 1663 - 1664 - len = sizeof(*wr) + roundup(CHCR_SET_TCB_FIELD_LEN, 16); 1665 - ndesc = DIV_ROUND_UP(len, 64); 1666 - 1667 - credits = chcr_txq_avail(&q->q) - ndesc; 1668 - if (unlikely(credits < 0)) { 1669 - chcr_eth_txq_stop(q); 1670 - return NETDEV_TX_BUSY; 1671 - } 1672 - 1673 - pos = &q->q.desc[q->q.pidx]; 1674 - 1675 - wr = pos; 1676 - /* ULPTX wr */ 1677 - wr->op_to_compl = htonl(FW_WR_OP_V(FW_ULPTX_WR)); 1678 - wr->cookie = 0; 1679 - /* fill len in wr field */ 1680 - wr->flowid_len16 = htonl(FW_WR_LEN16_V(DIV_ROUND_UP(len, 16))); 1681 - 1682 - pos += sizeof(*wr); 1683 - 1684 - pos = chcr_write_cpl_set_tcb_ulp(tx_info, q, tx_info->tid, pos, 1685 - TCB_SND_UNA_RAW_W, 1686 - TCB_SND_UNA_RAW_V(TCB_SND_UNA_RAW_M), 1687 - TCB_SND_UNA_RAW_V(0), 0); 1688 - 1689 - chcr_txq_advance(&q->q, ndesc); 1690 - cxgb4_ring_tx_db(tx_info->adap, &q->q, ndesc); 1691 - 1692 - return 0; 1693 - } 1694 - 1695 - /* 1696 1667 * chcr_end_part_handler: This handler will handle the record which 1697 1668 * is complete or if record's end part is received. T6 adapter has a issue that 1698 1669 * it can't send out TAG with partial record so if its an end part then we have ··· 1668 1735 struct sge_eth_txq *q, u32 skb_offset, 1669 1736 u32 tls_end_offset, bool last_wr) 1670 1737 { 1738 + bool free_skb_if_tx_fails = false; 1671 1739 struct sk_buff *nskb = NULL; 1740 + 1672 1741 /* check if it is a complete record */ 1673 1742 if (tls_end_offset == record->len) { 1674 1743 nskb = skb; ··· 1693 1758 1694 1759 if (last_wr) 1695 1760 dev_kfree_skb_any(skb); 1761 + else 1762 + free_skb_if_tx_fails = true; 1696 1763 1697 1764 last_wr = true; 1698 1765 ··· 1706 1769 record->num_frags, 1707 1770 (last_wr && tcp_push_no_fin), 1708 1771 mss)) { 1772 + if (free_skb_if_tx_fails) 1773 + dev_kfree_skb_any(skb); 1709 1774 goto out; 1710 1775 } 1711 1776 tx_info->prev_seq = record->end_seq; ··· 1844 1905 /* reset tcp_seq as per the prior_data_required len */ 1845 1906 tcp_seq -= prior_data_len; 1846 1907 } 1847 - /* reset snd una, so the middle record won't send the already 1848 - * sent part. 1849 - */ 1850 - if (chcr_ktls_update_snd_una(tx_info, q)) 1851 - goto out; 1852 1908 atomic64_inc(&tx_info->adap->ch_ktls_stats.ktls_tx_middle_pkts); 1853 1909 } else { 1854 1910 atomic64_inc(&tx_info->adap->ch_ktls_stats.ktls_tx_start_pkts); ··· 1944 2010 * we will send the complete record again. 1945 2011 */ 1946 2012 2013 + spin_lock_irqsave(&tx_ctx->base.lock, flags); 2014 + 1947 2015 do { 1948 - int i; 1949 2016 1950 2017 cxgb4_reclaim_completed_tx(adap, &q->q, true); 1951 - /* lock taken */ 1952 - spin_lock_irqsave(&tx_ctx->base.lock, flags); 1953 2018 /* fetch the tls record */ 1954 2019 record = tls_get_record(&tx_ctx->base, tcp_seq, 1955 2020 &tx_info->record_no); ··· 2007 2074 tls_end_offset, skb_offset, 2008 2075 0); 2009 2076 2010 - spin_unlock_irqrestore(&tx_ctx->base.lock, flags); 2011 2077 if (ret) { 2012 2078 /* free the refcount taken earlier */ 2013 2079 if (tls_end_offset < data_len) 2014 2080 dev_kfree_skb_any(skb); 2081 + spin_unlock_irqrestore(&tx_ctx->base.lock, flags); 2015 2082 goto out; 2016 2083 } 2017 2084 ··· 2020 2087 skb_offset += tls_end_offset; 2021 2088 continue; 2022 2089 } 2023 - 2024 - /* increase page reference count of the record, so that there 2025 - * won't be any chance of page free in middle if in case stack 2026 - * receives ACK and try to delete the record. 2027 - */ 2028 - for (i = 0; i < record->num_frags; i++) 2029 - __skb_frag_ref(&record->frags[i]); 2030 - /* lock cleared */ 2031 - spin_unlock_irqrestore(&tx_ctx->base.lock, flags); 2032 - 2033 2090 2034 2091 /* if a tls record is finishing in this SKB */ 2035 2092 if (tls_end_offset <= data_len) { ··· 2045 2122 data_len = 0; 2046 2123 } 2047 2124 2048 - /* clear the frag ref count which increased locally before */ 2049 - for (i = 0; i < record->num_frags; i++) { 2050 - /* clear the frag ref count */ 2051 - __skb_frag_unref(&record->frags[i]); 2052 - } 2053 2125 /* if any failure, come out from the loop. */ 2054 2126 if (ret) { 2127 + spin_unlock_irqrestore(&tx_ctx->base.lock, flags); 2055 2128 if (th->fin) 2056 2129 dev_kfree_skb_any(skb); 2057 2130 ··· 2062 2143 2063 2144 } while (data_len > 0); 2064 2145 2146 + spin_unlock_irqrestore(&tx_ctx->base.lock, flags); 2065 2147 atomic64_inc(&port_stats->ktls_tx_encrypted_packets); 2066 2148 atomic64_add(skb_data_len, &port_stats->ktls_tx_encrypted_bytes); 2067 2149
+4 -2
drivers/net/ethernet/davicom/dm9000.c
··· 1471 1471 1472 1472 /* Init network device */ 1473 1473 ndev = alloc_etherdev(sizeof(struct board_info)); 1474 - if (!ndev) 1475 - return -ENOMEM; 1474 + if (!ndev) { 1475 + ret = -ENOMEM; 1476 + goto out_regulator_disable; 1477 + } 1476 1478 1477 1479 SET_NETDEV_DEV(ndev, &pdev->dev); 1478 1480
+9 -16
drivers/net/ethernet/ibm/ibmvnic.c
··· 1149 1149 1150 1150 rc = set_link_state(adapter, IBMVNIC_LOGICAL_LNK_UP); 1151 1151 if (rc) { 1152 - for (i = 0; i < adapter->req_rx_queues; i++) 1153 - napi_disable(&adapter->napi[i]); 1152 + ibmvnic_napi_disable(adapter); 1154 1153 release_resources(adapter); 1155 1154 return rc; 1156 1155 } 1157 1156 1158 1157 netif_tx_start_all_queues(netdev); 1159 - 1160 - if (prev_state == VNIC_CLOSED) { 1161 - for (i = 0; i < adapter->req_rx_queues; i++) 1162 - napi_schedule(&adapter->napi[i]); 1163 - } 1164 1158 1165 1159 adapter->state = VNIC_OPEN; 1166 1160 return rc; ··· 1916 1922 u64 old_num_rx_queues, old_num_tx_queues; 1917 1923 u64 old_num_rx_slots, old_num_tx_slots; 1918 1924 struct net_device *netdev = adapter->netdev; 1919 - int i, rc; 1925 + int rc; 1920 1926 1921 1927 netdev_dbg(adapter->netdev, 1922 1928 "[S:%d FOP:%d] Reset reason %d, reset_state %d\n", ··· 2104 2110 2105 2111 /* refresh device's multicast list */ 2106 2112 ibmvnic_set_multi(netdev); 2107 - 2108 - /* kick napi */ 2109 - for (i = 0; i < adapter->req_rx_queues; i++) 2110 - napi_schedule(&adapter->napi[i]); 2111 2113 2112 2114 if (adapter->reset_reason == VNIC_RESET_FAILOVER || 2113 2115 adapter->reset_reason == VNIC_RESET_MOBILITY) ··· 3194 3204 3195 3205 next = ibmvnic_next_scrq(adapter, scrq); 3196 3206 for (i = 0; i < next->tx_comp.num_comps; i++) { 3197 - if (next->tx_comp.rcs[i]) 3198 - dev_err(dev, "tx error %x\n", 3199 - next->tx_comp.rcs[i]); 3200 3207 index = be32_to_cpu(next->tx_comp.correlators[i]); 3201 3208 if (index & IBMVNIC_TSO_POOL_MASK) { 3202 3209 tx_pool = &adapter->tso_pool[pool]; ··· 3207 3220 num_entries += txbuff->num_entries; 3208 3221 if (txbuff->skb) { 3209 3222 total_bytes += txbuff->skb->len; 3210 - dev_consume_skb_irq(txbuff->skb); 3223 + if (next->tx_comp.rcs[i]) { 3224 + dev_err(dev, "tx error %x\n", 3225 + next->tx_comp.rcs[i]); 3226 + dev_kfree_skb_irq(txbuff->skb); 3227 + } else { 3228 + dev_consume_skb_irq(txbuff->skb); 3229 + } 3211 3230 txbuff->skb = NULL; 3212 3231 } else { 3213 3232 netdev_warn(adapter->netdev,
+6
drivers/net/ethernet/intel/i40e/i40e_main.c
··· 12357 12357 { 12358 12358 int err = 0; 12359 12359 int size; 12360 + u16 pow; 12360 12361 12361 12362 /* Set default capability flags */ 12362 12363 pf->flags = I40E_FLAG_RX_CSUM_ENABLED | ··· 12376 12375 pf->rss_table_size = pf->hw.func_caps.rss_table_size; 12377 12376 pf->rss_size_max = min_t(int, pf->rss_size_max, 12378 12377 pf->hw.func_caps.num_tx_qp); 12378 + 12379 + /* find the next higher power-of-2 of num cpus */ 12380 + pow = roundup_pow_of_two(num_online_cpus()); 12381 + pf->rss_size_max = min_t(int, pf->rss_size_max, pow); 12382 + 12379 12383 if (pf->hw.func_caps.rss) { 12380 12384 pf->flags |= I40E_FLAG_RSS_ENABLED; 12381 12385 pf->alloc_rss_size = min_t(int, pf->rss_size_max,
+2 -2
drivers/net/ethernet/intel/ice/ice_dcb.c
··· 747 747 struct ice_port_info *pi) 748 748 { 749 749 u32 status, tlv_status = le32_to_cpu(cee_cfg->tlv_status); 750 - u32 ice_aqc_cee_status_mask, ice_aqc_cee_status_shift; 751 - u8 i, j, err, sync, oper, app_index, ice_app_sel_type; 750 + u32 ice_aqc_cee_status_mask, ice_aqc_cee_status_shift, j; 751 + u8 i, err, sync, oper, app_index, ice_app_sel_type; 752 752 u16 app_prio = le16_to_cpu(cee_cfg->oper_app_prio); 753 753 u16 ice_aqc_cee_app_mask, ice_aqc_cee_app_shift; 754 754 struct ice_dcbx_cfg *cmp_dcbcfg, *dcbcfg;
+13 -1
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
··· 6536 6536 return err; 6537 6537 } 6538 6538 6539 + static int ixgbe_rx_napi_id(struct ixgbe_ring *rx_ring) 6540 + { 6541 + struct ixgbe_q_vector *q_vector = rx_ring->q_vector; 6542 + 6543 + return q_vector ? q_vector->napi.napi_id : 0; 6544 + } 6545 + 6539 6546 /** 6540 6547 * ixgbe_setup_rx_resources - allocate Rx resources (Descriptors) 6541 6548 * @adapter: pointer to ixgbe_adapter ··· 6590 6583 6591 6584 /* XDP RX-queue info */ 6592 6585 if (xdp_rxq_info_reg(&rx_ring->xdp_rxq, adapter->netdev, 6593 - rx_ring->queue_index, rx_ring->q_vector->napi.napi_id) < 0) 6586 + rx_ring->queue_index, ixgbe_rx_napi_id(rx_ring)) < 0) 6594 6587 goto err; 6595 6588 6596 6589 rx_ring->xdp_prog = adapter->xdp_prog; ··· 6899 6892 6900 6893 adapter->hw.hw_addr = adapter->io_addr; 6901 6894 6895 + err = pci_enable_device_mem(pdev); 6896 + if (err) { 6897 + e_dev_err("Cannot enable PCI device from suspend\n"); 6898 + return err; 6899 + } 6902 6900 smp_mb__before_atomic(); 6903 6901 clear_bit(__IXGBE_DISABLED, &adapter->state); 6904 6902 pci_set_master(pdev);
+5
drivers/net/ethernet/mellanox/mlx5/core/devlink.c
··· 246 246 struct mlx5_devlink_trap *dl_trap; 247 247 int err = 0; 248 248 249 + if (is_mdev_switchdev_mode(dev)) { 250 + NL_SET_ERR_MSG_MOD(extack, "Devlink traps can't be set in switchdev mode"); 251 + return -EOPNOTSUPP; 252 + } 253 + 249 254 dl_trap = mlx5_find_trap_by_id(dev, trap->id); 250 255 if (!dl_trap) { 251 256 mlx5_core_err(dev, "Devlink trap: Set action on invalid trap id 0x%x", trap->id);
+4 -19
drivers/net/ethernet/mellanox/mlx5/core/en/port.c
··· 387 387 *_policy = MLX5_GET(pplm_reg, _buf, fec_override_admin_##link); \ 388 388 } while (0) 389 389 390 - #define MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(buf, policy, write, link) \ 391 - do { \ 392 - unsigned long policy_long; \ 393 - u16 *__policy = &(policy); \ 394 - bool _write = (write); \ 395 - \ 396 - policy_long = *__policy; \ 397 - if (_write && *__policy) \ 398 - *__policy = find_first_bit(&policy_long, \ 399 - sizeof(policy_long) * BITS_PER_BYTE);\ 400 - MLX5E_FEC_OVERRIDE_ADMIN_POLICY(buf, *__policy, _write, link); \ 401 - if (!_write && *__policy) \ 402 - *__policy = 1 << *__policy; \ 403 - } while (0) 404 - 405 390 /* get/set FEC admin field for a given speed */ 406 391 static int mlx5e_fec_admin_field(u32 *pplm, u16 *fec_policy, bool write, 407 392 enum mlx5e_fec_supported_link_mode link_mode) ··· 408 423 MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 100g); 409 424 break; 410 425 case MLX5E_FEC_SUPPORTED_LINK_MODE_50G_1X: 411 - MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 50g_1x); 426 + MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 50g_1x); 412 427 break; 413 428 case MLX5E_FEC_SUPPORTED_LINK_MODE_100G_2X: 414 - MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 100g_2x); 429 + MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 100g_2x); 415 430 break; 416 431 case MLX5E_FEC_SUPPORTED_LINK_MODE_200G_4X: 417 - MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 200g_4x); 432 + MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 200g_4x); 418 433 break; 419 434 case MLX5E_FEC_SUPPORTED_LINK_MODE_400G_8X: 420 - MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 400g_8x); 435 + MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 400g_8x); 421 436 break; 422 437 default: 423 438 return -EINVAL;
+3
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
··· 1895 1895 return 0; 1896 1896 1897 1897 flow_rule_match_meta(rule, &match); 1898 + if (!match.mask->ingress_ifindex) 1899 + return 0; 1900 + 1898 1901 if (match.mask->ingress_ifindex != 0xFFFFFFFF) { 1899 1902 NL_SET_ERR_MSG_MOD(extack, "Unsupported ingress ifindex mask"); 1900 1903 return -EOPNOTSUPP;
+7 -2
drivers/net/ethernet/realtek/r8169_main.c
··· 2350 2350 2351 2351 if (pci_is_pcie(tp->pci_dev) && tp->supports_gmii) 2352 2352 pcie_set_readrq(tp->pci_dev, readrq); 2353 + 2354 + /* Chip doesn't support pause in jumbo mode */ 2355 + linkmode_mod_bit(ETHTOOL_LINK_MODE_Pause_BIT, 2356 + tp->phydev->advertising, !jumbo); 2357 + linkmode_mod_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, 2358 + tp->phydev->advertising, !jumbo); 2359 + phy_start_aneg(tp->phydev); 2353 2360 } 2354 2361 2355 2362 DECLARE_RTL_COND(rtl_chipcmd_cond) ··· 4636 4629 4637 4630 if (!tp->supports_gmii) 4638 4631 phy_set_max_speed(phydev, SPEED_100); 4639 - 4640 - phy_support_asym_pause(phydev); 4641 4632 4642 4633 phy_attached_info(phydev); 4643 4634
+1 -83
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
··· 1380 1380 } 1381 1381 1382 1382 /** 1383 - * stmmac_reinit_rx_buffers - reinit the RX descriptor buffer. 1384 - * @priv: driver private structure 1385 - * Description: this function is called to re-allocate a receive buffer, perform 1386 - * the DMA mapping and init the descriptor. 1387 - */ 1388 - static void stmmac_reinit_rx_buffers(struct stmmac_priv *priv) 1389 - { 1390 - u32 rx_count = priv->plat->rx_queues_to_use; 1391 - u32 queue; 1392 - int i; 1393 - 1394 - for (queue = 0; queue < rx_count; queue++) { 1395 - struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue]; 1396 - 1397 - for (i = 0; i < priv->dma_rx_size; i++) { 1398 - struct stmmac_rx_buffer *buf = &rx_q->buf_pool[i]; 1399 - 1400 - if (buf->page) { 1401 - page_pool_recycle_direct(rx_q->page_pool, buf->page); 1402 - buf->page = NULL; 1403 - } 1404 - 1405 - if (priv->sph && buf->sec_page) { 1406 - page_pool_recycle_direct(rx_q->page_pool, buf->sec_page); 1407 - buf->sec_page = NULL; 1408 - } 1409 - } 1410 - } 1411 - 1412 - for (queue = 0; queue < rx_count; queue++) { 1413 - struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue]; 1414 - 1415 - for (i = 0; i < priv->dma_rx_size; i++) { 1416 - struct stmmac_rx_buffer *buf = &rx_q->buf_pool[i]; 1417 - struct dma_desc *p; 1418 - 1419 - if (priv->extend_desc) 1420 - p = &((rx_q->dma_erx + i)->basic); 1421 - else 1422 - p = rx_q->dma_rx + i; 1423 - 1424 - if (!buf->page) { 1425 - buf->page = page_pool_dev_alloc_pages(rx_q->page_pool); 1426 - if (!buf->page) 1427 - goto err_reinit_rx_buffers; 1428 - 1429 - buf->addr = page_pool_get_dma_addr(buf->page); 1430 - } 1431 - 1432 - if (priv->sph && !buf->sec_page) { 1433 - buf->sec_page = page_pool_dev_alloc_pages(rx_q->page_pool); 1434 - if (!buf->sec_page) 1435 - goto err_reinit_rx_buffers; 1436 - 1437 - buf->sec_addr = page_pool_get_dma_addr(buf->sec_page); 1438 - } 1439 - 1440 - stmmac_set_desc_addr(priv, p, buf->addr); 1441 - if (priv->sph) 1442 - stmmac_set_desc_sec_addr(priv, p, buf->sec_addr, true); 1443 - else 1444 - stmmac_set_desc_sec_addr(priv, p, buf->sec_addr, false); 1445 - if (priv->dma_buf_sz == BUF_SIZE_16KiB) 1446 - stmmac_init_desc3(priv, p); 1447 - } 1448 - } 1449 - 1450 - return; 1451 - 1452 - err_reinit_rx_buffers: 1453 - do { 1454 - while (--i >= 0) 1455 - stmmac_free_rx_buffer(priv, queue, i); 1456 - 1457 - if (queue == 0) 1458 - break; 1459 - 1460 - i = priv->dma_rx_size; 1461 - } while (queue-- > 0); 1462 - } 1463 - 1464 - /** 1465 1383 * init_dma_rx_desc_rings - init the RX descriptor rings 1466 1384 * @dev: net device structure 1467 1385 * @flags: gfp flag. ··· 5346 5428 mutex_lock(&priv->lock); 5347 5429 5348 5430 stmmac_reset_queues_param(priv); 5349 - stmmac_reinit_rx_buffers(priv); 5431 + 5350 5432 stmmac_free_tx_skbufs(priv); 5351 5433 stmmac_clear_descriptors(priv); 5352 5434
+6
drivers/net/geneve.c
··· 891 891 __be16 sport; 892 892 int err; 893 893 894 + if (!pskb_network_may_pull(skb, sizeof(struct iphdr))) 895 + return -EINVAL; 896 + 894 897 sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); 895 898 rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, 896 899 geneve->cfg.info.key.tp_dst, sport); ··· 987 984 __u8 prio, ttl; 988 985 __be16 sport; 989 986 int err; 987 + 988 + if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) 989 + return -EINVAL; 990 990 991 991 sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); 992 992 dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
+29 -3
drivers/net/phy/marvell.c
··· 3021 3021 .get_stats = marvell_get_stats, 3022 3022 }, 3023 3023 { 3024 - .phy_id = MARVELL_PHY_ID_88E6390, 3024 + .phy_id = MARVELL_PHY_ID_88E6341_FAMILY, 3025 3025 .phy_id_mask = MARVELL_PHY_ID_MASK, 3026 - .name = "Marvell 88E6390", 3026 + .name = "Marvell 88E6341 Family", 3027 + /* PHY_GBIT_FEATURES */ 3028 + .flags = PHY_POLL_CABLE_TEST, 3029 + .probe = m88e1510_probe, 3030 + .config_init = marvell_config_init, 3031 + .config_aneg = m88e6390_config_aneg, 3032 + .read_status = marvell_read_status, 3033 + .config_intr = marvell_config_intr, 3034 + .handle_interrupt = marvell_handle_interrupt, 3035 + .resume = genphy_resume, 3036 + .suspend = genphy_suspend, 3037 + .read_page = marvell_read_page, 3038 + .write_page = marvell_write_page, 3039 + .get_sset_count = marvell_get_sset_count, 3040 + .get_strings = marvell_get_strings, 3041 + .get_stats = marvell_get_stats, 3042 + .get_tunable = m88e1540_get_tunable, 3043 + .set_tunable = m88e1540_set_tunable, 3044 + .cable_test_start = marvell_vct7_cable_test_start, 3045 + .cable_test_tdr_start = marvell_vct5_cable_test_tdr_start, 3046 + .cable_test_get_status = marvell_vct7_cable_test_get_status, 3047 + }, 3048 + { 3049 + .phy_id = MARVELL_PHY_ID_88E6390_FAMILY, 3050 + .phy_id_mask = MARVELL_PHY_ID_MASK, 3051 + .name = "Marvell 88E6390 Family", 3027 3052 /* PHY_GBIT_FEATURES */ 3028 3053 .flags = PHY_POLL_CABLE_TEST, 3029 3054 .probe = m88e6390_probe, ··· 3132 3107 { MARVELL_PHY_ID_88E1540, MARVELL_PHY_ID_MASK }, 3133 3108 { MARVELL_PHY_ID_88E1545, MARVELL_PHY_ID_MASK }, 3134 3109 { MARVELL_PHY_ID_88E3016, MARVELL_PHY_ID_MASK }, 3135 - { MARVELL_PHY_ID_88E6390, MARVELL_PHY_ID_MASK }, 3110 + { MARVELL_PHY_ID_88E6341_FAMILY, MARVELL_PHY_ID_MASK }, 3111 + { MARVELL_PHY_ID_88E6390_FAMILY, MARVELL_PHY_ID_MASK }, 3136 3112 { MARVELL_PHY_ID_88E1340S, MARVELL_PHY_ID_MASK }, 3137 3113 { MARVELL_PHY_ID_88E1548P, MARVELL_PHY_ID_MASK }, 3138 3114 { }
+4 -6
drivers/net/vrf.c
··· 471 471 472 472 skb_dst_drop(skb); 473 473 474 - /* if dst.dev is loopback or the VRF device again this is locally 475 - * originated traffic destined to a local address. Short circuit 476 - * to Rx path 474 + /* if dst.dev is the VRF device again this is locally originated traffic 475 + * destined to a local address. Short circuit to Rx path. 477 476 */ 478 477 if (dst->dev == dev) 479 478 return vrf_local_xmit(skb, dev, dst); ··· 546 547 547 548 skb_dst_drop(skb); 548 549 549 - /* if dst.dev is loopback or the VRF device again this is locally 550 - * originated traffic destined to a local address. Short circuit 551 - * to Rx path 550 + /* if dst.dev is the VRF device again this is locally originated traffic 551 + * destined to a local address. Short circuit to Rx path. 552 552 */ 553 553 if (rt->dst.dev == vrf_dev) 554 554 return vrf_local_xmit(skb, vrf_dev, &rt->dst);
+8 -4
drivers/net/xen-netback/xenbus.c
··· 824 824 xenvif_carrier_on(be->vif); 825 825 826 826 unregister_hotplug_status_watch(be); 827 - err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL, 828 - hotplug_status_changed, 829 - "%s/%s", dev->nodename, "hotplug-status"); 830 - if (!err) 827 + if (xenbus_exists(XBT_NIL, dev->nodename, "hotplug-status")) { 828 + err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, 829 + NULL, hotplug_status_changed, 830 + "%s/%s", dev->nodename, 831 + "hotplug-status"); 832 + if (err) 833 + goto err; 831 834 be->have_hotplug_status_watch = 1; 835 + } 832 836 833 837 netif_tx_wake_all_queues(be->vif->dev); 834 838
+3 -2
include/linux/marvell_phy.h
··· 28 28 /* Marvel 88E1111 in Finisar SFP module with modified PHY ID */ 29 29 #define MARVELL_PHY_ID_88E1111_FINISAR 0x01ff0cc0 30 30 31 - /* The MV88e6390 Ethernet switch contains embedded PHYs. These PHYs do 31 + /* These Ethernet switch families contain embedded PHYs, but they do 32 32 * not have a model ID. So the switch driver traps reads to the ID2 33 33 * register and returns the switch family ID 34 34 */ 35 - #define MARVELL_PHY_ID_88E6390 0x01410f90 35 + #define MARVELL_PHY_ID_88E6341_FAMILY 0x01410f41 36 + #define MARVELL_PHY_ID_88E6390_FAMILY 0x01410f90 36 37 37 38 #define MARVELL_PHY_FAMILY_ID(id) ((id) >> 4) 38 39
+3 -2
include/linux/netfilter_arp/arp_tables.h
··· 52 52 int arpt_register_table(struct net *net, const struct xt_table *table, 53 53 const struct arpt_replace *repl, 54 54 const struct nf_hook_ops *ops, struct xt_table **res); 55 - void arpt_unregister_table(struct net *net, struct xt_table *table, 56 - const struct nf_hook_ops *ops); 55 + void arpt_unregister_table(struct net *net, struct xt_table *table); 56 + void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table, 57 + const struct nf_hook_ops *ops); 57 58 extern unsigned int arpt_do_table(struct sk_buff *skb, 58 59 const struct nf_hook_state *state, 59 60 struct xt_table *table);
+3 -2
include/linux/netfilter_bridge/ebtables.h
··· 110 110 const struct ebt_table *table, 111 111 const struct nf_hook_ops *ops, 112 112 struct ebt_table **res); 113 - extern void ebt_unregister_table(struct net *net, struct ebt_table *table, 114 - const struct nf_hook_ops *); 113 + extern void ebt_unregister_table(struct net *net, struct ebt_table *table); 114 + void ebt_unregister_table_pre_exit(struct net *net, const char *tablename, 115 + const struct nf_hook_ops *ops); 115 116 extern unsigned int ebt_do_table(struct sk_buff *skb, 116 117 const struct nf_hook_state *state, 117 118 struct ebt_table *table);
+156 -74
kernel/bpf/verifier.c
··· 5856 5856 return &env->insn_aux_data[env->insn_idx]; 5857 5857 } 5858 5858 5859 + enum { 5860 + REASON_BOUNDS = -1, 5861 + REASON_TYPE = -2, 5862 + REASON_PATHS = -3, 5863 + REASON_LIMIT = -4, 5864 + REASON_STACK = -5, 5865 + }; 5866 + 5859 5867 static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, 5860 - u32 *ptr_limit, u8 opcode, bool off_is_neg) 5868 + const struct bpf_reg_state *off_reg, 5869 + u32 *alu_limit, u8 opcode) 5861 5870 { 5871 + bool off_is_neg = off_reg->smin_value < 0; 5862 5872 bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || 5863 5873 (opcode == BPF_SUB && !off_is_neg); 5864 - u32 off, max; 5874 + u32 max = 0, ptr_limit = 0; 5875 + 5876 + if (!tnum_is_const(off_reg->var_off) && 5877 + (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) 5878 + return REASON_BOUNDS; 5865 5879 5866 5880 switch (ptr_reg->type) { 5867 5881 case PTR_TO_STACK: 5868 5882 /* Offset 0 is out-of-bounds, but acceptable start for the 5869 - * left direction, see BPF_REG_FP. 5883 + * left direction, see BPF_REG_FP. Also, unknown scalar 5884 + * offset where we would need to deal with min/max bounds is 5885 + * currently prohibited for unprivileged. 5870 5886 */ 5871 5887 max = MAX_BPF_STACK + mask_to_left; 5872 - /* Indirect variable offset stack access is prohibited in 5873 - * unprivileged mode so it's not handled here. 5874 - */ 5875 - off = ptr_reg->off + ptr_reg->var_off.value; 5876 - if (mask_to_left) 5877 - *ptr_limit = MAX_BPF_STACK + off; 5878 - else 5879 - *ptr_limit = -off - 1; 5880 - return *ptr_limit >= max ? -ERANGE : 0; 5888 + ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off); 5889 + break; 5881 5890 case PTR_TO_MAP_VALUE: 5882 5891 max = ptr_reg->map_ptr->value_size; 5883 - if (mask_to_left) { 5884 - *ptr_limit = ptr_reg->umax_value + ptr_reg->off; 5885 - } else { 5886 - off = ptr_reg->smin_value + ptr_reg->off; 5887 - *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; 5888 - } 5889 - return *ptr_limit >= max ? -ERANGE : 0; 5892 + ptr_limit = (mask_to_left ? 5893 + ptr_reg->smin_value : 5894 + ptr_reg->umax_value) + ptr_reg->off; 5895 + break; 5890 5896 default: 5891 - return -EINVAL; 5897 + return REASON_TYPE; 5892 5898 } 5899 + 5900 + if (ptr_limit >= max) 5901 + return REASON_LIMIT; 5902 + *alu_limit = ptr_limit; 5903 + return 0; 5893 5904 } 5894 5905 5895 5906 static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env, ··· 5918 5907 if (aux->alu_state && 5919 5908 (aux->alu_state != alu_state || 5920 5909 aux->alu_limit != alu_limit)) 5921 - return -EACCES; 5910 + return REASON_PATHS; 5922 5911 5923 5912 /* Corresponding fixup done in fixup_bpf_calls(). */ 5924 5913 aux->alu_state = alu_state; ··· 5937 5926 return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); 5938 5927 } 5939 5928 5929 + static bool sanitize_needed(u8 opcode) 5930 + { 5931 + return opcode == BPF_ADD || opcode == BPF_SUB; 5932 + } 5933 + 5940 5934 static int sanitize_ptr_alu(struct bpf_verifier_env *env, 5941 5935 struct bpf_insn *insn, 5942 5936 const struct bpf_reg_state *ptr_reg, 5937 + const struct bpf_reg_state *off_reg, 5943 5938 struct bpf_reg_state *dst_reg, 5944 - bool off_is_neg) 5939 + struct bpf_insn_aux_data *tmp_aux, 5940 + const bool commit_window) 5945 5941 { 5942 + struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux; 5946 5943 struct bpf_verifier_state *vstate = env->cur_state; 5947 - struct bpf_insn_aux_data *aux = cur_aux(env); 5944 + bool off_is_neg = off_reg->smin_value < 0; 5948 5945 bool ptr_is_dst_reg = ptr_reg == dst_reg; 5949 5946 u8 opcode = BPF_OP(insn->code); 5950 5947 u32 alu_state, alu_limit; ··· 5970 5951 if (vstate->speculative) 5971 5952 goto do_sim; 5972 5953 5973 - alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; 5974 - alu_state |= ptr_is_dst_reg ? 5975 - BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; 5976 - 5977 - err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); 5954 + err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); 5978 5955 if (err < 0) 5979 5956 return err; 5957 + 5958 + if (commit_window) { 5959 + /* In commit phase we narrow the masking window based on 5960 + * the observed pointer move after the simulated operation. 5961 + */ 5962 + alu_state = tmp_aux->alu_state; 5963 + alu_limit = abs(tmp_aux->alu_limit - alu_limit); 5964 + } else { 5965 + alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; 5966 + alu_state |= ptr_is_dst_reg ? 5967 + BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; 5968 + } 5980 5969 5981 5970 err = update_alu_sanitation_state(aux, alu_state, alu_limit); 5982 5971 if (err < 0) 5983 5972 return err; 5984 5973 do_sim: 5974 + /* If we're in commit phase, we're done here given we already 5975 + * pushed the truncated dst_reg into the speculative verification 5976 + * stack. 5977 + */ 5978 + if (commit_window) 5979 + return 0; 5980 + 5985 5981 /* Simulate and find potential out-of-bounds access under 5986 5982 * speculative execution from truncation as a result of 5987 5983 * masking when off was not within expected range. If off ··· 6013 5979 ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); 6014 5980 if (!ptr_is_dst_reg && ret) 6015 5981 *dst_reg = tmp; 6016 - return !ret ? -EFAULT : 0; 5982 + return !ret ? REASON_STACK : 0; 5983 + } 5984 + 5985 + static int sanitize_err(struct bpf_verifier_env *env, 5986 + const struct bpf_insn *insn, int reason, 5987 + const struct bpf_reg_state *off_reg, 5988 + const struct bpf_reg_state *dst_reg) 5989 + { 5990 + static const char *err = "pointer arithmetic with it prohibited for !root"; 5991 + const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub"; 5992 + u32 dst = insn->dst_reg, src = insn->src_reg; 5993 + 5994 + switch (reason) { 5995 + case REASON_BOUNDS: 5996 + verbose(env, "R%d has unknown scalar with mixed signed bounds, %s\n", 5997 + off_reg == dst_reg ? dst : src, err); 5998 + break; 5999 + case REASON_TYPE: 6000 + verbose(env, "R%d has pointer with unsupported alu operation, %s\n", 6001 + off_reg == dst_reg ? src : dst, err); 6002 + break; 6003 + case REASON_PATHS: 6004 + verbose(env, "R%d tried to %s from different maps, paths or scalars, %s\n", 6005 + dst, op, err); 6006 + break; 6007 + case REASON_LIMIT: 6008 + verbose(env, "R%d tried to %s beyond pointer bounds, %s\n", 6009 + dst, op, err); 6010 + break; 6011 + case REASON_STACK: 6012 + verbose(env, "R%d could not be pushed for speculative verification, %s\n", 6013 + dst, err); 6014 + break; 6015 + default: 6016 + verbose(env, "verifier internal error: unknown reason (%d)\n", 6017 + reason); 6018 + break; 6019 + } 6020 + 6021 + return -EACCES; 6017 6022 } 6018 6023 6019 6024 /* check that stack access falls within stack limits and that 'reg' doesn't ··· 6089 6016 return 0; 6090 6017 } 6091 6018 6019 + static int sanitize_check_bounds(struct bpf_verifier_env *env, 6020 + const struct bpf_insn *insn, 6021 + const struct bpf_reg_state *dst_reg) 6022 + { 6023 + u32 dst = insn->dst_reg; 6024 + 6025 + /* For unprivileged we require that resulting offset must be in bounds 6026 + * in order to be able to sanitize access later on. 6027 + */ 6028 + if (env->bypass_spec_v1) 6029 + return 0; 6030 + 6031 + switch (dst_reg->type) { 6032 + case PTR_TO_STACK: 6033 + if (check_stack_access_for_ptr_arithmetic(env, dst, dst_reg, 6034 + dst_reg->off + dst_reg->var_off.value)) 6035 + return -EACCES; 6036 + break; 6037 + case PTR_TO_MAP_VALUE: 6038 + if (check_map_access(env, dst, dst_reg->off, 1, false)) { 6039 + verbose(env, "R%d pointer arithmetic of map value goes out of range, " 6040 + "prohibited for !root\n", dst); 6041 + return -EACCES; 6042 + } 6043 + break; 6044 + default: 6045 + break; 6046 + } 6047 + 6048 + return 0; 6049 + } 6092 6050 6093 6051 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. 6094 6052 * Caller should also handle BPF_MOV case separately. ··· 6139 6035 smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; 6140 6036 u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, 6141 6037 umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; 6142 - u32 dst = insn->dst_reg, src = insn->src_reg; 6038 + struct bpf_insn_aux_data tmp_aux = {}; 6143 6039 u8 opcode = BPF_OP(insn->code); 6040 + u32 dst = insn->dst_reg; 6144 6041 int ret; 6145 6042 6146 6043 dst_reg = &regs[dst]; ··· 6189 6084 verbose(env, "R%d pointer arithmetic on %s prohibited\n", 6190 6085 dst, reg_type_str[ptr_reg->type]); 6191 6086 return -EACCES; 6192 - case PTR_TO_MAP_VALUE: 6193 - if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { 6194 - verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", 6195 - off_reg == dst_reg ? dst : src); 6196 - return -EACCES; 6197 - } 6198 - fallthrough; 6199 6087 default: 6200 6088 break; 6201 6089 } ··· 6206 6108 /* pointer types do not carry 32-bit bounds at the moment. */ 6207 6109 __mark_reg32_unbounded(dst_reg); 6208 6110 6111 + if (sanitize_needed(opcode)) { 6112 + ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, 6113 + &tmp_aux, false); 6114 + if (ret < 0) 6115 + return sanitize_err(env, insn, ret, off_reg, dst_reg); 6116 + } 6117 + 6209 6118 switch (opcode) { 6210 6119 case BPF_ADD: 6211 - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); 6212 - if (ret < 0) { 6213 - verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); 6214 - return ret; 6215 - } 6216 6120 /* We can take a fixed offset as long as it doesn't overflow 6217 6121 * the s32 'off' field 6218 6122 */ ··· 6265 6165 } 6266 6166 break; 6267 6167 case BPF_SUB: 6268 - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); 6269 - if (ret < 0) { 6270 - verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); 6271 - return ret; 6272 - } 6273 6168 if (dst_reg == off_reg) { 6274 6169 /* scalar -= pointer. Creates an unknown scalar */ 6275 6170 verbose(env, "R%d tried to subtract pointer from scalar\n", ··· 6345 6250 __reg_deduce_bounds(dst_reg); 6346 6251 __reg_bound_offset(dst_reg); 6347 6252 6348 - /* For unprivileged we require that resulting offset must be in bounds 6349 - * in order to be able to sanitize access later on. 6350 - */ 6351 - if (!env->bypass_spec_v1) { 6352 - if (dst_reg->type == PTR_TO_MAP_VALUE && 6353 - check_map_access(env, dst, dst_reg->off, 1, false)) { 6354 - verbose(env, "R%d pointer arithmetic of map value goes out of range, " 6355 - "prohibited for !root\n", dst); 6356 - return -EACCES; 6357 - } else if (dst_reg->type == PTR_TO_STACK && 6358 - check_stack_access_for_ptr_arithmetic( 6359 - env, dst, dst_reg, dst_reg->off + 6360 - dst_reg->var_off.value)) { 6361 - return -EACCES; 6362 - } 6253 + if (sanitize_check_bounds(env, insn, dst_reg) < 0) 6254 + return -EACCES; 6255 + if (sanitize_needed(opcode)) { 6256 + ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, 6257 + &tmp_aux, true); 6258 + if (ret < 0) 6259 + return sanitize_err(env, insn, ret, off_reg, dst_reg); 6363 6260 } 6364 6261 6365 6262 return 0; ··· 6945 6858 s32 s32_min_val, s32_max_val; 6946 6859 u32 u32_min_val, u32_max_val; 6947 6860 u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; 6948 - u32 dst = insn->dst_reg; 6949 - int ret; 6950 6861 bool alu32 = (BPF_CLASS(insn->code) != BPF_ALU64); 6862 + int ret; 6951 6863 6952 6864 smin_val = src_reg.smin_value; 6953 6865 smax_val = src_reg.smax_value; ··· 6988 6902 return 0; 6989 6903 } 6990 6904 6905 + if (sanitize_needed(opcode)) { 6906 + ret = sanitize_val_alu(env, insn); 6907 + if (ret < 0) 6908 + return sanitize_err(env, insn, ret, NULL, NULL); 6909 + } 6910 + 6991 6911 /* Calculate sign/unsigned bounds and tnum for alu32 and alu64 bit ops. 6992 6912 * There are two classes of instructions: The first class we track both 6993 6913 * alu32 and alu64 sign/unsigned bounds independently this provides the ··· 7010 6918 */ 7011 6919 switch (opcode) { 7012 6920 case BPF_ADD: 7013 - ret = sanitize_val_alu(env, insn); 7014 - if (ret < 0) { 7015 - verbose(env, "R%d tried to add from different pointers or scalars\n", dst); 7016 - return ret; 7017 - } 7018 6921 scalar32_min_max_add(dst_reg, &src_reg); 7019 6922 scalar_min_max_add(dst_reg, &src_reg); 7020 6923 dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); 7021 6924 break; 7022 6925 case BPF_SUB: 7023 - ret = sanitize_val_alu(env, insn); 7024 - if (ret < 0) { 7025 - verbose(env, "R%d tried to sub from different pointers or scalars\n", dst); 7026 - return ret; 7027 - } 7028 6926 scalar32_min_max_sub(dst_reg, &src_reg); 7029 6927 scalar_min_max_sub(dst_reg, &src_reg); 7030 6928 dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off);
+7 -1
net/bridge/netfilter/ebtable_broute.c
··· 105 105 &net->xt.broute_table); 106 106 } 107 107 108 + static void __net_exit broute_net_pre_exit(struct net *net) 109 + { 110 + ebt_unregister_table_pre_exit(net, "broute", &ebt_ops_broute); 111 + } 112 + 108 113 static void __net_exit broute_net_exit(struct net *net) 109 114 { 110 - ebt_unregister_table(net, net->xt.broute_table, &ebt_ops_broute); 115 + ebt_unregister_table(net, net->xt.broute_table); 111 116 } 112 117 113 118 static struct pernet_operations broute_net_ops = { 114 119 .init = broute_net_init, 115 120 .exit = broute_net_exit, 121 + .pre_exit = broute_net_pre_exit, 116 122 }; 117 123 118 124 static int __init ebtable_broute_init(void)
+7 -1
net/bridge/netfilter/ebtable_filter.c
··· 99 99 &net->xt.frame_filter); 100 100 } 101 101 102 + static void __net_exit frame_filter_net_pre_exit(struct net *net) 103 + { 104 + ebt_unregister_table_pre_exit(net, "filter", ebt_ops_filter); 105 + } 106 + 102 107 static void __net_exit frame_filter_net_exit(struct net *net) 103 108 { 104 - ebt_unregister_table(net, net->xt.frame_filter, ebt_ops_filter); 109 + ebt_unregister_table(net, net->xt.frame_filter); 105 110 } 106 111 107 112 static struct pernet_operations frame_filter_net_ops = { 108 113 .init = frame_filter_net_init, 109 114 .exit = frame_filter_net_exit, 115 + .pre_exit = frame_filter_net_pre_exit, 110 116 }; 111 117 112 118 static int __init ebtable_filter_init(void)
+7 -1
net/bridge/netfilter/ebtable_nat.c
··· 99 99 &net->xt.frame_nat); 100 100 } 101 101 102 + static void __net_exit frame_nat_net_pre_exit(struct net *net) 103 + { 104 + ebt_unregister_table_pre_exit(net, "nat", ebt_ops_nat); 105 + } 106 + 102 107 static void __net_exit frame_nat_net_exit(struct net *net) 103 108 { 104 - ebt_unregister_table(net, net->xt.frame_nat, ebt_ops_nat); 109 + ebt_unregister_table(net, net->xt.frame_nat); 105 110 } 106 111 107 112 static struct pernet_operations frame_nat_net_ops = { 108 113 .init = frame_nat_net_init, 109 114 .exit = frame_nat_net_exit, 115 + .pre_exit = frame_nat_net_pre_exit, 110 116 }; 111 117 112 118 static int __init ebtable_nat_init(void)
+27 -3
net/bridge/netfilter/ebtables.c
··· 1232 1232 return ret; 1233 1233 } 1234 1234 1235 - void ebt_unregister_table(struct net *net, struct ebt_table *table, 1236 - const struct nf_hook_ops *ops) 1235 + static struct ebt_table *__ebt_find_table(struct net *net, const char *name) 1237 1236 { 1238 - nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1237 + struct ebt_table *t; 1238 + 1239 + mutex_lock(&ebt_mutex); 1240 + 1241 + list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { 1242 + if (strcmp(t->name, name) == 0) { 1243 + mutex_unlock(&ebt_mutex); 1244 + return t; 1245 + } 1246 + } 1247 + 1248 + mutex_unlock(&ebt_mutex); 1249 + return NULL; 1250 + } 1251 + 1252 + void ebt_unregister_table_pre_exit(struct net *net, const char *name, const struct nf_hook_ops *ops) 1253 + { 1254 + struct ebt_table *table = __ebt_find_table(net, name); 1255 + 1256 + if (table) 1257 + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1258 + } 1259 + EXPORT_SYMBOL(ebt_unregister_table_pre_exit); 1260 + 1261 + void ebt_unregister_table(struct net *net, struct ebt_table *table) 1262 + { 1239 1263 __ebt_unregister_table(net, table); 1240 1264 } 1241 1265
+2 -1
net/core/dev.c
··· 5924 5924 NAPI_GRO_CB(skb)->frag0_len = 0; 5925 5925 5926 5926 if (!skb_headlen(skb) && pinfo->nr_frags && 5927 - !PageHighMem(skb_frag_page(frag0))) { 5927 + !PageHighMem(skb_frag_page(frag0)) && 5928 + (!NET_IP_ALIGN || !(skb_frag_off(frag0) & 3))) { 5928 5929 NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0); 5929 5930 NAPI_GRO_CB(skb)->frag0_len = min_t(unsigned int, 5930 5931 skb_frag_size(frag0),
+3 -3
net/ethtool/netlink.h
··· 36 36 37 37 /** 38 38 * ethnl_put_strz() - put string attribute with fixed size string 39 - * @skb: skb with the message 40 - * @attrype: attribute type 41 - * @s: ETH_GSTRING_LEN sized string (may not be null terminated) 39 + * @skb: skb with the message 40 + * @attrtype: attribute type 41 + * @s: ETH_GSTRING_LEN sized string (may not be null terminated) 42 42 * 43 43 * Puts an attribute with null terminated string from @s into the message. 44 44 *
+4 -4
net/ethtool/pause.c
··· 38 38 if (!dev->ethtool_ops->get_pauseparam) 39 39 return -EOPNOTSUPP; 40 40 41 + ethtool_stats_init((u64 *)&data->pausestat, 42 + sizeof(data->pausestat) / 8); 43 + 41 44 ret = ethnl_ops_begin(dev); 42 45 if (ret < 0) 43 46 return ret; 44 47 dev->ethtool_ops->get_pauseparam(dev, &data->pauseparam); 45 48 if (req_base->flags & ETHTOOL_FLAG_STATS && 46 - dev->ethtool_ops->get_pause_stats) { 47 - ethtool_stats_init((u64 *)&data->pausestat, 48 - sizeof(data->pausestat) / 8); 49 + dev->ethtool_ops->get_pause_stats) 49 50 dev->ethtool_ops->get_pause_stats(dev, &data->pausestat); 50 - } 51 51 ethnl_ops_complete(dev); 52 52 53 53 return 0;
+9 -2
net/ipv4/netfilter/arp_tables.c
··· 1193 1193 if (!newinfo) 1194 1194 goto out_unlock; 1195 1195 1196 + memset(newinfo->entries, 0, size); 1197 + 1196 1198 newinfo->number = compatr->num_entries; 1197 1199 for (i = 0; i < NF_ARP_NUMHOOKS; i++) { 1198 1200 newinfo->hook_entry[i] = compatr->hook_entry[i]; ··· 1541 1539 return ret; 1542 1540 } 1543 1541 1544 - void arpt_unregister_table(struct net *net, struct xt_table *table, 1545 - const struct nf_hook_ops *ops) 1542 + void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table, 1543 + const struct nf_hook_ops *ops) 1546 1544 { 1547 1545 nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1546 + } 1547 + EXPORT_SYMBOL(arpt_unregister_table_pre_exit); 1548 + 1549 + void arpt_unregister_table(struct net *net, struct xt_table *table) 1550 + { 1548 1551 __arpt_unregister_table(net, table); 1549 1552 } 1550 1553
+9 -1
net/ipv4/netfilter/arptable_filter.c
··· 56 56 return err; 57 57 } 58 58 59 + static void __net_exit arptable_filter_net_pre_exit(struct net *net) 60 + { 61 + if (net->ipv4.arptable_filter) 62 + arpt_unregister_table_pre_exit(net, net->ipv4.arptable_filter, 63 + arpfilter_ops); 64 + } 65 + 59 66 static void __net_exit arptable_filter_net_exit(struct net *net) 60 67 { 61 68 if (!net->ipv4.arptable_filter) 62 69 return; 63 - arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops); 70 + arpt_unregister_table(net, net->ipv4.arptable_filter); 64 71 net->ipv4.arptable_filter = NULL; 65 72 } 66 73 67 74 static struct pernet_operations arptable_filter_net_ops = { 68 75 .exit = arptable_filter_net_exit, 76 + .pre_exit = arptable_filter_net_pre_exit, 69 77 }; 70 78 71 79 static int __init arptable_filter_init(void)
+2
net/ipv4/netfilter/ip_tables.c
··· 1428 1428 if (!newinfo) 1429 1429 goto out_unlock; 1430 1430 1431 + memset(newinfo->entries, 0, size); 1432 + 1431 1433 newinfo->number = compatr->num_entries; 1432 1434 for (i = 0; i < NF_INET_NUMHOOKS; i++) { 1433 1435 newinfo->hook_entry[i] = compatr->hook_entry[i];
+13 -3
net/ipv4/sysctl_net_ipv4.c
··· 1378 1378 if (!table) 1379 1379 goto err_alloc; 1380 1380 1381 - /* Update the variables to point into the current struct net */ 1382 - for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) 1383 - table[i].data += (void *)net - (void *)&init_net; 1381 + for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) { 1382 + if (table[i].data) { 1383 + /* Update the variables to point into 1384 + * the current struct net 1385 + */ 1386 + table[i].data += (void *)net - (void *)&init_net; 1387 + } else { 1388 + /* Entries without data pointer are global; 1389 + * Make them read-only in non-init_net ns 1390 + */ 1391 + table[i].mode &= ~0222; 1392 + } 1393 + } 1384 1394 } 1385 1395 1386 1396 net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
+10
net/ipv6/ip6_tunnel.c
··· 2244 2244 t = rtnl_dereference(t->next); 2245 2245 } 2246 2246 } 2247 + 2248 + t = rtnl_dereference(ip6n->tnls_wc[0]); 2249 + while (t) { 2250 + /* If dev is in the same netns, it has already 2251 + * been added to the list by the previous loop. 2252 + */ 2253 + if (!net_eq(dev_net(t->dev), net)) 2254 + unregister_netdevice_queue(t->dev, list); 2255 + t = rtnl_dereference(t->next); 2256 + } 2247 2257 } 2248 2258 2249 2259 static int __net_init ip6_tnl_init_net(struct net *net)
+2
net/ipv6/netfilter/ip6_tables.c
··· 1443 1443 if (!newinfo) 1444 1444 goto out_unlock; 1445 1445 1446 + memset(newinfo->entries, 0, size); 1447 + 1446 1448 newinfo->number = compatr->num_entries; 1447 1449 for (i = 0; i < NF_INET_NUMHOOKS; i++) { 1448 1450 newinfo->hook_entry[i] = compatr->hook_entry[i];
+2 -2
net/ipv6/sit.c
··· 1867 1867 if (dev->rtnl_link_ops == &sit_link_ops) 1868 1868 unregister_netdevice_queue(dev, head); 1869 1869 1870 - for (prio = 1; prio < 4; prio++) { 1870 + for (prio = 0; prio < 4; prio++) { 1871 1871 int h; 1872 - for (h = 0; h < IP6_SIT_HASH_SIZE; h++) { 1872 + for (h = 0; h < (prio ? IP6_SIT_HASH_SIZE : 1); h++) { 1873 1873 struct ip_tunnel *t; 1874 1874 1875 1875 t = rtnl_dereference(sitn->tunnels[prio][h]);
+1
net/netfilter/nf_conntrack_standalone.c
··· 266 266 case IPPROTO_GRE: return "gre"; 267 267 case IPPROTO_SCTP: return "sctp"; 268 268 case IPPROTO_UDPLITE: return "udplite"; 269 + case IPPROTO_ICMPV6: return "icmpv6"; 269 270 } 270 271 271 272 return "unknown";
+3 -3
net/netfilter/nf_flow_table_offload.c
··· 305 305 const __be32 *addr, const __be32 *mask) 306 306 { 307 307 struct flow_action_entry *entry; 308 - int i; 308 + int i, j; 309 309 310 - for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32)) { 310 + for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) { 311 311 entry = flow_action_entry_next(flow_rule); 312 312 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6, 313 - offset + i, &addr[i], mask); 313 + offset + i, &addr[j], mask); 314 314 } 315 315 } 316 316
+34 -12
net/netfilter/nf_tables_api.c
··· 5295 5295 return -ENOMEM; 5296 5296 } 5297 5297 5298 - static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i, 5299 - struct nft_expr *expr_array[]) 5298 + static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 5299 + const struct nft_set_ext *ext, 5300 + struct nft_expr *expr_array[], 5301 + u32 num_exprs) 5300 5302 { 5301 5303 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 5302 - struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5304 + struct nft_expr *expr; 5305 + int i, err; 5303 5306 5304 - memcpy(expr, expr_array[i], expr_array[i]->ops->size); 5305 - elem_expr->size += expr_array[i]->ops->size; 5306 - kfree(expr_array[i]); 5307 - expr_array[i] = NULL; 5307 + for (i = 0; i < num_exprs; i++) { 5308 + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5309 + err = nft_expr_clone(expr, expr_array[i]); 5310 + if (err < 0) 5311 + goto err_elem_expr_setup; 5312 + 5313 + elem_expr->size += expr_array[i]->ops->size; 5314 + nft_expr_destroy(ctx, expr_array[i]); 5315 + expr_array[i] = NULL; 5316 + } 5317 + 5318 + return 0; 5319 + 5320 + err_elem_expr_setup: 5321 + for (; i < num_exprs; i++) { 5322 + nft_expr_destroy(ctx, expr_array[i]); 5323 + expr_array[i] = NULL; 5324 + } 5325 + 5326 + return -ENOMEM; 5308 5327 } 5309 5328 5310 5329 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, ··· 5575 5556 *nft_set_ext_obj(ext) = obj; 5576 5557 obj->use++; 5577 5558 } 5578 - for (i = 0; i < num_exprs; i++) 5579 - nft_set_elem_expr_setup(ext, i, expr_array); 5559 + err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); 5560 + if (err < 0) 5561 + goto err_elem_expr; 5580 5562 5581 5563 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5582 - if (trans == NULL) 5583 - goto err_trans; 5564 + if (trans == NULL) { 5565 + err = -ENOMEM; 5566 + goto err_elem_expr; 5567 + } 5584 5568 5585 5569 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5586 5570 err = set->ops->insert(ctx->net, set, &elem, &ext2); ··· 5627 5605 set->ops->remove(ctx->net, set, &elem); 5628 5606 err_element_clash: 5629 5607 kfree(trans); 5630 - err_trans: 5608 + err_elem_expr: 5631 5609 if (obj) 5632 5610 obj->use--; 5633 5611
+2 -2
net/netfilter/nft_limit.c
··· 76 76 return -EOVERFLOW; 77 77 78 78 if (pkts) { 79 - tokens = div_u64(limit->nsecs, limit->rate) * limit->burst; 79 + tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst; 80 80 } else { 81 81 /* The token bucket size limits the number of tokens can be 82 82 * accumulated. tokens_max specifies the bucket size. 83 83 * tokens_max = unit * (rate + burst) / rate. 84 84 */ 85 - tokens = div_u64(limit->nsecs * (limit->rate + limit->burst), 85 + tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst), 86 86 limit->rate); 87 87 } 88 88
+2 -8
net/netfilter/x_tables.c
··· 733 733 { 734 734 const struct xt_match *match = m->u.kernel.match; 735 735 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; 736 - int pad, off = xt_compat_match_offset(match); 736 + int off = xt_compat_match_offset(match); 737 737 u_int16_t msize = cm->u.user.match_size; 738 738 char name[sizeof(m->u.user.name)]; 739 739 ··· 743 743 match->compat_from_user(m->data, cm->data); 744 744 else 745 745 memcpy(m->data, cm->data, msize - sizeof(*cm)); 746 - pad = XT_ALIGN(match->matchsize) - match->matchsize; 747 - if (pad > 0) 748 - memset(m->data + match->matchsize, 0, pad); 749 746 750 747 msize += off; 751 748 m->u.user.match_size = msize; ··· 1113 1116 { 1114 1117 const struct xt_target *target = t->u.kernel.target; 1115 1118 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; 1116 - int pad, off = xt_compat_target_offset(target); 1119 + int off = xt_compat_target_offset(target); 1117 1120 u_int16_t tsize = ct->u.user.target_size; 1118 1121 char name[sizeof(t->u.user.name)]; 1119 1122 ··· 1123 1126 target->compat_from_user(t->data, ct->data); 1124 1127 else 1125 1128 memcpy(t->data, ct->data, tsize - sizeof(*ct)); 1126 - pad = XT_ALIGN(target->targetsize) - target->targetsize; 1127 - if (pad > 0) 1128 - memset(t->data + target->targetsize, 0, pad); 1129 1129 1130 1130 tsize += off; 1131 1131 t->u.user.target_size = tsize;
+2 -2
net/netlink/af_netlink.c
··· 1019 1019 return -EINVAL; 1020 1020 } 1021 1021 1022 - netlink_lock_table(); 1023 1022 if (nlk->netlink_bind && groups) { 1024 1023 int group; 1025 1024 ··· 1030 1031 if (!err) 1031 1032 continue; 1032 1033 netlink_undo_bind(group, groups, sk); 1033 - goto unlock; 1034 + return err; 1034 1035 } 1035 1036 } 1036 1037 1037 1038 /* No need for barriers here as we return to user-space without 1038 1039 * using any of the bound attributes. 1039 1040 */ 1041 + netlink_lock_table(); 1040 1042 if (!bound) { 1041 1043 err = nladdr->nl_pid ? 1042 1044 netlink_insert(sk, nladdr->nl_pid) :
+5 -8
net/sctp/socket.c
··· 1520 1520 1521 1521 /* Supposedly, no process has access to the socket, but 1522 1522 * the net layers still may. 1523 - * Also, sctp_destroy_sock() needs to be called with addr_wq_lock 1524 - * held and that should be grabbed before socket lock. 1525 1523 */ 1526 - spin_lock_bh(&net->sctp.addr_wq_lock); 1527 - bh_lock_sock_nested(sk); 1524 + local_bh_disable(); 1525 + bh_lock_sock(sk); 1528 1526 1529 1527 /* Hold the sock, since sk_common_release() will put sock_put() 1530 1528 * and we have just a little more cleanup. ··· 1531 1533 sk_common_release(sk); 1532 1534 1533 1535 bh_unlock_sock(sk); 1534 - spin_unlock_bh(&net->sctp.addr_wq_lock); 1536 + local_bh_enable(); 1535 1537 1536 1538 sock_put(sk); 1537 1539 ··· 4991 4993 sk_sockets_allocated_inc(sk); 4992 4994 sock_prot_inuse_add(net, sk->sk_prot, 1); 4993 4995 4994 - /* Nothing can fail after this block, otherwise 4995 - * sctp_destroy_sock() will be called without addr_wq_lock held 4996 - */ 4997 4996 if (net->sctp.default_auto_asconf) { 4998 4997 spin_lock(&sock_net(sk)->sctp.addr_wq_lock); 4999 4998 list_add_tail(&sp->auto_asconf_list, ··· 5025 5030 5026 5031 if (sp->do_auto_asconf) { 5027 5032 sp->do_auto_asconf = 0; 5033 + spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock); 5028 5034 list_del(&sp->auto_asconf_list); 5035 + spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock); 5029 5036 } 5030 5037 sctp_endpoint_free(sp->ep); 5031 5038 local_bh_disable();
+3 -2
tools/lib/bpf/xsk.c
··· 852 852 struct xsk_ring_cons *comp, 853 853 const struct xsk_socket_config *usr_config) 854 854 { 855 + bool unmap, rx_setup_done = false, tx_setup_done = false; 855 856 void *rx_map = NULL, *tx_map = NULL; 856 857 struct sockaddr_xdp sxdp = {}; 857 858 struct xdp_mmap_offsets off; 858 859 struct xsk_socket *xsk; 859 860 struct xsk_ctx *ctx; 860 861 int err, ifindex; 861 - bool unmap = umem->fill_save != fill; 862 - bool rx_setup_done = false, tx_setup_done = false; 863 862 864 863 if (!umem || !xsk_ptr || !(rx || tx)) 865 864 return -EFAULT; 865 + 866 + unmap = umem->fill_save != fill; 866 867 867 868 xsk = calloc(1, sizeof(*xsk)); 868 869 if (!xsk)
-5
tools/testing/selftests/bpf/verifier/bounds.c
··· 261 261 }, 262 262 .fixup_map_hash_8b = { 3 }, 263 263 /* not actually fully unbounded, but the bound is very high */ 264 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root", 265 - .result_unpriv = REJECT, 266 264 .errstr = "value -4294967168 makes map_value pointer be out of bounds", 267 265 .result = REJECT, 268 266 }, ··· 296 298 BPF_EXIT_INSN(), 297 299 }, 298 300 .fixup_map_hash_8b = { 3 }, 299 - /* not actually fully unbounded, but the bound is very high */ 300 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root", 301 - .result_unpriv = REJECT, 302 301 .errstr = "value -4294967168 makes map_value pointer be out of bounds", 303 302 .result = REJECT, 304 303 },
+11 -10
tools/testing/selftests/bpf/verifier/bounds_deduction.c
··· 6 6 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 7 7 BPF_EXIT_INSN(), 8 8 }, 9 - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", 9 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 10 10 .errstr = "R0 tried to subtract pointer from scalar", 11 11 .result = REJECT, 12 12 }, ··· 21 21 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 22 22 BPF_EXIT_INSN(), 23 23 }, 24 - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", 24 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 25 25 .result_unpriv = REJECT, 26 26 .result = ACCEPT, 27 27 .retval = 1, ··· 34 34 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 35 35 BPF_EXIT_INSN(), 36 36 }, 37 - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", 37 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 38 38 .errstr = "R0 tried to subtract pointer from scalar", 39 39 .result = REJECT, 40 40 }, 41 41 { 42 42 "check deducing bounds from const, 4", 43 43 .insns = { 44 + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 44 45 BPF_MOV64_IMM(BPF_REG_0, 0), 45 46 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), 46 47 BPF_EXIT_INSN(), 47 48 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), 48 49 BPF_EXIT_INSN(), 49 - BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 50 + BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0), 50 51 BPF_EXIT_INSN(), 51 52 }, 52 - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", 53 + .errstr_unpriv = "R6 has pointer with unsupported alu operation", 53 54 .result_unpriv = REJECT, 54 55 .result = ACCEPT, 55 56 }, ··· 62 61 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 63 62 BPF_EXIT_INSN(), 64 63 }, 65 - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", 64 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 66 65 .errstr = "R0 tried to subtract pointer from scalar", 67 66 .result = REJECT, 68 67 }, ··· 75 74 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 76 75 BPF_EXIT_INSN(), 77 76 }, 78 - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", 77 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 79 78 .errstr = "R0 tried to subtract pointer from scalar", 80 79 .result = REJECT, 81 80 }, ··· 89 88 offsetof(struct __sk_buff, mark)), 90 89 BPF_EXIT_INSN(), 91 90 }, 92 - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", 91 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 93 92 .errstr = "dereference of modified ctx ptr", 94 93 .result = REJECT, 95 94 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, ··· 104 103 offsetof(struct __sk_buff, mark)), 105 104 BPF_EXIT_INSN(), 106 105 }, 107 - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", 106 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 108 107 .errstr = "dereference of modified ctx ptr", 109 108 .result = REJECT, 110 109 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, ··· 117 116 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 118 117 BPF_EXIT_INSN(), 119 118 }, 120 - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", 119 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 121 120 .errstr = "R0 tried to subtract pointer from scalar", 122 121 .result = REJECT, 123 122 },
-13
tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c
··· 19 19 }, 20 20 .fixup_map_hash_8b = { 3 }, 21 21 .errstr = "unbounded min value", 22 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 23 22 .result = REJECT, 24 23 }, 25 24 { ··· 42 43 }, 43 44 .fixup_map_hash_8b = { 3 }, 44 45 .errstr = "unbounded min value", 45 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 46 46 .result = REJECT, 47 47 }, 48 48 { ··· 67 69 }, 68 70 .fixup_map_hash_8b = { 3 }, 69 71 .errstr = "unbounded min value", 70 - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", 71 72 .result = REJECT, 72 73 }, 73 74 { ··· 91 94 }, 92 95 .fixup_map_hash_8b = { 3 }, 93 96 .errstr = "unbounded min value", 94 - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", 95 97 .result = REJECT, 96 98 }, 97 99 { ··· 137 141 }, 138 142 .fixup_map_hash_8b = { 3 }, 139 143 .errstr = "unbounded min value", 140 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 141 144 .result = REJECT, 142 145 }, 143 146 { ··· 205 210 }, 206 211 .fixup_map_hash_8b = { 3 }, 207 212 .errstr = "unbounded min value", 208 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 209 213 .result = REJECT, 210 214 }, 211 215 { ··· 254 260 }, 255 261 .fixup_map_hash_8b = { 3 }, 256 262 .errstr = "unbounded min value", 257 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 258 263 .result = REJECT, 259 264 }, 260 265 { ··· 280 287 }, 281 288 .fixup_map_hash_8b = { 3 }, 282 289 .errstr = "unbounded min value", 283 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 284 290 .result = REJECT, 285 291 }, 286 292 { ··· 305 313 }, 306 314 .fixup_map_hash_8b = { 3 }, 307 315 .errstr = "unbounded min value", 308 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 309 316 .result = REJECT, 310 317 }, 311 318 { ··· 333 342 }, 334 343 .fixup_map_hash_8b = { 3 }, 335 344 .errstr = "unbounded min value", 336 - .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", 337 345 .result = REJECT, 338 346 }, 339 347 { ··· 362 372 }, 363 373 .fixup_map_hash_8b = { 4 }, 364 374 .errstr = "unbounded min value", 365 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 366 375 .result = REJECT, 367 376 }, 368 377 { ··· 389 400 }, 390 401 .fixup_map_hash_8b = { 3 }, 391 402 .errstr = "unbounded min value", 392 - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 393 403 .result = REJECT, 394 - .result_unpriv = REJECT, 395 404 },
+2 -2
tools/testing/selftests/bpf/verifier/map_ptr.c
··· 76 76 }, 77 77 .fixup_map_hash_16b = { 4 }, 78 78 .result_unpriv = REJECT, 79 - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", 79 + .errstr_unpriv = "R1 has pointer with unsupported alu operation", 80 80 .result = ACCEPT, 81 81 }, 82 82 { ··· 94 94 }, 95 95 .fixup_map_hash_16b = { 4 }, 96 96 .result_unpriv = REJECT, 97 - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", 97 + .errstr_unpriv = "R0 has pointer with unsupported alu operation", 98 98 .result = ACCEPT, 99 99 },
+1 -1
tools/testing/selftests/bpf/verifier/unpriv.c
··· 505 505 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 506 506 BPF_EXIT_INSN(), 507 507 }, 508 - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", 508 + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 509 509 .result_unpriv = REJECT, 510 510 .result = ACCEPT, 511 511 },
+2 -4
tools/testing/selftests/bpf/verifier/value_ptr_arith.c
··· 21 21 .fixup_map_hash_16b = { 5 }, 22 22 .fixup_map_array_48b = { 8 }, 23 23 .result = ACCEPT, 24 - .result_unpriv = REJECT, 25 - .errstr_unpriv = "R1 tried to add from different maps", 26 24 .retval = 1, 27 25 }, 28 26 { ··· 120 122 .fixup_map_array_48b = { 1 }, 121 123 .result = ACCEPT, 122 124 .result_unpriv = REJECT, 123 - .errstr_unpriv = "R2 tried to add from different pointers or scalars", 125 + .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", 124 126 .retval = 0, 125 127 }, 126 128 { ··· 167 169 .fixup_map_array_48b = { 1 }, 168 170 .result = ACCEPT, 169 171 .result_unpriv = REJECT, 170 - .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types", 172 + .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", 171 173 .retval = 0, 172 174 }, 173 175 {