tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'net-6.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
"Including fixes from Bluetooth.

Current release - regressions:

- tcp: refine sk_rcvbuf increase for ooo packets

- bluetooth: fix attempting to send HCI_Disconnect to BIS handle

- rxrpc: fix over large frame size warning

- eth: bcmgenet: initialize u64 stats seq counter

Previous releases - regressions:

- tcp: correct signedness in skb remaining space calculation

- sched: abort __tc_modify_qdisc if parent class does not exist

- vsock: fix transport_{g2h,h2g} TOCTOU

- rxrpc: fix bug due to prealloc collision

- tipc: fix use-after-free in tipc_conn_close().

- bluetooth: fix not marking Broadcast Sink BIS as connected

- phy: qca808x: fix WoL issue by utilizing at8031_set_wol()

- eth: am65-cpsw-nuss: fix skb size by accounting for skb_shared_info

Previous releases - always broken:

- netlink: fix wraparounds of sk->sk_rmem_alloc.

- atm: fix infinite recursive call of clip_push().

- eth:
- stmmac: fix interrupt handling for level-triggered mode in DWC_XGMAC2
- rtsn: fix a null pointer dereference in rtsn_probe()"

* tag 'net-6.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (37 commits)
net/sched: sch_qfq: Fix null-deref in agg_dequeue
rxrpc: Fix oops due to non-existence of prealloc backlog struct
rxrpc: Fix bug due to prealloc collision
MAINTAINERS: remove myself as netronome maintainer
selftests/net: packetdrill: add tcp_ooo-before-and-after-accept.pkt
tcp: refine sk_rcvbuf increase for ooo packets
net/sched: Abort __tc_modify_qdisc if parent class does not exist
net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info
net: thunderx: avoid direct MTU assignment after WRITE_ONCE()
selftests/tc-testing: Create test case for UAF scenario with DRR/NETEM/BLACKHOLE chain
atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
atm: clip: Fix infinite recursive call of clip_push().
atm: clip: Fix memory leak of struct clip_vcc.
atm: clip: Fix potential null-ptr-deref in to_atmarpd().
net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
net: phy: smsc: Force predictable MDI-X state on LAN87xx
net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap
net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2
rxrpc: Fix over large frame size warning
net: airoha: Fix an error handling path in airoha_probe()
...

Linus Torvalds bc9ff192 73d7cf07

+425 -179
+1 -1
Documentation/devicetree/bindings/net/allwinner,sun8i-a83t-emac.yaml
··· 23 23 - allwinner,sun20i-d1-emac 24 24 - allwinner,sun50i-h6-emac 25 25 - allwinner,sun50i-h616-emac0 26 - - allwinner,sun55i-a523-emac0 26 + - allwinner,sun55i-a523-gmac0 27 27 - const: allwinner,sun50i-a64-emac 28 28 29 29 reg:
+2 -2
MAINTAINERS
··· 17224 17224 F: include/linux/mfd/ntxec.h 17225 17225 17226 17226 NETRONOME ETHERNET DRIVERS 17227 - M: Louis Peens <louis.peens@corigine.com> 17228 17227 R: Jakub Kicinski <kuba@kernel.org> 17228 + R: Simon Horman <horms@kernel.org> 17229 17229 L: oss-drivers@corigine.com 17230 - S: Maintained 17230 + S: Odd Fixes 17231 17231 F: drivers/net/ethernet/netronome/ 17232 17232 17233 17233 NETWORK BLOCK DEVICE (NBD)
+1
drivers/net/ethernet/airoha/airoha_eth.c
··· 2984 2984 error_napi_stop: 2985 2985 for (i = 0; i < ARRAY_SIZE(eth->qdma); i++) 2986 2986 airoha_qdma_stop_napi(&eth->qdma[i]); 2987 + airoha_ppe_deinit(eth); 2987 2988 error_hw_cleanup: 2988 2989 for (i = 0; i < ARRAY_SIZE(eth->qdma); i++) 2989 2990 airoha_hw_cleanup(&eth->qdma[i]);
+4 -6
drivers/net/ethernet/broadcom/bnxt/bnxt.c
··· 11607 11607 11608 11608 static int bnxt_request_irq(struct bnxt *bp) 11609 11609 { 11610 + struct cpu_rmap *rmap = NULL; 11610 11611 int i, j, rc = 0; 11611 11612 unsigned long flags = 0; 11612 - #ifdef CONFIG_RFS_ACCEL 11613 - struct cpu_rmap *rmap; 11614 - #endif 11615 11613 11616 11614 rc = bnxt_setup_int_mode(bp); 11617 11615 if (rc) { ··· 11630 11632 int map_idx = bnxt_cp_num_to_irq_num(bp, i); 11631 11633 struct bnxt_irq *irq = &bp->irq_tbl[map_idx]; 11632 11634 11633 - #ifdef CONFIG_RFS_ACCEL 11634 - if (rmap && bp->bnapi[i]->rx_ring) { 11635 + if (IS_ENABLED(CONFIG_RFS_ACCEL) && 11636 + rmap && bp->bnapi[i]->rx_ring) { 11635 11637 rc = irq_cpu_rmap_add(rmap, irq->vector); 11636 11638 if (rc) 11637 11639 netdev_warn(bp->dev, "failed adding irq rmap for ring %d\n", 11638 11640 j); 11639 11641 j++; 11640 11642 } 11641 - #endif 11643 + 11642 11644 rc = request_irq(irq->vector, irq->handler, flags, irq->name, 11643 11645 bp->bnapi[i]); 11644 11646 if (rc)
+6
drivers/net/ethernet/broadcom/genet/bcmgenet.c
··· 4092 4092 for (i = 0; i <= priv->hw_params->rx_queues; i++) 4093 4093 priv->rx_rings[i].rx_max_coalesced_frames = 1; 4094 4094 4095 + /* Initialize u64 stats seq counter for 32bit machines */ 4096 + for (i = 0; i <= priv->hw_params->rx_queues; i++) 4097 + u64_stats_init(&priv->rx_rings[i].stats64.syncp); 4098 + for (i = 0; i <= priv->hw_params->tx_queues; i++) 4099 + u64_stats_init(&priv->tx_rings[i].stats64.syncp); 4100 + 4095 4101 /* libphy will determine the link state */ 4096 4102 netif_carrier_off(dev); 4097 4103
+3 -9
drivers/net/ethernet/cavium/thunder/nicvf_main.c
··· 1578 1578 static int nicvf_change_mtu(struct net_device *netdev, int new_mtu) 1579 1579 { 1580 1580 struct nicvf *nic = netdev_priv(netdev); 1581 - int orig_mtu = netdev->mtu; 1582 1581 1583 1582 /* For now just support only the usual MTU sized frames, 1584 1583 * plus some headroom for VLAN, QinQ. ··· 1588 1589 return -EINVAL; 1589 1590 } 1590 1591 1591 - WRITE_ONCE(netdev->mtu, new_mtu); 1592 - 1593 - if (!netif_running(netdev)) 1594 - return 0; 1595 - 1596 - if (nicvf_update_hw_max_frs(nic, new_mtu)) { 1597 - netdev->mtu = orig_mtu; 1592 + if (netif_running(netdev) && nicvf_update_hw_max_frs(nic, new_mtu)) 1598 1593 return -EINVAL; 1599 - } 1594 + 1595 + WRITE_ONCE(netdev->mtu, new_mtu); 1600 1596 1601 1597 return 0; 1602 1598 }
+5
drivers/net/ethernet/renesas/rtsn.c
··· 1259 1259 priv = netdev_priv(ndev); 1260 1260 priv->pdev = pdev; 1261 1261 priv->ndev = ndev; 1262 + 1262 1263 priv->ptp_priv = rcar_gen4_ptp_alloc(pdev); 1264 + if (!priv->ptp_priv) { 1265 + ret = -ENOMEM; 1266 + goto error_free; 1267 + } 1263 1268 1264 1269 spin_lock_init(&priv->lock); 1265 1270 platform_set_drvdata(pdev, priv);
+11 -13
drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
··· 364 364 } 365 365 366 366 /* TX/RX NORMAL interrupts */ 367 - if (likely(intr_status & XGMAC_NIS)) { 368 - if (likely(intr_status & XGMAC_RI)) { 369 - u64_stats_update_begin(&stats->syncp); 370 - u64_stats_inc(&stats->rx_normal_irq_n[chan]); 371 - u64_stats_update_end(&stats->syncp); 372 - ret |= handle_rx; 373 - } 374 - if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) { 375 - u64_stats_update_begin(&stats->syncp); 376 - u64_stats_inc(&stats->tx_normal_irq_n[chan]); 377 - u64_stats_update_end(&stats->syncp); 378 - ret |= handle_tx; 379 - } 367 + if (likely(intr_status & XGMAC_RI)) { 368 + u64_stats_update_begin(&stats->syncp); 369 + u64_stats_inc(&stats->rx_normal_irq_n[chan]); 370 + u64_stats_update_end(&stats->syncp); 371 + ret |= handle_rx; 372 + } 373 + if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) { 374 + u64_stats_update_begin(&stats->syncp); 375 + u64_stats_inc(&stats->tx_normal_irq_n[chan]); 376 + u64_stats_update_end(&stats->syncp); 377 + ret |= handle_tx; 380 378 } 381 379 382 380 /* Clear interrupts */
+1 -3
drivers/net/ethernet/ti/am65-cpsw-nuss.c
··· 856 856 { 857 857 struct sk_buff *skb; 858 858 859 - len += AM65_CPSW_HEADROOM; 860 - 861 859 skb = build_skb(page_addr, len); 862 860 if (unlikely(!skb)) 863 861 return NULL; ··· 1342 1344 } 1343 1345 1344 1346 skb = am65_cpsw_build_skb(page_addr, ndev, 1345 - AM65_CPSW_MAX_PACKET_SIZE, headroom); 1347 + PAGE_SIZE, headroom); 1346 1348 if (unlikely(!skb)) { 1347 1349 new_page = page; 1348 1350 goto requeue;
-27
drivers/net/phy/qcom/at803x.c
··· 26 26 27 27 #define AT803X_LED_CONTROL 0x18 28 28 29 - #define AT803X_PHY_MMD3_WOL_CTRL 0x8012 30 - #define AT803X_WOL_EN BIT(5) 31 - 32 29 #define AT803X_REG_CHIP_CONFIG 0x1f 33 30 #define AT803X_BT_BX_REG_SEL 0x8000 34 31 ··· 861 864 return ret; 862 865 863 866 return at803x_config_init(phydev); 864 - } 865 - 866 - static int at8031_set_wol(struct phy_device *phydev, 867 - struct ethtool_wolinfo *wol) 868 - { 869 - int ret; 870 - 871 - /* First setup MAC address and enable WOL interrupt */ 872 - ret = at803x_set_wol(phydev, wol); 873 - if (ret) 874 - return ret; 875 - 876 - if (wol->wolopts & WAKE_MAGIC) 877 - /* Enable WOL function for 1588 */ 878 - ret = phy_modify_mmd(phydev, MDIO_MMD_PCS, 879 - AT803X_PHY_MMD3_WOL_CTRL, 880 - 0, AT803X_WOL_EN); 881 - else 882 - /* Disable WoL function for 1588 */ 883 - ret = phy_modify_mmd(phydev, MDIO_MMD_PCS, 884 - AT803X_PHY_MMD3_WOL_CTRL, 885 - AT803X_WOL_EN, 0); 886 - 887 - return ret; 888 867 } 889 868 890 869 static int at8031_config_intr(struct phy_device *phydev)
+1 -1
drivers/net/phy/qcom/qca808x.c
··· 633 633 .handle_interrupt = at803x_handle_interrupt, 634 634 .get_tunable = at803x_get_tunable, 635 635 .set_tunable = at803x_set_tunable, 636 - .set_wol = at803x_set_wol, 636 + .set_wol = at8031_set_wol, 637 637 .get_wol = at803x_get_wol, 638 638 .get_features = qca808x_get_features, 639 639 .config_aneg = qca808x_config_aneg,
+25
drivers/net/phy/qcom/qcom-phy-lib.c
··· 115 115 } 116 116 EXPORT_SYMBOL_GPL(at803x_set_wol); 117 117 118 + int at8031_set_wol(struct phy_device *phydev, 119 + struct ethtool_wolinfo *wol) 120 + { 121 + int ret; 122 + 123 + /* First setup MAC address and enable WOL interrupt */ 124 + ret = at803x_set_wol(phydev, wol); 125 + if (ret) 126 + return ret; 127 + 128 + if (wol->wolopts & WAKE_MAGIC) 129 + /* Enable WOL function for 1588 */ 130 + ret = phy_modify_mmd(phydev, MDIO_MMD_PCS, 131 + AT803X_PHY_MMD3_WOL_CTRL, 132 + 0, AT803X_WOL_EN); 133 + else 134 + /* Disable WoL function for 1588 */ 135 + ret = phy_modify_mmd(phydev, MDIO_MMD_PCS, 136 + AT803X_PHY_MMD3_WOL_CTRL, 137 + AT803X_WOL_EN, 0); 138 + 139 + return ret; 140 + } 141 + EXPORT_SYMBOL_GPL(at8031_set_wol); 142 + 118 143 void at803x_get_wol(struct phy_device *phydev, 119 144 struct ethtool_wolinfo *wol) 120 145 {
+5
drivers/net/phy/qcom/qcom.h
··· 172 172 #define AT803X_LOC_MAC_ADDR_16_31_OFFSET 0x804B 173 173 #define AT803X_LOC_MAC_ADDR_32_47_OFFSET 0x804A 174 174 175 + #define AT803X_PHY_MMD3_WOL_CTRL 0x8012 176 + #define AT803X_WOL_EN BIT(5) 177 + 175 178 #define AT803X_DEBUG_ADDR 0x1D 176 179 #define AT803X_DEBUG_DATA 0x1E 177 180 ··· 217 214 u16 clear, u16 set); 218 215 int at803x_debug_reg_write(struct phy_device *phydev, u16 reg, u16 data); 219 216 int at803x_set_wol(struct phy_device *phydev, 217 + struct ethtool_wolinfo *wol); 218 + int at8031_set_wol(struct phy_device *phydev, 220 219 struct ethtool_wolinfo *wol); 221 220 void at803x_get_wol(struct phy_device *phydev, 222 221 struct ethtool_wolinfo *wol);
+52 -5
drivers/net/phy/smsc.c
··· 155 155 156 156 static int lan87xx_config_aneg(struct phy_device *phydev) 157 157 { 158 - int rc; 158 + u8 mdix_ctrl; 159 159 int val; 160 + int rc; 160 161 161 - switch (phydev->mdix_ctrl) { 162 + /* When auto-negotiation is disabled (forced mode), the PHY's 163 + * Auto-MDIX will continue toggling the TX/RX pairs. 164 + * 165 + * To establish a stable link, we must select a fixed MDI mode. 166 + * If the user has not specified a fixed MDI mode (i.e., mdix_ctrl is 167 + * 'auto'), we default to ETH_TP_MDI. This choice of a ETH_TP_MDI mode 168 + * mirrors the behavior the hardware would exhibit if the AUTOMDIX_EN 169 + * strap were configured for a fixed MDI connection. 170 + */ 171 + if (phydev->autoneg == AUTONEG_DISABLE) { 172 + if (phydev->mdix_ctrl == ETH_TP_MDI_AUTO) 173 + mdix_ctrl = ETH_TP_MDI; 174 + else 175 + mdix_ctrl = phydev->mdix_ctrl; 176 + } else { 177 + mdix_ctrl = phydev->mdix_ctrl; 178 + } 179 + 180 + switch (mdix_ctrl) { 162 181 case ETH_TP_MDI: 163 182 val = SPECIAL_CTRL_STS_OVRRD_AMDIX_; 164 183 break; ··· 186 167 SPECIAL_CTRL_STS_AMDIX_STATE_; 187 168 break; 188 169 case ETH_TP_MDI_AUTO: 189 - val = SPECIAL_CTRL_STS_AMDIX_ENABLE_; 170 + val = SPECIAL_CTRL_STS_OVRRD_AMDIX_ | 171 + SPECIAL_CTRL_STS_AMDIX_ENABLE_; 190 172 break; 191 173 default: 192 174 return genphy_config_aneg(phydev); ··· 203 183 rc |= val; 204 184 phy_write(phydev, SPECIAL_CTRL_STS, rc); 205 185 206 - phydev->mdix = phydev->mdix_ctrl; 186 + phydev->mdix = mdix_ctrl; 207 187 return genphy_config_aneg(phydev); 208 188 } 209 189 ··· 280 260 return err; 281 261 } 282 262 EXPORT_SYMBOL_GPL(lan87xx_read_status); 263 + 264 + static int lan87xx_phy_config_init(struct phy_device *phydev) 265 + { 266 + int rc; 267 + 268 + /* The LAN87xx PHY's initial MDI-X mode is determined by the AUTOMDIX_EN 269 + * hardware strap, but the driver cannot read the strap's status. This 270 + * creates an unpredictable initial state. 271 + * 272 + * To ensure consistent and reliable behavior across all boards, 273 + * override the strap configuration on initialization and force the PHY 274 + * into a known state with Auto-MDIX enabled, which is the expected 275 + * default for modern hardware. 276 + */ 277 + rc = phy_modify(phydev, SPECIAL_CTRL_STS, 278 + SPECIAL_CTRL_STS_OVRRD_AMDIX_ | 279 + SPECIAL_CTRL_STS_AMDIX_ENABLE_ | 280 + SPECIAL_CTRL_STS_AMDIX_STATE_, 281 + SPECIAL_CTRL_STS_OVRRD_AMDIX_ | 282 + SPECIAL_CTRL_STS_AMDIX_ENABLE_); 283 + if (rc < 0) 284 + return rc; 285 + 286 + phydev->mdix_ctrl = ETH_TP_MDI_AUTO; 287 + 288 + return smsc_phy_config_init(phydev); 289 + } 283 290 284 291 static int lan874x_phy_config_init(struct phy_device *phydev) 285 292 { ··· 742 695 743 696 /* basic functions */ 744 697 .read_status = lan87xx_read_status, 745 - .config_init = smsc_phy_config_init, 698 + .config_init = lan87xx_phy_config_init, 746 699 .soft_reset = smsc_phy_reset, 747 700 .config_aneg = lan87xx_config_aneg, 748 701
+1 -1
include/net/af_vsock.h
··· 243 243 int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg, 244 244 size_t len, int flags); 245 245 246 - #ifdef CONFIG_BPF_SYSCALL 247 246 extern struct proto vsock_proto; 247 + #ifdef CONFIG_BPF_SYSCALL 248 248 int vsock_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore); 249 249 void __init vsock_bpf_build_proto(void); 250 250 #else
+1 -2
include/net/bluetooth/hci_core.h
··· 1350 1350 rcu_read_lock(); 1351 1351 1352 1352 list_for_each_entry_rcu(c, &h->list, list) { 1353 - if (c->type != BIS_LINK || bacmp(&c->dst, BDADDR_ANY) || 1354 - c->state != state) 1353 + if (c->type != BIS_LINK || c->state != state) 1355 1354 continue; 1356 1355 1357 1356 if (handle == c->iso_qos.bcast.big) {
+24 -1
include/net/pkt_sched.h
··· 114 114 struct netlink_ext_ack *extack); 115 115 void qdisc_put_rtab(struct qdisc_rate_table *tab); 116 116 void qdisc_put_stab(struct qdisc_size_table *tab); 117 - void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc); 118 117 bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, 119 118 struct net_device *dev, struct netdev_queue *txq, 120 119 spinlock_t *root_lock, bool validate); ··· 287 288 288 289 arg->count++; 289 290 return true; 291 + } 292 + 293 + static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) 294 + { 295 + if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { 296 + pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", 297 + txt, qdisc->ops->id, qdisc->handle >> 16); 298 + qdisc->flags |= TCQ_F_WARN_NONWC; 299 + } 300 + } 301 + 302 + static inline unsigned int qdisc_peek_len(struct Qdisc *sch) 303 + { 304 + struct sk_buff *skb; 305 + unsigned int len; 306 + 307 + skb = sch->ops->peek(sch); 308 + if (unlikely(skb == NULL)) { 309 + qdisc_warn_nonwc("qdisc_peek_len", sch); 310 + return 0; 311 + } 312 + len = qdisc_pkt_len(skb); 313 + 314 + return len; 290 315 } 291 316 292 317 #endif
+48 -16
net/atm/clip.c
··· 45 45 #include <net/atmclip.h> 46 46 47 47 static struct net_device *clip_devs; 48 - static struct atm_vcc *atmarpd; 48 + static struct atm_vcc __rcu *atmarpd; 49 + static DEFINE_MUTEX(atmarpd_lock); 49 50 static struct timer_list idle_timer; 50 51 static const struct neigh_ops clip_neigh_ops; 51 52 ··· 54 53 { 55 54 struct sock *sk; 56 55 struct atmarp_ctrl *ctrl; 56 + struct atm_vcc *vcc; 57 57 struct sk_buff *skb; 58 + int err = 0; 58 59 59 60 pr_debug("(%d)\n", type); 60 - if (!atmarpd) 61 - return -EUNATCH; 61 + 62 + rcu_read_lock(); 63 + vcc = rcu_dereference(atmarpd); 64 + if (!vcc) { 65 + err = -EUNATCH; 66 + goto unlock; 67 + } 62 68 skb = alloc_skb(sizeof(struct atmarp_ctrl), GFP_ATOMIC); 63 - if (!skb) 64 - return -ENOMEM; 69 + if (!skb) { 70 + err = -ENOMEM; 71 + goto unlock; 72 + } 65 73 ctrl = skb_put(skb, sizeof(struct atmarp_ctrl)); 66 74 ctrl->type = type; 67 75 ctrl->itf_num = itf; 68 76 ctrl->ip = ip; 69 - atm_force_charge(atmarpd, skb->truesize); 77 + atm_force_charge(vcc, skb->truesize); 70 78 71 - sk = sk_atm(atmarpd); 79 + sk = sk_atm(vcc); 72 80 skb_queue_tail(&sk->sk_receive_queue, skb); 73 81 sk->sk_data_ready(sk); 74 - return 0; 82 + unlock: 83 + rcu_read_unlock(); 84 + return err; 75 85 } 76 86 77 87 static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry) ··· 429 417 430 418 if (!vcc->push) 431 419 return -EBADFD; 420 + if (vcc->user_back) 421 + return -EINVAL; 432 422 clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL); 433 423 if (!clip_vcc) 434 424 return -ENOMEM; ··· 621 607 { 622 608 pr_debug("\n"); 623 609 624 - rtnl_lock(); 625 - atmarpd = NULL; 610 + mutex_lock(&atmarpd_lock); 611 + RCU_INIT_POINTER(atmarpd, NULL); 612 + mutex_unlock(&atmarpd_lock); 613 + 614 + synchronize_rcu(); 626 615 skb_queue_purge(&sk_atm(vcc)->sk_receive_queue); 627 - rtnl_unlock(); 628 616 629 617 pr_debug("(done)\n"); 630 618 module_put(THIS_MODULE); 631 619 } 632 620 621 + static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb) 622 + { 623 + atm_return_tx(vcc, skb); 624 + dev_kfree_skb_any(skb); 625 + return 0; 626 + } 627 + 633 628 static const struct atmdev_ops atmarpd_dev_ops = { 634 - .close = atmarpd_close 629 + .close = atmarpd_close, 630 + .send = atmarpd_send 635 631 }; 636 632 637 633 ··· 655 631 656 632 static int atm_init_atmarp(struct atm_vcc *vcc) 657 633 { 658 - rtnl_lock(); 634 + if (vcc->push == clip_push) 635 + return -EINVAL; 636 + 637 + mutex_lock(&atmarpd_lock); 659 638 if (atmarpd) { 660 - rtnl_unlock(); 639 + mutex_unlock(&atmarpd_lock); 661 640 return -EADDRINUSE; 662 641 } 663 642 664 643 mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ); 665 644 666 - atmarpd = vcc; 645 + rcu_assign_pointer(atmarpd, vcc); 667 646 set_bit(ATM_VF_META, &vcc->flags); 668 647 set_bit(ATM_VF_READY, &vcc->flags); 669 648 /* allow replies and avoid getting closed if signaling dies */ ··· 675 648 vcc->push = NULL; 676 649 vcc->pop = NULL; /* crash */ 677 650 vcc->push_oam = NULL; /* crash */ 678 - rtnl_unlock(); 651 + mutex_unlock(&atmarpd_lock); 679 652 return 0; 680 653 } 681 654 682 655 static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 683 656 { 684 657 struct atm_vcc *vcc = ATM_SD(sock); 658 + struct sock *sk = sock->sk; 685 659 int err = 0; 686 660 687 661 switch (cmd) { ··· 703 675 err = clip_create(arg); 704 676 break; 705 677 case ATMARPD_CTRL: 678 + lock_sock(sk); 706 679 err = atm_init_atmarp(vcc); 707 680 if (!err) { 708 681 sock->state = SS_CONNECTED; 709 682 __module_get(THIS_MODULE); 710 683 } 684 + release_sock(sk); 711 685 break; 712 686 case ATMARP_MKIP: 687 + lock_sock(sk); 713 688 err = clip_mkip(vcc, arg); 689 + release_sock(sk); 714 690 break; 715 691 case ATMARP_SETENTRY: 716 692 err = clip_setentry(vcc, (__force __be32)arg);
+3
net/bluetooth/hci_event.c
··· 6966 6966 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); 6967 6967 6968 6968 if (!ev->status) { 6969 + bis->state = BT_CONNECTED; 6969 6970 set_bit(HCI_CONN_BIG_SYNC, &bis->flags); 6971 + hci_debugfs_create_conn(bis); 6972 + hci_conn_add_sysfs(bis); 6970 6973 hci_iso_setup_path(bis); 6971 6974 } 6972 6975 }
+2 -2
net/bluetooth/hci_sync.c
··· 1345 1345 * Command Disallowed error, so we must first disable the 1346 1346 * instance if it is active. 1347 1347 */ 1348 - if (adv && !adv->pending) { 1348 + if (adv) { 1349 1349 err = hci_disable_ext_adv_instance_sync(hdev, instance); 1350 1350 if (err) 1351 1351 return err; ··· 5493 5493 { 5494 5494 struct hci_cp_disconnect cp; 5495 5495 5496 - if (test_bit(HCI_CONN_BIG_CREATED, &conn->flags)) { 5496 + if (conn->type == BIS_LINK) { 5497 5497 /* This is a BIS connection, hci_conn_del will 5498 5498 * do the necessary cleanup. 5499 5499 */
+1 -1
net/ipv4/tcp.c
··· 1176 1176 goto do_error; 1177 1177 1178 1178 while (msg_data_left(msg)) { 1179 - ssize_t copy = 0; 1179 + int copy = 0; 1180 1180 1181 1181 skb = tcp_write_queue_tail(sk); 1182 1182 if (skb)
+3 -1
net/ipv4/tcp_input.c
··· 5181 5181 skb_condense(skb); 5182 5182 skb_set_owner_r(skb, sk); 5183 5183 } 5184 - tcp_rcvbuf_grow(sk); 5184 + /* do not grow rcvbuf for not-yet-accepted or orphaned sockets. */ 5185 + if (sk->sk_socket) 5186 + tcp_rcvbuf_grow(sk); 5185 5187 } 5186 5188 5187 5189 static int __must_check tcp_queue_rcv(struct sock *sk, struct sk_buff *skb,
+53 -36
net/netlink/af_netlink.c
··· 387 387 WARN_ON(skb->sk != NULL); 388 388 skb->sk = sk; 389 389 skb->destructor = netlink_skb_destructor; 390 - atomic_add(skb->truesize, &sk->sk_rmem_alloc); 391 390 sk_mem_charge(sk, skb->truesize); 392 391 } 393 392 ··· 1211 1212 int netlink_attachskb(struct sock *sk, struct sk_buff *skb, 1212 1213 long *timeo, struct sock *ssk) 1213 1214 { 1215 + DECLARE_WAITQUEUE(wait, current); 1214 1216 struct netlink_sock *nlk; 1217 + unsigned int rmem; 1215 1218 1216 1219 nlk = nlk_sk(sk); 1220 + rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); 1217 1221 1218 - if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf || 1219 - test_bit(NETLINK_S_CONGESTED, &nlk->state))) { 1220 - DECLARE_WAITQUEUE(wait, current); 1221 - if (!*timeo) { 1222 - if (!ssk || netlink_is_kernel(ssk)) 1223 - netlink_overrun(sk); 1224 - sock_put(sk); 1225 - kfree_skb(skb); 1226 - return -EAGAIN; 1227 - } 1228 - 1229 - __set_current_state(TASK_INTERRUPTIBLE); 1230 - add_wait_queue(&nlk->wait, &wait); 1231 - 1232 - if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf || 1233 - test_bit(NETLINK_S_CONGESTED, &nlk->state)) && 1234 - !sock_flag(sk, SOCK_DEAD)) 1235 - *timeo = schedule_timeout(*timeo); 1236 - 1237 - __set_current_state(TASK_RUNNING); 1238 - remove_wait_queue(&nlk->wait, &wait); 1239 - sock_put(sk); 1240 - 1241 - if (signal_pending(current)) { 1242 - kfree_skb(skb); 1243 - return sock_intr_errno(*timeo); 1244 - } 1245 - return 1; 1222 + if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) && 1223 + !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { 1224 + netlink_skb_set_owner_r(skb, sk); 1225 + return 0; 1246 1226 } 1247 - netlink_skb_set_owner_r(skb, sk); 1248 - return 0; 1227 + 1228 + atomic_sub(skb->truesize, &sk->sk_rmem_alloc); 1229 + 1230 + if (!*timeo) { 1231 + if (!ssk || netlink_is_kernel(ssk)) 1232 + netlink_overrun(sk); 1233 + sock_put(sk); 1234 + kfree_skb(skb); 1235 + return -EAGAIN; 1236 + } 1237 + 1238 + __set_current_state(TASK_INTERRUPTIBLE); 1239 + add_wait_queue(&nlk->wait, &wait); 1240 + rmem = atomic_read(&sk->sk_rmem_alloc); 1241 + 1242 + if (((rmem && rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)) || 1243 + test_bit(NETLINK_S_CONGESTED, &nlk->state)) && 1244 + !sock_flag(sk, SOCK_DEAD)) 1245 + *timeo = schedule_timeout(*timeo); 1246 + 1247 + __set_current_state(TASK_RUNNING); 1248 + remove_wait_queue(&nlk->wait, &wait); 1249 + sock_put(sk); 1250 + 1251 + if (signal_pending(current)) { 1252 + kfree_skb(skb); 1253 + return sock_intr_errno(*timeo); 1254 + } 1255 + 1256 + return 1; 1249 1257 } 1250 1258 1251 1259 static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb) ··· 1313 1307 ret = -ECONNREFUSED; 1314 1308 if (nlk->netlink_rcv != NULL) { 1315 1309 ret = skb->len; 1310 + atomic_add(skb->truesize, &sk->sk_rmem_alloc); 1316 1311 netlink_skb_set_owner_r(skb, sk); 1317 1312 NETLINK_CB(skb).sk = ssk; 1318 1313 netlink_deliver_tap_kernel(sk, ssk, skb); ··· 1390 1383 static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb) 1391 1384 { 1392 1385 struct netlink_sock *nlk = nlk_sk(sk); 1386 + unsigned int rmem, rcvbuf; 1393 1387 1394 - if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf && 1388 + rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); 1389 + rcvbuf = READ_ONCE(sk->sk_rcvbuf); 1390 + 1391 + if ((rmem != skb->truesize || rmem <= rcvbuf) && 1395 1392 !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { 1396 1393 netlink_skb_set_owner_r(skb, sk); 1397 1394 __netlink_sendskb(sk, skb); 1398 - return atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1); 1395 + return rmem > (rcvbuf >> 1); 1399 1396 } 1397 + 1398 + atomic_sub(skb->truesize, &sk->sk_rmem_alloc); 1400 1399 return -1; 1401 1400 } 1402 1401 ··· 2262 2249 struct module *module; 2263 2250 int err = -ENOBUFS; 2264 2251 int alloc_min_size; 2252 + unsigned int rmem; 2265 2253 int alloc_size; 2266 2254 2267 2255 if (!lock_taken) ··· 2271 2257 err = -EINVAL; 2272 2258 goto errout_skb; 2273 2259 } 2274 - 2275 - if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) 2276 - goto errout_skb; 2277 2260 2278 2261 /* NLMSG_GOODSIZE is small to avoid high order allocations being 2279 2262 * required, but it makes sense to _attempt_ a 32KiB allocation ··· 2293 2282 } 2294 2283 if (!skb) 2295 2284 goto errout_skb; 2285 + 2286 + rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); 2287 + if (rmem >= READ_ONCE(sk->sk_rcvbuf)) { 2288 + atomic_sub(skb->truesize, &sk->sk_rmem_alloc); 2289 + goto errout_skb; 2290 + } 2296 2291 2297 2292 /* Trim skb to allocated size. User is expected to provide buffer as 2298 2293 * large as max(min_dump_alloc, 32KiB (max_recvmsg_len capped at
+9 -6
net/rxrpc/ar-internal.h
··· 361 361 struct list_head new_client_calls; /* Newly created client calls need connection */ 362 362 spinlock_t client_call_lock; /* Lock for ->new_client_calls */ 363 363 struct sockaddr_rxrpc srx; /* local address */ 364 - /* Provide a kvec table sufficiently large to manage either a DATA 365 - * packet with a maximum set of jumbo subpackets or a PING ACK padded 366 - * out to 64K with zeropages for PMTUD. 367 - */ 368 - struct kvec kvec[1 + RXRPC_MAX_NR_JUMBO > 3 + 16 ? 369 - 1 + RXRPC_MAX_NR_JUMBO : 3 + 16]; 364 + union { 365 + /* Provide a kvec table sufficiently large to manage either a 366 + * DATA packet with a maximum set of jumbo subpackets or a PING 367 + * ACK padded out to 64K with zeropages for PMTUD. 368 + */ 369 + struct kvec kvec[1 + RXRPC_MAX_NR_JUMBO > 3 + 16 ? 370 + 1 + RXRPC_MAX_NR_JUMBO : 3 + 16]; 371 + struct bio_vec bvec[3 + 16]; 372 + }; 370 373 }; 371 374 372 375 /*
+4
net/rxrpc/call_accept.c
··· 149 149 150 150 id_in_use: 151 151 write_unlock(&rx->call_lock); 152 + rxrpc_prefail_call(call, RXRPC_CALL_LOCAL_ERROR, -EBADSLT); 152 153 rxrpc_cleanup_call(call); 153 154 _leave(" = -EBADSLT"); 154 155 return -EBADSLT; ··· 254 253 unsigned short call_head, conn_head, peer_head; 255 254 unsigned short call_tail, conn_tail, peer_tail; 256 255 unsigned short call_count, conn_count; 256 + 257 + if (!b) 258 + return NULL; 257 259 258 260 /* #calls >= #conns >= #peers must hold true. */ 259 261 call_head = smp_load_acquire(&b->call_backlog_head);
+4 -1
net/rxrpc/output.c
··· 924 924 { 925 925 struct rxrpc_skb_priv *sp = rxrpc_skb(response); 926 926 struct scatterlist sg[16]; 927 - struct bio_vec bvec[16]; 927 + struct bio_vec *bvec = conn->local->bvec; 928 928 struct msghdr msg; 929 929 size_t len = sp->resp.len; 930 930 __be32 wserial; ··· 938 938 if (ret < 0) 939 939 goto fail; 940 940 nr_sg = ret; 941 + ret = -EIO; 942 + if (WARN_ON_ONCE(nr_sg > ARRAY_SIZE(conn->local->bvec))) 943 + goto fail; 941 944 942 945 for (int i = 0; i < nr_sg; i++) 943 946 bvec_set_page(&bvec[i], sg_page(&sg[i]), sg[i].length, sg[i].offset);
+16 -17
net/sched/sch_api.c
··· 336 336 return q; 337 337 } 338 338 339 - static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid) 339 + static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid, 340 + struct netlink_ext_ack *extack) 340 341 { 341 342 unsigned long cl; 342 343 const struct Qdisc_class_ops *cops = p->ops->cl_ops; 343 344 344 - if (cops == NULL) 345 - return NULL; 345 + if (cops == NULL) { 346 + NL_SET_ERR_MSG(extack, "Parent qdisc is not classful"); 347 + return ERR_PTR(-EOPNOTSUPP); 348 + } 346 349 cl = cops->find(p, classid); 347 350 348 - if (cl == 0) 349 - return NULL; 351 + if (cl == 0) { 352 + NL_SET_ERR_MSG(extack, "Specified class not found"); 353 + return ERR_PTR(-ENOENT); 354 + } 350 355 return cops->leaf(p, cl); 351 356 } 352 357 ··· 600 595 pkt_len = 1; 601 596 qdisc_skb_cb(skb)->pkt_len = pkt_len; 602 597 } 603 - 604 - void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) 605 - { 606 - if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { 607 - pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", 608 - txt, qdisc->ops->id, qdisc->handle >> 16); 609 - qdisc->flags |= TCQ_F_WARN_NONWC; 610 - } 611 - } 612 - EXPORT_SYMBOL(qdisc_warn_nonwc); 613 598 614 599 static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer) 615 600 { ··· 1485 1490 NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid"); 1486 1491 return -ENOENT; 1487 1492 } 1488 - q = qdisc_leaf(p, clid); 1493 + q = qdisc_leaf(p, clid, extack); 1489 1494 } else if (dev_ingress_queue(dev)) { 1490 1495 q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping); 1491 1496 } ··· 1496 1501 NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); 1497 1502 return -ENOENT; 1498 1503 } 1504 + if (IS_ERR(q)) 1505 + return PTR_ERR(q); 1499 1506 1500 1507 if (tcm->tcm_handle && q->handle != tcm->tcm_handle) { 1501 1508 NL_SET_ERR_MSG(extack, "Invalid handle"); ··· 1599 1602 NL_SET_ERR_MSG(extack, "Failed to find specified qdisc"); 1600 1603 return -ENOENT; 1601 1604 } 1602 - q = qdisc_leaf(p, clid); 1605 + q = qdisc_leaf(p, clid, extack); 1606 + if (IS_ERR(q)) 1607 + return PTR_ERR(q); 1603 1608 } else if (dev_ingress_queue_create(dev)) { 1604 1609 q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping); 1605 1610 }
-16
net/sched/sch_hfsc.c
··· 835 835 } 836 836 } 837 837 838 - static unsigned int 839 - qdisc_peek_len(struct Qdisc *sch) 840 - { 841 - struct sk_buff *skb; 842 - unsigned int len; 843 - 844 - skb = sch->ops->peek(sch); 845 - if (unlikely(skb == NULL)) { 846 - qdisc_warn_nonwc("qdisc_peek_len", sch); 847 - return 0; 848 - } 849 - len = qdisc_pkt_len(skb); 850 - 851 - return len; 852 - } 853 - 854 838 static void 855 839 hfsc_adjust_levels(struct hfsc_class *cl) 856 840 {
+1 -1
net/sched/sch_qfq.c
··· 989 989 990 990 if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */ 991 991 list_del_init(&cl->alist); 992 - else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) { 992 + else if (cl->deficit < qdisc_peek_len(cl->qdisc)) { 993 993 cl->deficit += agg->lmax; 994 994 list_move_tail(&cl->alist, &agg->active); 995 995 }
+2
net/tipc/topsrv.c
··· 704 704 for (id = 0; srv->idr_in_use; id++) { 705 705 con = idr_find(&srv->conn_idr, id); 706 706 if (con) { 707 + conn_get(con); 707 708 spin_unlock_bh(&srv->idr_lock); 708 709 tipc_conn_close(con); 710 + conn_put(con); 709 711 spin_lock_bh(&srv->idr_lock); 710 712 } 711 713 }
+46 -11
net/vmw_vsock/af_vsock.c
··· 407 407 408 408 static bool vsock_use_local_transport(unsigned int remote_cid) 409 409 { 410 + lockdep_assert_held(&vsock_register_mutex); 411 + 410 412 if (!transport_local) 411 413 return false; 412 414 ··· 466 464 467 465 remote_flags = vsk->remote_addr.svm_flags; 468 466 467 + mutex_lock(&vsock_register_mutex); 468 + 469 469 switch (sk->sk_type) { 470 470 case SOCK_DGRAM: 471 471 new_transport = transport_dgram; ··· 483 479 new_transport = transport_h2g; 484 480 break; 485 481 default: 486 - return -ESOCKTNOSUPPORT; 482 + ret = -ESOCKTNOSUPPORT; 483 + goto err; 487 484 } 488 485 489 486 if (vsk->transport) { 490 - if (vsk->transport == new_transport) 491 - return 0; 487 + if (vsk->transport == new_transport) { 488 + ret = 0; 489 + goto err; 490 + } 492 491 493 492 /* transport->release() must be called with sock lock acquired. 494 493 * This path can only be taken during vsock_connect(), where we ··· 515 508 /* We increase the module refcnt to prevent the transport unloading 516 509 * while there are open sockets assigned to it. 517 510 */ 518 - if (!new_transport || !try_module_get(new_transport->module)) 519 - return -ENODEV; 511 + if (!new_transport || !try_module_get(new_transport->module)) { 512 + ret = -ENODEV; 513 + goto err; 514 + } 515 + 516 + /* It's safe to release the mutex after a successful try_module_get(). 517 + * Whichever transport `new_transport` points at, it won't go away until 518 + * the last module_put() below or in vsock_deassign_transport(). 519 + */ 520 + mutex_unlock(&vsock_register_mutex); 520 521 521 522 if (sk->sk_type == SOCK_SEQPACKET) { 522 523 if (!new_transport->seqpacket_allow || ··· 543 528 vsk->transport = new_transport; 544 529 545 530 return 0; 531 + err: 532 + mutex_unlock(&vsock_register_mutex); 533 + return ret; 546 534 } 547 535 EXPORT_SYMBOL_GPL(vsock_assign_transport); 548 536 537 + /* 538 + * Provide safe access to static transport_{h2g,g2h,dgram,local} callbacks. 539 + * Otherwise we may race with module removal. Do not use on `vsk->transport`. 540 + */ 541 + static u32 vsock_registered_transport_cid(const struct vsock_transport **transport) 542 + { 543 + u32 cid = VMADDR_CID_ANY; 544 + 545 + mutex_lock(&vsock_register_mutex); 546 + if (*transport) 547 + cid = (*transport)->get_local_cid(); 548 + mutex_unlock(&vsock_register_mutex); 549 + 550 + return cid; 551 + } 552 + 549 553 bool vsock_find_cid(unsigned int cid) 550 554 { 551 - if (transport_g2h && cid == transport_g2h->get_local_cid()) 555 + if (cid == vsock_registered_transport_cid(&transport_g2h)) 552 556 return true; 553 557 554 558 if (transport_h2g && cid == VMADDR_CID_HOST) ··· 2570 2536 unsigned int cmd, void __user *ptr) 2571 2537 { 2572 2538 u32 __user *p = ptr; 2573 - u32 cid = VMADDR_CID_ANY; 2574 2539 int retval = 0; 2540 + u32 cid; 2575 2541 2576 2542 switch (cmd) { 2577 2543 case IOCTL_VM_SOCKETS_GET_LOCAL_CID: 2578 2544 /* To be compatible with the VMCI behavior, we prioritize the 2579 2545 * guest CID instead of well-know host CID (VMADDR_CID_HOST). 2580 2546 */ 2581 - if (transport_g2h) 2582 - cid = transport_g2h->get_local_cid(); 2583 - else if (transport_h2g) 2584 - cid = transport_h2g->get_local_cid(); 2547 + cid = vsock_registered_transport_cid(&transport_g2h); 2548 + if (cid == VMADDR_CID_ANY) 2549 + cid = vsock_registered_transport_cid(&transport_h2g); 2550 + if (cid == VMADDR_CID_ANY) 2551 + cid = vsock_registered_transport_cid(&transport_local); 2585 2552 2586 2553 if (put_user(cid, p) != 0) 2587 2554 retval = -EFAULT;
+53
tools/testing/selftests/net/packetdrill/tcp_ooo-before-and-after-accept.pkt
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + 3 + --mss=1000 4 + 5 + `./defaults.sh 6 + sysctl -q net.ipv4.tcp_rmem="4096 131072 $((32*1024*1024))"` 7 + 8 + // Test that a not-yet-accepted socket does not change 9 + // its initial sk_rcvbuf (tcp_rmem[1]) when receiving ooo packets. 10 + 11 + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 12 + +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 13 + +0 bind(3, ..., ...) = 0 14 + +0 listen(3, 1) = 0 15 + 16 + +0 < S 0:0(0) win 65535 <mss 1000,nop,nop,sackOK,nop,wscale 7> 17 + +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 10> 18 + +.1 < . 1:1(0) ack 1 win 257 19 + +0 < . 2001:41001(39000) ack 1 win 257 20 + +0 > . 1:1(0) ack 1 <nop,nop,sack 2001:41001> 21 + +0 < . 41001:101001(60000) ack 1 win 257 22 + +0 > . 1:1(0) ack 1 <nop,nop,sack 2001:101001> 23 + +0 < . 1:1001(1000) ack 1 win 257 24 + +0 > . 1:1(0) ack 1001 <nop,nop,sack 2001:101001> 25 + +0 < . 1001:2001(1000) ack 1 win 257 26 + +0 > . 1:1(0) ack 101001 27 + 28 + +0 accept(3, ..., ...) = 4 29 + 30 + +0 %{ assert SK_MEMINFO_RCVBUF == 131072, SK_MEMINFO_RCVBUF }% 31 + 32 + +0 close(4) = 0 33 + +0 close(3) = 0 34 + 35 + // Test that ooo packets for accepted sockets do increase sk_rcvbuf 36 + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 37 + +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 38 + +0 bind(3, ..., ...) = 0 39 + +0 listen(3, 1) = 0 40 + 41 + +0 < S 0:0(0) win 65535 <mss 1000,nop,nop,sackOK,nop,wscale 7> 42 + +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 10> 43 + +.1 < . 1:1(0) ack 1 win 257 44 + 45 + +0 accept(3, ..., ...) = 4 46 + 47 + +0 < . 2001:41001(39000) ack 1 win 257 48 + +0 > . 1:1(0) ack 1 <nop,nop,sack 2001:41001> 49 + +0 < . 41001:101001(60000) ack 1 win 257 50 + +0 > . 1:1(0) ack 1 <nop,nop,sack 2001:101001> 51 + 52 + +0 %{ assert SK_MEMINFO_RCVBUF > 131072, SK_MEMINFO_RCVBUF }% 53 +
+37
tools/testing/selftests/tc-testing/tc-tests/infra/qdiscs.json
··· 635 635 "$TC qdisc del dev $DUMMY handle 1:0 root", 636 636 "$IP addr del 10.10.10.10/24 dev $DUMMY || true" 637 637 ] 638 + }, 639 + { 640 + "id": "d74b", 641 + "name": "Test use-after-free with DRR/NETEM/BLACKHOLE chain", 642 + "category": [ 643 + "qdisc", 644 + "hfsc", 645 + "drr", 646 + "netem", 647 + "blackhole" 648 + ], 649 + "plugins": { 650 + "requires": [ 651 + "nsPlugin", 652 + "scapyPlugin" 653 + ] 654 + }, 655 + "setup": [ 656 + "$IP link set dev $DUMMY up || true", 657 + "$IP addr add 10.10.11.10/24 dev $DUMMY || true", 658 + "$TC qdisc add dev $DUMMY root handle 1: drr", 659 + "$TC filter add dev $DUMMY parent 1: basic classid 1:1", 660 + "$TC class add dev $DUMMY parent 1: classid 1:1 drr", 661 + "$TC qdisc add dev $DUMMY parent 1:1 handle 2: hfsc def 1", 662 + "$TC class add dev $DUMMY parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0", 663 + "$TC qdisc add dev $DUMMY parent 2:1 handle 3: netem", 664 + "$TC qdisc add dev $DUMMY parent 3:1 handle 4: blackhole", 665 + "ping -c1 -W0.01 -I $DUMMY 10.10.11.11 || true", 666 + "$TC class del dev $DUMMY classid 1:1" 667 + ], 668 + "cmdUnderTest": "ping -c1 -W0.01 -I $DUMMY 10.10.11.11", 669 + "expExitCode": "1", 670 + "verifyCmd": "$TC -j class ls dev $DUMMY classid 1:1", 671 + "matchJSON": [], 672 + "teardown": [ 673 + "$TC qdisc del dev $DUMMY root handle 1: drr" 674 + ] 638 675 } 639 676 ]