Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

1) Out of bounds access in xfrm IPSEC policy unlink, from Yue Haibing.

2) Missing length check for esp4 UDP encap, from Sabrina Dubroca.

3) Fix byte order of RX STBC access in mac80211, from Johannes Berg.

4) Infinite loop in bpftool map create, from Alban Crequy.

5) Register mark fix in ebpf verifier after pkt/null checks, from Paul
Chaignon.

6) Properly use rcu_dereference_sk_user_data in L2TP code, from Eric
Dumazet.

7) Buffer overrun in marvell phy driver, from Andrew Lunn.

8) Several crash and statistics handling fixes to bnxt_en driver, from
Michael Chan and Vasundhara Volam.

9) Several fixes to the TLS layer from Jakub Kicinski (copying negative
amounts of data in reencrypt, reencrypt frag copying, blind nskb->sk
NULL deref, etc).

10) Several UDP GRO fixes, from Paolo Abeni and Eric Dumazet.

11) PID/UID checks on ipv6 flow labels are inverted, from Willem de
Bruijn.

12) Use after free in l2tp, from Eric Dumazet.

13) IPV6 route destroy races, also from Eric Dumazet.

14) SCTP state machine can erroneously run recursively, fix from Xin
Long.

15) Adjust AF_PACKET msg_name length checks, add padding bytes if
necessary. From Willem de Bruijn.

16) Preserve skb_iif, so that forwarded packets have consistent values
even if fragmentation is involved. From Shmulik Ladkani.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
udp: fix GRO packet of death
ipv6: A few fixes on dereferencing rt->from
rds: ib: force endiannes annotation
selftests: fib_rule_tests: print the result and return 1 if any tests failed
ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
net/tls: avoid NULL pointer deref on nskb->sk in fallback
selftests: fib_rule_tests: Fix icmp proto with ipv6
packet: validate msg_namelen in send directly
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
sctp: avoid running the sctp state machine recursively
stmmac: pci: Fix typo in IOT2000 comment
Documentation: fix netdev-FAQ.rst markup warning
ipv6: fix races in ip6_dst_destroy()
l2ip: fix possible use-after-free
appletalk: Set error code if register_snap_client failed
net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc
rxrpc: Fix net namespace cleanup
ipv6/flowlabel: wait rcu grace period before put_pid()
vrf: Use orig netdev to count Ip6InNoRoutes and a fresh route lookup when sending dest unreach
tcp: add sanity tests in tcp_add_backlog()
...

+548 -293
+2
Documentation/networking/ip-sysctl.txt
··· 1337 1337 Default value is 0. 1338 1338 1339 1339 xfrm4_gc_thresh - INTEGER 1340 + (Obsolete since linux-4.14) 1340 1341 The threshold at which we will start garbage collecting for IPv4 1341 1342 destination cache entries. At twice this value the system will 1342 1343 refuse new allocations. ··· 1921 1920 Default: 0 1922 1921 1923 1922 xfrm6_gc_thresh - INTEGER 1923 + (Obsolete since linux-4.14) 1924 1924 The threshold at which we will start garbage collecting for IPv6 1925 1925 destination cache entries. At twice this value the system will 1926 1926 refuse new allocations.
+1 -1
Documentation/networking/netdev-FAQ.rst
··· 132 132 will reply and ask what should be done. 133 133 134 134 Q: I made changes to only a few patches in a patch series should I resend only those changed? 135 - -------------------------------------------------------------------------------------------- 135 + --------------------------------------------------------------------------------------------- 136 136 A: No, please resend the entire patch series and make sure you do number your 137 137 patches such that it is clear this is the latest and greatest set of patches 138 138 that can be applied.
+3 -2
arch/mips/net/ebpf_jit.c
··· 186 186 * separate frame pointer, so BPF_REG_10 relative accesses are 187 187 * adjusted to be $sp relative. 188 188 */ 189 - int ebpf_to_mips_reg(struct jit_ctx *ctx, const struct bpf_insn *insn, 190 - enum which_ebpf_reg w) 189 + static int ebpf_to_mips_reg(struct jit_ctx *ctx, 190 + const struct bpf_insn *insn, 191 + enum which_ebpf_reg w) 191 192 { 192 193 int ebpf_reg = (w == src_reg || w == src_reg_no_fp) ? 193 194 insn->src_reg : insn->dst_reg;
+6
drivers/net/dsa/bcm_sf2_cfp.c
··· 886 886 fs->m_ext.data[1])) 887 887 return -EINVAL; 888 888 889 + if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES) 890 + return -EINVAL; 891 + 889 892 if (fs->location != RX_CLS_LOC_ANY && 890 893 test_bit(fs->location, priv->cfp.used)) 891 894 return -EBUSY; ··· 976 973 { 977 974 struct cfp_rule *rule; 978 975 int ret; 976 + 977 + if (loc >= CFP_NUM_RULES) 978 + return -EINVAL; 979 979 980 980 /* Refuse deleting unused rules, and those that are not unique since 981 981 * that could leave IPv6 rules with one of the chained rule in the
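Review bot: the type of loc is not visible in the delete-path hunk, and the new guard there only tests `loc >= CFP_NUM_RULES`; if loc is a signed type, a negative value passes the guard, so it is worth confirming the parameter is unsigned or adding a lower-bound test. In the rule-set hunk the new test repeats `fs->location != RX_CLS_LOC_ANY` from the test_bit() check directly below it; putting both under one `if (fs->location != RX_CLS_LOC_ANY)` block would keep the bounds check and the bitmap lookup on priv->cfp.used visibly tied together.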
+32 -21
drivers/net/ethernet/broadcom/bnxt/bnxt.c
··· 1625 1625 netdev_warn(bp->dev, "RX buffer error %x\n", rx_err); 1626 1626 bnxt_sched_reset(bp, rxr); 1627 1627 } 1628 - goto next_rx; 1628 + goto next_rx_no_len; 1629 1629 } 1630 1630 1631 1631 len = le32_to_cpu(rxcmp->rx_cmp_len_flags_type) >> RX_CMP_LEN_SHIFT; ··· 1706 1706 rc = 1; 1707 1707 1708 1708 next_rx: 1709 - rxr->rx_prod = NEXT_RX(prod); 1710 - rxr->rx_next_cons = NEXT_RX(cons); 1711 - 1712 1709 cpr->rx_packets += 1; 1713 1710 cpr->rx_bytes += len; 1711 + 1712 + next_rx_no_len: 1713 + rxr->rx_prod = NEXT_RX(prod); 1714 + rxr->rx_next_cons = NEXT_RX(cons); 1714 1715 1715 1716 next_rx_no_prod_no_len: 1716 1717 *raw_cons = tmp_raw_cons; ··· 5136 5135 for (i = 0; i < bp->tx_nr_rings; i++) { 5137 5136 struct bnxt_tx_ring_info *txr = &bp->tx_ring[i]; 5138 5137 struct bnxt_ring_struct *ring = &txr->tx_ring_struct; 5139 - u32 cmpl_ring_id; 5140 5138 5141 - cmpl_ring_id = bnxt_cp_ring_for_tx(bp, txr); 5142 5139 if (ring->fw_ring_id != INVALID_HW_RING_ID) { 5140 + u32 cmpl_ring_id = bnxt_cp_ring_for_tx(bp, txr); 5141 + 5143 5142 hwrm_ring_free_send_msg(bp, ring, 5144 5143 RING_FREE_REQ_RING_TYPE_TX, 5145 5144 close_path ? cmpl_ring_id : ··· 5152 5151 struct bnxt_rx_ring_info *rxr = &bp->rx_ring[i]; 5153 5152 struct bnxt_ring_struct *ring = &rxr->rx_ring_struct; 5154 5153 u32 grp_idx = rxr->bnapi->index; 5155 - u32 cmpl_ring_id; 5156 5154 5157 - cmpl_ring_id = bnxt_cp_ring_for_rx(bp, rxr); 5158 5155 if (ring->fw_ring_id != INVALID_HW_RING_ID) { 5156 + u32 cmpl_ring_id = bnxt_cp_ring_for_rx(bp, rxr); 5157 + 5159 5158 hwrm_ring_free_send_msg(bp, ring, 5160 5159 RING_FREE_REQ_RING_TYPE_RX, 5161 5160 close_path ? 
cmpl_ring_id : ··· 5174 5173 struct bnxt_rx_ring_info *rxr = &bp->rx_ring[i]; 5175 5174 struct bnxt_ring_struct *ring = &rxr->rx_agg_ring_struct; 5176 5175 u32 grp_idx = rxr->bnapi->index; 5177 - u32 cmpl_ring_id; 5178 5176 5179 - cmpl_ring_id = bnxt_cp_ring_for_rx(bp, rxr); 5180 5177 if (ring->fw_ring_id != INVALID_HW_RING_ID) { 5178 + u32 cmpl_ring_id = bnxt_cp_ring_for_rx(bp, rxr); 5179 + 5181 5180 hwrm_ring_free_send_msg(bp, ring, type, 5182 5181 close_path ? cmpl_ring_id : 5183 5182 INVALID_HW_RING_ID); ··· 5316 5315 req->num_tx_rings = cpu_to_le16(tx_rings); 5317 5316 if (BNXT_NEW_RM(bp)) { 5318 5317 enables |= rx_rings ? FUNC_CFG_REQ_ENABLES_NUM_RX_RINGS : 0; 5318 + enables |= stats ? FUNC_CFG_REQ_ENABLES_NUM_STAT_CTXS : 0; 5319 5319 if (bp->flags & BNXT_FLAG_CHIP_P5) { 5320 5320 enables |= cp_rings ? FUNC_CFG_REQ_ENABLES_NUM_MSIX : 0; 5321 5321 enables |= tx_rings + ring_grps ? 5322 - FUNC_CFG_REQ_ENABLES_NUM_CMPL_RINGS | 5323 - FUNC_CFG_REQ_ENABLES_NUM_STAT_CTXS : 0; 5322 + FUNC_CFG_REQ_ENABLES_NUM_CMPL_RINGS : 0; 5324 5323 enables |= rx_rings ? 5325 5324 FUNC_CFG_REQ_ENABLES_NUM_RSSCOS_CTXS : 0; 5326 5325 } else { 5327 5326 enables |= cp_rings ? 5328 - FUNC_CFG_REQ_ENABLES_NUM_CMPL_RINGS | 5329 - FUNC_CFG_REQ_ENABLES_NUM_STAT_CTXS : 0; 5327 + FUNC_CFG_REQ_ENABLES_NUM_CMPL_RINGS : 0; 5330 5328 enables |= ring_grps ? 5331 5329 FUNC_CFG_REQ_ENABLES_NUM_HW_RING_GRPS | 5332 5330 FUNC_CFG_REQ_ENABLES_NUM_RSSCOS_CTXS : 0; ··· 5365 5365 enables |= tx_rings ? FUNC_VF_CFG_REQ_ENABLES_NUM_TX_RINGS : 0; 5366 5366 enables |= rx_rings ? FUNC_VF_CFG_REQ_ENABLES_NUM_RX_RINGS | 5367 5367 FUNC_VF_CFG_REQ_ENABLES_NUM_RSSCOS_CTXS : 0; 5368 + enables |= stats ? FUNC_VF_CFG_REQ_ENABLES_NUM_STAT_CTXS : 0; 5368 5369 if (bp->flags & BNXT_FLAG_CHIP_P5) { 5369 5370 enables |= tx_rings + ring_grps ? 
5370 - FUNC_VF_CFG_REQ_ENABLES_NUM_CMPL_RINGS | 5371 - FUNC_VF_CFG_REQ_ENABLES_NUM_STAT_CTXS : 0; 5371 + FUNC_VF_CFG_REQ_ENABLES_NUM_CMPL_RINGS : 0; 5372 5372 } else { 5373 5373 enables |= cp_rings ? 5374 - FUNC_VF_CFG_REQ_ENABLES_NUM_CMPL_RINGS | 5375 - FUNC_VF_CFG_REQ_ENABLES_NUM_STAT_CTXS : 0; 5374 + FUNC_VF_CFG_REQ_ENABLES_NUM_CMPL_RINGS : 0; 5376 5375 enables |= ring_grps ? 5377 5376 FUNC_VF_CFG_REQ_ENABLES_NUM_HW_RING_GRPS : 0; 5378 5377 } ··· 6752 6753 struct hwrm_queue_pri2cos_qcfg_input req2 = {0}; 6753 6754 struct hwrm_port_qstats_ext_input req = {0}; 6754 6755 struct bnxt_pf_info *pf = &bp->pf; 6756 + u32 tx_stat_size; 6755 6757 int rc; 6756 6758 6757 6759 if (!(bp->flags & BNXT_FLAG_PORT_STATS_EXT)) ··· 6762 6762 req.port_id = cpu_to_le16(pf->port_id); 6763 6763 req.rx_stat_size = cpu_to_le16(sizeof(struct rx_port_stats_ext)); 6764 6764 req.rx_stat_host_addr = cpu_to_le64(bp->hw_rx_port_stats_ext_map); 6765 - req.tx_stat_size = cpu_to_le16(sizeof(struct tx_port_stats_ext)); 6765 + tx_stat_size = bp->hw_tx_port_stats_ext ? 6766 + sizeof(*bp->hw_tx_port_stats_ext) : 0; 6767 + req.tx_stat_size = cpu_to_le16(tx_stat_size); 6766 6768 req.tx_stat_host_addr = cpu_to_le64(bp->hw_tx_port_stats_ext_map); 6767 6769 mutex_lock(&bp->hwrm_cmd_lock); 6768 6770 rc = _hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); 6769 6771 if (!rc) { 6770 6772 bp->fw_rx_stats_ext_size = le16_to_cpu(resp->rx_stat_size) / 8; 6771 - bp->fw_tx_stats_ext_size = le16_to_cpu(resp->tx_stat_size) / 8; 6773 + bp->fw_tx_stats_ext_size = tx_stat_size ? 
6774 + le16_to_cpu(resp->tx_stat_size) / 8 : 0; 6772 6775 } else { 6773 6776 bp->fw_rx_stats_ext_size = 0; 6774 6777 bp->fw_tx_stats_ext_size = 0; ··· 8964 8961 8965 8962 skip_uc: 8966 8963 rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); 8964 + if (rc && vnic->mc_list_count) { 8965 + netdev_info(bp->dev, "Failed setting MC filters rc: %d, turning on ALL_MCAST mode\n", 8966 + rc); 8967 + vnic->rx_mask |= CFA_L2_SET_RX_MASK_REQ_MASK_ALL_MCAST; 8968 + vnic->mc_list_count = 0; 8969 + rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); 8970 + } 8967 8971 if (rc) 8968 - netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %x\n", 8972 + netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %d\n", 8969 8973 rc); 8970 8974 8971 8975 return rc; ··· 10695 10685 bnxt_clear_int_mode(bp); 10696 10686 10697 10687 init_err_pci_clean: 10688 + bnxt_free_hwrm_short_cmd_req(bp); 10698 10689 bnxt_free_hwrm_resources(bp); 10699 10690 bnxt_free_ctx_mem(bp); 10700 10691 kfree(bp->ctx);
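Review bot: the extended port stats hunk guards only the TX side. tx_stat_size becomes 0 when bp->hw_tx_port_stats_ext is NULL, but req.rx_stat_size is still the unconditional sizeof(struct rx_port_stats_ext) and bp->fw_rx_stats_ext_size is still taken straight from the response. If the RX buffer can also be absent it needs the same guard; if it is always allocated whenever BNXT_FLAG_PORT_STATS_EXT is set, a one-line comment saying so would explain the asymmetry. Separately, the ALL_MCAST fallback reports a failed request at netdev_info level; netdev_warn would match what the message says.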
+3
drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c
··· 333 333 */ 334 334 dwmac->irq_pwr_wakeup = platform_get_irq_byname(pdev, 335 335 "stm32_pwr_wakeup"); 336 + if (dwmac->irq_pwr_wakeup == -EPROBE_DEFER) 337 + return -EPROBE_DEFER; 338 + 336 339 if (!dwmac->clk_eth_ck && dwmac->irq_pwr_wakeup >= 0) { 337 340 err = device_init_wakeup(&pdev->dev, true); 338 341 if (err) {
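Review bot: only -EPROBE_DEFER is propagated from platform_get_irq_byname(); every other negative return falls through to the `dwmac->irq_pwr_wakeup >= 0` test and is silently treated as "no wakeup IRQ". If that is intended because the IRQ is optional, a short comment above the new check would make it explicit.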
+1 -1
drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
··· 160 160 .driver_data = (void *)&galileo_stmmac_dmi_data, 161 161 }, 162 162 /* 163 - * There are 2 types of SIMATIC IOT2000: IOT20202 and IOT2040. 163 + * There are 2 types of SIMATIC IOT2000: IOT2020 and IOT2040. 164 164 * The asset tag "6ES7647-0AA00-0YA2" is only for IOT2020 which 165 165 * has only one pci network device while other asset tags are 166 166 * for IOT2040 which has two.
+6
drivers/net/ieee802154/mcr20a.c
··· 533 533 dev_dbg(printdev(lp), "no slotted operation\n"); 534 534 ret = regmap_update_bits(lp->regmap_dar, DAR_PHY_CTRL1, 535 535 DAR_PHY_CTRL1_SLOTTED, 0x0); 536 + if (ret < 0) 537 + return ret; 536 538 537 539 /* enable irq */ 538 540 enable_irq(lp->spi->irq); ··· 542 540 /* Unmask SEQ interrupt */ 543 541 ret = regmap_update_bits(lp->regmap_dar, DAR_PHY_CTRL2, 544 542 DAR_PHY_CTRL2_SEQMSK, 0x0); 543 + if (ret < 0) 544 + return ret; 545 545 546 546 /* Start the RX sequence */ 547 547 dev_dbg(printdev(lp), "start the RX sequence\n"); 548 548 ret = regmap_update_bits(lp->regmap_dar, DAR_PHY_CTRL1, 549 549 DAR_PHY_CTRL1_XCVSEQ_MASK, MCR20A_XCVSEQ_RX); 550 + if (ret < 0) 551 + return ret; 550 552 551 553 return 0; 552 554 }
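Review bot: the second and third new `return ret` paths sit after enable_irq(lp->spi->irq), so a regmap_update_bits() failure there leaves the function with the IRQ enabled and the RX sequence not started, while the first new return exits before the IRQ is enabled. Consider calling disable_irq() on those two error paths so that all three failures leave the device in the same state.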
+4 -2
drivers/net/phy/marvell.c
··· 1489 1489 1490 1490 static void marvell_get_strings(struct phy_device *phydev, u8 *data) 1491 1491 { 1492 + int count = marvell_get_sset_count(phydev); 1492 1493 int i; 1493 1494 1494 - for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++) { 1495 + for (i = 0; i < count; i++) { 1495 1496 strlcpy(data + i * ETH_GSTRING_LEN, 1496 1497 marvell_hw_stats[i].string, ETH_GSTRING_LEN); 1497 1498 } ··· 1520 1519 static void marvell_get_stats(struct phy_device *phydev, 1521 1520 struct ethtool_stats *stats, u64 *data) 1522 1521 { 1522 + int count = marvell_get_sset_count(phydev); 1523 1523 int i; 1524 1524 1525 - for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++) 1525 + for (i = 0; i < count; i++) 1526 1526 data[i] = marvell_get_stat(phydev, i); 1527 1527 } 1528 1528
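Review bot: both loops still index marvell_hw_stats[i], but their bound is now whatever marvell_get_sset_count() returns, and that function is not part of this hunk. The fix is only safe if its return value can never exceed ARRAY_SIZE(marvell_hw_stats); a comment stating that invariant, or clamping count to the array size, would keep the read in bounds if the count logic changes later.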
+10
drivers/net/usb/qmi_wwan.c
··· 1122 1122 {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */ 1123 1123 {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ 1124 1124 {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ 1125 + {QMI_FIXED_INTF(0x1435, 0x0918, 3)}, /* Wistron NeWeb D16Q1 */ 1126 + {QMI_FIXED_INTF(0x1435, 0x0918, 4)}, /* Wistron NeWeb D16Q1 */ 1127 + {QMI_FIXED_INTF(0x1435, 0x0918, 5)}, /* Wistron NeWeb D16Q1 */ 1128 + {QMI_FIXED_INTF(0x1435, 0x3185, 4)}, /* Wistron NeWeb M18Q5 */ 1129 + {QMI_FIXED_INTF(0x1435, 0xd111, 4)}, /* M9615A DM11-1 D51QC */ 1125 1130 {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ 1126 1131 {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */ 1127 1132 {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */ 1133 + {QMI_FIXED_INTF(0x1435, 0xd182, 4)}, /* Wistron NeWeb D18 */ 1134 + {QMI_FIXED_INTF(0x1435, 0xd182, 5)}, /* Wistron NeWeb D18 */ 1128 1135 {QMI_FIXED_INTF(0x1435, 0xd191, 4)}, /* Wistron NeWeb D19Q1 */ 1129 1136 {QMI_QUIRK_SET_DTR(0x1508, 0x1001, 4)}, /* Fibocom NL668 series */ 1130 1137 {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */ ··· 1187 1180 {QMI_FIXED_INTF(0x19d2, 0x0265, 4)}, /* ONDA MT8205 4G LTE */ 1188 1181 {QMI_FIXED_INTF(0x19d2, 0x0284, 4)}, /* ZTE MF880 */ 1189 1182 {QMI_FIXED_INTF(0x19d2, 0x0326, 4)}, /* ZTE MF821D */ 1183 + {QMI_FIXED_INTF(0x19d2, 0x0396, 3)}, /* ZTE ZM8620 */ 1190 1184 {QMI_FIXED_INTF(0x19d2, 0x0412, 4)}, /* Telewell TW-LTE 4G */ 1191 1185 {QMI_FIXED_INTF(0x19d2, 0x1008, 4)}, /* ZTE (Vodafone) K3570-Z */ 1192 1186 {QMI_FIXED_INTF(0x19d2, 0x1010, 4)}, /* ZTE (Vodafone) K3571-Z */ ··· 1208 1200 {QMI_FIXED_INTF(0x19d2, 0x1425, 2)}, 1209 1201 {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */ 1210 1202 {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */ 1203 + {QMI_FIXED_INTF(0x19d2, 0x1432, 3)}, /* ZTE ME3620 */ 1211 1204 {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ 1205 + {QMI_FIXED_INTF(0x2001, 0x7e16, 3)}, /* D-Link 
DWM-221 */ 1212 1206 {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ 1213 1207 {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ 1214 1208 {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
+1 -1
drivers/net/wireless/ath/ath10k/ce.c
··· 1855 1855 struct ath10k_ce_crash_data ce_data; 1856 1856 u32 addr, id; 1857 1857 1858 - lockdep_assert_held(&ar->data_lock); 1858 + lockdep_assert_held(&ar->dump_mutex); 1859 1859 1860 1860 ath10k_err(ar, "Copy Engine register dump:\n"); 1861 1861
+1
drivers/net/wireless/ath/ath10k/core.c
··· 3119 3119 goto err_free_wq; 3120 3120 3121 3121 mutex_init(&ar->conf_mutex); 3122 + mutex_init(&ar->dump_mutex); 3122 3123 spin_lock_init(&ar->data_lock); 3123 3124 3124 3125 INIT_LIST_HEAD(&ar->peers);
+3
drivers/net/wireless/ath/ath10k/core.h
··· 1063 1063 /* prevents concurrent FW reconfiguration */ 1064 1064 struct mutex conf_mutex; 1065 1065 1066 + /* protects coredump data */ 1067 + struct mutex dump_mutex; 1068 + 1066 1069 /* protects shared structure data */ 1067 1070 spinlock_t data_lock; 1068 1071
+3 -3
drivers/net/wireless/ath/ath10k/coredump.c
··· 1102 1102 { 1103 1103 struct ath10k_fw_crash_data *crash_data = ar->coredump.fw_crash_data; 1104 1104 1105 - lockdep_assert_held(&ar->data_lock); 1105 + lockdep_assert_held(&ar->dump_mutex); 1106 1106 1107 1107 if (ath10k_coredump_mask == 0) 1108 1108 /* coredump disabled */ ··· 1146 1146 if (!buf) 1147 1147 return NULL; 1148 1148 1149 - spin_lock_bh(&ar->data_lock); 1149 + mutex_lock(&ar->dump_mutex); 1150 1150 1151 1151 dump_data = (struct ath10k_dump_file_data *)(buf); 1152 1152 strlcpy(dump_data->df_magic, "ATH10K-FW-DUMP", ··· 1213 1213 sofar += sizeof(*dump_tlv) + crash_data->ramdump_buf_len; 1214 1214 } 1215 1215 1216 - spin_unlock_bh(&ar->data_lock); 1216 + mutex_unlock(&ar->dump_mutex); 1217 1217 1218 1218 return dump_data; 1219 1219 }
+2 -2
drivers/net/wireless/ath/ath10k/mac.c
··· 5774 5774 } 5775 5775 5776 5776 if (changed & BSS_CHANGED_MCAST_RATE && 5777 - !WARN_ON(ath10k_mac_vif_chan(arvif->vif, &def))) { 5777 + !ath10k_mac_vif_chan(arvif->vif, &def)) { 5778 5778 band = def.chan->band; 5779 5779 rateidx = vif->bss_conf.mcast_rate[band] - 1; 5780 5780 ··· 5812 5812 } 5813 5813 5814 5814 if (changed & BSS_CHANGED_BASIC_RATES) { 5815 - if (WARN_ON(ath10k_mac_vif_chan(vif, &def))) { 5815 + if (ath10k_mac_vif_chan(vif, &def)) { 5816 5816 mutex_unlock(&ar->conf_mutex); 5817 5817 return; 5818 5818 }
+19 -5
drivers/net/wireless/ath/ath10k/pci.c
··· 1441 1441 __le32 reg_dump_values[REG_DUMP_COUNT_QCA988X] = {}; 1442 1442 int i, ret; 1443 1443 1444 - lockdep_assert_held(&ar->data_lock); 1444 + lockdep_assert_held(&ar->dump_mutex); 1445 1445 1446 1446 ret = ath10k_pci_diag_read_hi(ar, &reg_dump_values[0], 1447 1447 hi_failure_state, ··· 1656 1656 int ret, i; 1657 1657 u8 *buf; 1658 1658 1659 - lockdep_assert_held(&ar->data_lock); 1659 + lockdep_assert_held(&ar->dump_mutex); 1660 1660 1661 1661 if (!crash_data) 1662 1662 return; ··· 1734 1734 } 1735 1735 } 1736 1736 1737 - static void ath10k_pci_fw_crashed_dump(struct ath10k *ar) 1737 + static void ath10k_pci_fw_dump_work(struct work_struct *work) 1738 1738 { 1739 + struct ath10k_pci *ar_pci = container_of(work, struct ath10k_pci, 1740 + dump_work); 1739 1741 struct ath10k_fw_crash_data *crash_data; 1742 + struct ath10k *ar = ar_pci->ar; 1740 1743 char guid[UUID_STRING_LEN + 1]; 1741 1744 1742 - spin_lock_bh(&ar->data_lock); 1745 + mutex_lock(&ar->dump_mutex); 1743 1746 1747 + spin_lock_bh(&ar->data_lock); 1744 1748 ar->stats.fw_crash_counter++; 1749 + spin_unlock_bh(&ar->data_lock); 1745 1750 1746 1751 crash_data = ath10k_coredump_new(ar); 1747 1752 ··· 1761 1756 ath10k_ce_dump_registers(ar, crash_data); 1762 1757 ath10k_pci_dump_memory(ar, crash_data); 1763 1758 1764 - spin_unlock_bh(&ar->data_lock); 1759 + mutex_unlock(&ar->dump_mutex); 1765 1760 1766 1761 queue_work(ar->workqueue, &ar->restart_work); 1762 + } 1763 + 1764 + static void ath10k_pci_fw_crashed_dump(struct ath10k *ar) 1765 + { 1766 + struct ath10k_pci *ar_pci = ath10k_pci_priv(ar); 1767 + 1768 + queue_work(ar->workqueue, &ar_pci->dump_work); 1767 1769 } 1768 1770 1769 1771 void ath10k_pci_hif_send_complete_check(struct ath10k *ar, u8 pipe, ··· 3453 3441 spin_lock_init(&ce->ce_lock); 3454 3442 spin_lock_init(&ar_pci->ps_lock); 3455 3443 mutex_init(&ar_pci->ce_diag_mutex); 3444 + 3445 + INIT_WORK(&ar_pci->dump_work, ath10k_pci_fw_dump_work); 3456 3446 3457 3447 
timer_setup(&ar_pci->rx_post_retry, ath10k_pci_rx_replenish_retry, 0); 3458 3448
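Review bot: dump_work is initialised with INIT_WORK() and queued from ath10k_pci_fw_crashed_dump(), but none of the pci.c hunks shown here adds a cancel_work_sync(&ar_pci->dump_work). Since ath10k_pci_fw_dump_work() dereferences ar_pci->ar and takes ar->dump_mutex, please check that the stop/remove path cancels or flushes the work before those structures are torn down, and add the cancel there if it does not.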
+2
drivers/net/wireless/ath/ath10k/pci.h
··· 121 121 /* For protecting ce_diag */ 122 122 struct mutex ce_diag_mutex; 123 123 124 + struct work_struct dump_work; 125 + 124 126 struct ath10k_ce ce; 125 127 struct timer_list rx_post_retry; 126 128
+1 -1
drivers/net/wireless/intel/iwlwifi/cfg/22000.c
··· 201 201 #define IWL_DEVICE_AX210 \ 202 202 IWL_DEVICE_AX200_COMMON, \ 203 203 .device_family = IWL_DEVICE_FAMILY_AX210, \ 204 - .base_params = &iwl_22000_base_params, \ 204 + .base_params = &iwl_22560_base_params, \ 205 205 .csr = &iwl_csr_v1, \ 206 206 .min_txq_size = 128 207 207
+2 -1
drivers/net/wireless/intel/iwlwifi/cfg/5000.c
··· 1 1 /****************************************************************************** 2 2 * 3 3 * Copyright(c) 2007 - 2014 Intel Corporation. All rights reserved. 4 - * Copyright(c) 2018 Intel Corporation 4 + * Copyright(c) 2018 - 2019 Intel Corporation 5 5 * 6 6 * This program is free software; you can redistribute it and/or modify it 7 7 * under the terms of version 2 of the GNU General Public License as ··· 136 136 .ht_params = &iwl5000_ht_params, 137 137 .led_mode = IWL_LED_BLINK, 138 138 .internal_wimax_coex = true, 139 + .csr = &iwl_csr_v1, 139 140 }; 140 141 141 142 #define IWL_DEVICE_5150 \
+9 -6
drivers/net/wireless/intel/iwlwifi/fw/file.h
··· 93 93 } u; 94 94 }; 95 95 96 - #define IWL_UCODE_INI_TLV_GROUP BIT(24) 96 + #define IWL_UCODE_INI_TLV_GROUP 0x1000000 97 97 98 98 /* 99 99 * new TLV uCode file layout ··· 148 148 IWL_UCODE_TLV_UMAC_DEBUG_ADDRS = 54, 149 149 IWL_UCODE_TLV_LMAC_DEBUG_ADDRS = 55, 150 150 IWL_UCODE_TLV_FW_RECOVERY_INFO = 57, 151 - IWL_UCODE_TLV_TYPE_BUFFER_ALLOCATION = IWL_UCODE_INI_TLV_GROUP | 0x1, 152 - IWL_UCODE_TLV_TYPE_HCMD = IWL_UCODE_INI_TLV_GROUP | 0x2, 153 - IWL_UCODE_TLV_TYPE_REGIONS = IWL_UCODE_INI_TLV_GROUP | 0x3, 154 - IWL_UCODE_TLV_TYPE_TRIGGERS = IWL_UCODE_INI_TLV_GROUP | 0x4, 155 - IWL_UCODE_TLV_TYPE_DEBUG_FLOW = IWL_UCODE_INI_TLV_GROUP | 0x5, 151 + 152 + IWL_UCODE_TLV_TYPE_BUFFER_ALLOCATION = IWL_UCODE_INI_TLV_GROUP + 0x1, 153 + IWL_UCODE_TLV_DEBUG_BASE = IWL_UCODE_TLV_TYPE_BUFFER_ALLOCATION, 154 + IWL_UCODE_TLV_TYPE_HCMD = IWL_UCODE_INI_TLV_GROUP + 0x2, 155 + IWL_UCODE_TLV_TYPE_REGIONS = IWL_UCODE_INI_TLV_GROUP + 0x3, 156 + IWL_UCODE_TLV_TYPE_TRIGGERS = IWL_UCODE_INI_TLV_GROUP + 0x4, 157 + IWL_UCODE_TLV_TYPE_DEBUG_FLOW = IWL_UCODE_INI_TLV_GROUP + 0x5, 158 + IWL_UCODE_TLV_DEBUG_MAX = IWL_UCODE_TLV_TYPE_DEBUG_FLOW, 156 159 157 160 /* TLVs 0x1000-0x2000 are for internal driver usage */ 158 161 IWL_UCODE_TLV_FW_DBG_DUMP_LST = 0x1000,
+2 -1
drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
··· 126 126 len -= ALIGN(tlv_len, 4); 127 127 data += sizeof(*tlv) + ALIGN(tlv_len, 4); 128 128 129 - if (!(tlv_type & IWL_UCODE_INI_TLV_GROUP)) 129 + if (tlv_type < IWL_UCODE_TLV_DEBUG_BASE || 130 + tlv_type > IWL_UCODE_TLV_DEBUG_MAX) 130 131 continue; 131 132 132 133 hdr = (void *)&tlv->data[0];
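Review bot: the new range test depends on IWL_UCODE_TLV_DEBUG_BASE and IWL_UCODE_TLV_DEBUG_MAX, which file.h defines as aliases of the first and last debug TLV types. A debug TLV type added later after IWL_UCODE_TLV_TYPE_DEBUG_FLOW without moving IWL_UCODE_TLV_DEBUG_MAX would be skipped silently by this `continue`. A comment next to the two aliases in file.h saying they must bracket all debug TLV types would prevent that.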
+1 -2
drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c
··· 774 774 return; 775 775 776 776 mvmvif->dbgfs_dir = debugfs_create_dir("iwlmvm", dbgfs_dir); 777 - 778 - if (!mvmvif->dbgfs_dir) { 777 + if (IS_ERR_OR_NULL(mvmvif->dbgfs_dir)) { 779 778 IWL_ERR(mvm, "Failed to create debugfs directory under %pd\n", 780 779 dbgfs_dir); 781 780 return;
+3 -1
drivers/net/wireless/intel/iwlwifi/mvm/fw.c
··· 1121 1121 ret = iwl_mvm_load_rt_fw(mvm); 1122 1122 if (ret) { 1123 1123 IWL_ERR(mvm, "Failed to start RT ucode: %d\n", ret); 1124 - iwl_fw_dbg_error_collect(&mvm->fwrt, FW_DBG_TRIGGER_DRIVER); 1124 + if (ret != -ERFKILL) 1125 + iwl_fw_dbg_error_collect(&mvm->fwrt, 1126 + FW_DBG_TRIGGER_DRIVER); 1125 1127 goto error; 1126 1128 } 1127 1129
+1 -1
drivers/net/wireless/intel/iwlwifi/mvm/ops.c
··· 834 834 mutex_lock(&mvm->mutex); 835 835 iwl_mvm_ref(mvm, IWL_MVM_REF_INIT_UCODE); 836 836 err = iwl_run_init_mvm_ucode(mvm, true); 837 - if (err) 837 + if (err && err != -ERFKILL) 838 838 iwl_fw_dbg_error_collect(&mvm->fwrt, FW_DBG_TRIGGER_DRIVER); 839 839 if (!iwlmvm_mod_params.init_dbg || !err) 840 840 iwl_mvm_stop_device(mvm);
+24 -4
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
··· 169 169 } 170 170 171 171 /* iwl_mvm_create_skb Adds the rxb to a new skb */ 172 - static void iwl_mvm_create_skb(struct sk_buff *skb, struct ieee80211_hdr *hdr, 173 - u16 len, u8 crypt_len, 174 - struct iwl_rx_cmd_buffer *rxb) 172 + static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb, 173 + struct ieee80211_hdr *hdr, u16 len, u8 crypt_len, 174 + struct iwl_rx_cmd_buffer *rxb) 175 175 { 176 176 struct iwl_rx_packet *pkt = rxb_addr(rxb); 177 177 struct iwl_rx_mpdu_desc *desc = (void *)pkt->data; ··· 204 204 * present before copying packet data. 205 205 */ 206 206 hdrlen += crypt_len; 207 + 208 + if (WARN_ONCE(headlen < hdrlen, 209 + "invalid packet lengths (hdrlen=%d, len=%d, crypt_len=%d)\n", 210 + hdrlen, len, crypt_len)) { 211 + /* 212 + * We warn and trace because we want to be able to see 213 + * it in trace-cmd as well. 214 + */ 215 + IWL_DEBUG_RX(mvm, 216 + "invalid packet lengths (hdrlen=%d, len=%d, crypt_len=%d)\n", 217 + hdrlen, len, crypt_len); 218 + return -EINVAL; 219 + } 220 + 207 221 skb_put_data(skb, hdr, hdrlen); 208 222 skb_put_data(skb, (u8 *)hdr + hdrlen + pad_len, headlen - hdrlen); 209 223 ··· 230 216 skb_add_rx_frag(skb, 0, rxb_steal_page(rxb), offset, 231 217 fraglen, rxb->truesize); 232 218 } 219 + 220 + return 0; 233 221 } 234 222 235 223 static void iwl_mvm_add_rtap_sniffer_config(struct iwl_mvm *mvm, ··· 1687 1671 rx_status->boottime_ns = ktime_get_boot_ns(); 1688 1672 } 1689 1673 1690 - iwl_mvm_create_skb(skb, hdr, len, crypt_len, rxb); 1674 + if (iwl_mvm_create_skb(mvm, skb, hdr, len, crypt_len, rxb)) { 1675 + kfree_skb(skb); 1676 + goto out; 1677 + } 1678 + 1691 1679 if (!iwl_mvm_reorder(mvm, napi, queue, sta, skb, desc)) 1692 1680 iwl_mvm_pass_packet_to_mac80211(mvm, napi, skb, queue, 1693 1681 sta, csi);
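Review bot: the `headlen < hdrlen` test uses WARN_ONCE() on lengths that arrive through the RX path (len and crypt_len are per-packet values), so a single malformed frame produces a kernel warning, and on systems running with panic_on_warn it stops the machine. Returning -EINVAL and dropping the skb is the right handling; consider reporting the condition through the IWL_DEBUG_RX() call alone, or a rate-limited error message, instead of a WARN. The format string is also duplicated verbatim between the two calls and could be shared.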
+13 -6
drivers/net/wireless/intel/iwlwifi/pcie/trans.c
··· 3644 3644 3645 3645 void iwl_trans_pcie_sync_nmi(struct iwl_trans *trans) 3646 3646 { 3647 + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); 3647 3648 unsigned long timeout = jiffies + IWL_TRANS_NMI_TIMEOUT; 3649 + u32 inta_addr, sw_err_bit; 3650 + 3651 + if (trans_pcie->msix_enabled) { 3652 + inta_addr = CSR_MSIX_HW_INT_CAUSES_AD; 3653 + sw_err_bit = MSIX_HW_INT_CAUSES_REG_SW_ERR; 3654 + } else { 3655 + inta_addr = CSR_INT; 3656 + sw_err_bit = CSR_INT_BIT_SW_ERR; 3657 + } 3648 3658 3649 3659 iwl_disable_interrupts(trans); 3650 3660 iwl_force_nmi(trans); 3651 3661 while (time_after(timeout, jiffies)) { 3652 - u32 inta_hw = iwl_read32(trans, 3653 - CSR_MSIX_HW_INT_CAUSES_AD); 3662 + u32 inta_hw = iwl_read32(trans, inta_addr); 3654 3663 3655 3664 /* Error detected by uCode */ 3656 - if (inta_hw & MSIX_HW_INT_CAUSES_REG_SW_ERR) { 3665 + if (inta_hw & sw_err_bit) { 3657 3666 /* Clear causes register */ 3658 - iwl_write32(trans, CSR_MSIX_HW_INT_CAUSES_AD, 3659 - inta_hw & 3660 - MSIX_HW_INT_CAUSES_REG_SW_ERR); 3667 + iwl_write32(trans, inta_addr, inta_hw & sw_err_bit); 3661 3668 break; 3662 3669 } 3663 3670
+1 -1
drivers/net/wireless/marvell/mwifiex/sdio.c
··· 181 181 182 182 adapter = card->adapter; 183 183 184 - if (test_bit(MWIFIEX_IS_SUSPENDED, &adapter->work_flags)) { 184 + if (!test_bit(MWIFIEX_IS_SUSPENDED, &adapter->work_flags)) { 185 185 mwifiex_dbg(adapter, WARN, 186 186 "device already resumed\n"); 187 187 return 0;
+1 -1
include/linux/bpf.h
··· 510 510 } \ 511 511 _out: \ 512 512 rcu_read_unlock(); \ 513 - preempt_enable_no_resched(); \ 513 + preempt_enable(); \ 514 514 _ret; \ 515 515 }) 516 516
-1
include/net/sctp/command.h
··· 105 105 SCTP_CMD_T1_RETRAN, /* Mark for retransmission after T1 timeout */ 106 106 SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */ 107 107 SCTP_CMD_SEND_MSG, /* Send the whole use message */ 108 - SCTP_CMD_SEND_NEXT_ASCONF, /* Send the next ASCONF after ACK */ 109 108 SCTP_CMD_PURGE_ASCONF_QUEUE, /* Purge all asconf queues.*/ 110 109 SCTP_CMD_SET_ASOC, /* Restore association context */ 111 110 SCTP_CMD_LAST
+19 -1
include/net/xfrm.h
··· 295 295 }; 296 296 297 297 struct xfrm_if_cb { 298 - struct xfrm_if *(*decode_session)(struct sk_buff *skb); 298 + struct xfrm_if *(*decode_session)(struct sk_buff *skb, 299 + unsigned short family); 299 300 }; 300 301 301 302 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb); ··· 1405 1404 return atomic_read(&x->tunnel_users); 1406 1405 } 1407 1406 1407 + static inline bool xfrm_id_proto_valid(u8 proto) 1408 + { 1409 + switch (proto) { 1410 + case IPPROTO_AH: 1411 + case IPPROTO_ESP: 1412 + case IPPROTO_COMP: 1413 + #if IS_ENABLED(CONFIG_IPV6) 1414 + case IPPROTO_ROUTING: 1415 + case IPPROTO_DSTOPTS: 1416 + #endif 1417 + return true; 1418 + default: 1419 + return false; 1420 + } 1421 + } 1422 + 1423 + /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */ 1408 1424 static inline int xfrm_id_proto_match(u8 proto, u8 userproto) 1409 1425 { 1410 1426 return (!userproto || proto == userproto ||
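Review bot: xfrm_id_proto_valid() is added with no comment on what it validates or which callers must use it; the comment added directly below it describes xfrm_id_proto_match() instead. A one-line description above the new helper, including that IPPROTO_ROUTING and IPPROTO_DSTOPTS are accepted only when CONFIG_IPV6 is enabled, would help. The decode_session() callback also gains an `unsigned short family` argument with no note on what the implementer should do with it.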
+46 -30
kernel/bpf/verifier.c
··· 4138 4138 return 0; 4139 4139 } 4140 4140 4141 + static void __find_good_pkt_pointers(struct bpf_func_state *state, 4142 + struct bpf_reg_state *dst_reg, 4143 + enum bpf_reg_type type, u16 new_range) 4144 + { 4145 + struct bpf_reg_state *reg; 4146 + int i; 4147 + 4148 + for (i = 0; i < MAX_BPF_REG; i++) { 4149 + reg = &state->regs[i]; 4150 + if (reg->type == type && reg->id == dst_reg->id) 4151 + /* keep the maximum range already checked */ 4152 + reg->range = max(reg->range, new_range); 4153 + } 4154 + 4155 + bpf_for_each_spilled_reg(i, state, reg) { 4156 + if (!reg) 4157 + continue; 4158 + if (reg->type == type && reg->id == dst_reg->id) 4159 + reg->range = max(reg->range, new_range); 4160 + } 4161 + } 4162 + 4141 4163 static void find_good_pkt_pointers(struct bpf_verifier_state *vstate, 4142 4164 struct bpf_reg_state *dst_reg, 4143 4165 enum bpf_reg_type type, 4144 4166 bool range_right_open) 4145 4167 { 4146 - struct bpf_func_state *state = vstate->frame[vstate->curframe]; 4147 - struct bpf_reg_state *regs = state->regs, *reg; 4148 4168 u16 new_range; 4149 - int i, j; 4169 + int i; 4150 4170 4151 4171 if (dst_reg->off < 0 || 4152 4172 (dst_reg->off == 0 && range_right_open)) ··· 4231 4211 * the range won't allow anything. 4232 4212 * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16. 
4233 4213 */ 4234 - for (i = 0; i < MAX_BPF_REG; i++) 4235 - if (regs[i].type == type && regs[i].id == dst_reg->id) 4236 - /* keep the maximum range already checked */ 4237 - regs[i].range = max(regs[i].range, new_range); 4238 - 4239 - for (j = 0; j <= vstate->curframe; j++) { 4240 - state = vstate->frame[j]; 4241 - bpf_for_each_spilled_reg(i, state, reg) { 4242 - if (!reg) 4243 - continue; 4244 - if (reg->type == type && reg->id == dst_reg->id) 4245 - reg->range = max(reg->range, new_range); 4246 - } 4247 - } 4214 + for (i = 0; i <= vstate->curframe; i++) 4215 + __find_good_pkt_pointers(vstate->frame[i], dst_reg, type, 4216 + new_range); 4248 4217 } 4249 4218 4250 4219 /* compute branch direction of the expression "if (reg opcode val) goto target;" ··· 4707 4698 } 4708 4699 } 4709 4700 4701 + static void __mark_ptr_or_null_regs(struct bpf_func_state *state, u32 id, 4702 + bool is_null) 4703 + { 4704 + struct bpf_reg_state *reg; 4705 + int i; 4706 + 4707 + for (i = 0; i < MAX_BPF_REG; i++) 4708 + mark_ptr_or_null_reg(state, &state->regs[i], id, is_null); 4709 + 4710 + bpf_for_each_spilled_reg(i, state, reg) { 4711 + if (!reg) 4712 + continue; 4713 + mark_ptr_or_null_reg(state, reg, id, is_null); 4714 + } 4715 + } 4716 + 4710 4717 /* The logic is similar to find_good_pkt_pointers(), both could eventually 4711 4718 * be folded together at some point. 4712 4719 */ ··· 4730 4705 bool is_null) 4731 4706 { 4732 4707 struct bpf_func_state *state = vstate->frame[vstate->curframe]; 4733 - struct bpf_reg_state *reg, *regs = state->regs; 4708 + struct bpf_reg_state *regs = state->regs; 4734 4709 u32 ref_obj_id = regs[regno].ref_obj_id; 4735 4710 u32 id = regs[regno].id; 4736 - int i, j; 4711 + int i; 4737 4712 4738 4713 if (ref_obj_id && ref_obj_id == id && is_null) 4739 4714 /* regs[regno] is in the " == NULL" branch. 
··· 4742 4717 */ 4743 4718 WARN_ON_ONCE(release_reference_state(state, id)); 4744 4719 4745 - for (i = 0; i < MAX_BPF_REG; i++) 4746 - mark_ptr_or_null_reg(state, &regs[i], id, is_null); 4747 - 4748 - for (j = 0; j <= vstate->curframe; j++) { 4749 - state = vstate->frame[j]; 4750 - bpf_for_each_spilled_reg(i, state, reg) { 4751 - if (!reg) 4752 - continue; 4753 - mark_ptr_or_null_reg(state, reg, id, is_null); 4754 - } 4755 - } 4720 + for (i = 0; i <= vstate->curframe; i++) 4721 + __mark_ptr_or_null_regs(vstate->frame[i], id, is_null); 4756 4722 } 4757 4723 4758 4724 static bool try_match_pkt_pointers(const struct bpf_insn *insn,
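Review bot: Neither `__find_good_pkt_pointers()` nor `__mark_ptr_or_null_regs()` has a comment saying why the registers of every frame up to `vstate->curframe` are walked. The removed loops updated `regs[i]` for the current frame only and visited the other frames just for spilled slots, so this widening is the substance of the fix and is easy to lose in a later refactor. A short comment above each helper (a pointer with the same id can sit in a caller's register) would record it. Smaller point: `__find_good_pkt_pointers()` only reads `dst_reg->id`, so it could take a `u32 id` the way `__mark_ptr_or_null_regs()` does.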
+1
net/appletalk/ddp.c
··· 1920 1920 ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); 1921 1921 if (!ddp_dl) { 1922 1922 pr_crit("Unable to register DDP with SNAP.\n"); 1923 + rc = -ENOMEM; 1923 1924 goto out_sock; 1924 1925 } 1925 1926
+15 -5
net/ipv4/esp4.c
··· 226 226 tail[plen - 1] = proto; 227 227 } 228 228 229 - static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) 229 + static int esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) 230 230 { 231 231 int encap_type; 232 232 struct udphdr *uh; ··· 234 234 __be16 sport, dport; 235 235 struct xfrm_encap_tmpl *encap = x->encap; 236 236 struct ip_esp_hdr *esph = esp->esph; 237 + unsigned int len; 237 238 238 239 spin_lock_bh(&x->lock); 239 240 sport = encap->encap_sport; ··· 242 241 encap_type = encap->encap_type; 243 242 spin_unlock_bh(&x->lock); 244 243 244 + len = skb->len + esp->tailen - skb_transport_offset(skb); 245 + if (len + sizeof(struct iphdr) >= IP_MAX_MTU) 246 + return -EMSGSIZE; 247 + 245 248 uh = (struct udphdr *)esph; 246 249 uh->source = sport; 247 250 uh->dest = dport; 248 - uh->len = htons(skb->len + esp->tailen 249 - - skb_transport_offset(skb)); 251 + uh->len = htons(len); 250 252 uh->check = 0; 251 253 252 254 switch (encap_type) { ··· 266 262 267 263 *skb_mac_header(skb) = IPPROTO_UDP; 268 264 esp->esph = esph; 265 + 266 + return 0; 269 267 } 270 268 271 269 int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) ··· 281 275 int tailen = esp->tailen; 282 276 283 277 /* this is non-NULL only with UDP Encapsulation */ 284 - if (x->encap) 285 - esp_output_udp_encap(x, skb, esp); 278 + if (x->encap) { 279 + int err = esp_output_udp_encap(x, skb, esp); 280 + 281 + if (err < 0) 282 + return err; 283 + } 286 284 287 285 if (!skb_cloned(skb)) { 288 286 if (tailen <= skb_tailroom(skb)) {
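Review bot: The new bound `len + sizeof(struct iphdr) >= IP_MAX_MTU` in esp_output_udp_encap() has no comment saying what it protects, namely that `uh->len` is filled through `htons(len)` and a larger value would be silently truncated to 16 bits. Please add one and state whether `>=` rather than `>` is deliberate, since it also rejects a datagram that lands exactly on IP_MAX_MTU. The comparison accounts only for a bare `struct iphdr`; if IP options can be present on this path, the real headroom is smaller than the check assumes.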
+5 -3
net/ipv4/esp4_offload.c
··· 52 52 goto out; 53 53 54 54 if (sp->len == XFRM_MAX_DEPTH) 55 - goto out; 55 + goto out_reset; 56 56 57 57 x = xfrm_state_lookup(dev_net(skb->dev), skb->mark, 58 58 (xfrm_address_t *)&ip_hdr(skb)->daddr, 59 59 spi, IPPROTO_ESP, AF_INET); 60 60 if (!x) 61 - goto out; 61 + goto out_reset; 62 62 63 63 sp->xvec[sp->len++] = x; 64 64 sp->olen++; ··· 66 66 xo = xfrm_offload(skb); 67 67 if (!xo) { 68 68 xfrm_state_put(x); 69 - goto out; 69 + goto out_reset; 70 70 } 71 71 } 72 72 ··· 82 82 xfrm_input(skb, IPPROTO_ESP, spi, -2); 83 83 84 84 return ERR_PTR(-EINPROGRESS); 85 + out_reset: 86 + secpath_reset(skb); 85 87 out: 86 88 skb_push(skb, offset); 87 89 NAPI_GRO_CB(skb)->same_flow = 0;
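Review bot: Possible double put in the `!xo` branch: the state has already been stored with `sp->xvec[sp->len++] = x`, is then released with `xfrm_state_put(x)`, and the jump to `out_reset` runs `secpath_reset(skb)` afterwards. Please confirm that resetting the secpath does not drop the reference held through `sp->xvec` a second time; if it does, the explicit put has to go. The `out_reset:` label also falls through into `out:` without a comment, which is worth marking. Both remarks apply equally to the matching hunk in net/ipv6/esp6_offload.c.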
+1
net/ipv4/ip_output.c
··· 519 519 to->pkt_type = from->pkt_type; 520 520 to->priority = from->priority; 521 521 to->protocol = from->protocol; 522 + to->skb_iif = from->skb_iif; 522 523 skb_dst_drop(to); 523 524 skb_dst_copy(to, from); 524 525 to->dev = from->dev;
+4 -5
net/ipv4/ip_vti.c
··· 646 646 647 647 msg = "ipip tunnel"; 648 648 err = xfrm4_tunnel_register(&ipip_handler, AF_INET); 649 - if (err < 0) { 650 - pr_info("%s: cant't register tunnel\n",__func__); 649 + if (err < 0) 651 650 goto xfrm_tunnel_failed; 652 - } 653 651 654 652 msg = "netlink interface"; 655 653 err = rtnl_link_register(&vti_link_ops); ··· 657 659 return err; 658 660 659 661 rtnl_link_failed: 660 - xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); 661 - xfrm_tunnel_failed: 662 662 xfrm4_tunnel_deregister(&ipip_handler, AF_INET); 663 + xfrm_tunnel_failed: 664 + xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); 663 665 xfrm_proto_comp_failed: 664 666 xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); 665 667 xfrm_proto_ah_failed: ··· 674 676 static void __exit vti_fini(void) 675 677 { 676 678 rtnl_link_unregister(&vti_link_ops); 679 + xfrm4_tunnel_deregister(&ipip_handler, AF_INET); 677 680 xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); 678 681 xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); 679 682 xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP);
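Review bot: With the `pr_info()` removed, a failure of `xfrm4_tunnel_register()` is reported only if the shared error path prints `msg`, which this hunk does not show; please confirm that it does. On the unwind itself, the labels are named after the step that failed rather than the step they undo, and the removed lines had the two deregister calls under the wrong labels. A one-line comment at the top of the label ladder saying that each label undoes everything registered before the failing step would make the order easier to check, including against the call now added to vti_fini().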
+12 -1
net/ipv4/tcp_ipv4.c
··· 1673 1673 if (TCP_SKB_CB(tail)->end_seq != TCP_SKB_CB(skb)->seq || 1674 1674 TCP_SKB_CB(tail)->ip_dsfield != TCP_SKB_CB(skb)->ip_dsfield || 1675 1675 ((TCP_SKB_CB(tail)->tcp_flags | 1676 - TCP_SKB_CB(skb)->tcp_flags) & TCPHDR_URG) || 1676 + TCP_SKB_CB(skb)->tcp_flags) & (TCPHDR_SYN | TCPHDR_RST | TCPHDR_URG)) || 1677 + !((TCP_SKB_CB(tail)->tcp_flags & 1678 + TCP_SKB_CB(skb)->tcp_flags) & TCPHDR_ACK) || 1677 1679 ((TCP_SKB_CB(tail)->tcp_flags ^ 1678 1680 TCP_SKB_CB(skb)->tcp_flags) & (TCPHDR_ECE | TCPHDR_CWR)) || 1679 1681 #ifdef CONFIG_TLS_DEVICE ··· 1694 1692 if (after(TCP_SKB_CB(skb)->ack_seq, TCP_SKB_CB(tail)->ack_seq)) 1695 1693 TCP_SKB_CB(tail)->ack_seq = TCP_SKB_CB(skb)->ack_seq; 1696 1694 1695 + /* We have to update both TCP_SKB_CB(tail)->tcp_flags and 1696 + * thtail->fin, so that the fast path in tcp_rcv_established() 1697 + * is not entered if we append a packet with a FIN. 1698 + * SYN, RST, URG are not present. 1699 + * ACK is set on both packets. 1700 + * PSH : we do not really care in TCP stack, 1701 + * at least for 'GRO' packets. 1702 + */ 1703 + thtail->fin |= th->fin; 1697 1704 TCP_SKB_CB(tail)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags; 1698 1705 1699 1706 if (TCP_SKB_CB(skb)->has_rxtstamp) {
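Review bot: The coalescing condition now packs three different flag tests into one `if` (OR of both packets against `TCPHDR_SYN | TCPHDR_RST | TCPHDR_URG`, AND of both against `TCPHDR_ACK`, XOR against `TCPHDR_ECE | TCPHDR_CWR`), while the comment that explains them sits further down next to `thtail->fin |= th->fin`. Moving the flag tests into a small helper with that comment above it would keep the stated invariant ("SYN, RST, URG are not present", "ACK is set on both packets") next to the code that enforces it.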
+12 -4
net/ipv4/udp_offload.c
··· 352 352 struct sk_buff *pp = NULL; 353 353 struct udphdr *uh2; 354 354 struct sk_buff *p; 355 + unsigned int ulen; 355 356 356 357 /* requires non zero csum, for symmetry with GSO */ 357 358 if (!uh->check) { ··· 360 359 return NULL; 361 360 } 362 361 362 + /* Do not deal with padded or malicious packets, sorry ! */ 363 + ulen = ntohs(uh->len); 364 + if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) { 365 + NAPI_GRO_CB(skb)->flush = 1; 366 + return NULL; 367 + } 363 368 /* pull encapsulating udp header */ 364 369 skb_gro_pull(skb, sizeof(struct udphdr)); 365 370 skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr)); ··· 384 377 385 378 /* Terminate the flow on len mismatch or if it grow "too much". 386 379 * Under small packet flood GRO count could elsewhere grow a lot 387 - * leading to execessive truesize values 380 + * leading to excessive truesize values. 381 + * On len mismatch merge the first packet shorter than gso_size, 382 + * otherwise complete the GRO packet. 388 383 */ 389 - if (!skb_gro_receive(p, skb) && 384 + if (ulen > ntohs(uh2->len) || skb_gro_receive(p, skb) || 385 + ulen != ntohs(uh2->len) || 390 386 NAPI_GRO_CB(p)->count >= UDP_GRO_CNT_MAX) 391 - pp = p; 392 - else if (uh->len != uh2->len) 393 387 pp = p; 394 388 395 389 return pp;
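Review bot: The rewritten merge condition depends on short-circuit order and nothing says so. `ulen > ntohs(uh2->len)` has to be evaluated before `skb_gro_receive(p, skb)` so that a longer packet is never merged, and `ulen != ntohs(uh2->len)` has to come after it so that a shorter packet is merged and then ends the flow. A call with side effects in the middle of an `||` chain is easy to reorder by accident; splitting it into separate `if` statements, or at least stating in the comment that the order is significant, would make this safer. The new early length check is also missing a blank line before `/* pull encapsulating udp header */`.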
+13 -11
net/ipv4/xfrm4_policy.c
··· 111 111 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) 112 112 { 113 113 const struct iphdr *iph = ip_hdr(skb); 114 - u8 *xprth = skb_network_header(skb) + iph->ihl * 4; 114 + int ihl = iph->ihl; 115 + u8 *xprth = skb_network_header(skb) + ihl * 4; 115 116 struct flowi4 *fl4 = &fl->u.ip4; 116 117 int oif = 0; 117 118 ··· 122 121 memset(fl4, 0, sizeof(struct flowi4)); 123 122 fl4->flowi4_mark = skb->mark; 124 123 fl4->flowi4_oif = reverse ? skb->skb_iif : oif; 124 + 125 + fl4->flowi4_proto = iph->protocol; 126 + fl4->daddr = reverse ? iph->saddr : iph->daddr; 127 + fl4->saddr = reverse ? iph->daddr : iph->saddr; 128 + fl4->flowi4_tos = iph->tos; 125 129 126 130 if (!ip_is_fragment(iph)) { 127 131 switch (iph->protocol) { ··· 139 133 pskb_may_pull(skb, xprth + 4 - skb->data)) { 140 134 __be16 *ports; 141 135 142 - xprth = skb_network_header(skb) + iph->ihl * 4; 136 + xprth = skb_network_header(skb) + ihl * 4; 143 137 ports = (__be16 *)xprth; 144 138 145 139 fl4->fl4_sport = ports[!!reverse]; ··· 152 146 pskb_may_pull(skb, xprth + 2 - skb->data)) { 153 147 u8 *icmp; 154 148 155 - xprth = skb_network_header(skb) + iph->ihl * 4; 149 + xprth = skb_network_header(skb) + ihl * 4; 156 150 icmp = xprth; 157 151 158 152 fl4->fl4_icmp_type = icmp[0]; ··· 165 159 pskb_may_pull(skb, xprth + 4 - skb->data)) { 166 160 __be32 *ehdr; 167 161 168 - xprth = skb_network_header(skb) + iph->ihl * 4; 162 + xprth = skb_network_header(skb) + ihl * 4; 169 163 ehdr = (__be32 *)xprth; 170 164 171 165 fl4->fl4_ipsec_spi = ehdr[0]; ··· 177 171 pskb_may_pull(skb, xprth + 8 - skb->data)) { 178 172 __be32 *ah_hdr; 179 173 180 - xprth = skb_network_header(skb) + iph->ihl * 4; 174 + xprth = skb_network_header(skb) + ihl * 4; 181 175 ah_hdr = (__be32 *)xprth; 182 176 183 177 fl4->fl4_ipsec_spi = ah_hdr[1]; ··· 189 183 pskb_may_pull(skb, xprth + 4 - skb->data)) { 190 184 __be16 *ipcomp_hdr; 191 185 192 - xprth = skb_network_header(skb) + iph->ihl * 4; 186 + xprth = 
skb_network_header(skb) + ihl * 4; 193 187 ipcomp_hdr = (__be16 *)xprth; 194 188 195 189 fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); ··· 202 196 __be16 *greflags; 203 197 __be32 *gre_hdr; 204 198 205 - xprth = skb_network_header(skb) + iph->ihl * 4; 199 + xprth = skb_network_header(skb) + ihl * 4; 206 200 greflags = (__be16 *)xprth; 207 201 gre_hdr = (__be32 *)xprth; 208 202 ··· 219 213 break; 220 214 } 221 215 } 222 - fl4->flowi4_proto = iph->protocol; 223 - fl4->daddr = reverse ? iph->saddr : iph->daddr; 224 - fl4->saddr = reverse ? iph->daddr : iph->saddr; 225 - fl4->flowi4_tos = iph->tos; 226 216 } 227 217 228 218 static void xfrm4_update_pmtu(struct dst_entry *dst, struct sock *sk,
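Review bot: Nothing in _decode_session4() says that `iph` must not be dereferenced after `pskb_may_pull()`, yet that is the only reason `iph->ihl` is now cached in `ihl` and the `fl4->flowi4_proto`, `daddr`, `saddr` and `flowi4_tos` assignments moved ahead of the `switch`. `pskb_may_pull()` can reallocate the header and leave `iph` stale. Please add a comment at the declaration of `ihl` stating this, otherwise a later edit can reintroduce the stale read.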
+5 -3
net/ipv6/esp6_offload.c
··· 74 74 goto out; 75 75 76 76 if (sp->len == XFRM_MAX_DEPTH) 77 - goto out; 77 + goto out_reset; 78 78 79 79 x = xfrm_state_lookup(dev_net(skb->dev), skb->mark, 80 80 (xfrm_address_t *)&ipv6_hdr(skb)->daddr, 81 81 spi, IPPROTO_ESP, AF_INET6); 82 82 if (!x) 83 - goto out; 83 + goto out_reset; 84 84 85 85 sp->xvec[sp->len++] = x; 86 86 sp->olen++; ··· 88 88 xo = xfrm_offload(skb); 89 89 if (!xo) { 90 90 xfrm_state_put(x); 91 - goto out; 91 + goto out_reset; 92 92 } 93 93 } 94 94 ··· 109 109 xfrm_input(skb, IPPROTO_ESP, spi, -2); 110 110 111 111 return ERR_PTR(-EINPROGRESS); 112 + out_reset: 113 + secpath_reset(skb); 112 114 out: 113 115 skb_push(skb, offset); 114 116 NAPI_GRO_CB(skb)->same_flow = 0;
+1 -3
net/ipv6/ip6_fib.c
··· 921 921 if (pcpu_rt) { 922 922 struct fib6_info *from; 923 923 924 - from = rcu_dereference_protected(pcpu_rt->from, 925 - lockdep_is_held(&table->tb6_lock)); 926 - rcu_assign_pointer(pcpu_rt->from, NULL); 924 + from = xchg((__force struct fib6_info **)&pcpu_rt->from, NULL); 927 925 fib6_info_release(from); 928 926 } 929 927 }
+14 -8
net/ipv6/ip6_flowlabel.c
··· 94 94 return fl; 95 95 } 96 96 97 + static void fl_free_rcu(struct rcu_head *head) 98 + { 99 + struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); 100 + 101 + if (fl->share == IPV6_FL_S_PROCESS) 102 + put_pid(fl->owner.pid); 103 + kfree(fl->opt); 104 + kfree(fl); 105 + } 106 + 97 107 98 108 static void fl_free(struct ip6_flowlabel *fl) 99 109 { 100 - if (fl) { 101 - if (fl->share == IPV6_FL_S_PROCESS) 102 - put_pid(fl->owner.pid); 103 - kfree(fl->opt); 104 - kfree_rcu(fl, rcu); 105 - } 110 + if (fl) 111 + call_rcu(&fl->rcu, fl_free_rcu); 106 112 } 107 113 108 114 static void fl_release(struct ip6_flowlabel *fl) ··· 639 633 if (fl1->share == IPV6_FL_S_EXCL || 640 634 fl1->share != fl->share || 641 635 ((fl1->share == IPV6_FL_S_PROCESS) && 642 - (fl1->owner.pid == fl->owner.pid)) || 636 + (fl1->owner.pid != fl->owner.pid)) || 643 637 ((fl1->share == IPV6_FL_S_USER) && 644 - uid_eq(fl1->owner.uid, fl->owner.uid))) 638 + !uid_eq(fl1->owner.uid, fl->owner.uid))) 645 639 goto release; 646 640 647 641 err = -ENOMEM;
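Review bot: The sharing test that had its sense inverted (`fl1->owner.pid != fl->owner.pid`, `!uid_eq(fl1->owner.uid, fl->owner.uid)`) still has no comment stating the rule it implements: a process-scoped or user-scoped label may be shared only with the same pid or uid, and anything else goes to `release`. One line above the `if` would make a future inversion obvious. In fl_free(), a short note on why `put_pid()` and `kfree(fl->opt)` moved into `fl_free_rcu()` (presumably because readers may still reach them until the grace period ends) would explain why `kfree_rcu()` alone was not enough. The extra blank line left after `fl_free_rcu()` can be dropped.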
+37 -33
net/ipv6/route.c
··· 379 379 in6_dev_put(idev); 380 380 } 381 381 382 - rcu_read_lock(); 383 - from = rcu_dereference(rt->from); 384 - rcu_assign_pointer(rt->from, NULL); 382 + from = xchg((__force struct fib6_info **)&rt->from, NULL); 385 383 fib6_info_release(from); 386 - rcu_read_unlock(); 387 384 } 388 385 389 386 static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, ··· 1285 1288 /* purge completely the exception to allow releasing the held resources: 1286 1289 * some [sk] cache may keep the dst around for unlimited time 1287 1290 */ 1288 - from = rcu_dereference_protected(rt6_ex->rt6i->from, 1289 - lockdep_is_held(&rt6_exception_lock)); 1290 - rcu_assign_pointer(rt6_ex->rt6i->from, NULL); 1291 + from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL); 1291 1292 fib6_info_release(from); 1292 1293 dst_dev_put(&rt6_ex->rt6i->dst); 1293 1294 ··· 3392 3397 3393 3398 rcu_read_lock(); 3394 3399 from = rcu_dereference(rt->from); 3395 - /* This fib6_info_hold() is safe here because we hold reference to rt 3396 - * and rt already holds reference to fib6_info. 
3397 - */ 3398 - fib6_info_hold(from); 3399 - rcu_read_unlock(); 3400 + if (!from) 3401 + goto out; 3400 3402 3401 3403 nrt = ip6_rt_cache_alloc(from, &msg->dest, NULL); 3402 3404 if (!nrt) ··· 3405 3413 3406 3414 nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key; 3407 3415 3408 - /* No need to remove rt from the exception table if rt is 3409 - * a cached route because rt6_insert_exception() will 3410 - * takes care of it 3411 - */ 3416 + /* rt6_insert_exception() will take care of duplicated exceptions */ 3412 3417 if (rt6_insert_exception(nrt, from)) { 3413 3418 dst_release_immediate(&nrt->dst); 3414 3419 goto out; ··· 3418 3429 call_netevent_notifiers(NETEVENT_REDIRECT, &netevent); 3419 3430 3420 3431 out: 3421 - fib6_info_release(from); 3432 + rcu_read_unlock(); 3422 3433 neigh_release(neigh); 3423 3434 } 3424 3435 ··· 3657 3668 3658 3669 static int ip6_pkt_drop(struct sk_buff *skb, u8 code, int ipstats_mib_noroutes) 3659 3670 { 3660 - int type; 3661 3671 struct dst_entry *dst = skb_dst(skb); 3672 + struct net *net = dev_net(dst->dev); 3673 + struct inet6_dev *idev; 3674 + int type; 3675 + 3676 + if (netif_is_l3_master(skb->dev) && 3677 + dst->dev == net->loopback_dev) 3678 + idev = __in6_dev_get_safely(dev_get_by_index_rcu(net, IP6CB(skb)->iif)); 3679 + else 3680 + idev = ip6_dst_idev(dst); 3681 + 3662 3682 switch (ipstats_mib_noroutes) { 3663 3683 case IPSTATS_MIB_INNOROUTES: 3664 3684 type = ipv6_addr_type(&ipv6_hdr(skb)->daddr); 3665 3685 if (type == IPV6_ADDR_ANY) { 3666 - IP6_INC_STATS(dev_net(dst->dev), 3667 - __in6_dev_get_safely(skb->dev), 3668 - IPSTATS_MIB_INADDRERRORS); 3686 + IP6_INC_STATS(net, idev, IPSTATS_MIB_INADDRERRORS); 3669 3687 break; 3670 3688 } 3671 3689 /* FALLTHROUGH */ 3672 3690 case IPSTATS_MIB_OUTNOROUTES: 3673 - IP6_INC_STATS(dev_net(dst->dev), ip6_dst_idev(dst), 3674 - ipstats_mib_noroutes); 3691 + IP6_INC_STATS(net, idev, ipstats_mib_noroutes); 3675 3692 break; 3676 3693 } 3694 + 3695 + /* Start over by dropping the dst 
for l3mdev case */ 3696 + if (netif_is_l3_master(skb->dev)) 3697 + skb_dst_drop(skb); 3698 + 3677 3699 icmpv6_send(skb, ICMPV6_DEST_UNREACH, code, 0); 3678 3700 kfree_skb(skb); 3679 3701 return 0; ··· 5017 5017 5018 5018 rcu_read_lock(); 5019 5019 from = rcu_dereference(rt->from); 5020 - 5021 - if (fibmatch) 5022 - err = rt6_fill_node(net, skb, from, NULL, NULL, NULL, iif, 5023 - RTM_NEWROUTE, NETLINK_CB(in_skb).portid, 5024 - nlh->nlmsg_seq, 0); 5025 - else 5026 - err = rt6_fill_node(net, skb, from, dst, &fl6.daddr, 5027 - &fl6.saddr, iif, RTM_NEWROUTE, 5028 - NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, 5029 - 0); 5020 + if (from) { 5021 + if (fibmatch) 5022 + err = rt6_fill_node(net, skb, from, NULL, NULL, NULL, 5023 + iif, RTM_NEWROUTE, 5024 + NETLINK_CB(in_skb).portid, 5025 + nlh->nlmsg_seq, 0); 5026 + else 5027 + err = rt6_fill_node(net, skb, from, dst, &fl6.daddr, 5028 + &fl6.saddr, iif, RTM_NEWROUTE, 5029 + NETLINK_CB(in_skb).portid, 5030 + nlh->nlmsg_seq, 0); 5031 + } else { 5032 + err = -ENETUNREACH; 5033 + } 5030 5034 rcu_read_unlock(); 5031 5035 5032 5036 if (err < 0) {
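Review bot: In the redirect hunk the RCU read-side section now stays open from `rcu_dereference(rt->from)` until the `out:` label, so it covers `ip6_rt_cache_alloc()`, `rt6_insert_exception()` and `call_netevent_notifiers()`. Please confirm that none of these can sleep, and that no `goto out` is reachable before `rcu_read_lock()`, because `out:` now calls `rcu_read_unlock()` unconditionally. Separately, the `xchg((__force struct fib6_info **)&...->from, NULL)` idiom appears twice in this file and once in net/ipv6/ip6_fib.c; a small helper would keep the `__force` cast in one place.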
+5 -1
net/ipv6/xfrm6_tunnel.c
··· 345 345 unsigned int i; 346 346 347 347 xfrm_flush_gc(); 348 - xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true); 348 + xfrm_state_flush(net, 0, false, true); 349 349 350 350 for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++) 351 351 WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i])); ··· 402 402 xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); 403 403 xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); 404 404 unregister_pernet_subsys(&xfrm6_tunnel_net_ops); 405 + /* Someone maybe has gotten the xfrm6_tunnel_spi. 406 + * So need to wait it. 407 + */ 408 + rcu_barrier(); 405 409 kmem_cache_destroy(xfrm6_tunnel_spi_kmem); 406 410 } 407 411
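Review bot: The comment added above `rcu_barrier()` ("Someone maybe has gotten the xfrm6_tunnel_spi. So need to wait it.") does not say what is being waited for. Suggest wording it in terms of the mechanism: if objects from `xfrm6_tunnel_spi_kmem` are freed from RCU callbacks, those callbacks must have completed before `kmem_cache_destroy()` runs. The bare `0` that replaces `IPSEC_PROTO_ANY` in `xfrm_state_flush()` also needs a short comment or a named constant, here and in net/xfrm/xfrm_state.c.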
+3 -1
net/key/af_key.c
··· 1951 1951 1952 1952 if (rq->sadb_x_ipsecrequest_mode == 0) 1953 1953 return -EINVAL; 1954 + if (!xfrm_id_proto_valid(rq->sadb_x_ipsecrequest_proto)) 1955 + return -EINVAL; 1954 1956 1955 - t->id.proto = rq->sadb_x_ipsecrequest_proto; /* XXX check proto */ 1957 + t->id.proto = rq->sadb_x_ipsecrequest_proto; 1956 1958 if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0) 1957 1959 return -EINVAL; 1958 1960 t->mode = mode;
+5 -5
net/l2tp/l2tp_core.c
··· 169 169 170 170 rcu_read_lock_bh(); 171 171 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 172 - if (tunnel->tunnel_id == tunnel_id) { 173 - l2tp_tunnel_inc_refcount(tunnel); 172 + if (tunnel->tunnel_id == tunnel_id && 173 + refcount_inc_not_zero(&tunnel->ref_count)) { 174 174 rcu_read_unlock_bh(); 175 175 176 176 return tunnel; ··· 190 190 191 191 rcu_read_lock_bh(); 192 192 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 193 - if (++count > nth) { 194 - l2tp_tunnel_inc_refcount(tunnel); 193 + if (++count > nth && 194 + refcount_inc_not_zero(&tunnel->ref_count)) { 195 195 rcu_read_unlock_bh(); 196 196 return tunnel; 197 197 } ··· 909 909 { 910 910 struct l2tp_tunnel *tunnel; 911 911 912 - tunnel = l2tp_tunnel(sk); 912 + tunnel = rcu_dereference_sk_user_data(sk); 913 913 if (tunnel == NULL) 914 914 goto pass_up; 915 915
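Review bot: Both lookup loops now open-code `refcount_inc_not_zero(&tunnel->ref_count)` in place of `l2tp_tunnel_inc_refcount()`; an inc-not-zero helper next to the existing one would keep the refcount handling in one place. It is also worth a comment on what happens when the increment fails. In the lookup by `tunnel_id` the walk simply continues and the tunnel is reported as not found, but in the `++count > nth` loop a tunnel that is being torn down is skipped and the next list entry is returned instead, which changes what "nth" means for the caller.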
+1 -1
net/mac80211/debugfs_netdev.c
··· 841 841 842 842 dir = sdata->vif.debugfs_dir; 843 843 844 - if (!dir) 844 + if (IS_ERR_OR_NULL(dir)) 845 845 return; 846 846 847 847 sprintf(buf, "netdev:%s", sdata->name);
+3 -2
net/mac80211/ht.c
··· 112 112 IEEE80211_HT_CAP_TX_STBC); 113 113 114 114 /* Allow user to configure RX STBC bits */ 115 - if (ht_capa_mask->cap_info & IEEE80211_HT_CAP_RX_STBC) 116 - ht_cap->cap |= ht_capa->cap_info & IEEE80211_HT_CAP_RX_STBC; 115 + if (ht_capa_mask->cap_info & cpu_to_le16(IEEE80211_HT_CAP_RX_STBC)) 116 + ht_cap->cap |= le16_to_cpu(ht_capa->cap_info) & 117 + IEEE80211_HT_CAP_RX_STBC; 117 118 118 119 /* Allow user to decrease AMPDU factor */ 119 120 if (ht_capa_mask->ampdu_params_info &
+3
net/mac80211/iface.c
··· 1908 1908 list_del_rcu(&sdata->list); 1909 1909 mutex_unlock(&sdata->local->iflist_mtx); 1910 1910 1911 + if (sdata->vif.txq) 1912 + ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq)); 1913 + 1911 1914 synchronize_rcu(); 1912 1915 1913 1916 if (sdata->dev) {
+2 -2
net/netlink/genetlink.c
··· 362 362 } else 363 363 family->attrbuf = NULL; 364 364 365 - family->id = idr_alloc(&genl_fam_idr, family, 366 - start, end + 1, GFP_KERNEL); 365 + family->id = idr_alloc_cyclic(&genl_fam_idr, family, 366 + start, end + 1, GFP_KERNEL); 367 367 if (family->id < 0) { 368 368 err = family->id; 369 369 goto errout_free;
+25 -12
net/packet/af_packet.c
··· 2602 2602 void *ph; 2603 2603 DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); 2604 2604 bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); 2605 + unsigned char *addr = NULL; 2605 2606 int tp_len, size_max; 2606 - unsigned char *addr; 2607 2607 void *data; 2608 2608 int len_sum = 0; 2609 2609 int status = TP_STATUS_AVAILABLE; ··· 2614 2614 if (likely(saddr == NULL)) { 2615 2615 dev = packet_cached_dev_get(po); 2616 2616 proto = po->num; 2617 - addr = NULL; 2618 2617 } else { 2619 2618 err = -EINVAL; 2620 2619 if (msg->msg_namelen < sizeof(struct sockaddr_ll)) ··· 2623 2624 sll_addr))) 2624 2625 goto out; 2625 2626 proto = saddr->sll_protocol; 2626 - addr = saddr->sll_halen ? saddr->sll_addr : NULL; 2627 2627 dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); 2628 - if (addr && dev && saddr->sll_halen < dev->addr_len) 2629 - goto out_put; 2628 + if (po->sk.sk_socket->type == SOCK_DGRAM) { 2629 + if (dev && msg->msg_namelen < dev->addr_len + 2630 + offsetof(struct sockaddr_ll, sll_addr)) 2631 + goto out_put; 2632 + addr = saddr->sll_addr; 2633 + } 2630 2634 } 2631 2635 2632 2636 err = -ENXIO; ··· 2801 2799 struct sk_buff *skb; 2802 2800 struct net_device *dev; 2803 2801 __be16 proto; 2804 - unsigned char *addr; 2802 + unsigned char *addr = NULL; 2805 2803 int err, reserve = 0; 2806 2804 struct sockcm_cookie sockc; 2807 2805 struct virtio_net_hdr vnet_hdr = { 0 }; ··· 2818 2816 if (likely(saddr == NULL)) { 2819 2817 dev = packet_cached_dev_get(po); 2820 2818 proto = po->num; 2821 - addr = NULL; 2822 2819 } else { 2823 2820 err = -EINVAL; 2824 2821 if (msg->msg_namelen < sizeof(struct sockaddr_ll)) ··· 2825 2824 if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) 2826 2825 goto out; 2827 2826 proto = saddr->sll_protocol; 2828 - addr = saddr->sll_halen ? 
saddr->sll_addr : NULL; 2829 2827 dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); 2830 - if (addr && dev && saddr->sll_halen < dev->addr_len) 2831 - goto out_unlock; 2828 + if (sock->type == SOCK_DGRAM) { 2829 + if (dev && msg->msg_namelen < dev->addr_len + 2830 + offsetof(struct sockaddr_ll, sll_addr)) 2831 + goto out_unlock; 2832 + addr = saddr->sll_addr; 2833 + } 2832 2834 } 2833 2835 2834 2836 err = -ENXIO; ··· 3348 3344 sock_recv_ts_and_drops(msg, sk, skb); 3349 3345 3350 3346 if (msg->msg_name) { 3347 + int copy_len; 3348 + 3351 3349 /* If the address length field is there to be filled 3352 3350 * in, we fill it in now. 3353 3351 */ 3354 3352 if (sock->type == SOCK_PACKET) { 3355 3353 __sockaddr_check_size(sizeof(struct sockaddr_pkt)); 3356 3354 msg->msg_namelen = sizeof(struct sockaddr_pkt); 3355 + copy_len = msg->msg_namelen; 3357 3356 } else { 3358 3357 struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; 3359 3358 3360 3359 msg->msg_namelen = sll->sll_halen + 3361 3360 offsetof(struct sockaddr_ll, sll_addr); 3361 + copy_len = msg->msg_namelen; 3362 + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) { 3363 + memset(msg->msg_name + 3364 + offsetof(struct sockaddr_ll, sll_addr), 3365 + 0, sizeof(sll->sll_addr)); 3366 + msg->msg_namelen = sizeof(struct sockaddr_ll); 3367 + } 3362 3368 } 3363 - memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, 3364 - msg->msg_namelen); 3369 + memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); 3365 3370 } 3366 3371 3367 3372 if (pkt_sk(sk)->auxdata) {
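Review bot: The same SOCK_DGRAM length check is now duplicated in both send paths, once reading the type through `po->sk.sk_socket->type` and once through `sock->type`; a shared helper taking the socket, `dev` and `msg` would stop the two copies from drifting apart. Please also confirm that assigning `addr = saddr->sll_addr` when `dev` is NULL is harmless, since the length check is skipped in that case and the hunk relies on the `-ENXIO` handling that follows. In the receive hunk, the order of `memset()` followed by `memcpy(..., copy_len)` is what keeps the bytes past `sll_halen` zeroed, and a comment saying those bytes are padding returned to user space would make that intent explicit.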
+3 -5
net/rds/ib_recv.c
··· 772 772 unsigned long frag_off; 773 773 unsigned long to_copy; 774 774 unsigned long copied; 775 - uint64_t uncongested = 0; 775 + __le64 uncongested = 0; 776 776 void *addr; 777 777 778 778 /* catch completely corrupt packets */ ··· 789 789 copied = 0; 790 790 791 791 while (copied < RDS_CONG_MAP_BYTES) { 792 - uint64_t *src, *dst; 792 + __le64 *src, *dst; 793 793 unsigned int k; 794 794 795 795 to_copy = min(RDS_FRAG_SIZE - frag_off, PAGE_SIZE - map_off); ··· 824 824 } 825 825 826 826 /* the congestion map is in little endian order */ 827 - uncongested = le64_to_cpu(uncongested); 828 - 829 - rds_cong_map_updated(map, uncongested); 827 + rds_cong_map_updated(map, le64_to_cpu(uncongested)); 830 828 } 831 829 832 830 static void rds_ib_process_recv(struct rds_connection *conn,
+16 -16
net/rxrpc/call_object.c
··· 604 604 605 605 _enter(""); 606 606 607 - if (list_empty(&rxnet->calls)) 608 - return; 607 + if (!list_empty(&rxnet->calls)) { 608 + write_lock(&rxnet->call_lock); 609 609 610 - write_lock(&rxnet->call_lock); 610 + while (!list_empty(&rxnet->calls)) { 611 + call = list_entry(rxnet->calls.next, 612 + struct rxrpc_call, link); 613 + _debug("Zapping call %p", call); 611 614 612 - while (!list_empty(&rxnet->calls)) { 613 - call = list_entry(rxnet->calls.next, struct rxrpc_call, link); 614 - _debug("Zapping call %p", call); 615 + rxrpc_see_call(call); 616 + list_del_init(&call->link); 615 617 616 - rxrpc_see_call(call); 617 - list_del_init(&call->link); 618 + pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", 619 + call, atomic_read(&call->usage), 620 + rxrpc_call_states[call->state], 621 + call->flags, call->events); 618 622 619 - pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", 620 - call, atomic_read(&call->usage), 621 - rxrpc_call_states[call->state], 622 - call->flags, call->events); 623 + write_unlock(&rxnet->call_lock); 624 + cond_resched(); 625 + write_lock(&rxnet->call_lock); 626 + } 623 627 624 628 write_unlock(&rxnet->call_lock); 625 - cond_resched(); 626 - write_lock(&rxnet->call_lock); 627 629 } 628 - 629 - write_unlock(&rxnet->call_lock); 630 630 631 631 atomic_dec(&rxnet->nr_calls); 632 632 wait_var_event(&rxnet->nr_calls, !atomic_read(&rxnet->nr_calls));
-29
net/sctp/sm_sideeffect.c
··· 1112 1112 } 1113 1113 1114 1114 1115 - /* Sent the next ASCONF packet currently stored in the association. 1116 - * This happens after the ASCONF_ACK was succeffully processed. 1117 - */ 1118 - static void sctp_cmd_send_asconf(struct sctp_association *asoc) 1119 - { 1120 - struct net *net = sock_net(asoc->base.sk); 1121 - 1122 - /* Send the next asconf chunk from the addip chunk 1123 - * queue. 1124 - */ 1125 - if (!list_empty(&asoc->addip_chunk_list)) { 1126 - struct list_head *entry = asoc->addip_chunk_list.next; 1127 - struct sctp_chunk *asconf = list_entry(entry, 1128 - struct sctp_chunk, list); 1129 - list_del_init(entry); 1130 - 1131 - /* Hold the chunk until an ASCONF_ACK is received. */ 1132 - sctp_chunk_hold(asconf); 1133 - if (sctp_primitive_ASCONF(net, asoc, asconf)) 1134 - sctp_chunk_free(asconf); 1135 - else 1136 - asoc->addip_last_asconf = asconf; 1137 - } 1138 - } 1139 - 1140 - 1141 1115 /* These three macros allow us to pull the debugging code out of the 1142 1116 * main flow of sctp_do_sm() to keep attention focused on the real 1143 1117 * functionality there. ··· 1756 1782 local_cork = 1; 1757 1783 } 1758 1784 sctp_cmd_send_msg(asoc, cmd->obj.msg, gfp); 1759 - break; 1760 - case SCTP_CMD_SEND_NEXT_ASCONF: 1761 - sctp_cmd_send_asconf(asoc); 1762 1785 break; 1763 1786 case SCTP_CMD_PURGE_ASCONF_QUEUE: 1764 1787 sctp_asconf_queue_teardown(asoc);
+27 -8
net/sctp/sm_statefuns.c
··· 3824 3824 return SCTP_DISPOSITION_CONSUME; 3825 3825 } 3826 3826 3827 + static enum sctp_disposition sctp_send_next_asconf( 3828 + struct net *net, 3829 + const struct sctp_endpoint *ep, 3830 + struct sctp_association *asoc, 3831 + const union sctp_subtype type, 3832 + struct sctp_cmd_seq *commands) 3833 + { 3834 + struct sctp_chunk *asconf; 3835 + struct list_head *entry; 3836 + 3837 + if (list_empty(&asoc->addip_chunk_list)) 3838 + return SCTP_DISPOSITION_CONSUME; 3839 + 3840 + entry = asoc->addip_chunk_list.next; 3841 + asconf = list_entry(entry, struct sctp_chunk, list); 3842 + 3843 + list_del_init(entry); 3844 + sctp_chunk_hold(asconf); 3845 + asoc->addip_last_asconf = asconf; 3846 + 3847 + return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); 3848 + } 3849 + 3827 3850 /* 3828 3851 * ADDIP Section 4.3 General rules for address manipulation 3829 3852 * When building TLV parameters for the ASCONF Chunk that will add or ··· 3938 3915 SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); 3939 3916 3940 3917 if (!sctp_process_asconf_ack((struct sctp_association *)asoc, 3941 - asconf_ack)) { 3942 - /* Successfully processed ASCONF_ACK. We can 3943 - * release the next asconf if we have one. 3944 - */ 3945 - sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, 3946 - SCTP_NULL()); 3947 - return SCTP_DISPOSITION_CONSUME; 3948 - } 3918 + asconf_ack)) 3919 + return sctp_send_next_asconf(net, ep, 3920 + (struct sctp_association *)asoc, 3921 + type, commands); 3949 3922 3950 3923 abort = sctp_make_abort(asoc, asconf_ack, 3951 3924 sizeof(struct sctp_errhdr));
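Review bot: sctp_send_next_asconf() sets `asoc->addip_last_asconf = asconf` before calling sctp_sf_do_prm_asconf() and has no failure handling, whereas the removed sctp_cmd_send_asconf() called `sctp_chunk_free(asconf)` on error and recorded the chunk only on success. Please confirm what sctp_sf_do_prm_asconf() can return on this path and, if it can fail, that the reference taken by `sctp_chunk_hold(asconf)` and the `addip_last_asconf` pointer are cleaned up. The call site also casts away `const` with `(struct sctp_association *)asoc`; a brief comment on why that is acceptable here would help.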
+32 -15
net/tls/tls_device.c
··· 597 597 static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) 598 598 { 599 599 struct strp_msg *rxm = strp_msg(skb); 600 - int err = 0, offset = rxm->offset, copy, nsg; 600 + int err = 0, offset = rxm->offset, copy, nsg, data_len, pos; 601 601 struct sk_buff *skb_iter, *unused; 602 602 struct scatterlist sg[1]; 603 603 char *orig_buf, *buf; ··· 628 628 else 629 629 err = 0; 630 630 631 - copy = min_t(int, skb_pagelen(skb) - offset, 632 - rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); 631 + data_len = rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE; 633 632 634 - if (skb->decrypted) 635 - skb_store_bits(skb, offset, buf, copy); 633 + if (skb_pagelen(skb) > offset) { 634 + copy = min_t(int, skb_pagelen(skb) - offset, data_len); 636 635 637 - offset += copy; 638 - buf += copy; 639 - 640 - skb_walk_frags(skb, skb_iter) { 641 - copy = min_t(int, skb_iter->len, 642 - rxm->full_len - offset + rxm->offset - 643 - TLS_CIPHER_AES_GCM_128_TAG_SIZE); 644 - 645 - if (skb_iter->decrypted) 646 - skb_store_bits(skb_iter, offset, buf, copy); 636 + if (skb->decrypted) 637 + skb_store_bits(skb, offset, buf, copy); 647 638 648 639 offset += copy; 649 640 buf += copy; 641 + } 642 + 643 + pos = skb_pagelen(skb); 644 + skb_walk_frags(skb, skb_iter) { 645 + int frag_pos; 646 + 647 + /* Practically all frags must belong to msg if reencrypt 648 + * is needed with current strparser and coalescing logic, 649 + * but strparser may "get optimized", so let's be safe. 650 + */ 651 + if (pos + skb_iter->len <= offset) 652 + goto done_with_frag; 653 + if (pos >= data_len + rxm->offset) 654 + break; 655 + 656 + frag_pos = offset - pos; 657 + copy = min_t(int, skb_iter->len - frag_pos, 658 + data_len + rxm->offset - offset); 659 + 660 + if (skb_iter->decrypted) 661 + skb_store_bits(skb_iter, frag_pos, buf, copy); 662 + 663 + offset += copy; 664 + buf += copy; 665 + done_with_frag: 666 + pos += skb_iter->len; 650 667 } 651 668 652 669 free_buf:
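Review bot: `frag_pos = offset - pos` is non-negative only because of the two guards directly above it together with the fact that `offset` never moves past `data_len + rxm->offset`, and that invariant is not written down anywhere in the loop. A one-line comment stating it, or a `WARN_ON_ONCE()` on a negative `frag_pos`, would protect the `skb_store_bits(skb_iter, frag_pos, buf, copy)` call against a later change to the guards. The `done_with_frag:` label inside the `skb_walk_frags()` body could be avoided by inverting the first guard into an `if` block, which would also make the control flow easier to follow.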
+2 -1
net/tls/tls_device_fallback.c
··· 201 201 202 202 skb_put(nskb, skb->len); 203 203 memcpy(nskb->data, skb->data, headln); 204 - update_chksum(nskb, headln); 205 204 206 205 nskb->destructor = skb->destructor; 207 206 nskb->sk = sk; 208 207 skb->destructor = NULL; 209 208 skb->sk = NULL; 209 + 210 + update_chksum(nskb, headln); 210 211 211 212 delta = nskb->truesize - skb->truesize; 212 213 if (likely(delta < 0))
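Review bot: Moving `update_chksum(nskb, headln)` below `nskb->sk = sk` creates an ordering dependency that is not documented. A one-line comment that update_chksum() needs `nskb->sk` to be set would stop the call from drifting back above the assignment in a later cleanup.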
+2 -3
net/wireless/reg.c
··· 3778 3778 /* 3779 3779 * The last request may have been received before this 3780 3780 * registration call. Call the driver notifier if 3781 - * initiator is USER and user type is CELL_BASE. 3781 + * initiator is USER. 3782 3782 */ 3783 - if (lr->initiator == NL80211_REGDOM_SET_BY_USER && 3784 - lr->user_reg_hint_type == NL80211_USER_REG_HINT_CELL_BASE) 3783 + if (lr->initiator == NL80211_REGDOM_SET_BY_USER) 3785 3784 reg_call_notifier(wiphy, lr); 3786 3785 } 3787 3786
+14 -3
net/xfrm/xfrm_interface.c
··· 70 70 return NULL; 71 71 } 72 72 73 - static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb) 73 + static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb, 74 + unsigned short family) 74 75 { 75 76 struct xfrmi_net *xfrmn; 76 - int ifindex; 77 77 struct xfrm_if *xi; 78 + int ifindex = 0; 78 79 79 80 if (!secpath_exists(skb) || !skb->dev) 80 81 return NULL; 81 82 83 + switch (family) { 84 + case AF_INET6: 85 + ifindex = inet6_sdif(skb); 86 + break; 87 + case AF_INET: 88 + ifindex = inet_sdif(skb); 89 + break; 90 + } 91 + if (!ifindex) 92 + ifindex = skb->dev->ifindex; 93 + 82 94 xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id); 83 - ifindex = skb->dev->ifindex; 84 95 85 96 for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) { 86 97 if (ifindex == xi->dev->ifindex &&
+1 -1
net/xfrm/xfrm_policy.c
··· 3313 3313 ifcb = xfrm_if_get_cb(); 3314 3314 3315 3315 if (ifcb) { 3316 - xi = ifcb->decode_session(skb); 3316 + xi = ifcb->decode_session(skb, family); 3317 3317 if (xi) { 3318 3318 if_id = xi->p.if_id; 3319 3319 net = xi->net;
+1 -1
net/xfrm/xfrm_state.c
··· 2384 2384 2385 2385 flush_work(&net->xfrm.state_hash_work); 2386 2386 flush_work(&xfrm_state_gc_work); 2387 - xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true); 2387 + xfrm_state_flush(net, 0, false, true); 2388 2388 2389 2389 WARN_ON(!list_empty(&net->xfrm.state_all)); 2390 2390
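Review bot: xfrm_state_flush(net, 0, false, true) replaces the named IPSEC_PROTO_ANY with a bare 0, and the call site does not explain what 0 means as a protocol argument. Suggest a comment on this line (or a named constant) saying that 0 is intended to match every protocol here, so that it is not "fixed" back to IPSEC_PROTO_ANY.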
+2 -14
net/xfrm/xfrm_user.c
··· 1424 1424 ret = verify_policy_dir(p->dir); 1425 1425 if (ret) 1426 1426 return ret; 1427 - if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) 1427 + if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) 1428 1428 return -EINVAL; 1429 1429 1430 1430 return 0; ··· 1513 1513 return -EINVAL; 1514 1514 } 1515 1515 1516 - switch (ut[i].id.proto) { 1517 - case IPPROTO_AH: 1518 - case IPPROTO_ESP: 1519 - case IPPROTO_COMP: 1520 - #if IS_ENABLED(CONFIG_IPV6) 1521 - case IPPROTO_ROUTING: 1522 - case IPPROTO_DSTOPTS: 1523 - #endif 1524 - case IPSEC_PROTO_ANY: 1525 - break; 1526 - default: 1516 + if (!xfrm_id_proto_valid(ut[i].id.proto)) 1527 1517 return -EINVAL; 1528 - } 1529 - 1530 1518 } 1531 1519 1532 1520 return 0;
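Review bot: the second hunk replaces the open-coded switch on ut[i].id.proto with xfrm_id_proto_valid(), whose body is not visible in these hunks. The removed switch accepted IPPROTO_ROUTING and IPPROTO_DSTOPTS only under IS_ENABLED(CONFIG_IPV6), and accepted IPSEC_PROTO_ANY. Please confirm that the helper keeps exactly that set, including the CONFIG_IPV6 condition. The same applies to xfrm_policy_id2dir() against the old p->index & XFRM_POLICY_MAX mask in the first hunk.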
+3
tools/bpf/bpftool/map.c
··· 1151 1151 return -1; 1152 1152 } 1153 1153 NEXT_ARG(); 1154 + } else { 1155 + p_err("unknown arg %s", *argv); 1156 + return -1; 1154 1157 } 1155 1158 } 1156 1159
+1
tools/lib/bpf/.gitignore
··· 1 1 libbpf_version.h 2 2 FEATURE-DUMP.libbpf 3 3 test_libbpf 4 + libbpf.so.*
+25
tools/testing/selftests/bpf/verifier/calls.c
··· 375 375 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 376 376 }, 377 377 { 378 + "calls: ptr null check in subprog", 379 + .insns = { 380 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 381 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 382 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 383 + BPF_LD_MAP_FD(BPF_REG_1, 0), 384 + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 385 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 386 + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 387 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 388 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 389 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 390 + BPF_EXIT_INSN(), 391 + BPF_MOV64_IMM(BPF_REG_0, 0), 392 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 393 + BPF_MOV64_IMM(BPF_REG_0, 1), 394 + BPF_EXIT_INSN(), 395 + }, 396 + .errstr_unpriv = "function calls to other bpf functions are allowed for root only", 397 + .fixup_map_hash_48b = { 3 }, 398 + .result_unpriv = REJECT, 399 + .result = ACCEPT, 400 + .retval = 0, 401 + }, 402 + { 378 403 "calls: two calls with args", 379 404 .insns = { 380 405 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
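Review bot: in "calls: ptr null check in subprog" the call uses a hand-counted offset, BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), and the subprogram body starts unmarked after the first BPF_EXIT_INSN(). A /* subprog */ comment before the BPF_MOV64_IMM(BPF_REG_0, 0) that begins it would make the offset checkable at a glance. It would also help to note that the two-slot BPF_LD_MAP_FD is why the target lands there.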
+22
tools/testing/selftests/bpf/verifier/direct_packet_access.c
··· 631 631 .errstr = "invalid access to packet", 632 632 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 633 633 }, 634 + { 635 + "direct packet access: test29 (reg > pkt_end in subprog)", 636 + .insns = { 637 + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 638 + offsetof(struct __sk_buff, data)), 639 + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 640 + offsetof(struct __sk_buff, data_end)), 641 + BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 642 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), 643 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 644 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 645 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 646 + BPF_MOV64_IMM(BPF_REG_0, 0), 647 + BPF_EXIT_INSN(), 648 + BPF_MOV64_IMM(BPF_REG_0, 0), 649 + BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_2, 1), 650 + BPF_MOV64_IMM(BPF_REG_0, 1), 651 + BPF_EXIT_INSN(), 652 + }, 653 + .result = ACCEPT, 654 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 655 + },
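Review bot: test29 adds only the ACCEPT direction, where the caller loads from BPF_REG_6 after the subprogram reports that reg + 8 is within pkt_end. Consider a companion case, expected to REJECT with "invalid access to packet", in which the caller performs the load on the other return value. The pair would then pin the range marking in both directions. As in the calls.c test, a comment marking where the subprogram starts would make the call offset of 4 easier to verify.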
+8 -2
tools/testing/selftests/net/fib_rule_tests.sh
··· 27 27 nsuccess=$((nsuccess+1)) 28 28 printf "\n TEST: %-50s [ OK ]\n" "${msg}" 29 29 else 30 + ret=1 30 31 nfail=$((nfail+1)) 31 32 printf "\n TEST: %-50s [FAIL]\n" "${msg}" 32 33 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then ··· 148 147 149 148 fib_check_iproute_support "ipproto" "ipproto" 150 149 if [ $? -eq 0 ]; then 151 - match="ipproto icmp" 152 - fib_rule6_test_match_n_redirect "$match" "$match" "ipproto icmp match" 150 + match="ipproto ipv6-icmp" 151 + fib_rule6_test_match_n_redirect "$match" "$match" "ipproto ipv6-icmp match" 153 152 fi 154 153 } 155 154 ··· 245 244 setup 246 245 run_fibrule_tests 247 246 cleanup 247 + 248 + if [ "$TESTS" != "none" ]; then 249 + printf "\nTests passed: %3d\n" ${nsuccess} 250 + printf "Tests failed: %3d\n" ${nfail} 251 + fi 248 252 249 253 exit $ret
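Review bot: the first hunk sets ret=1 on failure and the script ends with exit $ret, but no ret=0 initialisation is visible in these hunks. If ret is unset on the all-pass path, exit $ret expands to a bare exit and returns the status of the last command instead of an explicit 0. Please initialise ret=0 near the top if that is not already done. In the new summary block, quote the printf arguments, "${nsuccess}" and "${nfail}", to match the quoting of "${msg}" used earlier in the file.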