Re: net: BUG in unix_notinflight

2017-03-06 Thread Dmitry Vyukov
On Sat, Nov 26, 2016 at 7:05 PM, Dmitry Vyukov wrote: > Hello, > > I am hitting the following BUG while running syzkaller fuzzer: > > kernel BUG at net/unix/garbage.c:149! > invalid opcode: [#1] SMP DEBUG_PAGEALLOC KASAN > Dumping ftrace buffer: >(ftrace buffer empty)

Re: [PATCH iproute2 net-next] devlink: Add json and pretty options to help and man

2017-03-06 Thread Jiri Pirko
Mon, Mar 06, 2017 at 10:06:18AM CET, r...@mellanox.com wrote: >While at it also fixed missing double dash for long opts. > >Signed-off-by: Roi Dayan Acked-by: Jiri Pirko

Re: [PATCH 1/2] net: sched: make default fifo qdiscs appear in the dump

2017-03-06 Thread Jiri Kosina
On Wed, 1 Mar 2017, David Miller wrote: > > @@ -1066,6 +1066,7 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 > > parentid, > > _qdisc_ops, classid); > > if (cl->qdisc == NULL) > > cl->qdisc = _qdisc; > > + qdisc_hash_add(cl->qdisc,

Re: [PATCH 07/26] brcmsmac: reduce stack size with KASAN

2017-03-06 Thread Arnd Bergmann
On Mon, Mar 6, 2017 at 12:16 PM, Arnd Bergmann wrote: > On Mon, Mar 6, 2017 at 12:02 PM, Arend Van Spriel > wrote: >> On 6-3-2017 11:38, Arnd Bergmann wrote: >>> On Mon, Mar 6, 2017 at 10:16 AM, Arend Van Spriel >>>

Re: [E1000-devel] jitter / latency reduction

2017-03-06 Thread Leonardo Amaral - Listas
2017-03-03 20:52 GMT-03:00 Mahmood Qazen : > > this week I read a presentation by Jesse and towards the end it asks if we > can help. Hello, Can you please share this presentation? I'm interested in this subject too. Thanks! Leonardo Amaral about.me/leonardo.amaral

Re: [PATCH 07/26] brcmsmac: reduce stack size with KASAN

2017-03-06 Thread Arnd Bergmann
On Mon, Mar 6, 2017 at 12:02 PM, Arend Van Spriel wrote: > On 6-3-2017 11:38, Arnd Bergmann wrote: >> On Mon, Mar 6, 2017 at 10:16 AM, Arend Van Spriel >> wrote: >>> On 2-3-2017 17:38, Arnd Bergmann wrote: The

Re: [Patch net] bonding: use ETH_MAX_MTU as max mtu

2017-03-06 Thread Jarod Wilson
On 2017-03-02 3:24 PM, Cong Wang wrote: This restores the ability of setting bond device's mtu to 9000. Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra") Reported-by: daz...@gmail.com Reported-by: Brad Campbell Cc: Jarod Wilson

Re: [PATCH 07/26] brcmsmac: reduce stack size with KASAN

2017-03-06 Thread Arend Van Spriel
On 6-3-2017 11:38, Arnd Bergmann wrote: > On Mon, Mar 6, 2017 at 10:16 AM, Arend Van Spriel > wrote: >> On 2-3-2017 17:38, Arnd Bergmann wrote: >>> The wlc_phy_table_write_nphy/wlc_phy_table_read_nphy functions always put >>> an object >>> on the stack, which will

Re: 4.11-rc1 regression: e1000e "BUG at drivers/pci/msi.c" on unplugged suspend+resume

2017-03-06 Thread Bjørn Mork
Bjørn Mork writes: > This is new with v4.11-rc1, so I strongly suspect commit 7e54d9d063fa > ("e1000e: driver trying to free already-free irq"), which looks more > than suspicious in this context. Haven't had time to test a revert > yet. Just wanted to give an advance warning in

Re: [PATCH] 4.9.13 brcmfmac: fix use-after-free on resume

2017-03-06 Thread Arend Van Spriel
+ linux-wireless On 6-3-2017 8:14, Daniel J Blueman wrote: > KASAN reported 'struct wireless_dev wdev' was read after being freed. > Fix by freeing after the access. I would rather like to see the KASAN report, because something is off here. This function is called with wdev as a parameter so

Re: [PATCH] mac80211: Use setup_timer instead of init_timer

2017-03-06 Thread Johannes Berg
On Mon, 2017-03-06 at 13:25 +0100, Johannes Berg wrote: > On Fri, 2017-03-03 at 13:45 +0100, Jiri Slaby wrote: > > From: Ondřej Lysoněk > > > > Use setup_timer() and setup_deferrable_timer() to set the data and > > function timer fields. It makes the code cleaner and

Re: [PATCH] mac80211: Use setup_timer instead of init_timer

2017-03-06 Thread Jiri Slaby
On 03/06/2017, 01:25 PM, Johannes Berg wrote: > On Fri, 2017-03-03 at 13:45 +0100, Jiri Slaby wrote: >> From: Ondřej Lysoněk >> >> Use setup_timer() and setup_deferrable_timer() to set the data and >> function timer fields. It makes the code cleaner and will allow for >>

[PATCH] net: ibm: emac: fix regression caused by emac_dt_phy_probe()

2017-03-06 Thread Christian Lamparter
Julian Margetson reported a panic on his SAM460EX with Kernel 4.11-rc1: | Unable to handle kernel paging request for data at address 0x0014 | Oops: Kernel access of bad area, sig: 11 [#1] | PREEMPT | Canyonlands | Modules linked in: | CPU: 0 PID: 1 Comm: swapper Not tainted [...] | task:

Re: [4.9.13] brcmf use-after-free on resume

2017-03-06 Thread Arend Van Spriel
+ linux-wireless On 6-3-2017 8:04, Daniel J Blueman wrote: > When resuming from suspend with a BCM43602 on Ubuntu 16.04 with > 4.9.13, we see use after free [1]. > > We see the struct cfg80211_ops is accessed in the resume path, after > it was previously freed: > > (gdb) list

netlink: GPF in netlink_unicast

2017-03-06 Thread Dmitry Vyukov
Hello, I've got the following crash while running syzkaller fuzzer on net-next/8d70eeb84ab277377c017af6a21d0a337025dede: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked

Re: [PATCH v2] can: m_can: enable transmission of FD frame on latest version

2017-03-06 Thread Marc Kleine-Budde
On 03/06/2017 03:21 AM, Wenyou Yang wrote: > Enables the transmission of CAN FD frames on M_CAN IP core >= v3.1.x > and with the bit rate switching. > > Tested on M_CAN IP 3.1.0 (CREL = 0x31040730) of SAMA5D2 SoC. Does this patch work still with the old version of the silicon? Marc --

Re: [PATCH] mac80211: Use setup_timer instead of init_timer

2017-03-06 Thread Johannes Berg
> Not really. This is one of assignments for students I lead, so this > is done by hand every end of winter semester (Note the From line.) You really should teach them about coccinelle then :-) > > Care to send a patch for that one too? > > I am just a forwarder, he received this request too,

Re: [PATCH 1/4] net: thunderx: Fix IOMMU translation faults

2017-03-06 Thread Sunil Kovvuri
>> >> We are seeing a 0.75Mpps drop with IP forwarding rate due to that. >> Hence I have restricted calling DMA interfaces to only when IOMMU is enabled. > > What's 0.07Mpps as a percentage of baseline? On a correctly configured > coherent arm64 system, in the absence of an IOMMU, dma_map_*() is >

Re: [Patch net] ipv6: reorder icmpv6_init() and ip6_mr_init()

2017-03-06 Thread Andrey Konovalov
On Sun, Mar 5, 2017 at 9:34 PM, Cong Wang wrote: > Andrey reported the following kernel crash: > > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] SMP KASAN > Dumping ftrace buffer: >(ftrace buffer empty) >

Re: [PATCH 1/4] net: thunderx: Fix IOMMU translation faults

2017-03-06 Thread Robin Murphy
On 04/03/17 05:54, Sunil Kovvuri wrote: > On Fri, Mar 3, 2017 at 11:26 PM, David Miller wrote: >> From: sunil.kovv...@gmail.com >> Date: Fri, 3 Mar 2017 16:17:47 +0530 >> >>> @@ -1643,6 +1650,9 @@ static int nicvf_probe(struct pci_dev *pdev, const >>> struct pci_device_id

Re: [PATCH] mac80211: Use setup_timer instead of init_timer

2017-03-06 Thread Johannes Berg
On Fri, 2017-03-03 at 13:45 +0100, Jiri Slaby wrote: > From: Ondřej Lysoněk > > Use setup_timer() and setup_deferrable_timer() to set the data and > function timer fields. It makes the code cleaner and will allow for > easier change of the timer struct internals. Btw,

Re: [PATCH] mac80211: Use setup_timer instead of init_timer

2017-03-06 Thread Johannes Berg
On Fri, 2017-03-03 at 13:45 +0100, Jiri Slaby wrote: > From: Ondřej Lysoněk > > Use setup_timer() and setup_deferrable_timer() to set the data and > function timer fields. It makes the code cleaner and will allow for > easier change of the timer struct internals.

Re: [4.9.13] use after free in ipv4_mtu

2017-03-06 Thread Eric Dumazet
On Mon, 2017-03-06 at 14:33 +0800, Daniel J Blueman wrote: > On 2 March 2017 at 21:28, Eric Dumazet wrote: > > On Thu, 2017-03-02 at 05:08 -0800, Eric Dumazet wrote: > > > >> Thanks for the report ! > >> > >> This patch should solve this precise issue, but we need more

[PATCH net] team: use ETH_MAX_MTU as max mtu

2017-03-06 Thread Jarod Wilson
This restores the ability to set a team device's mtu to anything higher than 1500. Similar to the reported issue with bonding, the team driver calls ether_setup(), which sets an initial max_mtu of 1500, while the underlying hardware can handle something much larger. Just set it to ETH_MAX_MTU to

Re: [Patch net] bonding: use ETH_MAX_MTU as max mtu

2017-03-06 Thread Jarod Wilson
On 2017-03-06 8:40 AM, Jiri Pirko wrote: Mon, Mar 06, 2017 at 02:36:47PM CET, ja...@redhat.com wrote: On 2017-03-02 3:24 PM, Cong Wang wrote: This restores the ability of setting bond device's mtu to 9000. Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra") Reported-by:

[PATCH 12/29] drivers, media: convert s2255_dev.num_channels from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 11/29] drivers, media: convert cx88_core.refcount from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 25/29] drivers, usb: convert ffs_data.ref from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 29/29] drivers, xen: convert grant_map.users from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 07/29] drivers, md: convert dm_dev_internal.count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 01/29] drivers, block: convert xen_blkif.refcnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 18/29] drivers, s390: convert urdev.ref_count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

Re: [PATCH net] team: use ETH_MAX_MTU as max mtu

2017-03-06 Thread Jiri Pirko
Mon, Mar 06, 2017 at 02:48:58PM CET, ja...@redhat.com wrote: >This restores the ability to set a team device's mtu to anything higher >than 1500. Similar to the reported issue with bonding, the team driver >calls ether_setup(), which sets an initial max_mtu of 1500, while the >underlying hardware

[PATCH 26/29] drivers, usb: convert dev_data.count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 10/29] drivers, md: convert stripe_head.count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 08/29] drivers, md: convert mddev.active from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 16/29] drivers, media: convert vb2_vmalloc_buf.refcount from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 14/29] drivers, media: convert vb2_dc_buf.refcount from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 13/29] drivers, media: convert vb2_vmarea_handler.refcount from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

Re: [PATCH 21/29] drivers, s390: convert fc_fcp_pkt.ref_cnt from atomic_t to refcount_t

2017-03-06 Thread Johannes Thumshirn
On 03/06/2017 03:21 PM, Elena Reshetova wrote: > refcount_t type and corresponding API should be > used instead of atomic_t when the variable is used as > a reference counter. This allows to avoid accidental > refcounter overflows that might lead to use-after-free > situations. The subject is

Re: [Patch net] bonding: use ETH_MAX_MTU as max mtu

2017-03-06 Thread Jiri Pirko
Mon, Mar 06, 2017 at 02:36:47PM CET, ja...@redhat.com wrote: >On 2017-03-02 3:24 PM, Cong Wang wrote: >> This restores the ability of setting bond device's mtu to 9000. >> >> Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra") >> Reported-by: daz...@gmail.com >>

[PATCH 22/29] drivers, scsi: convert iscsi_task.refcount from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

Re: [PATCH net v2] xen-netback: fix race condition on XenBus disconnect

2017-03-06 Thread Igor Druzhinin
On 06/03/17 08:58, Paul Durrant wrote: >> -Original Message- >> From: Igor Druzhinin [mailto:igor.druzhi...@citrix.com] >> Sent: 03 March 2017 20:23 >> To: netdev@vger.kernel.org; xen-de...@lists.xenproject.org >> Cc: Paul Durrant ; jgr...@suse.com; Wei Liu >>

[PATCH 06/29] drivers, md: convert dm_cache_metadata.ref_count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 09/29] drivers, md: convert table_device.count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 23/29] drivers: convert vme_user_vma_priv.refcnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[patch net-next 2/5] flow_dissector: Move MPLS dissection into a separate function

2017-03-06 Thread Jiri Pirko
From: Jiri Pirko Make the main flow_dissect function a bit smaller and move the MPLS dissection into a separate function. Along with that, do the MPLS header processing only in case the flow dissection user requires it. Signed-off-by: Jiri Pirko ---

[patch net-next 0/5] make flow dissector great again

2017-03-06 Thread Jiri Pirko
From: Jiri Pirko This patchset follows-up the discussion about future extensions of flow dissector and tries to address the mentioned concerns. Some parts are cut out into sub-functions. Also, the processing of the code (ARP, MPLS) is made dependent on user actually requiring

[patch net-next 4/5] flow_dissector: rename "proto again" goto label

2017-03-06 Thread Jiri Pirko
From: Jiri Pirko Align with "ip_proto_again" label used in the same function and rename vague "again" to "proto_again". Signed-off-by: Jiri Pirko --- net/core/flow_dissector.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git

[patch net-next 1/5] flow_dissector: Move ARP dissection into a separate function

2017-03-06 Thread Jiri Pirko
From: Jiri Pirko Make the main flow_dissect function a bit smaller and move the ARP dissection into a separate function. Along with that, do the ARP header processing only in case the flow dissection user requires it. Signed-off-by: Jiri Pirko ---

[patch net-next 3/5] flow_dissector: Fix GRE header error path

2017-03-06 Thread Jiri Pirko
From: Jiri Pirko Now, when an unexpected element in the GRE header appears, we break so the l4 ports are processed. But since the ports are processed unconditionally, there will be certainly random values dissected. Fix this by just bailing out in such situations.

[patch net-next 5/5] flow_dissector: Move GRE dissection into a separate function

2017-03-06 Thread Jiri Pirko
From: Jiri Pirko Make the main flow_dissect function a bit smaller and move the GRE dissection into a separate function. Signed-off-by: Jiri Pirko --- net/core/flow_dissector.c | 244 +- 1 file changed, 134

[PATCH net-next] net: ipv4: add support for ECMP hash policy choice

2017-03-06 Thread Nikolay Aleksandrov
This patch adds support for ECMP hash policy choice via a new sysctl called fib_multipath_hash_policy and also adds support for L4 hashes. The current values for fib_multipath_hash_policy are: 0 - layer 3 1 - layer 4 (new default) If there's an skb hash already set and it matches the chosen

[RFC PATCH net] net: Work around lockdep limitation in sockets that use sockets

2017-03-06 Thread David Howells
Lockdep issues a circular dependency warning when AFS issues an operation through AF_RXRPC from a context in which the VFS/VM holds the mmap_sem. The theory lockdep comes up with is as follows: (1) If the pagefault handler decides it needs to read pages from AFS, it calls AFS with mmap_sem

[PATCH 28/29] drivers: convert sbd_duart.map_guard from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 05/29] drivers, md, bcache: convert cached_dev.count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 27/29] drivers, usb: convert ep_data.count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 15/29] drivers, media: convert vb2_dma_sg_buf.refcount from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 17/29] drivers, pci: convert hv_pci_dev.refs from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

Re: [PATCH v3 17/20] usb: gadget: pch_udc: Replace PCI pool old API

2017-03-06 Thread Felipe Balbi
Peter Senna Tschudin writes: > On Sun, Feb 26, 2017 at 08:24:22PM +0100, Romain Perier wrote: >> The PCI pool API is deprecated. This commit replaces the PCI pool old >> API by the appropriate function with the DMA pool API. >> > Reviewed-by: Peter Senna Tschudin

[PATCH 03/29] drivers, char: convert vma_data.refcnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 00/29] drivers, mics refcount conversions

2017-03-06 Thread Elena Reshetova
This series, for various different drivers, replaces atomic_t reference counters with the new refcount_t type and API (see include/linux/refcount.h). By doing this we prevent intentional or accidental underflows or overflows that can lead to use-after-free vulnerabilities. The below patches are

[PATCH 04/29] drivers, connector: convert cn_callback_entry.refcnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 21/29] drivers, s390: convert fc_fcp_pkt.ref_cnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 20/29] drivers, s390: convert qeth_reply.refcnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH net 3/7 v2] bnx2x: fix possible overrun of VFPF multicast addresses array

2017-03-06 Thread Michal Schmidt
It is too late to check for the limit of the number of VF multicast addresses after they have already been copied to the req->multicast[] array, possibly overflowing it. Do the check before copying. Checking early also avoids having to (and forgetting to) unlock vf2pf_mutex. While we're

Re: [PATCH] 4.9.13 brcmfmac: fix use-after-free on resume

2017-03-06 Thread Daniel J Blueman
On 6 March 2017 at 21:00, Arend Van Spriel wrote: > + linux-wireless > > On 6-3-2017 8:14, Daniel J Blueman wrote: >> KASAN reported 'struct wireless_dev wdev' was read after being freed. >> Fix by freeing after the access. > > I would rather like to see the KASAN

[PATCH 24/29] drivers: convert iblock_req.pending from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 02/29] drivers, firewire: convert fw_node.ref_count from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

[PATCH 19/29] drivers, s390: convert lcs_reply.refcnt from atomic_t to refcount_t

2017-03-06 Thread Elena Reshetova
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by:

Re: [PATCH net 5/7] bnx2x: do not rollback VF MAC/VLAN filters we did not configure

2017-03-06 Thread Michal Schmidt
Dne 5.3.2017 v 11:13 Mintz, Yuval napsal(a): On failure to configure a VF MAC/VLAN filter we should not attempt to rollback filters that we failed to configure with -EEXIST. Is this theoretical or did you actually manage to hit it? If so, did it involve non-linux VFs? Asking as linux VFs

Re: [PATCH net 1/7] bnx2x: prevent crash when accessing PTP with interface down

2017-03-06 Thread Michal Schmidt
Dne 5.3.2017 v 10:43 Mintz, Yuval napsal(a): It is possible to crash the kernel by accessing a PTP device while its associated bnx2x interface is down. Before the interface is brought up, the timecounter is not initialized, so accessing it results in NULL dereference. Fix it by checking if the

Re: [PATCH net-next] packet: fix panic in __packet_set_timestamp on tpacket_v3 in tx mode

2017-03-06 Thread chetan loke
>> >> Gosh. Can we also replace this BUG() into something less aggressive ? > > > There are currently 5 of these WARN() + BUG() constructs and 1 BUG()-only > for the 'default' TPACKET version spread all over af_packet, so probably > makes sense to rather make all of them less aggressive. > > Very

Re: [patch net-next RFC 1/2] flow_dissecror: Move ARP dissection into a separate function

2017-03-06 Thread Jiri Pirko
Tue, Feb 21, 2017 at 07:50:53PM CET, t...@herbertland.com wrote: >On Tue, Feb 21, 2017 at 6:33 AM, Jiri Pirko wrote: >> From: Jiri Pirko >> >> Make the main flow_dissect function a bit smaller and move the ARP >> dissection into a separate function. Along

Re: [PATCH] bridge: Add support for IEEE 802.11 Proxy ARP for IPv6

2017-03-06 Thread Jouni Malinen
On Fri, Feb 24, 2017 at 11:55:37AM -0800, Stephen Hemminger wrote: > The concept is fine. Thanks for taking a look. > Please add some comments to the code about what is happening and why. > The proposed patch is too sparse and has no comments. Sure, will do that for the next version. > > +

Re: [PATCH net-next] net: ipv4: add support for ECMP hash policy choice

2017-03-06 Thread David Ahern
On 3/6/17 7:59 AM, Nikolay Aleksandrov wrote: > diff --git a/include/net/route.h b/include/net/route.h > index c0874c87c173..77a5c613a290 100644 > --- a/include/net/route.h > +++ b/include/net/route.h > @@ -113,13 +113,12 @@ struct in_device; > int ip_rt_init(void); > void rt_cache_flush(struct

Re: [PATCH net-next] net: ipv4: add support for ECMP hash policy choice

2017-03-06 Thread Nikolay Aleksandrov
On 06/03/17 18:24, David Ahern wrote: > On 3/6/17 7:59 AM, Nikolay Aleksandrov wrote: >> diff --git a/include/net/route.h b/include/net/route.h >> index c0874c87c173..77a5c613a290 100644 >> --- a/include/net/route.h >> +++ b/include/net/route.h >> @@ -113,13 +113,12 @@ struct in_device; >> int

Re: [PATCH] netfilter: Use pr_cont where appropriate

2017-03-06 Thread Pablo Neira Ayuso
On Tue, Feb 28, 2017 at 02:09:24PM -0800, Joe Perches wrote: > Logging output was changed when simple printks without KERN_CONT > are now emitted on a new line and KERN_CONT is required to continue > lines so use pr_cont. > > Miscellanea: > > o realign arguments > o use print_hex_dump instead of

Re: [PATCH 11/29] drivers, media: convert cx88_core.refcount from atomic_t to refcount_t

2017-03-06 Thread Sergei Shtylyov
Hello. On 03/06/2017 05:20 PM, Elena Reshetova wrote: refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by:

Re: [PATCH net-next RFC 3/4] vhost: interrupt coalescing support

2017-03-06 Thread Willem de Bruijn
On Mon, Mar 6, 2017 at 4:28 AM, Jason Wang wrote: > > > On 2017年03月03日 22:39, Willem de Bruijn wrote: >> >> +void vhost_signal(struct vhost_dev *dev, struct vhost_virtqueue *vq); >> +static enum hrtimer_restart vhost_coalesce_timer(struct hrtimer *timer) >> +{ >> +

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-06 Thread David Ahern
On 3/4/17 1:15 PM, Eric Dumazet wrote: > On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: >> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: >>> On 3/3/17 6:39 AM, Dmitry Vyukov wrote: I am getting heap out-of-bounds reports in

Re: [PATCH 1/4] net: thunderx: Fix IOMMU translation faults

2017-03-06 Thread Robin Murphy
On 06/03/17 12:57, Sunil Kovvuri wrote: >>> >>> We are seeing a 0.75Mpps drop with IP forwarding rate due to that. >>> Hence I have restricted calling DMA interfaces to only when IOMMU is >>> enabled. >> >> What's 0.07Mpps as a percentage of baseline? On a correctly configured >> coherent arm64

Re: [PATCH 08/26] brcmsmac: make some local variables 'static const' to reduce stack size

2017-03-06 Thread Kalle Valo
Arend Van Spriel writes: > On 2-3-2017 17:38, Arnd Bergmann wrote: >> With KASAN and a couple of other patches applied, this driver is one >> of the few remaining ones that actually use more than 2048 bytes of >> kernel stack: >> >>

Re: [PATCH] netfilter: remove redundant check on ret being non-zero

2017-03-06 Thread Pablo Neira Ayuso
On Tue, Feb 28, 2017 at 11:31:15AM +, Colin King wrote: > From: Colin Ian King > > ret is initialized to zero and if it is set to non-zero in the > xt_entry_foreach loop then we exit via the out_free label. Hence > the check for ret being non-zero is redundant and

Re: [PATCH net] bpf: disable broken write protection on i386

2017-03-06 Thread David Miller
From: Daniel Borkmann Date: Mon, 06 Mar 2017 19:35:47 +0100 > I can do a few more tests with the kernel I have. I'm also totally > fine if we drop this patch; it's just rc1, so there's plenty of time > till a final release. I would really prefer we get to the bottom of

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-06 Thread Dmitry Vyukov
On Mon, Mar 6, 2017 at 6:31 PM, David Ahern wrote: > On 3/4/17 1:15 PM, Eric Dumazet wrote: >> On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: >>> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern >>> wrote: On 3/3/17 6:39 AM, Dmitry

Re: [PATCH net-next RFC 2/4] virtio-net: transmit napi

2017-03-06 Thread Willem de Bruijn
>> drivers/net/virtio_net.c | 73 >> >> 1 file changed, 61 insertions(+), 12 deletions(-) >> >> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c >> index 8c21e9a4adc7..9a9031640179 100644 >> --- a/drivers/net/virtio_net.c >> +++

Re: [PATCH net] bpf: disable broken write protection on i386

2017-03-06 Thread Daniel Borkmann
On 03/06/2017 07:11 PM, Kees Cook wrote: On Fri, Mar 3, 2017 at 7:23 PM, Daniel Borkmann wrote: Since d2852a224050 ("arch: add ARCH_HAS_SET_MEMORY config") and 9d876e79df6a ("bpf: fix unlocking of jited image when module ronx not set") that uses the former, Fengguang

[PATCH v2] selinux: check for address length in selinux_socket_bind()

2017-03-06 Thread Alexander Potapenko
KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of uninitialized memory in selinux_socket_bind(): == BUG: KMSAN: use of unitialized memory inter: 0 CPU: 3 PID: 1074 Comm: packet2 Tainted: GB

Re: [Xen-devel] [PATCH 29/29] drivers, xen: convert grant_map.users from atomic_t to refcount_t

2017-03-06 Thread Boris Ostrovsky
On 03/06/2017 09:21 AM, Elena Reshetova wrote: > refcount_t type and corresponding API should be > used instead of atomic_t when the variable is used as > a reference counter. This allows to avoid accidental > refcounter overflows that might lead to use-after-free > situations. > > Signed-off-by:

Re: [PATCH 1/2] net: sched: make default fifo qdiscs appear in the dump

2017-03-06 Thread David Miller
From: Jiri Kosina Date: Mon, 6 Mar 2017 12:03:38 +0100 (CET) > Ah, right you are, thanks. The complete fix is not super trivial, as it > needs some more surgery to tc_dump_qdisc_root(), tc_dump_tclass_root() and > qdisc_match_from_root() (see 69012ae42 for some details). > >

Re: [PATCH net-next RFC 4/4] virtio-net: clean tx descriptors from rx napi

2017-03-06 Thread Willem de Bruijn
On Mon, Mar 6, 2017 at 12:43 PM, Willem de Bruijn wrote: >>> +static void virtnet_poll_cleantx(struct receive_queue *rq) >>> +{ >>> + struct virtnet_info *vi = rq->vq->vdev->priv; >>> + unsigned int index = vq2rxq(rq->vq); >>> + struct send_queue

Re: [PATCH net-next RFC 4/4] virtio-net: clean tx descriptors from rx napi

2017-03-06 Thread Willem de Bruijn
>> +static void virtnet_poll_cleantx(struct receive_queue *rq) >> +{ >> + struct virtnet_info *vi = rq->vq->vdev->priv; >> + unsigned int index = vq2rxq(rq->vq); >> + struct send_queue *sq = >sq[index]; >> + struct netdev_queue *txq = netdev_get_tx_queue(vi->dev, index); >>
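Review bot: in virtnet_poll_cleantx(), the value from vq2rxq(rq->vq) is an rx queue number, yet it is reused unchanged to pick the send queue (sq[index]) and the netdev tx queue (netdev_get_tx_queue(vi->dev, index)). That relies on every rx queue having a tx queue at the same index, which nothing in the visible lines states or checks. A one-line comment above the index assignment saying that rx and tx queues are paired by index would make the assumption explicit for anyone who later changes the queue layout.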

Re: [PATCH net] dccp: fix use-after-free in dccp_feat_activate_values

2017-03-06 Thread Cong Wang
On Sun, Mar 5, 2017 at 10:42 PM, Eric Dumazet wrote: > On Sun, 2017-03-05 at 21:38 -0800, Cong Wang wrote: > >> Do you really want to disable BH again here? >> >> dccp_check_req() should be always called on RX path where BH >> is already disabled and BH can't be disabled

Re: [PATCH net-next RFC 2/4] virtio-net: transmit napi

2017-03-06 Thread David Miller
From: Willem de Bruijn Date: Mon, 6 Mar 2017 12:50:19 -0500 >>> drivers/net/virtio_net.c | 73 >>> >>> 1 file changed, 61 insertions(+), 12 deletions(-) >>> >>> diff --git a/drivers/net/virtio_net.c

[PATCH] vrf: Fix use-after-free in vrf_xmit

2017-03-06 Thread David Ahern
KASAN detected a use-after-free: [ 269.467067] BUG: KASAN: use-after-free in vrf_xmit+0x7f1/0x827 [vrf] at addr 8800350a21c0 [ 269.467067] Read of size 4 by task ssh/1879 [ 269.467067] CPU: 1 PID: 1879 Comm: ssh Not tainted 4.10.0+ #249 [ 269.467067] Hardware name: QEMU Standard PC

Re: [PATCH net-next] packet: fix panic in __packet_set_timestamp on tpacket_v3 in tx mode

2017-03-06 Thread Willem de Bruijn
On Mon, Mar 6, 2017 at 12:13 PM, chetan loke wrote: >>> >>> Gosh. Can we also replace this BUG() into something less aggressive ? >> >> >> There are currently 5 of these WARN() + BUG() constructs and 1 BUG()-only >> for the 'default' TPACKET version spread all over

Re: [PATCH net] bpf: disable broken write protection on i386

2017-03-06 Thread Kees Cook
On Fri, Mar 3, 2017 at 7:23 PM, Daniel Borkmann wrote: > Since d2852a224050 ("arch: add ARCH_HAS_SET_MEMORY config") and > 9d876e79df6a ("bpf: fix unlocking of jited image when module ronx > not set") that uses the former, Fengguang reported random corruptions > on his i386

Re: [PATCH v2] selinux: check for address length in selinux_socket_bind()

2017-03-06 Thread Eric Dumazet
On Mon, 2017-03-06 at 19:46 +0100, Alexander Potapenko wrote: > KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of > uninitialized memory in selinux_socket_bind(): > ... > Signed-off-by: Alexander Potapenko > --- > Changes since v1: > - fixed patch
