1. 15 Mar, 2022 3 commits
    • Jiasheng Jiang's avatar
      atm: eni: Add check for dma_map_single · 0f74b29a
      Jiasheng Jiang authored
      As the potential failure of the dma_map_single(),
      it should be better to check it and return error
      if fails.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJiasheng Jiang <jiasheng@iscas.ac.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0f74b29a
    • Eric Dumazet's avatar
      net/packet: fix slab-out-of-bounds access in packet_recvmsg() · c700525f
      Eric Dumazet authored
      syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
      and mmap operations, tpacket_rcv() is queueing skbs with
      garbage in skb->cb[], triggering a too big copy [1]
      
      Presumably, users of af_packet using mmap() already gets correct
      metadata from the mapped buffer, we can simply make sure
      to clear 12 bytes that might be copied to user space later.
      
      BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
      BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
      Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631
      
      CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b366069 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
       print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
       __kasan_report mm/kasan/report.c:442 [inline]
       kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
       check_region_inline mm/kasan/generic.c:183 [inline]
       kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
       memcpy+0x39/0x60 mm/kasan/shadow.c:66
       memcpy include/linux/fortify-string.h:225 [inline]
       packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
       sock_recvmsg_nosec net/socket.c:948 [inline]
       sock_recvmsg net/socket.c:966 [inline]
       sock_recvmsg net/socket.c:962 [inline]
       ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
       ___sys_recvmsg+0x127/0x200 net/socket.c:2674
       __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7fdfd5954c29
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
      RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
      RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
      R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
       </TASK>
      
      addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
       ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246
      
      this frame has 1 object:
       [32, 160) 'addr'
      
      Memory state around the buggy address:
       ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
       ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
      >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
                                                                      ^
       ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
       ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
      ==================================================================
      
      Fixes: 0fb375fb ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c700525f
    • Michael Walle's avatar
      net: mdio: mscc-miim: fix duplicate debugfs entry · 0f8946ae
      Michael Walle authored
      This driver can have up to two regmaps. If the second one is registered
      its debugfs entry will have the same name as the first one and the
      following error will be printed:
      
      [    3.833521] debugfs: Directory 'e200413c.mdio' with parent 'regmap' already present!
      
      Give the second regmap a name to avoid this.
      
      Fixes: a27a7628 ("net: mdio: mscc-miim: convert to a regmap implementation")
      Signed-off-by: default avatarMichael Walle <michael@walle.cc>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20220312224140.4173930-1-michael@walle.ccSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0f8946ae
  2. 14 Mar, 2022 3 commits
  3. 12 Mar, 2022 4 commits
  4. 11 Mar, 2022 2 commits
    • Linus Torvalds's avatar
      Merge tag 'net-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 186d32bb
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, and ipsec.
      
        Current release - regressions:
      
         - Bluetooth: fix unbalanced unlock in set_device_flags()
      
         - Bluetooth: fix not processing all entries on cmd_sync_work, make
           connect with qualcomm and intel adapters reliable
      
         - Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0"
      
         - xdp: xdp_mem_allocator can be NULL in trace_mem_connect()
      
         - eth: ice: fix race condition and deadlock during interface enslave
      
        Current release - new code bugs:
      
         - tipc: fix incorrect order of state message data sanity check
      
        Previous releases - regressions:
      
         - esp: fix possible buffer overflow in ESP transformation
      
         - dsa: unlock the rtnl_mutex when dsa_master_setup() fails
      
         - phy: meson-gxl: fix interrupt handling in forced mode
      
         - smsc95xx: ignore -ENODEV errors when device is unplugged
      
        Previous releases - always broken:
      
         - xfrm: fix tunnel mode fragmentation behavior
      
         - esp: fix inter address family tunneling on GSO
      
         - tipc: fix null-deref due to race when enabling bearer
      
         - sctp: fix kernel-infoleak for SCTP sockets
      
         - eth: macb: fix lost RX packet wakeup race in NAPI receive
      
         - eth: intel stop disabling VFs due to PF error responses
      
         - eth: bcmgenet: don't claim WOL when its not available"
      
      * tag 'net-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (50 commits)
        xdp: xdp_mem_allocator can be NULL in trace_mem_connect().
        ice: Fix race condition during interface enslave
        net: phy: meson-gxl: improve link-up behavior
        net: bcmgenet: Don't claim WOL when its not available
        net: arc_emac: Fix use after free in arc_mdio_probe()
        sctp: fix kernel-infoleak for SCTP sockets
        net: phy: correct spelling error of media in documentation
        net: phy: DP83822: clear MISR2 register to disable interrupts
        gianfar: ethtool: Fix refcount leak in gfar_get_ts_info
        selftests: pmtu.sh: Kill nettest processes launched in subshell.
        selftests: pmtu.sh: Kill tcpdump processes launched by subshell.
        NFC: port100: fix use-after-free in port100_send_complete
        net/mlx5e: SHAMPO, reduce TIR indication
        net/mlx5e: Lag, Only handle events from highest priority multipath entry
        net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE
        net/mlx5: Fix a race on command flush flow
        net/mlx5: Fix size field in bufferx_reg struct
        ax25: Fix NULL pointer dereference in ax25_kill_by_device
        net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr
        net: ethernet: lpc_eth: Handle error for clk_enable
        ...
      186d32bb
    • Sebastian Andrzej Siewior's avatar
      xdp: xdp_mem_allocator can be NULL in trace_mem_connect(). · e0ae7130
      Sebastian Andrzej Siewior authored
      Since the commit mentioned below __xdp_reg_mem_model() can return a NULL
      pointer. This pointer is dereferenced in trace_mem_connect() which leads
      to segfault.
      
      The trace points (mem_connect + mem_disconnect) were put in place to
      pair connect/disconnect using the IDs. The ID is only assigned if
      __xdp_reg_mem_model() does not return NULL. That connect trace point is
      of no use if there is no ID.
      
      Skip that connect trace point if xdp_alloc is NULL.
      
      [ Toke Høiland-Jørgensen delivered the reasoning for skipping the trace
        point ]
      
      Fixes: 4a48ef70 ("xdp: Allow registering memory model without rxq reference")
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/r/YikmmXsffE+QajTB@linutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e0ae7130
  5. 10 Mar, 2022 26 commits
    • Ivan Vecera's avatar
      ice: Fix race condition during interface enslave · 5cb1ebdb
      Ivan Vecera authored
      Commit 5dbbbd01 ("ice: Avoid RTNL lock when re-creating
      auxiliary device") changes a process of re-creation of aux device
      so ice_plug_aux_dev() is called from ice_service_task() context.
      This unfortunately opens a race window that can result in dead-lock
      when interface has left LAG and immediately enters LAG again.
      
      Reproducer:
      ```
      #!/bin/sh
      
      ip link add lag0 type bond mode 1 miimon 100
      ip link set lag0
      
      for n in {1..10}; do
              echo Cycle: $n
              ip link set ens7f0 master lag0
              sleep 1
              ip link set ens7f0 nomaster
      done
      ```
      
      This results in:
      [20976.208697] Workqueue: ice ice_service_task [ice]
      [20976.213422] Call Trace:
      [20976.215871]  __schedule+0x2d1/0x830
      [20976.219364]  schedule+0x35/0xa0
      [20976.222510]  schedule_preempt_disabled+0xa/0x10
      [20976.227043]  __mutex_lock.isra.7+0x310/0x420
      [20976.235071]  enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]
      [20976.251215]  ib_enum_roce_netdev+0xa4/0xe0 [ib_core]
      [20976.256192]  ib_cache_setup_one+0x33/0xa0 [ib_core]
      [20976.261079]  ib_register_device+0x40d/0x580 [ib_core]
      [20976.266139]  irdma_ib_register_device+0x129/0x250 [irdma]
      [20976.281409]  irdma_probe+0x2c1/0x360 [irdma]
      [20976.285691]  auxiliary_bus_probe+0x45/0x70
      [20976.289790]  really_probe+0x1f2/0x480
      [20976.298509]  driver_probe_device+0x49/0xc0
      [20976.302609]  bus_for_each_drv+0x79/0xc0
      [20976.306448]  __device_attach+0xdc/0x160
      [20976.310286]  bus_probe_device+0x9d/0xb0
      [20976.314128]  device_add+0x43c/0x890
      [20976.321287]  __auxiliary_device_add+0x43/0x60
      [20976.325644]  ice_plug_aux_dev+0xb2/0x100 [ice]
      [20976.330109]  ice_service_task+0xd0c/0xed0 [ice]
      [20976.342591]  process_one_work+0x1a7/0x360
      [20976.350536]  worker_thread+0x30/0x390
      [20976.358128]  kthread+0x10a/0x120
      [20976.365547]  ret_from_fork+0x1f/0x40
      ...
      [20976.438030] task:ip              state:D stack:    0 pid:213658 ppid:213627 flags:0x00004084
      [20976.446469] Call Trace:
      [20976.448921]  __schedule+0x2d1/0x830
      [20976.452414]  schedule+0x35/0xa0
      [20976.455559]  schedule_preempt_disabled+0xa/0x10
      [20976.460090]  __mutex_lock.isra.7+0x310/0x420
      [20976.464364]  device_del+0x36/0x3c0
      [20976.467772]  ice_unplug_aux_dev+0x1a/0x40 [ice]
      [20976.472313]  ice_lag_event_handler+0x2a2/0x520 [ice]
      [20976.477288]  notifier_call_chain+0x47/0x70
      [20976.481386]  __netdev_upper_dev_link+0x18b/0x280
      [20976.489845]  bond_enslave+0xe05/0x1790 [bonding]
      [20976.494475]  do_setlink+0x336/0xf50
      [20976.502517]  __rtnl_newlink+0x529/0x8b0
      [20976.543441]  rtnl_newlink+0x43/0x60
      [20976.546934]  rtnetlink_rcv_msg+0x2b1/0x360
      [20976.559238]  netlink_rcv_skb+0x4c/0x120
      [20976.563079]  netlink_unicast+0x196/0x230
      [20976.567005]  netlink_sendmsg+0x204/0x3d0
      [20976.570930]  sock_sendmsg+0x4c/0x50
      [20976.574423]  ____sys_sendmsg+0x1eb/0x250
      [20976.586807]  ___sys_sendmsg+0x7c/0xc0
      [20976.606353]  __sys_sendmsg+0x57/0xa0
      [20976.609930]  do_syscall_64+0x5b/0x1a0
      [20976.613598]  entry_SYSCALL_64_after_hwframe+0x65/0xca
      
      1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev()
         is called from ice_service_task() context, aux device is created
         and associated device->lock is taken.
      2. Command 'ip link ... set master...' calls ice's notifier under
         RTNL lock and that notifier calls ice_unplug_aux_dev(). That
         function tries to take aux device->lock but this is already taken
         by ice_plug_aux_dev() in step 1
      3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already
         taken in step 2
      4. Dead-lock
      
      The patch fixes this issue by following changes:
      - Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev()
        call in ice_service_task()
      - The bit is checked in ice_clear_rdma_cap() and only if it is not set
        then ice_unplug_aux_dev() is called. If it is set (in other words
        plugging of aux device was requested and ice_plug_aux_dev() is
        potentially running) then the function only clears the bit
      - Once ice_plug_aux_dev() call (in ice_service_task) is finished
        the bit ICE_FLAG_PLUG_AUX_DEV is cleared but it is also checked
        whether it was already cleared by ice_clear_rdma_cap(). If so then
        aux device is unplugged.
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Co-developed-by: default avatarPetr Oros <poros@redhat.com>
      Signed-off-by: default avatarPetr Oros <poros@redhat.com>
      Reviewed-by: default avatarDave Ertman <david.m.ertman@intel.com>
      Link: https://lore.kernel.org/r/20220310171641.3863659-1-ivecera@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5cb1ebdb
    • Heiner Kallweit's avatar
      net: phy: meson-gxl: improve link-up behavior · 2c87c6f9
      Heiner Kallweit authored
      Sometimes the link comes up but no data flows. This patch fixes
      this behavior. It's not clear what's the root cause of the issue.
      
      According to the tests one other link-up issue remains.
      In very rare cases the link isn't even reported as up.
      
      Fixes: 84c8f773 ("net: phy: meson-gxl: remove the use of .ack_callback()")
      Tested-by: default avatarErico Nunes <nunes.erico@gmail.com>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/e3473452-a1f9-efcf-5fdd-02b6f44c3fcd@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2c87c6f9
    • Jeremy Linton's avatar
      net: bcmgenet: Don't claim WOL when its not available · 00b022f8
      Jeremy Linton authored
      Some of the bcmgenet platforms don't correctly support WOL, yet
      ethtool returns:
      
      "Supports Wake-on: gsf"
      
      which is false.
      
      Ideally if there isn't a wol_irq, or there is something else that
      keeps the device from being able to wakeup it should display:
      
      "Supports Wake-on: d"
      
      This patch checks whether the device can wakup, before using the
      hard-coded supported flags. This corrects the ethtool reporting, as
      well as the WOL configuration because ethtool verifies that the mode
      is supported before attempting it.
      
      Fixes: c51de7f3 ("net: bcmgenet: add Wake-on-LAN support code")
      Signed-off-by: default avatarJeremy Linton <jeremy.linton@arm.com>
      Tested-by: default avatarPeter Robinson <pbrobinson@gmail.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20220310045535.224450-1-jeremy.linton@arm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      00b022f8
    • Jianglei Nie's avatar
      net: arc_emac: Fix use after free in arc_mdio_probe() · bc0e610a
      Jianglei Nie authored
      If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
      the "bus". But bus->name is still used in the next line, which will lead
      to a use after free.
      
      We can fix it by putting the name in a local variable and make the
      bus->name point to the rodata section "name",then use the name in the
      error message without referring to bus to avoid the uaf.
      
      Fixes: 95b5fc03 ("net: arc_emac: Make use of the helper function dev_err_probe()")
      Signed-off-by: default avatarJianglei Nie <niejianglei2021@163.com>
      Link: https://lore.kernel.org/r/20220309121824.36529-1-niejianglei2021@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      bc0e610a
    • Eric Dumazet's avatar
      sctp: fix kernel-infoleak for SCTP sockets · 633593a8
      Eric Dumazet authored
      syzbot reported a kernel infoleak [1] of 4 bytes.
      
      After analysis, it turned out r->idiag_expires is not initialized
      if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()
      
      Make sure to clear idiag_timer/idiag_retrans/idiag_expires
      and let inet_diag_msg_sctpasoc_fill() fill them again if needed.
      
      [1]
      
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       copyout lib/iov_iter.c:154 [inline]
       _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
       copy_to_iter include/linux/uio.h:162 [inline]
       simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
       __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
       skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
       skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
       netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
       sock_recvmsg_nosec net/socket.c:948 [inline]
       sock_recvmsg net/socket.c:966 [inline]
       __sys_recvfrom+0x795/0xa10 net/socket.c:2097
       __do_sys_recvfrom net/socket.c:2115 [inline]
       __se_sys_recvfrom net/socket.c:2111 [inline]
       __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:737 [inline]
       slab_alloc_node mm/slub.c:3247 [inline]
       __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
       kmalloc_reserve net/core/skbuff.c:354 [inline]
       __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
       alloc_skb include/linux/skbuff.h:1158 [inline]
       netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
       __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
       netlink_dump_start include/linux/netlink.h:254 [inline]
       inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
       sock_diag_rcv_msg+0x24a/0x620
       netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
       sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
       sock_sendmsg_nosec net/socket.c:705 [inline]
       sock_sendmsg net/socket.c:725 [inline]
       sock_write_iter+0x594/0x690 net/socket.c:1061
       do_iter_readv_writev+0xa7f/0xc70
       do_iter_write+0x52c/0x1500 fs/read_write.c:851
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x645/0xe00 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Bytes 68-71 of 2508 are uninitialized
      Memory access of size 2508 starts at ffff888114f9b000
      Data copied to user address 00007f7fe09ff2e0
      
      CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/20220310001145.297371-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      633593a8
    • Colin Foster's avatar
      net: phy: correct spelling error of media in documentation · 26183cfe
      Colin Foster authored
      The header file incorrectly referenced "median-independant interface"
      instead of media. Correct this typo.
      Signed-off-by: default avatarColin Foster <colin.foster@in-advantage.com>
      Fixes: 4069a572 ("net: phy: Document core PHY structures")
      Reviewed-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Link: https://lore.kernel.org/r/20220309062544.3073-1-colin.foster@in-advantage.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      26183cfe
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2022-03-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 55c4bf4d
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2022-03-09
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2022-03-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5e: SHAMPO, reduce TIR indication
        net/mlx5e: Lag, Only handle events from highest priority multipath entry
        net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE
        net/mlx5: Fix a race on command flush flow
        net/mlx5: Fix size field in bufferx_reg struct
      ====================
      
      Link: https://lore.kernel.org/r/20220309201517.589132-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      55c4bf4d
    • Linus Torvalds's avatar
      Merge tag 'block-5.17-2022-03-10' of git://git.kernel.dk/linux-block · 3bcb6451
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single fix for a regression that occured in this merge window"
      
      * tag 'block-5.17-2022-03-10' of git://git.kernel.dk/linux-block:
        block: fix blk_mq_attempt_bio_merge and rq_qos_throttle protection
      3bcb6451
    • Linus Torvalds's avatar
      Merge tag 'staging-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · c30b5b8c
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are three small fixes for staging drivers for 5.17-rc8 or -final,
        which ever comes next.
      
        They resolve some reported problems:
      
         - rtl8723bs wifi driver deadlock fix for reported problem that is a
           revert of a previous patch. Also a documentation fix is added so
           that the same problem hopefully can not come back again.
      
         - gdm724x driver use-after-free fix for a reported problem.
      
        All of these have been in linux-next for a while with no reported
        problems"
      
      * tag 'staging-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: rtl8723bs: Improve the comment explaining the locking rules
        staging: rtl8723bs: Fix access-point mode deadlock
        staging: gdm724x: fix use after free in gdm_lte_rx()
      c30b5b8c
    • Clément Léger's avatar
      net: phy: DP83822: clear MISR2 register to disable interrupts · 37c9d66c
      Clément Léger authored
      MISR1 was cleared twice but the original author intention was probably
      to clear MISR1 & MISR2 to completely disable interrupts. Fix it to
      clear MISR2.
      
      Fixes: 87461f7a ("net: phy: DP83822 initial driver submission")
      Signed-off-by: default avatarClément Léger <clement.leger@bootlin.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20220309142228.761153-1-clement.leger@bootlin.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      37c9d66c
    • Miaoqian Lin's avatar
      gianfar: ethtool: Fix refcount leak in gfar_get_ts_info · 2ac5b58e
      Miaoqian Lin authored
      The of_find_compatible_node() function returns a node pointer with
      refcount incremented, We should use of_node_put() on it when done
      Add the missing of_node_put() to release the refcount.
      
      Fixes: 7349a74e ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
      Signed-off-by: default avatarMiaoqian Lin <linmq006@gmail.com>
      Reviewed-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Reviewed-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Link: https://lore.kernel.org/r/20220310015313.14938-1-linmq006@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2ac5b58e
    • Linus Torvalds's avatar
      Merge tag 'soc-fixes-5.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 55b4083b
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "Here is a third set of fixes for the soc tree, well within the
        expected set of changes.
      
        Maintainer list changes:
         - Krzysztof Kozlowski and Jisheng Zhang both have new email addresses
         - Broadcom iProc has a new git tree
      
        Regressions:
         - Robert Foss sends a revert for a Mediatek DPI bridge patch that
           caused an inadvertent break in the DT binding
         - mstar timers need to be included in Kconfig
      
        Devicetree fixes for:
         - Aspeed ast2600 spi pinmux
         - Tegra eDP panels on Nyan FHD
         - Tegra display IOMMU
         - Qualcomm sm8350 UFS clocks
         - minor DT changes for Marvell Armada, Qualcomm sdx65, Qualcomm
           sm8450, and Broadcom BCM2711"
      
      * tag 'soc-fixes-5.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
        MAINTAINERS: Update Jisheng's email address
        Revert "arm64: dts: mt8183: jacuzzi: Fix bus properties in anx's DSI endpoint"
        dt-bindings: drm/bridge: anx7625: Revert DPI support
        ARM: dts: aspeed: Fix AST2600 quad spi group
        MAINTAINERS: update Krzysztof Kozlowski's email
        MAINTAINERS: Update git tree for Broadcom iProc SoCs
        ARM: tegra: Move Nyan FHD panels to AUX bus
        arm64: dts: armada-3720-turris-mox: Add missing ethernet0 alias
        ARM: mstar: Select HAVE_ARM_ARCH_TIMER
        soc: mediatek: mt8192-mmsys: Fix dither to dsi0 path's input sel
        arm64: dts: mt8183: jacuzzi: Fix bus properties in anx's DSI endpoint
        ARM: boot: dts: bcm2711: Fix HVS register range
        arm64: dts: qcom: c630: disable crypto due to serror
        arm64: dts: qcom: sm8450: fix apps_smmu interrupts
        arm64: dts: qcom: sm8450: enable GCC_USB3_0_CLKREF_EN for usb
        arm64: dts: qcom: sm8350: Correct UFS symbol clocks
        arm64: tegra: Disable ISO SMMU for Tegra194
        Revert "dt-bindings: arm: qcom: Document SDX65 platform and boards"
      55b4083b
    • Linus Torvalds's avatar
      mm: gup: make fault_in_safe_writeable() use fixup_user_fault() · fe673d3f
      Linus Torvalds authored
      Instead of using GUP, make fault_in_safe_writeable() actually force a
      'handle_mm_fault()' using the same fixup_user_fault() machinery that
      futexes already use.
      
      Using the GUP machinery meant that fault_in_safe_writeable() did not do
      everything that a real fault would do, ranging from not auto-expanding
      the stack segment, to not updating accessed or dirty flags in the page
      tables (GUP sets those flags on the pages themselves).
      
      The latter causes problems on architectures (like s390) that do accessed
      bit handling in software, which meant that fault_in_safe_writeable()
      didn't actually do all the fault handling it needed to, and trying to
      access the user address afterwards would still cause faults.
      Reported-and-tested-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Fixes: cdd591fc ("iov_iter: Introduce fault_in_iov_iter_writeable")
      Link: https://lore.kernel.org/all/CAHc6FU5nP+nziNGG0JAF1FUx-GV7kKFvM7aZuU_XD2_1v4vnvg@mail.gmail.com/Acked-by: default avatarDavid Hildenbrand <david@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fe673d3f
    • Arnd Bergmann's avatar
      Merge tag 'mvebu-fixes-5.17-2' of... · 7e606eda
      Arnd Bergmann authored
      Merge tag 'mvebu-fixes-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu into arm/fixes
      
      mvebu fixes for 5.17 (part 2)
      
      Allow using old PCIe card on Armada 37xx
      
      * tag 'mvebu-fixes-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu:
        arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
      
      Link: https://lore.kernel.org/r/87bkydj4fn.fsf@BL-laptopSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      7e606eda
    • Pali Rohár's avatar
      arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0 · a1cc1697
      Pali Rohár authored
      Legacy and old PCI I/O based cards do not support 32-bit I/O addressing.
      
      Since commit 64f160e1 ("PCI: aardvark: Configure PCIe resources from
      'ranges' DT property") kernel can set different PCIe address on CPU and
      different on the bus for the one A37xx address mapping without any firmware
      support in case the bus address does not conflict with other A37xx mapping.
      
      So remap I/O space to the bus address 0x0 to enable support for old legacy
      I/O port based cards which have hardcoded I/O ports in low address space.
      
      Note that DDR on A37xx is mapped to bus address 0x0. And mapping of I/O
      space can be set to address 0x0 too because MEM space and I/O space are
      separate and so do not conflict.
      
      Remapping IO space on Turris Mox to different address is not possible to
      due bootloader bug.
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Reported-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 76f6386b ("arm64: dts: marvell: Add Aardvark PCIe support for Armada 3700")
      Cc: stable@vger.kernel.org # 64f160e1 ("PCI: aardvark: Configure PCIe resources from 'ranges' DT property")
      Cc: stable@vger.kernel.org # 514ef1e6 ("arm64: dts: marvell: armada-37xx: Extend PCIe MEM space")
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@bootlin.com>
      a1cc1697
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v5.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 1db333d9
      Linus Torvalds authored
      Pull spi fix from Mark Brown:
       "One fix for type conversion issues when working out maximum
        scatter/gather segment sizes.
      
        It caused problems for some systems where the limits overflow
        due to the type conversion"
      
      * tag 'spi-fix-v5.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: Fix invalid sgs value
      1db333d9
    • Russell King (Oracle)'s avatar
      ARM: fix build warning in proc-v7-bugs.c · b1a384d2
      Russell King (Oracle) authored
      The kernel test robot discovered that building without
      HARDEN_BRANCH_PREDICTOR issues a warning due to a missing
      argument to pr_info().
      
      Add the missing argument.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: 9dd78194 ("ARM: report Spectre v2 status through sysfs")
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b1a384d2
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · cef06913
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - fix a probe failure for Tegra241 GPIO controller in gpio-tegra186
      
       - revert changes that caused a regression in the sysfs user-space
         interface
      
       - correct the debounce time conversion in GPIO ACPI
      
       - statify a struct in gpio-sim and fix a typo
      
       - update registers in correct order (hardware quirk) in gpio-ts4900
      
      * tag 'gpio-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio: sim: fix a typo
        gpio: ts4900: Do not set DAT and OE together
        gpio: sim: Declare gpio_sim_hog_config_item_ops static
        gpiolib: acpi: Convert ACPI value of debounce to microseconds
        gpio: Revert regression in sysfs-gpio (gpiolib.c)
        gpio: tegra186: Add IRQ per bank for Tegra241
      cef06913
    • Bartosz Golaszewski's avatar
      gpio: sim: fix a typo · 55d01c98
      Bartosz Golaszewski authored
      Just noticed this when applying Andy's patch. s/childred/children/
      
      Fixes: cb8c474e ("gpio: sim: new testing module")
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      55d01c98
    • Mark Featherston's avatar
      gpio: ts4900: Do not set DAT and OE together · 03fe0035
      Mark Featherston authored
      This works around an issue with the hardware where both OE and
      DAT are exposed in the same register. If both are updated
      simultaneously, the harware makes no guarantees that OE or DAT
      will actually change in any given order and may result in a
      glitch of a few ns on a GPIO pin when changing direction and value
      in a single write.
      
      Setting direction to input now only affects OE bit. Setting
      direction to output updates DAT first, then OE.
      
      Fixes: 9c668632 ("gpio: add Technologic I2C-FPGA gpio support")
      Signed-off-by: default avatarMark Featherston <mark@embeddedTS.com>
      Signed-off-by: default avatarKris Bahnsen <kris@embeddedTS.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      03fe0035
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 9c674947
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "One more small batch of clk driver fixes:
      
         - A fix for the Qualcomm GDSC power domain delays that avoids black
           screens at boot on some more recent SoCs that use a different delay
           than the hard-coded delays in the driver.
      
         - A build fix LAN966X clk driver that let it be built on
           architectures that didn't have IOMEM"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: lan966x: Fix linking error
        clk: qcom: dispcc: Update the transition delay for MDSS GDSC
        clk: qcom: gdsc: Add support to update GDSC transition delay
      9c674947
    • Linus Torvalds's avatar
      Merge tag 'xsa396-5.17-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · b5521fe9
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Several Linux PV device frontends are using the grant table interfaces
        for removing access rights of the backends in ways being subject to
        race conditions, resulting in potential data leaks, data corruption by
        malicious backends, and denial of service triggered by malicious
        backends:
      
         - blkfront, netfront, scsifront and the gntalloc driver are testing
           whether a grant reference is still in use. If this is not the case,
           they assume that a following removal of the granted access will
           always succeed, which is not true in case the backend has mapped
           the granted page between those two operations.
      
           As a result the backend can keep access to the memory page of the
           guest no matter how the page will be used after the frontend I/O
           has finished. The xenbus driver has a similar problem, as it
           doesn't check the success of removing the granted access of a
           shared ring buffer.
      
         - blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p,
           kbdfront, and pvcalls are using a functionality to delay freeing a
           grant reference until it is no longer in use, but the freeing of
           the related data page is not synchronized with dropping the granted
           access.
      
           As a result the backend can keep access to the memory page even
           after it has been freed and then re-used for a different purpose.
      
         - netfront will fail a BUG_ON() assertion if it fails to revoke
           access in the rx path.
      
           This will result in a Denial of Service (DoS) situation of the
           guest which can be triggered by the backend"
      
      * tag 'xsa396-5.17-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/netfront: react properly to failing gnttab_end_foreign_access_ref()
        xen/gnttab: fix gnttab_end_foreign_access() without page specified
        xen/pvcalls: use alloc/free_pages_exact()
        xen/9p: use alloc/free_pages_exact()
        xen/usb: don't use gnttab_end_foreign_access() in xenhcd_gnttab_done()
        xen: remove gnttab_query_foreign_access()
        xen/gntalloc: don't use gnttab_query_foreign_access()
        xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
        xen/netfront: don't use gnttab_query_foreign_access() for mapped status
        xen/blkfront: don't use gnttab_query_foreign_access() for mapped status
        xen/grant-table: add gnttab_try_end_foreign_access()
        xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
      b5521fe9
    • Jakub Kicinski's avatar
      Merge branch 'selftests-pmtu-sh-fix-cleanup-of-processes-launched-in-subshell' · 5f147476
      Jakub Kicinski authored
      Guillaume Nault says:
      
      ====================
      selftests: pmtu.sh: Fix cleanup of processes launched in subshell.
      
      Depending on the options used, pmtu.sh may launch tcpdump and nettest
      processes in the background. However it fails to clean them up after
      the tests complete.
      
      Patch 1 allows the cleanup() function to read the list of PIDs launched
      by the tests.
      Patch 2 fixes the way the nettest PIDs are retrieved.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1646776561.git.gnault@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5f147476
    • Guillaume Nault's avatar
      selftests: pmtu.sh: Kill nettest processes launched in subshell. · 94a4a4fe
      Guillaume Nault authored
      When using "run_cmd <command> &", then "$!" refers to the PID of the
      subshell used to run <command>, not the command itself. Therefore
      nettest_pids actually doesn't contain the list of the nettest commands
      running in the background. So cleanup() can't kill them and the nettest
      processes run until completion (fortunately they have a 5s timeout).
      
      Fix this by defining a new command for running processes in the
      background, for which "$!" really refers to the PID of the command run.
      
      Also, double quote variables on the modified lines, to avoid shellcheck
      warnings.
      
      Fixes: ece1278a ("selftests: net: add ESP-in-UDP PMTU test")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Reviewed-by: default avatarShuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      94a4a4fe
    • Guillaume Nault's avatar
      selftests: pmtu.sh: Kill tcpdump processes launched by subshell. · 18dfc667
      Guillaume Nault authored
      The cleanup() function takes care of killing processes launched by the
      test functions. It relies on variables like ${tcpdump_pids} to get the
      relevant PIDs. But tests are run in their own subshell, so updated
      *_pids values are invisible to other shells. Therefore cleanup() never
      sees any process to kill:
      
      $ ./tools/testing/selftests/net/pmtu.sh -t pmtu_ipv4_exception
      TEST: ipv4: PMTU exceptions                                         [ OK ]
      TEST: ipv4: PMTU exceptions - nexthop objects                       [ OK ]
      
      $ pgrep -af tcpdump
      6084 tcpdump -s 0 -i veth_A-R1 -w pmtu_ipv4_exception_veth_A-R1.pcap
      6085 tcpdump -s 0 -i veth_R1-A -w pmtu_ipv4_exception_veth_R1-A.pcap
      6086 tcpdump -s 0 -i veth_R1-B -w pmtu_ipv4_exception_veth_R1-B.pcap
      6087 tcpdump -s 0 -i veth_B-R1 -w pmtu_ipv4_exception_veth_B-R1.pcap
      6088 tcpdump -s 0 -i veth_A-R2 -w pmtu_ipv4_exception_veth_A-R2.pcap
      6089 tcpdump -s 0 -i veth_R2-A -w pmtu_ipv4_exception_veth_R2-A.pcap
      6090 tcpdump -s 0 -i veth_R2-B -w pmtu_ipv4_exception_veth_R2-B.pcap
      6091 tcpdump -s 0 -i veth_B-R2 -w pmtu_ipv4_exception_veth_B-R2.pcap
      6228 tcpdump -s 0 -i veth_A-R1 -w pmtu_ipv4_exception_veth_A-R1.pcap
      6229 tcpdump -s 0 -i veth_R1-A -w pmtu_ipv4_exception_veth_R1-A.pcap
      6230 tcpdump -s 0 -i veth_R1-B -w pmtu_ipv4_exception_veth_R1-B.pcap
      6231 tcpdump -s 0 -i veth_B-R1 -w pmtu_ipv4_exception_veth_B-R1.pcap
      6232 tcpdump -s 0 -i veth_A-R2 -w pmtu_ipv4_exception_veth_A-R2.pcap
      6233 tcpdump -s 0 -i veth_R2-A -w pmtu_ipv4_exception_veth_R2-A.pcap
      6234 tcpdump -s 0 -i veth_R2-B -w pmtu_ipv4_exception_veth_R2-B.pcap
      6235 tcpdump -s 0 -i veth_B-R2 -w pmtu_ipv4_exception_veth_B-R2.pcap
      
      Fix this by running cleanup() in the context of the test subshell.
      Now that each test cleans the environment after completion, there's no
      need for calling cleanup() again when the next test starts. So let's
      drop it from the setup() function. This is okay because cleanup() is
      also called when pmtu.sh starts, so even the first test starts in a
      clean environment.
      
      Also, use tcpdump's immediate mode. Otherwise it might not have time to
      process buffered packets, resulting in missing packets or even empty
      pcap files for short tests.
      
      Note: PAUSE_ON_FAIL is still evaluated before cleanup(), so one can
      still inspect the test environment upon failure when using -p.
      
      Fixes: a92a0a7b ("selftests: pmtu: Simplify cleanup and namespace names")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Reviewed-by: default avatarShuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      18dfc667
    • Pavel Skripkin's avatar
      NFC: port100: fix use-after-free in port100_send_complete · f80cfe2f
      Pavel Skripkin authored
      Syzbot reported UAF in port100_send_complete(). The root case is in
      missing usb_kill_urb() calls on error handling path of ->probe function.
      
      port100_send_complete() accesses devm allocated memory which will be
      freed on probe failure. We should kill this urbs before returning an
      error from probe function to prevent reported use-after-free
      
      Fail log:
      
      BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
      Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
      ...
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
       print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
       __kasan_report mm/kasan/report.c:442 [inline]
       kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
       port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
       __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
      
      ...
      
      Allocated by task 1255:
       kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
       kasan_set_track mm/kasan/common.c:45 [inline]
       set_alloc_info mm/kasan/common.c:436 [inline]
       ____kasan_kmalloc mm/kasan/common.c:515 [inline]
       ____kasan_kmalloc mm/kasan/common.c:474 [inline]
       __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
       alloc_dr drivers/base/devres.c:116 [inline]
       devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
       devm_kzalloc include/linux/device.h:209 [inline]
       port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502
      
      Freed by task 1255:
       kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
       kasan_set_track+0x21/0x30 mm/kasan/common.c:45
       kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
       ____kasan_slab_free mm/kasan/common.c:366 [inline]
       ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
       kasan_slab_free include/linux/kasan.h:236 [inline]
       __cache_free mm/slab.c:3437 [inline]
       kfree+0xf8/0x2b0 mm/slab.c:3794
       release_nodes+0x112/0x1a0 drivers/base/devres.c:501
       devres_release_all+0x114/0x190 drivers/base/devres.c:530
       really_probe+0x626/0xcc0 drivers/base/dd.c:670
      
      Reported-and-tested-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com
      Fixes: 0347a6ab ("NFC: port100: Commands mechanism implementation")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Link: https://lore.kernel.org/r/20220308185007.6987-1-paskripkin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f80cfe2f
  6. 09 Mar, 2022 2 commits