1. 23 Aug, 2021 6 commits
    • Oleksij Rempel's avatar
      net: usb: asix: do not call phy_disconnect() for ax88178 · 1406e8cb
      Oleksij Rempel authored
      Fix crash on reboot on a system with ASIX AX88178 USB adapter attached
      to it:
      | asix 1-1.4:1.0 eth0: unregister 'asix' usb-ci_hdrc.0-1.4, ASIX AX88178 USB 2.0 Ethernet
      | 8<--- cut here ---
      | Unable to handle kernel NULL pointer dereference at virtual address 0000028c
      | pgd = 5ec93aee
      | [0000028c] *pgd=00000000
      | Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      | Modules linked in:
      | CPU: 1 PID: 1 Comm: systemd-shutdow Not tainted 5.14.0-rc1-20210811-1 #4
      | Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      | PC is at phy_disconnect+0x8/0x48
      | LR is at ax88772_unbind+0x14/0x20
      | [<80650d04>] (phy_disconnect) from [<80741aa4>] (ax88772_unbind+0x14/0x20)
      | [<80741aa4>] (ax88772_unbind) from [<8074e250>] (usbnet_disconnect+0x48/0xd8)
      | [<8074e250>] (usbnet_disconnect) from [<807655e0>] (usb_unbind_interface+0x78/0x25c)
      | [<807655e0>] (usb_unbind_interface) from [<805b03a0>] (__device_release_driver+0x154/0x20c)
      | [<805b03a0>] (__device_release_driver) from [<805b0478>] (device_release_driver+0x20/0x2c)
      | [<805b0478>] (device_release_driver) from [<805af944>] (bus_remove_device+0xcc/0xf8)
      | [<805af944>] (bus_remove_device) from [<805ab26c>] (device_del+0x178/0x4b0)
      | [<805ab26c>] (device_del) from [<807634a4>] (usb_disable_device+0xcc/0x178)
      | [<807634a4>] (usb_disable_device) from [<8075a060>] (usb_disconnect+0xd8/0x238)
      | [<8075a060>] (usb_disconnect) from [<8075a02c>] (usb_disconnect+0xa4/0x238)
      | [<8075a02c>] (usb_disconnect) from [<8075a02c>] (usb_disconnect+0xa4/0x238)
      | [<8075a02c>] (usb_disconnect) from [<80af3520>] (usb_remove_hcd+0xa0/0x198)
      | [<80af3520>] (usb_remove_hcd) from [<807902e0>] (host_stop+0x38/0xa8)
      | [<807902e0>] (host_stop) from [<8078d9e4>] (ci_hdrc_remove+0x3c/0x118)
      | [<8078d9e4>] (ci_hdrc_remove) from [<805b27ec>] (platform_remove+0x20/0x50)
      | [<805b27ec>] (platform_remove) from [<805b03a0>] (__device_release_driver+0x154/0x20c)
      | [<805b03a0>] (__device_release_driver) from [<805b0478>] (device_release_driver+0x20/0x2c)
      | [<805b0478>] (device_release_driver) from [<805af944>] (bus_remove_device+0xcc/0xf8)
      | [<805af944>] (bus_remove_device) from [<805ab26c>] (device_del+0x178/0x4b0)
      
      For this adapter we call ax88178_bind() and ax88772_unbind(), which is
      related to different chip version and different counter part *bind()
      function.
      
      Since this chip is currently not ported to the PHYLIB, we do not need to
      call phy_disconnect() here. So, to fix this crash, we need to add
      ax88178_unbind().
      
      Fixes: e532a096 ("net: usb: asix: ax88772: add phylib support")
      Reported-by: default avatarRobin van der Gracht <robin@protonic.nl>
      Tested-by: default avatarRobin van der Gracht <robin@protonic.nl>
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1406e8cb
    • Oleksij Rempel's avatar
      net: usb: asix: ax88772: move embedded PHY detection as early as possible · 7a141e64
      Oleksij Rempel authored
      Some HW revisions need additional MAC configuration before the embedded PHY
      can be enabled. If this is not done, we won't be able to get response
      from the internal PHY.
      
      This issue was detected on chipcode == AX_AX88772_CHIPCODE variant,
      where ax88772_hw_reset() was executed with missing embd_phy flag.
      
      Fixes: e532a096 ("net: usb: asix: ax88772: add phylib support")
      Reported-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Tested-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a141e64
    • Maxim Kiselev's avatar
      net: marvell: fix MVNETA_TX_IN_PRGRS bit number · 359f4cdd
      Maxim Kiselev authored
      According to Armada XP datasheet bit at 0 position is corresponding for
      TxInProg indication.
      
      Fixes: c5aff182 ("net: mvneta: driver for Marvell Armada 370/XP network unit")
      Signed-off-by: default avatarMaxim Kiselev <bigunclemax@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      359f4cdd
    • Wong Vee Khee's avatar
      net: stmmac: fix kernel panic due to NULL pointer dereference of plat->est · 82a44ae1
      Wong Vee Khee authored
      In the case of taprio offload is not enabled, the error handling path
      causes a kernel crash due to kernel NULL pointer deference.
      
      Fix this by adding check for NULL before attempt to access 'plat->est'
      on the mutex_lock() call.
      
      The following kernel panic is observed without this patch:
      
      RIP: 0010:mutex_lock+0x10/0x20
      Call Trace:
      tc_setup_taprio+0x482/0x560 [stmmac]
      kmem_cache_alloc_trace+0x13f/0x490
      taprio_disable_offload.isra.0+0x9d/0x180 [sch_taprio]
      taprio_destroy+0x6c/0x100 [sch_taprio]
      qdisc_create+0x2e5/0x4f0
      tc_modify_qdisc+0x126/0x740
      rtnetlink_rcv_msg+0x12b/0x380
      _raw_spin_lock_irqsave+0x19/0x40
      _raw_spin_unlock_irqrestore+0x18/0x30
      create_object+0x212/0x340
      rtnl_calcit.isra.0+0x110/0x110
      netlink_rcv_skb+0x50/0x100
      netlink_unicast+0x191/0x230
      netlink_sendmsg+0x243/0x470
      sock_sendmsg+0x5e/0x60
      ____sys_sendmsg+0x20b/0x280
      copy_msghdr_from_user+0x5c/0x90
      __mod_memcg_state+0x87/0xf0
       ___sys_sendmsg+0x7c/0xc0
      lru_cache_add+0x7f/0xa0
      _raw_spin_unlock+0x16/0x30
      wp_page_copy+0x449/0x890
      handle_mm_fault+0x921/0xfc0
      __sys_sendmsg+0x59/0xa0
      do_syscall_64+0x33/0x40
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
      ---[ end trace b1f19b24368a96aa ]---
      
      Fixes: b60189e0 ("net: stmmac: Integrate EST with TAPRIO scheduler API")
      Cc: <stable@vger.kernel.org> # 5.10.x
      Signed-off-by: default avatarWong Vee Khee <vee.khee.wong@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82a44ae1
    • David S. Miller's avatar
      Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 46002bf3
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-08-20
      
      This series contains updates to igc and e1000e drivers.
      
      Aaron Ma resolves a page fault which occurs when thunderbolt is
      unplugged for igc.
      
      Toshiki Nishioka fixes Tx queue looping to use actual number of queues
      instead of max value for igc.
      
      Sasha fixes an incorrect latency comparison by decoding the values before
      comparing and prevents attempted writes to read-only NVMs for e1000e.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46002bf3
    • Christophe JAILLET's avatar
      xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' · 5ed74b03
      Christophe JAILLET authored
      A successful 'xge_mdio_config()' call should be balanced by a corresponding
      'xge_mdio_remove()' call in the error handling path of the probe, as
      already done in the remove function.
      
      Update the error handling path accordingly.
      
      Fixes: ea8ab16a ("drivers: net: xgene-v2: Add MDIO support")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ed74b03
  2. 22 Aug, 2021 2 commits
  3. 20 Aug, 2021 8 commits
  4. 19 Aug, 2021 14 commits
    • Linus Torvalds's avatar
      Merge tag 'net-5.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f87d6431
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes, including fixes from bpf, wireless and mac80211
        trees.
      
        Current release - regressions:
      
         - tipc: call tipc_wait_for_connect only when dlen is not 0
      
         - mac80211: fix locking in ieee80211_restart_work()
      
        Current release - new code bugs:
      
         - bpf: add rcu_read_lock in bpf_get_current_[ancestor_]cgroup_id()
      
         - ethernet: ice: fix perout start time rounding
      
         - wwan: iosm: prevent underflow in ipc_chnl_cfg_get()
      
        Previous releases - regressions:
      
         - bpf: clear zext_dst of dead insns
      
         - sch_cake: fix srchost/dsthost hashing mode
      
         - vrf: reset skb conntrack connection on VRF rcv
      
         - net/rds: dma_map_sg is entitled to merge entries
      
        Previous releases - always broken:
      
         - ethernet: bnxt: fix Tx path locking and races, add Rx path
           barriers"
      
      * tag 'net-5.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (42 commits)
        net: dpaa2-switch: disable the control interface on error path
        Revert "flow_offload: action should not be NULL when it is referenced"
        iavf: Fix ping is lost after untrusted VF had tried to change MAC
        i40e: Fix ATR queue selection
        r8152: fix the maximum number of PLA bp for RTL8153C
        r8152: fix writing USB_BP2_EN
        mptcp: full fully established support after ADD_ADDR
        mptcp: fix memory leak on address flush
        net/rds: dma_map_sg is entitled to merge entries
        net: mscc: ocelot: allow forwarding from bridge ports to the tag_8021q CPU port
        net: asix: fix uninit value bugs
        ovs: clear skb->tstamp in forwarding path
        net: mdio-mux: Handle -EPROBE_DEFER correctly
        net: mdio-mux: Don't ignore memory allocation errors
        net: mdio-mux: Delete unnecessary devm_kfree
        net: dsa: sja1105: fix use-after-free after calling of_find_compatible_node, or worse
        sch_cake: fix srchost/dsthost hashing mode
        ixgbe, xsk: clean up the resources in ixgbe_xsk_pool_enable error path
        net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
        mac80211: fix locking in ieee80211_restart_work()
        ...
      f87d6431
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v5.14-4' of... · e649e4c8
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
      
       - Enable SW_TABLET_MODE support for the TP200s
      
       - Enable WMI on two more Gigabyte motherboards
      
      * tag 'platform-drivers-x86-v5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: gigabyte-wmi: add support for B450M S2H V2
        platform/x86: gigabyte-wmi: add support for X570 GAMING X
        platform/x86: asus-nb-wmi: Add tablet_mode_sw=lid-flip quirk for the TP200s
        platform/x86: asus-nb-wmi: Allow configuring SW_TABLET_MODE method with a module option
      e649e4c8
    • Vladimir Oltean's avatar
      net: dpaa2-switch: disable the control interface on error path · cd0a719f
      Vladimir Oltean authored
      Currently dpaa2_switch_takedown has a funny name and does not do the
      opposite of dpaa2_switch_init, which makes probing fail when we need to
      handle an -EPROBE_DEFER.
      
      A sketch of what dpaa2_switch_init does:
      
      	dpsw_open
      
      	dpaa2_switch_detect_features
      
      	dpsw_reset
      
      	for (i = 0; i < ethsw->sw_attr.num_ifs; i++) {
      		dpsw_if_disable
      
      		dpsw_if_set_stp
      
      		dpsw_vlan_remove_if_untagged
      
      		dpsw_if_set_tci
      
      		dpsw_vlan_remove_if
      	}
      
      	dpsw_vlan_remove
      
      	alloc_ordered_workqueue
      
      	dpsw_fdb_remove
      
      	dpaa2_switch_ctrl_if_setup
      
      When dpaa2_switch_takedown is called from the error path of
      dpaa2_switch_probe(), the control interface, enabled by
      dpaa2_switch_ctrl_if_setup from dpaa2_switch_init, remains enabled,
      because dpaa2_switch_takedown does not call
      dpaa2_switch_ctrl_if_teardown.
      
      Since dpaa2_switch_probe might fail due to EPROBE_DEFER of a PHY, this
      means that a second probe of the driver will happen with the control
      interface directly enabled.
      
      This will trigger a second error:
      
      [   93.273528] fsl_dpaa2_switch dpsw.0: dpsw_ctrl_if_set_pools() failed
      [   93.281966] fsl_dpaa2_switch dpsw.0: fsl_mc_driver_probe failed: -13
      [   93.288323] fsl_dpaa2_switch: probe of dpsw.0 failed with error -13
      
      Which if we investigate the /dev/dpaa2_mc_console log, we find out is
      caused by:
      
      [E, ctrl_if_set_pools:2211, DPMNG]  ctrl_if must be disabled
      
      So make dpaa2_switch_takedown do the opposite of dpaa2_switch_init (in
      reasonable limits, no reason to change STP state, re-add VLANs etc), and
      rename it to something more conventional, like dpaa2_switch_teardown.
      
      Fixes: 613c0a58 ("staging: dpaa2-switch: enable the control interface")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20210819141755.1931423-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cd0a719f
    • Ido Schimmel's avatar
      Revert "flow_offload: action should not be NULL when it is referenced" · fa05bdb8
      Ido Schimmel authored
      This reverts commit 9ea3e52c.
      
      Cited commit added a check to make sure 'action' is not NULL, but
      'action' is already dereferenced before the check, when calling
      flow_offload_has_one_action().
      
      Therefore, the check does not make any sense and results in a smatch
      warning:
      
      include/net/flow_offload.h:322 flow_action_mixed_hw_stats_check() warn:
      variable dereferenced before check 'action' (see line 319)
      
      Fix by reverting this commit.
      
      Cc: gushengxian <gushengxian@yulong.com>
      Fixes: 9ea3e52c ("flow_offload: action should not be NULL when it is referenced")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/r/20210819105842.1315705-1-idosch@idosch.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa05bdb8
    • Jakub Kicinski's avatar
      Merge branch 'intel-wired-lan-driver-updates-2021-08-18' · d584566c
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-08-18
      
      This series contains updates to i40e and iavf drivers.
      
      Arkadiusz fixes Flow Director not using the correct queue due to calling
      the wrong pick Tx function for i40e.
      
      Sylwester resolves traffic loss for iavf when it attempts to change its
      MAC address when it does not have permissions to do so.
      ====================
      
      Link: https://lore.kernel.org/r/20210818174217.4138922-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d584566c
    • Sylwester Dziedziuch's avatar
      iavf: Fix ping is lost after untrusted VF had tried to change MAC · 8da80c9d
      Sylwester Dziedziuch authored
      Make changes to MAC address dependent on the response of PF.
      Disallow changes to HW MAC address and MAC filter from untrusted
      VF, thanks to that ping is not lost if VF tries to change MAC.
      Add a new field in iavf_mac_filter, to indicate whether there
      was response from PF for given filter. Based on this field pass
      or discard the filter.
      If untrusted VF tried to change it's address, it's not changed.
      Still filter was changed, because of that ping couldn't go through.
      
      Fixes: c5c922b3 ("iavf: fix MAC address setting for VFs when filter is rejected")
      Signed-off-by: default avatarPrzemyslaw Patynowski <przemyslawx.patynowski@intel.com>
      Signed-off-by: default avatarSylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
      Signed-off-by: default avatarMateusz Palczewski <mateusz.palczewski@intel.com>
      Tested-by: default avatarGurucharan G <Gurucharanx.g@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8da80c9d
    • Arkadiusz Kubalewski's avatar
      i40e: Fix ATR queue selection · a222be59
      Arkadiusz Kubalewski authored
      Without this patch, ATR does not work. Receive/transmit uses queue
      selection based on SW DCB hashing method.
      
      If traffic classes are not configured for PF, then use
      netdev_pick_tx function for selecting queue for packet transmission.
      Instead of calling i40e_swdcb_skb_tx_hash, call netdev_pick_tx,
      which ensures that packet is transmitted/received from CPU that is
      running the application.
      
      Reproduction steps:
      1. Load i40e driver
      2. Map each MSI interrupt of i40e port for each CPU
      3. Disable ntuple, enable ATR i.e.:
      ethtool -K $interface ntuple off
      ethtool --set-priv-flags $interface flow-director-atr
      4. Run application that is generating traffic and is bound to a
      single CPU, i.e.:
      taskset -c 9 netperf -H 1.1.1.1 -t TCP_RR -l 10
      5. Observe behavior:
      Application's traffic should be restricted to the CPU provided in
      taskset.
      
      Fixes: 89ec1f08 ("i40e: Fix queue-to-TC mapping on Tx")
      Signed-off-by: default avatarPrzemyslaw Patynowski <przemyslawx.patynowski@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarDave Switzer <david.switzer@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a222be59
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 31674900
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-08-19
      
      We've added 3 non-merge commits during the last 3 day(s) which contain
      a total of 3 files changed, 29 insertions(+), 6 deletions(-).
      
      The main changes are:
      
      1) Fix to clear zext_dst for dead instructions which was causing invalid program
         rejections on JITs with bpf_jit_needs_zext such as s390x, from Ilya Leoshkevich.
      
      2) Fix RCU splat in bpf_get_current_{ancestor_,}cgroup_id() helpers when they are
         invoked from sleepable programs, from Yonghong Song.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests, bpf: Test that dead ldx_w insns are accepted
        bpf: Clear zext_dst of dead insns
        bpf: Add rcu_read_lock in bpf_get_current_[ancestor_]cgroup_id() helpers
      ====================
      
      Link: https://lore.kernel.org/r/20210819144904.20069-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      31674900
    • David S. Miller's avatar
      Merge branch 'r8152-bp-settings' · c15128c9
      David S. Miller authored
      Hayes Wang says:
      
      ====================
      r8152: fix bp settings
      
      Fix the wrong bp settings of the firmware.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c15128c9
    • Hayes Wang's avatar
      r8152: fix the maximum number of PLA bp for RTL8153C · 6633fb83
      Hayes Wang authored
      The maximum PLA bp number of RTL8153C is 16, not 8. That is, the
      bp 0 ~ 15 are at 0xfc28 ~ 0xfc46, and the bp_en is at 0xfc48.
      
      Fixes: 195aae32 ("r8152: support new chips")
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6633fb83
    • Hayes Wang's avatar
      r8152: fix writing USB_BP2_EN · a876a33d
      Hayes Wang authored
      The register of USB_BP2_EN is 16 bits, so we should use
      ocp_write_word(), not ocp_write_byte().
      
      Fixes: 9370f2d0 ("support request_firmware for RTL8153")
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a876a33d
    • David S. Miller's avatar
      Merge branch 'mptcp-fixes' · d98c8210
      David S. Miller authored
      Mat Martineau says:
      
      ====================
      mptcp: Bug fixes
      
      Here are two bug fixes for the net tree:
      
      Patch 1 fixes a memory leak that could be encountered when clearing the
      list of advertised MPTCP addresses.
      
      Patch 2 fixes a protocol issue early in an MPTCP connection, to ensure
      both peers correctly understand that the full MPTCP connection handshake
      has completed even when the server side quickly sends an ADD_ADDR
      option.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d98c8210
    • Matthieu Baerts's avatar
      mptcp: full fully established support after ADD_ADDR · 67b12f79
      Matthieu Baerts authored
      If directly after an MP_CAPABLE 3WHS, the client receives an ADD_ADDR
      with HMAC from the server, it is enough to switch to a "fully
      established" mode because it has received more MPTCP options.
      
      It was then OK to enable the "fully_established" flag on the MPTCP
      socket. Still, best to check if the ADD_ADDR looks valid by looking if
      it contains an HMAC (no 'echo' bit). If an ADD_ADDR echo is received
      while we are not in "fully established" mode, it is strange and then
      we should not switch to this mode now.
      
      But that is not enough. On one hand, the path-manager has be notified
      the state has changed. On the other hand, the "fully_established" flag
      on the subflow socket should be turned on as well not to re-send the
      MP_CAPABLE 3rd ACK content with the next ACK.
      
      Fixes: 84dfe367 ("mptcp: send out dedicated ADD_ADDR packet")
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67b12f79
    • Paolo Abeni's avatar
      mptcp: fix memory leak on address flush · a0eea5f1
      Paolo Abeni authored
      The endpoint cleanup path is prone to a memory leak, as reported
      by syzkaller:
      
       BUG: memory leak
       unreferenced object 0xffff88810680ea00 (size 64):
         comm "syz-executor.6", pid 6191, jiffies 4295756280 (age 24.138s)
         hex dump (first 32 bytes):
           58 75 7d 3c 80 88 ff ff 22 01 00 00 00 00 ad de  Xu}<....".......
           01 00 02 00 00 00 00 00 ac 1e 00 07 00 00 00 00  ................
         backtrace:
           [<0000000072a9f72a>] kmalloc include/linux/slab.h:591 [inline]
           [<0000000072a9f72a>] mptcp_nl_cmd_add_addr+0x287/0x9f0 net/mptcp/pm_netlink.c:1170
           [<00000000f6e931bf>] genl_family_rcv_msg_doit.isra.0+0x225/0x340 net/netlink/genetlink.c:731
           [<00000000f1504a2c>] genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
           [<00000000f1504a2c>] genl_rcv_msg+0x341/0x5b0 net/netlink/genetlink.c:792
           [<0000000097e76f6a>] netlink_rcv_skb+0x148/0x430 net/netlink/af_netlink.c:2504
           [<00000000ceefa2b8>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:803
           [<000000008ff91aec>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
           [<000000008ff91aec>] netlink_unicast+0x537/0x750 net/netlink/af_netlink.c:1340
           [<0000000041682c35>] netlink_sendmsg+0x846/0xd80 net/netlink/af_netlink.c:1929
           [<00000000df3aa8e7>] sock_sendmsg_nosec net/socket.c:704 [inline]
           [<00000000df3aa8e7>] sock_sendmsg+0x14e/0x190 net/socket.c:724
           [<000000002154c54c>] ____sys_sendmsg+0x709/0x870 net/socket.c:2403
           [<000000001aab01d7>] ___sys_sendmsg+0xff/0x170 net/socket.c:2457
           [<00000000fa3b1446>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2486
           [<00000000db2ee9c7>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
           [<00000000db2ee9c7>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
           [<000000005873517d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      We should not require an allocation to cleanup stuff.
      
      Rework the code a bit so that the additional RCU work is no more needed.
      
      Fixes: 1729cf18 ("mptcp: create the listening socket for new port")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0eea5f1
  5. 18 Aug, 2021 10 commits