1. 06 Jan, 2022 6 commits
    • Wen Gu's avatar
      net/smc: Reset conn->lgr when link group registration fails · 36595d8a
      Wen Gu authored
      SMC connections might fail to be registered in a link group due to
      unable to find a usable link during its creation. As a result,
      smc_conn_create() will return a failure and most resources related
      to the connection won't be applied or initialized, such as
      conn->abort_work or conn->lnk.
      
      If smc_conn_free() is invoked later, it will try to access the
      uninitialized resources related to the connection, thus causing
      a warning or crash.
      
      This patch tries to fix this by resetting conn->lgr to NULL if an
      abnormal exit occurs in smc_lgr_register_conn(), thus avoiding the
      access to uninitialized resources in smc_conn_free().
      
      Meanwhile, the new created link group should be terminated if smc
      connections can't be registered in it. So smc_lgr_cleanup_early() is
      modified to take care of link group only and invoked to terminate
      unusable link group by smc_conn_create(). The call to smc_conn_free()
      is moved out from smc_lgr_cleanup_early() to smc_conn_abort().
      
      Fixes: 56bc3b20 ("net/smc: assign link to a new connection")
      Suggested-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarWen Gu <guwen@linux.alibaba.com>
      Acked-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      36595d8a
    • Jiasheng Jiang's avatar
      fsl/fman: Check for null pointer after calling devm_ioremap · d5a73ec9
      Jiasheng Jiang authored
      As the possible failure of the allocation, the devm_ioremap() may return
      NULL pointer.
      Take tgec_initialization() as an example.
      If allocation fails, the params->base_addr will be NULL pointer and will
      be assigned to tgec->regs in tgec_config().
      Then it will cause the dereference of NULL pointer in set_mac_address(),
      which is called by tgec_init().
      Therefore, it should be better to add the sanity check after the calling
      of the devm_ioremap().
      
      Fixes: 39339616 ("fsl/fman: Add FMan MAC driver")
      Signed-off-by: default avatarJiasheng Jiang <jiasheng@iscas.ac.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d5a73ec9
    • Dan Carpenter's avatar
      rocker: fix a sleeping in atomic bug · 43d01212
      Dan Carpenter authored
      This code is holding the &ofdpa->flow_tbl_lock spinlock so it is not
      allowed to sleep.  That means we have to pass the OFDPA_OP_FLAG_NOWAIT
      flag to ofdpa_flow_tbl_del().
      
      Fixes: 936bd486 ("rocker: use FIB notifications instead of switchdev calls")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43d01212
    • Eric Dumazet's avatar
      ppp: ensure minimum packet size in ppp_write() · 44073187
      Eric Dumazet authored
      It seems pretty clear ppp layer assumed user space
      would always be kind to provide enough data
      in their write() to a ppp device.
      
      This patch makes sure user provides at least
      2 bytes.
      
      It adds PPP_PROTO_LEN macro that could replace
      in net-next many occurrences of hard-coded 2 value.
      
      I replaced only one occurrence to ease backports
      to stable kernels.
      
      The bug manifests in the following report:
      
      BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
       ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
       __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640
       ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661
       ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513
       do_iter_write+0xb0c/0x1500 fs/read_write.c:853
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x645/0xe00 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:524 [inline]
       slab_alloc_node mm/slub.c:3251 [inline]
       __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
       kmalloc_reserve net/core/skbuff.c:354 [inline]
       __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
       alloc_skb include/linux/skbuff.h:1126 [inline]
       ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501
       do_iter_write+0xb0c/0x1500 fs/read_write.c:853
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x645/0xe00 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: linux-ppp@vger.kernel.org
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44073187
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · c4251db3
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2022-01-06
      
      1) Fix xfrm policy lookups for ipv6 gre packets by initializing
         fl6_gre_key properly. From Ghalem Boudour.
      
      2) Fix the dflt policy check on forwarding when there is no
         policy configured. The check was done for the wrong direction.
         From Nicolas Dichtel.
      
      3) Use the correct 'struct xfrm_user_offload' when calculating
         netlink message lenghts in xfrm_sa_len(). From Eric Dumazet.
      
      4) Tread inserting xfrm interface id 0 as an error.
         From Antony Antony.
      
      5) Fail if xfrm state or policy is inserted with XFRMA_IF_ID 0,
         xfrm interfaces with id 0 are not allowed.
         From Antony Antony.
      
      6) Fix inner_ipproto setting in the sec_path for tunnel mode.
         From  Raed Salem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4251db3
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-5.16-20220105' of... · 502a2ce9
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-5.16-20220105' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2022-01-05
      
      It consists of 2 patches, both by me. The first one fixes the use of
      an uninitialized variable in the gs_usb driver the other one a
      skb_over_panic in the ISOTP stack in case of reception of too large
      ISOTP messages.
      
      * tag 'linux-can-fixes-for-5.16-20220105' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: isotp: convert struct tpcon::{idx,len} to unsigned int
        can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
      ====================
      
      Link: https://lore.kernel.org/r/20220105205443.1274709-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      502a2ce9
  2. 05 Jan, 2022 10 commits
  3. 04 Jan, 2022 17 commits
  4. 03 Jan, 2022 4 commits
  5. 02 Jan, 2022 3 commits