1. 22 Aug, 2023 3 commits
    • Fedor Pchelkin's avatar
      wifi: ath9k: protect WMI command response buffer replacement with a lock · 454994cf
      Fedor Pchelkin authored
      If ath9k_wmi_cmd() has exited with a timeout, it is possible that during
      next ath9k_wmi_cmd() call the wmi_rsp callback for previous wmi command
      writes to new wmi->cmd_rsp_buf and makes a completion. This results in an
      invalid ath9k_wmi_cmd() return value.
      
      Move the replacement of WMI command response buffer and length under
      wmi_lock. Note that last_seq_id value is updated there, too.
      
      Thus, the buffer cannot be written to by a belated wmi_rsp callback
      because that path is properly rejected by the last_seq_id check.
      
      Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
      
      Fixes: fb9987d0 ("ath9k_htc: Support for AR9271 chipset.")
      Signed-off-by: default avatarFedor Pchelkin <pchelkin@ispras.ru>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarKalle Valo <quic_kvalo@quicinc.com>
      Link: https://lore.kernel.org/r/20230425192607.18015-2-pchelkin@ispras.ru
      454994cf
    • Fedor Pchelkin's avatar
      wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx · b674fb51
      Fedor Pchelkin authored
      Currently, the synchronization between ath9k_wmi_cmd() and
      ath9k_wmi_ctrl_rx() is exposed to a race condition which, although being
      rather unlikely, can lead to invalid behaviour of ath9k_wmi_cmd().
      
      Consider the following scenario:
      
      CPU0					CPU1
      
      ath9k_wmi_cmd(...)
        mutex_lock(&wmi->op_mutex)
        ath9k_wmi_cmd_issue(...)
        wait_for_completion_timeout(...)
        ---
        timeout
        ---
      					/* the callback is being processed
      					 * before last_seq_id became zero
      					 */
      					ath9k_wmi_ctrl_rx(...)
      					  spin_lock_irqsave(...)
      					  /* wmi->last_seq_id check here
      					   * doesn't detect timeout yet
      					   */
      					  spin_unlock_irqrestore(...)
        /* last_seq_id is zeroed to
         * indicate there was a timeout
         */
        wmi->last_seq_id = 0
        mutex_unlock(&wmi->op_mutex)
        return -ETIMEDOUT
      
      ath9k_wmi_cmd(...)
        mutex_lock(&wmi->op_mutex)
        /* the buffer is replaced with
         * another one
         */
        wmi->cmd_rsp_buf = rsp_buf
        wmi->cmd_rsp_len = rsp_len
        ath9k_wmi_cmd_issue(...)
          spin_lock_irqsave(...)
          spin_unlock_irqrestore(...)
        wait_for_completion_timeout(...)
      					/* the continuation of the
      					 * callback left after the first
      					 * ath9k_wmi_cmd call
      					 */
      					  ath9k_wmi_rsp_callback(...)
      					    /* copying data designated
      					     * to already timeouted
      					     * WMI command into an
      					     * inappropriate wmi_cmd_buf
      					     */
      					    memcpy(...)
      					    complete(&wmi->cmd_wait)
        /* awakened by the bogus callback
         * => invalid return result
         */
        mutex_unlock(&wmi->op_mutex)
        return 0
      
      To fix this, update last_seq_id on timeout path inside ath9k_wmi_cmd()
      under the wmi_lock. Move ath9k_wmi_rsp_callback() under wmi_lock inside
      ath9k_wmi_ctrl_rx() so that the wmi->cmd_wait can be completed only for
      initially designated wmi_cmd call, otherwise the path would be rejected
      with last_seq_id check.
      
      Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
      
      Fixes: fb9987d0 ("ath9k_htc: Support for AR9271 chipset.")
      Signed-off-by: default avatarFedor Pchelkin <pchelkin@ispras.ru>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarKalle Valo <quic_kvalo@quicinc.com>
      Link: https://lore.kernel.org/r/20230425192607.18015-1-pchelkin@ispras.ru
      b674fb51
    • Ruan Jinjie's avatar
      wifi: ath5k: Remove redundant dev_err() · f708ed71
      Ruan Jinjie authored
      There is no need to call the dev_err() function directly to print a custom
      message when handling an error from platform_get_irq() function as it is
      going to display an appropriate error message in case of a failure.
      Signed-off-by: default avatarRuan Jinjie <ruanjinjie@huawei.com>
      Signed-off-by: default avatarKalle Valo <quic_kvalo@quicinc.com>
      Link: https://lore.kernel.org/r/20230726171235.2475625-1-ruanjinjie@huawei.com
      f708ed71
  2. 21 Aug, 2023 3 commits
  3. 20 Aug, 2023 12 commits
    • Furong Xu's avatar
      net: stmmac: Check more MAC HW features for XGMAC Core 3.20 · 669a5556
      Furong Xu authored
      1. XGMAC Core does not have hash_filter definition, it uses
      vlhash(VLAN Hash Filtering) instead, skip hash_filter when XGMAC.
      2. Show exact size of Hash Table instead of raw register value.
      3. Show full description of safety features defined by Synopsys Databook.
      4. When safety feature is configured with no parity, or ECC only,
      keep FSM Parity Checking disabled.
      Signed-off-by: default avatarFurong Xu <0x1207@gmail.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      669a5556
    • David S. Miller's avatar
      Merge branch 'ipv6-update-route-when-delete-saddr' · 43bc9bd6
      David S. Miller authored
      Hangbin Liu says:
      
      ====================
      ipv6: update route when delete source address
      
      Currently, when remove an address, the IPv6 route will not remove the
      prefer source address when the address is bond to other device. Fix this
      issue and add related tests as Ido and David suggested.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43bc9bd6
    • Hangbin Liu's avatar
      selftests: fib_test: add a test case for IPv6 source address delete · 429b55b4
      Hangbin Liu authored
      Add a test case for IPv6 source address delete.
      
      As David suggested, add tests:
      - Single device using src address
      - Two devices with the same source address
      - VRF with single device using src address
      - VRF with two devices using src address
      
      As Ido points out, in IPv6, the preferred source address is looked up in
      the same VRF as the first nexthop device. This will give us similar results
      to IPv4 if the route is installed in the same VRF as the nexthop device, but
      not when the nexthop device is enslaved to a different VRF. So add tests:
      - src address and nexthop dev in same VR
      - src address and nexthop device in different VRF
      
      The link local address delete logic is different from the global address.
      It should only affect the associate device it bonds to. So add tests cases
      for link local address testing.
      
      Here is the test result:
      
      IPv6 delete address route tests
          Single device using src address
          TEST: Prefsrc removed when src address removed on other device      [ OK ]
          Two devices with the same source address
          TEST: Prefsrc not removed when src address exist on other device    [ OK ]
          TEST: Prefsrc removed when src address removed on all devices       [ OK ]
          VRF with single device using src address
          TEST: Prefsrc removed when src address removed on other device      [ OK ]
          VRF with two devices using src address
          TEST: Prefsrc not removed when src address exist on other device    [ OK ]
          TEST: Prefsrc removed when src address removed on all devices       [ OK ]
          src address and nexthop dev in same VRF
          TEST: Prefsrc removed from VRF when source address deleted          [ OK ]
          TEST: Prefsrc in default VRF not removed                            [ OK ]
          TEST: Prefsrc not removed from VRF when source address exist        [ OK ]
          TEST: Prefsrc in default VRF removed                                [ OK ]
          src address and nexthop device in different VRF
          TEST: Prefsrc not removed from VRF when nexthop dev in diff VRF     [ OK ]
          TEST: Prefsrc not removed in default VRF                            [ OK ]
          TEST: Prefsrc removed from VRF when nexthop dev in diff VRF         [ OK ]
          TEST: Prefsrc removed in default VRF                                [ OK ]
          Table ID 0
          TEST: Prefsrc removed from default VRF when source address deleted  [ OK ]
          Link local source route
          TEST: Prefsrc not removed when delete ll addr from other dev        [ OK ]
          TEST: Prefsrc removed when delete ll addr                           [ OK ]
          TEST: Prefsrc not removed when delete ll addr from other dev        [ OK ]
          TEST: Prefsrc removed even ll addr still exist on other dev         [ OK ]
      
      Tests passed:  19
      Tests failed:   0
      Suggested-by: default avatarIdo Schimmel <idosch@idosch.org>
      Suggested-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      429b55b4
    • Hangbin Liu's avatar
      ipv6: do not match device when remove source route · b358f57f
      Hangbin Liu authored
      After deleting an IPv6 address on an interface and cleaning up the
      related preferred source entries, it is important to ensure that all
      routes associated with the deleted address are properly cleared. The
      current implementation of rt6_remove_prefsrc() only checks the preferred
      source addresses bound to the current device. However, there may be
      routes that are bound to other devices but still utilize the same
      preferred source address.
      
      To address this issue, it is necessary to also delete entries that are
      bound to other interfaces but share the same source address with the
      current device. Failure to delete these entries would leave routes that
      are bound to the deleted address unclear. Here is an example reproducer
      (I have omitted unrelated routes):
      
      + ip link add dummy1 type dummy
      + ip link add dummy2 type dummy
      + ip link set dummy1 up
      + ip link set dummy2 up
      + ip addr add 1:2:3:4::5/64 dev dummy1
      + ip route add 7:7:7:0::1 dev dummy1 src 1:2:3:4::5
      + ip route add 7:7:7:0::2 dev dummy2 src 1:2:3:4::5
      + ip -6 route show
      1:2:3:4::/64 dev dummy1 proto kernel metric 256 pref medium
      7:7:7::1 dev dummy1 src 1:2:3:4::5 metric 1024 pref medium
      7:7:7::2 dev dummy2 src 1:2:3:4::5 metric 1024 pref medium
      + ip addr del 1:2:3:4::5/64 dev dummy1
      + ip -6 route show
      7:7:7::1 dev dummy1 metric 1024 pref medium
      7:7:7::2 dev dummy2 src 1:2:3:4::5 metric 1024 pref medium
      
      As Ido reminds, in IPv6, the preferred source address is looked up in
      the same VRF as the first nexthop device, which is different with IPv4.
      So, while removing the device checking, we also need to add an
      ipv6_chk_addr() check to make sure the address does not exist on the other
      devices of the rt nexthop device's VRF.
      
      After fix:
      + ip addr del 1:2:3:4::5/64 dev dummy1
      + ip -6 route show
      7:7:7::1 dev dummy1 metric 1024 pref medium
      7:7:7::2 dev dummy2 metric 1024 pref medium
      Reported-by: default avatarThomas Haller <thaller@redhat.com>
      Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2170513Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b358f57f
    • Hangbin Liu's avatar
      selftests: vrf_route_leaking: remove ipv6_ping_frag from default testing · c4cf2bc0
      Hangbin Liu authored
      As the initial commit 1a017276 ("selftests: Add VRF route leaking
      tests") said, the IPv6 MTU test fails as source address selection
      picking ::1. Every time we run the selftest this one report failed.
      There seems not much meaning  to keep reporting a failure for 3 years
      that no one plan to fix/update. Let't just skip this one first. We can
      add it back when the issue fixed.
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4cf2bc0
    • Patrick Rohr's avatar
      net: release reference to inet6_dev pointer · 5cb24968
      Patrick Rohr authored
      addrconf_prefix_rcv returned early without releasing the inet6_dev
      pointer when the PIO lifetime is less than accept_ra_min_lft.
      
      Fixes: 5027d54a ("net: change accept_ra_min_rtr_lft to affect all RA lifetimes")
      Cc: Maciej Żenczykowski <maze@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: David Ahern <dsahern@kernel.org>
      Cc: Simon Horman <horms@kernel.org>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Reviewed-by: default avatarMaciej Żenczykowski <maze@google.com>
      Signed-off-by: default avatarPatrick Rohr <prohr@google.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5cb24968
    • Eric Dumazet's avatar
      net: selectively purge error queue in IP_RECVERR / IPV6_RECVERR · 0f158b32
      Eric Dumazet authored
      Setting IP_RECVERR and IPV6_RECVERR options to zero currently
      purges the socket error queue, which was probably not expected
      for zerocopy and tx_timestamp users.
      
      I discovered this issue while preparing commit 6b5f43ea
      ("inet: move inet->recverr to inet->inet_flags"), I presume this
      change does not need to be backported to stable kernels.
      
      Add skb_errqueue_purge() helper to purge error messages only.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Soheil Hassas Yeganeh <soheil@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0f158b32
    • David S. Miller's avatar
      Merge branch 'fixed_phy_register-return-value' · 412a75dc
      David S. Miller authored
      Ruan Jinjie says:
      
      ====================
      net: Return PTR_ERR() for fixed_phy_register()
      
      fixed_phy_register() returns not only -EIO or -ENODEV, but also
      -EPROBE_DEFER, -EINVAL and -EBUSY. The Best practice is to return these
      error codes with PTR_ERR().
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      412a75dc
    • Ruan Jinjie's avatar
      net: lan743x: Return PTR_ERR() for fixed_phy_register() · 294f48e9
      Ruan Jinjie authored
      fixed_phy_register() returns -EPROBE_DEFER, -EINVAL and -EBUSY,
      etc, in addition to -EIO. The Best practice is to return these
      error codes with PTR_ERR().
      Signed-off-by: default avatarRuan Jinjie <ruanjinjie@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      294f48e9
    • Ruan Jinjie's avatar
      net: bcmgenet: Return PTR_ERR() for fixed_phy_register() · acf50d1a
      Ruan Jinjie authored
      fixed_phy_register() returns -EPROBE_DEFER, -EINVAL and -EBUSY,
      etc, in addition to -ENODEV. The Best practice is to return these
      error codes with PTR_ERR().
      Signed-off-by: default avatarRuan Jinjie <ruanjinjie@huawei.com>
      Acked-by: default avatarDoug Berger <opendmb@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acf50d1a
    • Ruan Jinjie's avatar
      net: bgmac: Return PTR_ERR() for fixed_phy_register() · d6499f0b
      Ruan Jinjie authored
      fixed_phy_register() returns -EPROBE_DEFER, -EINVAL and -EBUSY,
      etc, in addition to -ENODEV. The best practice is to return
      these error codes with PTR_ERR().
      Signed-off-by: default avatarRuan Jinjie <ruanjinjie@huawei.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d6499f0b
    • Russell King (Oracle)'s avatar
      net: dsa: realtek: add phylink_get_caps implementation · b22eef68
      Russell King (Oracle) authored
      The user ports use RSGMII, but we don't have that, and DT doesn't
      specify a phy interface mode, so phylib defaults to GMII. These support
      1G, 100M and 10M with flow control. It is unknown whether asymetric
      pause is supported at all speeds.
      
      The CPU port uses MII/GMII/RGMII/REVMII by hardware pin strapping,
      and support speeds specific to each, with full duplex only supported
      in some modes. Flow control may be supported again by hardware pin
      strapping, and theoretically is readable through a register but no
      information is given in the datasheet for that.
      
      So, we do a best efforts - and be lenient.
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b22eef68
  4. 19 Aug, 2023 22 commits