1. 21 Jan, 2021 30 commits
  2. 20 Jan, 2021 10 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 0fe2f273
      Jakub Kicinski authored
      Conflicts:
      
      drivers/net/can/dev.c
        commit 03f16c50 ("can: dev: can_restart: fix use after free bug")
        commit 3e77f70e ("can: dev: move driver related infrastructure into separate subdir")
      
        Code move.
      
      drivers/net/dsa/b53/b53_common.c
       commit 8e4052c3 ("net: dsa: b53: fix an off by one in checking "vlan->vid"")
       commit b7a9e0da ("net: switchdev: remove vid_begin -> vid_end range from VLAN objects")
      
       Field rename.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0fe2f273
    • Linus Torvalds's avatar
      Merge tag 'net-5.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 75439bc4
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.11-rc5, including fixes from bpf, wireless, and
        can trees.
      
        Current release - regressions:
      
         - nfc: nci: fix the wrong NCI_CORE_INIT parameters
      
        Current release - new code bugs:
      
         - bpf: allow empty module BTFs
      
        Previous releases - regressions:
      
         - bpf: fix signed_{sub,add32}_overflows type handling
      
         - tcp: do not mess with cloned skbs in tcp_add_backlog()
      
         - bpf: prevent double bpf_prog_put call from bpf_tracing_prog_attach
      
         - bpf: don't leak memory in bpf getsockopt when optlen == 0
      
         - tcp: fix potential use-after-free due to double kfree()
      
         - mac80211: fix encryption issues with WEP
      
         - devlink: use right genl user_ptr when handling port param get/set
      
         - ipv6: set multicast flag on the multicast route
      
         - tcp: fix TCP_USER_TIMEOUT with zero window
      
        Previous releases - always broken:
      
         - bpf: local storage helpers should check nullness of owner ptr passed
      
         - mac80211: fix incorrect strlen of .write in debugfs
      
         - cls_flower: call nla_ok() before nla_next()
      
         - skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too"
      
      * tag 'net-5.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (52 commits)
        net: systemport: free dev before on error path
        net: usb: cdc_ncm: don't spew notifications
        net: mscc: ocelot: Fix multicast to the CPU port
        tcp: Fix potential use-after-free due to double kfree()
        bpf: Fix signed_{sub,add32}_overflows type handling
        can: peak_usb: fix use after free bugs
        can: vxcan: vxcan_xmit: fix use after free bug
        can: dev: can_restart: fix use after free bug
        tcp: fix TCP socket rehash stats mis-accounting
        net: dsa: b53: fix an off by one in checking "vlan->vid"
        tcp: do not mess with cloned skbs in tcp_add_backlog()
        selftests: net: fib_tests: remove duplicate log test
        net: nfc: nci: fix the wrong NCI_CORE_INIT parameters
        sh_eth: Fix power down vs. is_opened flag ordering
        net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
        netfilter: rpfilter: mask ecn bits before fib lookup
        udp: mask TOS bits in udp_v4_early_demux()
        xsk: Clear pool even for inactive queues
        bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback
        sh_eth: Make PHY access aware of Runtime PM to fix reboot crash
        ...
      75439bc4
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.11-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 2e4ceed6
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "A fix for build failure showing up in some configurations"
      
      * tag 'for-linus-5.11-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: fix 'nopvspin' build error
      2e4ceed6
    • Tianjia Zhang's avatar
      X.509: Fix crash caused by NULL pointer · 7178a107
      Tianjia Zhang authored
      On the following call path, `sig->pkey_algo` is not assigned
      in asymmetric_key_verify_signature(), which causes runtime
      crash in public_key_verify_signature().
      
        keyctl_pkey_verify
          asymmetric_key_verify_signature
            verify_signature
              public_key_verify_signature
      
      This patch simply check this situation and fixes the crash
      caused by NULL pointer.
      
      Fixes: 21552563 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
      Reported-by: default avatarTobias Markus <tobias@markus-regensburg.de>
      Signed-off-by: default avatarTianjia Zhang <tianjia.zhang@linux.alibaba.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-and-tested-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Tested-by: default avatarJoão Fonseca <jpedrofonseca@ua.pt>
      Acked-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      Cc: stable@vger.kernel.org # v5.10+
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7178a107
    • Takashi Iwai's avatar
      cachefiles: Drop superfluous readpages aops NULL check · db58465f
      Takashi Iwai authored
      After the recent actions to convert readpages aops to readahead, the
      NULL checks of readpages aops in cachefiles_read_or_alloc_page() may
      hit falsely.  More badly, it's an ASSERT() call, and this panics.
      
      Drop the superfluous NULL checks for fixing this regression.
      
      [DH: Note that cachefiles never actually used readpages, so this check was
       never actually necessary]
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208883
      BugLink: https://bugzilla.opensuse.org/show_bug.cgi?id=1175245
      Fixes: 9ae326a6 ("CacheFiles: A cache that backs onto a mounted filesystem")
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      db58465f
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-5.11-20210120' of... · 535d3159
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-5.11-20210120' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      linux-can-fixes-for-5.11-20210120
      
      All three patches are by Vincent Mailhol and fix a potential use after free bug
      in the CAN device infrastructure, the vxcan driver, and the peak_usk driver. In
      the TX-path the skb is used to read from after it was passed to the networking
      stack with netif_rx_ni().
      
      * tag 'linux-can-fixes-for-5.11-20210120' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: peak_usb: fix use after free bugs
        can: vxcan: vxcan_xmit: fix use after free bug
        can: dev: can_restart: fix use after free bug
      ====================
      
      Link: https://lore.kernel.org/r/20210120125202.2187358-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      535d3159
    • Pan Bian's avatar
      net: systemport: free dev before on error path · 0c630a66
      Pan Bian authored
      On the error path, it should goto the error handling label to free
      allocated memory rather than directly return.
      
      Fixes: 31bc72d9 ("net: systemport: fetch and use clock resources")
      Signed-off-by: default avatarPan Bian <bianpan2016@163.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20210120044423.1704-1-bianpan2016@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0c630a66
    • Grant Grundler's avatar
      net: usb: cdc_ncm: don't spew notifications · de658a19
      Grant Grundler authored
      RTL8156 sends notifications about every 32ms.
      Only display/log notifications when something changes.
      
      This issue has been reported by others:
      	https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1832472
      	https://lkml.org/lkml/2020/8/27/1083
      
      ...
      [785962.779840] usb 1-1: new high-speed USB device number 5 using xhci_hcd
      [785962.929944] usb 1-1: New USB device found, idVendor=0bda, idProduct=8156, bcdDevice=30.00
      [785962.929949] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6
      [785962.929952] usb 1-1: Product: USB 10/100/1G/2.5G LAN
      [785962.929954] usb 1-1: Manufacturer: Realtek
      [785962.929956] usb 1-1: SerialNumber: 000000001
      [785962.991755] usbcore: registered new interface driver cdc_ether
      [785963.017068] cdc_ncm 1-1:2.0: MAC-Address: 00:24:27:88:08:15
      [785963.017072] cdc_ncm 1-1:2.0: setting rx_max = 16384
      [785963.017169] cdc_ncm 1-1:2.0: setting tx_max = 16384
      [785963.017682] cdc_ncm 1-1:2.0 usb0: register 'cdc_ncm' at usb-0000:00:14.0-1, CDC NCM, 00:24:27:88:08:15
      [785963.019211] usbcore: registered new interface driver cdc_ncm
      [785963.023856] usbcore: registered new interface driver cdc_wdm
      [785963.025461] usbcore: registered new interface driver cdc_mbim
      [785963.038824] cdc_ncm 1-1:2.0 enx002427880815: renamed from usb0
      [785963.089586] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
      [785963.121673] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
      [785963.153682] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
      ...
      
      This is about 2KB per second and will overwrite all contents of a 1MB
      dmesg buffer in under 10 minutes rendering them useless for debugging
      many kernel problems.
      
      This is also an extra 180 MB/day in /var/logs (or 1GB per week) rendering
      the majority of those logs useless too.
      
      When the link is up (expected state), spew amount is >2x higher:
      ...
      [786139.600992] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
      [786139.632997] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
      [786139.665097] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
      [786139.697100] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
      [786139.729094] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
      [786139.761108] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
      ...
      
      Chrome OS cannot support RTL8156 until this is fixed.
      Signed-off-by: default avatarGrant Grundler <grundler@chromium.org>
      Reviewed-by: default avatarHayes Wang <hayeswang@realtek.com>
      Link: https://lore.kernel.org/r/20210120011208.3768105-1-grundler@chromium.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      de658a19
    • Alban Bedel's avatar
      net: mscc: ocelot: Fix multicast to the CPU port · 584b7cfc
      Alban Bedel authored
      Multicast entries in the MAC table use the high bits of the MAC
      address to encode the ports that should get the packets. But this port
      mask does not work for the CPU port, to receive these packets on the
      CPU port the MAC_CPU_COPY flag must be set.
      
      Because of this IPv6 was effectively not working because neighbor
      solicitations were never received. This was not apparent before commit
      9403c158 (net: mscc: ocelot: support IPv4, IPv6 and plain Ethernet mdb
      entries) as the IPv6 entries were broken so all incoming IPv6
      multicast was then treated as unknown and flooded on all ports.
      
      To fix this problem rework the ocelot_mact_learn() to set the
      MAC_CPU_COPY flag when a multicast entry that target the CPU port is
      added. For this we have to read back the ports endcoded in the pseudo
      MAC address by the caller. It is not a very nice design but that avoid
      changing the callers and should make backporting easier.
      Signed-off-by: default avatarAlban Bedel <alban.bedel@aerq.com>
      Fixes: 9403c158 ("net: mscc: ocelot: support IPv4, IPv6 and plain Ethernet mdb entries")
      Link: https://lore.kernel.org/r/20210119140638.203374-1-alban.bedel@aerq.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      584b7cfc
    • Kuniyuki Iwashima's avatar
      tcp: Fix potential use-after-free due to double kfree() · c89dffc7
      Kuniyuki Iwashima authored
      Receiving ACK with a valid SYN cookie, cookie_v4_check() allocates struct
      request_sock and then can allocate inet_rsk(req)->ireq_opt. After that,
      tcp_v4_syn_recv_sock() allocates struct sock and copies ireq_opt to
      inet_sk(sk)->inet_opt. Normally, tcp_v4_syn_recv_sock() inserts the full
      socket into ehash and sets NULL to ireq_opt. Otherwise,
      tcp_v4_syn_recv_sock() has to reset inet_opt by NULL and free the full
      socket.
      
      The commit 01770a16 ("tcp: fix race condition when creating child
      sockets from syncookies") added a new path, in which more than one cores
      create full sockets for the same SYN cookie. Currently, the core which
      loses the race frees the full socket without resetting inet_opt, resulting
      in that both sock_put() and reqsk_put() call kfree() for the same memory:
      
        sock_put
          sk_free
            __sk_free
              sk_destruct
                __sk_destruct
                  sk->sk_destruct/inet_sock_destruct
                    kfree(rcu_dereference_protected(inet->inet_opt, 1));
      
        reqsk_put
          reqsk_free
            __reqsk_free
              req->rsk_ops->destructor/tcp_v4_reqsk_destructor
                kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
      
      Calling kmalloc() between the double kfree() can lead to use-after-free, so
      this patch fixes it by setting NULL to inet_opt before sock_put().
      
      As a side note, this kind of issue does not happen for IPv6. This is
      because tcp_v6_syn_recv_sock() clones both ipv6_opt and pktopts which
      correspond to ireq_opt in IPv4.
      
      Fixes: 01770a16 ("tcp: fix race condition when creating child sockets from syncookies")
      CC: Ricardo Dias <rdias@singlestore.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.co.jp>
      Reviewed-by: default avatarBenjamin Herrenschmidt <benh@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20210118055920.82516-1-kuniyu@amazon.co.jpSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c89dffc7