1. 30 Jun, 2020 14 commits
    • Alex Elder's avatar
      net: ipa: introduce ipa_cmd_tag_process() · 6cb63ea6
      Alex Elder authored
      Create a new function ipa_cmd_tag_process() that simply allocates a
      transaction, adds a tag process command to it to clear the hardware
      pipeline, and commits the transaction.
      
      Call it in from ipa_endpoint_suspend(), after suspending the modem
      endpoints but before suspending the AP command TX and AP LAN RX
      endpoints (which are used by the tag sequence).
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6cb63ea6
    • Alex Elder's avatar
      net: ipa: no checksum offload for SDM845 LAN RX · 41af5436
      Alex Elder authored
      The AP LAN RX endpoint should not have download checksum offload
      enabled.
      
      The receive handler does properly accommodate the trailer that's
      added by the hardware, but we ignore it.
      
      Fixes: 1ed7d0c0 ("soc: qcom: ipa: configuration data")
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41af5436
    • Alex Elder's avatar
      net: ipa: always check for stopped channel · 5468cbcd
      Alex Elder authored
      In gsi_channel_stop(), there's a check to see if the channel might
      have entered STOPPED state since a previous call, which might have
      timed out before stopping completed.
      
      That check actually belongs in gsi_channel_stop_command(), which is
      called repeatedly by gsi_channel_stop() for RX channels.
      
      Fixes: 650d1603 ("soc: qcom: ipa: the generic software interface")
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5468cbcd
    • Russell King's avatar
      net: mvneta: fix use of state->speed · f2ca673d
      Russell King authored
      When support for short preambles was added, it incorrectly keyed its
      decision off state->speed instead of state->interface.  state->speed
      is not guaranteed to be correct for in-band modes, which can lead to
      short preambles being unexpectedly disabled.
      
      Fix this by keying off the interface mode, which is the only way that
      mvneta can operate at 2.5Gbps.
      
      Fixes: da58a931 ("net: mvneta: Add support for 2500Mbps SGMII")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2ca673d
    • David S. Miller's avatar
      Merge branch 'support-AF_PACKET-for-layer-3-devices' · b9fcf0a0
      David S. Miller authored
      Jason A. Donenfeld says:
      
      ====================
      support AF_PACKET for layer 3 devices
      
      Hans reported that packets injected by a correct-looking and trivial
      libpcap-based program were not being accepted by wireguard. In
      investigating that, I noticed that a few devices weren't properly
      handling AF_PACKET-injected packets, and so this series introduces a bit
      of shared infrastructure to support that.
      
      The basic problem begins with socket(AF_PACKET, SOCK_RAW,
      htons(ETH_P_ALL)) sockets. When sendto is called, AF_PACKET examines the
      headers of the packet with this logic:
      
      static void packet_parse_headers(struct sk_buff *skb, struct socket *sock)
      {
          if ((!skb->protocol || skb->protocol == htons(ETH_P_ALL)) &&
              sock->type == SOCK_RAW) {
              skb_reset_mac_header(skb);
              skb->protocol = dev_parse_header_protocol(skb);
          }
      
          skb_probe_transport_header(skb);
      }
      
      The middle condition there triggers, and we jump to
      dev_parse_header_protocol. Note that this is the only caller of
      dev_parse_header_protocol in the kernel, and I assume it was designed
      for this purpose:
      
      static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb)
      {
          const struct net_device *dev = skb->dev;
      
          if (!dev->header_ops || !dev->header_ops->parse_protocol)
              return 0;
          return dev->header_ops->parse_protocol(skb);
      }
      
      Since AF_PACKET already knows which netdev the packet is going to, the
      dev_parse_header_protocol function can see if that netdev has a way it
      prefers to figure out the protocol from the header. This, again, is the
      only use of parse_protocol in the kernel. At the moment, it's only used
      with ethernet devices, via eth_header_parse_protocol. This makes sense,
      as mostly people are used to AF_PACKET-injecting ethernet frames rather
      than layer 3 frames. But with nothing in place for layer 3 netdevs, this
      function winds up returning 0, and skb->protocol then is set to 0, and
      then by the time it hits the netdev's ndo_start_xmit, the driver doesn't
      know what to do with it.
      
      This is a problem because drivers very much rely on skb->protocol being
      correct, and routinely reject packets where it's incorrect. That's why
      having this parsing happen for injected packets is quite important. In
      wireguard, ipip, and ipip6, for example, packets from AF_PACKET are just
      dropped entirely. For tun devices, it's sort of uglier, with the tun
      "packet information" header being passed to userspace containing a bogus
      protocol value. Some userspace programs are ill-equipped to deal with
      that. (But of course, that doesn't happen with tap devices, which
      benefit from the similar shared infrastructure for layer 2 netdevs,
      further motiviating this patchset for layer 3 netdevs.)
      
      This patchset addresses the issue by first adding a layer 3 header parse
      function, much akin to the existing one for layer 2 packets, and then
      adds a shared header_ops structure that, also much akin to the existing
      one for layer 2 packets. Then it wires it up to a few immediate places
      that stuck out as requiring it, and does a bit of cleanup.
      
      This patchset seems like it's fixing real bugs, so it might be
      appropriate for stable. But they're also very old bugs, so if you'd
      rather not backport to stable, that'd make sense to me too.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9fcf0a0
    • Jason A. Donenfeld's avatar
      net: xfrmi: implement header_ops->parse_protocol for AF_PACKET · 8f9a1fa4
      Jason A. Donenfeld authored
      The xfrm interface uses skb->protocol to determine packet type, and
      bails out if it's not set. For AF_PACKET injection, we need to support
      its call chain of:
      
          packet_sendmsg -> packet_snd -> packet_parse_headers ->
            dev_parse_header_protocol -> parse_protocol
      
      Without a valid parse_protocol, this returns zero, and xfrmi rejects the
      skb. So, this wires up the ip_tunnel handler for layer 3 packets for
      that case.
      Reported-by: default avatarWillem de Bruijn <willemdebruijn.kernel@gmail.com>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8f9a1fa4
    • Jason A. Donenfeld's avatar
      net: sit: implement header_ops->parse_protocol for AF_PACKET · 75ea1f47
      Jason A. Donenfeld authored
      Sit uses skb->protocol to determine packet type, and bails out if it's
      not set. For AF_PACKET injection, we need to support its call chain of:
      
          packet_sendmsg -> packet_snd -> packet_parse_headers ->
            dev_parse_header_protocol -> parse_protocol
      
      Without a valid parse_protocol, this returns zero, and sit rejects the
      skb. So, this wires up the ip_tunnel handler for layer 3 packets for
      that case.
      Reported-by: default avatarWillem de Bruijn <willemdebruijn.kernel@gmail.com>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75ea1f47
    • Jason A. Donenfeld's avatar
      net: vti: implement header_ops->parse_protocol for AF_PACKET · ab59d2b6
      Jason A. Donenfeld authored
      Vti uses skb->protocol to determine packet type, and bails out if it's
      not set. For AF_PACKET injection, we need to support its call chain of:
      
          packet_sendmsg -> packet_snd -> packet_parse_headers ->
            dev_parse_header_protocol -> parse_protocol
      
      Without a valid parse_protocol, this returns zero, and vti rejects the
      skb. So, this wires up the ip_tunnel handler for layer 3 packets for
      that case.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab59d2b6
    • Jason A. Donenfeld's avatar
      tun: implement header_ops->parse_protocol for AF_PACKET · b9815eb1
      Jason A. Donenfeld authored
      The tun driver passes up skb->protocol to userspace in the form of PI headers.
      For AF_PACKET injection, we need to support its call chain of:
      
          packet_sendmsg -> packet_snd -> packet_parse_headers ->
            dev_parse_header_protocol -> parse_protocol
      
      Without a valid parse_protocol, this returns zero, and the tun driver
      then gives userspace bogus values that it can't deal with.
      
      Note that this isn't the case with tap, because tap already benefits
      from the shared infrastructure for ethernet headers. But with tun,
      there's nothing.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9815eb1
    • Jason A. Donenfeld's avatar
      wireguard: queueing: make use of ip_tunnel_parse_protocol · 1a574074
      Jason A. Donenfeld authored
      Now that wg_examine_packet_protocol has been added for general
      consumption as ip_tunnel_parse_protocol, it's possible to remove
      wg_examine_packet_protocol and simply use the new
      ip_tunnel_parse_protocol function directly.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a574074
    • Jason A. Donenfeld's avatar
      wireguard: implement header_ops->parse_protocol for AF_PACKET · 01a4967c
      Jason A. Donenfeld authored
      WireGuard uses skb->protocol to determine packet type, and bails out if
      it's not set or set to something it's not expecting. For AF_PACKET
      injection, we need to support its call chain of:
      
          packet_sendmsg -> packet_snd -> packet_parse_headers ->
            dev_parse_header_protocol -> parse_protocol
      
      Without a valid parse_protocol, this returns zero, and wireguard then
      rejects the skb. So, this wires up the ip_tunnel handler for layer 3
      packets for that case.
      Reported-by: default avatarHans Wippel <ndev@hwipl.net>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      01a4967c
    • Jason A. Donenfeld's avatar
      net: ipip: implement header_ops->parse_protocol for AF_PACKET · e53ac932
      Jason A. Donenfeld authored
      Ipip uses skb->protocol to determine packet type, and bails out if it's
      not set. For AF_PACKET injection, we need to support its call chain of:
      
          packet_sendmsg -> packet_snd -> packet_parse_headers ->
            dev_parse_header_protocol -> parse_protocol
      
      Without a valid parse_protocol, this returns zero, and ipip rejects the
      skb. So, this wires up the ip_tunnel handler for layer 3 packets for
      that case.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e53ac932
    • Jason A. Donenfeld's avatar
      net: ip_tunnel: add header_ops for layer 3 devices · 2606aff9
      Jason A. Donenfeld authored
      Some devices that take straight up layer 3 packets benefit from having a
      shared header_ops so that AF_PACKET sockets can inject packets that are
      recognized. This shared infrastructure will be used by other drivers
      that currently can't inject packets using AF_PACKET. It also exposes the
      parser function, as it is useful in standalone form too.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2606aff9
    • Cong Wang's avatar
      genetlink: get rid of family->attrbuf · bf64ff4c
      Cong Wang authored
      genl_family_rcv_msg_attrs_parse() reuses the global family->attrbuf
      when family->parallel_ops is false. However, family->attrbuf is not
      protected by any lock on the genl_family_rcv_msg_doit() code path.
      
      This leads to several different consequences, one of them is UAF,
      like the following:
      
      genl_family_rcv_msg_doit():		genl_start():
      					  genl_family_rcv_msg_attrs_parse()
      					    attrbuf = family->attrbuf
      					    __nlmsg_parse(attrbuf);
        genl_family_rcv_msg_attrs_parse()
          attrbuf = family->attrbuf
          __nlmsg_parse(attrbuf);
      					  info->attrs = attrs;
      					  cb->data = info;
      
      netlink_unicast_kernel():
       consume_skb()
      					genl_lock_dumpit():
      					  genl_dumpit_info(cb)->attrs
      
      Note family->attrbuf is an array of pointers to the skb data, once
      the skb is freed, any dereference of family->attrbuf will be a UAF.
      
      Maybe we could serialize the family->attrbuf with genl_mutex too, but
      that would make the locking more complicated. Instead, we can just get
      rid of family->attrbuf and always allocate attrbuf from heap like the
      family->parallel_ops==true code path. This may add some performance
      overhead but comparing with taking the global genl_mutex, it still
      looks better.
      
      Fixes: 75cdbdd0 ("net: ieee802154: have genetlink code to parse the attrs during dumpit")
      Fixes: 057af707 ("net: tipc: have genetlink code to parse the attrs during dumpit")
      Reported-and-tested-by: syzbot+3039ddf6d7b13daf3787@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+80cad1e3cb4c41cde6ff@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+736bcbcb11b60d0c0792@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+520f8704db2b68091d44@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+c96e4dfb32f8987fdeed@syzkaller.appspotmail.com
      Cc: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf64ff4c
  2. 29 Jun, 2020 6 commits
    • David S. Miller's avatar
      Merge tag 'mac80211-for-net-2020-06-29' of... · 33c568ba
      David S. Miller authored
      Merge tag 'mac80211-for-net-2020-06-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Couple of fixes/small things:
       * TX control port status check fixed to not assume frame format
       * mesh control port fixes
       * error handling/leak fixes when starting AP, with HE attributes
       * fix broadcast packet handling with encapsulation offload
       * add new AKM suites
       * and a small code cleanup
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      33c568ba
    • Eric Dumazet's avatar
      llc: make sure applications use ARPHRD_ETHER · a9b11101
      Eric Dumazet authored
      syzbot was to trigger a bug by tricking AF_LLC with
      non sensible addr->sllc_arphrd
      
      It seems clear LLC requires an Ethernet device.
      
      Back in commit abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Octavian Purdila added possibility for application to use a zero
      value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause
      regressions on existing applications.
      
      BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline]
      BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline]
      BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline]
      BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline]
      BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline]
      BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813
      Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27
      
      CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       __read_once_size include/linux/compiler.h:199 [inline]
       list_empty include/linux/list.h:268 [inline]
       waitqueue_active include/linux/wait.h:126 [inline]
       wq_has_sleeper include/linux/wait.h:160 [inline]
       skwq_has_sleeper include/net/sock.h:2092 [inline]
       sock_def_write_space+0x642/0x670 net/core/sock.c:2813
       sock_wfree+0x1e1/0x260 net/core/sock.c:1958
       skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652
       skb_release_all+0x16/0x60 net/core/skbuff.c:663
       __kfree_skb net/core/skbuff.c:679 [inline]
       consume_skb net/core/skbuff.c:838 [inline]
       consume_skb+0xfb/0x410 net/core/skbuff.c:832
       __dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967
       dev_kfree_skb_any include/linux/netdevice.h:3650 [inline]
       e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963
       e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline]
       e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796
       napi_poll net/core/dev.c:6532 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6600
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:603 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
       smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 8247:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
       slab_post_alloc_hook mm/slab.h:584 [inline]
       slab_alloc mm/slab.c:3320 [inline]
       kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
       sock_alloc_inode+0x1c/0x1d0 net/socket.c:240
       alloc_inode+0x68/0x1e0 fs/inode.c:230
       new_inode_pseudo+0x19/0xf0 fs/inode.c:919
       sock_alloc+0x41/0x270 net/socket.c:560
       __sock_create+0xc2/0x730 net/socket.c:1384
       sock_create net/socket.c:1471 [inline]
       __sys_socket+0x103/0x220 net/socket.c:1513
       __do_sys_socket net/socket.c:1522 [inline]
       __se_sys_socket net/socket.c:1520 [inline]
       __ia32_sys_socket+0x73/0xb0 net/socket.c:1520
       do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
       do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      
      Freed by task 17:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kmem_cache_free+0x86/0x320 mm/slab.c:3694
       sock_free_inode+0x20/0x30 net/socket.c:261
       i_callback+0x44/0x80 fs/inode.c:219
       __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
       rcu_do_batch kernel/rcu/tree.c:2183 [inline]
       rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408
       rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417
       __do_softirq+0x262/0x98c kernel/softirq.c:292
      
      The buggy address belongs to the object at ffff88801e0b4000
       which belongs to the cache sock_inode_cache of size 1152
      The buggy address is located 120 bytes inside of
       1152-byte region [ffff88801e0b4000, ffff88801e0b4480)
      The buggy address belongs to the page:
      page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd
      raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40
      raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                      ^
       ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a9b11101
    • Cong Wang's avatar
      net: explain the lockdep annotations for dev_uc_unsync() · e8280338
      Cong Wang authored
      The lockdep annotations for dev_uc_unsync() and dev_mc_unsync()
      are not easy to understand, so add some comments to explain
      why they are correct.
      
      Similar for the rest netif_addr_lock_bh() cases, they don't
      need nested version.
      
      Cc: Taehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e8280338
    • Cong Wang's avatar
      net: get rid of lockdep_set_class_and_subclass() · be74294f
      Cong Wang authored
      lockdep_set_class_and_subclass() is meant to reduce
      the _nested() annotations by assigning a default subclass.
      For addr_list_lock, we have to compute the subclass at
      run-time as the netdevice topology changes after creation.
      
      So, we should just get rid of these
      lockdep_set_class_and_subclass() and stick with our _nested()
      annotations.
      
      Fixes: 845e0ebb ("net: change addr_list_lock back to static key")
      Suggested-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be74294f
    • Vladimir Oltean's avatar
      lib: packing: add documentation for pbuflen argument · 7dea927f
      Vladimir Oltean authored
      Fixes sparse warning:
      
      Function parameter or member 'pbuflen' not described in 'packing'
      
      Fixes: 554aae35 ("lib: Add support for generic packing operations")
      Signed-off-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7dea927f
    • Horatiu Vultur's avatar
      bridge: mrp: Fix endian conversion and some other warnings · 9b14d1f8
      Horatiu Vultur authored
      The following sparse warnings are fixed:
      net/bridge/br_mrp.c:106:18: warning: incorrect type in assignment (different base types)
      net/bridge/br_mrp.c:106:18:    expected unsigned short [usertype]
      net/bridge/br_mrp.c:106:18:    got restricted __be16 [usertype]
      net/bridge/br_mrp.c:281:23: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:281:23:    expected struct list_head *entry
      net/bridge/br_mrp.c:281:23:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:332:28: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:332:28:    expected struct list_head *new
      net/bridge/br_mrp.c:332:28:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:332:40: warning: incorrect type in argument 2 (different modifiers)
      net/bridge/br_mrp.c:332:40:    expected struct list_head *head
      net/bridge/br_mrp.c:332:40:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:682:29: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:682:29:    expected struct list_head const *head
      net/bridge/br_mrp.c:682:29:    got struct list_head [noderef] *
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: 2f1a11ae ("bridge: mrp: Add MRP interface.")
      Fixes: 4b8d7d4c ("bridge: mrp: Extend bridge interface")
      Fixes: 9a9f26e8 ("bridge: mrp: Connect MRP API with the switchdev API")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b14d1f8
  3. 28 Jun, 2020 1 commit
  4. 26 Jun, 2020 5 commits
    • Claudiu Manoil's avatar
      enetc: Fix tx rings bitmap iteration range, irq handling · 0574e200
      Claudiu Manoil authored
      The rings bitmap of an interrupt vector encodes
      which of the device's rings were assigned to that
      interrupt vector.
      Hence the iteration range of the tx rings bitmap
      (for_each_set_bit()) should be the total number of
      Tx rings of that netdevice instead of the number of
      rings assigned to the interrupt vector.
      Since there are 2 cores, and one interrupt vector for
      each core, the number of rings asigned to an interrupt
      vector is half the number of available rings.
      The impact of this error is that the upper half of the
      tx rings could still generate interrupts during napi
      polling.
      
      Fixes: d4fd0404 ("enetc: Introduce basic PF and VF ENETC ethernet drivers")
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0574e200
    • Shannon Nelson's avatar
      ionic: update the queue count on open · fa48494c
      Shannon Nelson authored
      Let the network stack know the real number of queues that
      we are using.
      
      v2: added error checking
      
      Fixes: 49d3b493 ("ionic: disable the queues on link down")
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fa48494c
    • Luca Coelho's avatar
      nl80211: fix memory leak when parsing NL80211_ATTR_HE_BSS_COLOR · 60a0121f
      Luca Coelho authored
      If there is an error when parsing the NL80211_ATTR_HE_BSS_COLOR
      attribute, we return immediately without freeing param.acl.  Fit it by
      using goto out instead of returning immediately.
      
      Fixes: 5c5e52d1 ("nl80211: add handling for BSS color")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/iwlwifi.20200626124931.7ad2a3eb894f.I60905fb70bd20389a3b170db515a07275e31845e@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      60a0121f
    • Luca Coelho's avatar
      nl80211: don't return err unconditionally in nl80211_start_ap() · bc7a39b4
      Luca Coelho authored
      When a memory leak was fixed, a return err was changed to goto err,
      but, accidentally, the if (err) was removed, so now we always exit at
      this point.
      
      Fix it by adding if (err) back.
      
      Fixes: 9951ebfc ("nl80211: fix potential leak in AP start")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      bc7a39b4
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 4a21185c
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Don't insert ESP trailer twice in IPSEC code, from Huy Nguyen.
      
       2) The default crypto algorithm selection in Kconfig for IPSEC is out
          of touch with modern reality, fix this up. From Eric Biggers.
      
       3) bpftool is missing an entry for BPF_MAP_TYPE_RINGBUF, from Andrii
          Nakryiko.
      
       4) Missing init of ->frame_sz in xdp_convert_zc_to_xdp_frame(), from
          Hangbin Liu.
      
       5) Adjust packet alignment handling in ax88179_178a driver to match
          what the hardware actually does. From Jeremy Kerr.
      
       6) register_netdevice can leak in the case one of the notifiers fail,
          from Yang Yingliang.
      
       7) Use after free in ip_tunnel_lookup(), from Taehee Yoo.
      
       8) VLAN checks in sja1105 DSA driver need adjustments, from Vladimir
          Oltean.
      
       9) tg3 driver can sleep forever when we get enough EEH errors, fix from
          David Christensen.
      
      10) Missing {READ,WRITE}_ONCE() annotations in various Intel ethernet
          drivers, from Ciara Loftus.
      
      11) Fix scanning loop break condition in of_mdiobus_register(), from
          Florian Fainelli.
      
      12) MTU limit is incorrect in ibmveth driver, from Thomas Falcon.
      
      13) Endianness fix in mlxsw, from Ido Schimmel.
      
      14) Use after free in smsc95xx usbnet driver, from Tuomas Tynkkynen.
      
      15) Missing bridge mrp configuration validation, from Horatiu Vultur.
      
      16) Fix circular netns references in wireguard, from Jason A. Donenfeld.
      
      17) PTP initialization on recovery is not done properly in qed driver,
          from Alexander Lobakin.
      
      18) Endian conversion of L4 ports in filters of cxgb4 driver is wrong,
          from Rahul Lakkireddy.
      
      19) Don't clear bound device TX queue of socket prematurely otherwise we
          get problems with ktls hw offloading, from Tariq Toukan.
      
      20) ipset can do atomics on unaligned memory, fix from Russell King.
      
      21) Align ethernet addresses properly in bridging code, from Thomas
          Martitz.
      
      22) Don't advertise ipv4 addresses on SCTP sockets having ipv6only set,
          from Marcelo Ricardo Leitner.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (149 commits)
        rds: transport module should be auto loaded when transport is set
        sch_cake: fix a few style nits
        sch_cake: don't call diffserv parsing code when it is not needed
        sch_cake: don't try to reallocate or unshare skb unconditionally
        ethtool: fix error handling in linkstate_prepare_data()
        wil6210: account for napi_gro_receive never returning GRO_DROP
        hns: do not cast return value of napi_gro_receive to null
        socionext: account for napi_gro_receive never returning GRO_DROP
        wireguard: receive: account for napi_gro_receive never returning GRO_DROP
        vxlan: fix last fdb index during dump of fdb with nhid
        sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
        tc-testing: avoid action cookies with odd length.
        bpf: tcp: bpf_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
        tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
        net: dsa: sja1105: fix tc-gate schedule with single element
        net: dsa: sja1105: recalculate gating subschedule after deleting tc-gate rules
        net: dsa: sja1105: unconditionally free old gating config
        net: dsa: sja1105: move sja1105_compose_gating_subschedule at the top
        net: macb: free resources on failure path of at91ether_open()
        net: macb: call pm_runtime_put_sync on failure path
        ...
      4a21185c
  5. 25 Jun, 2020 14 commits