1. 02 Jun, 2022 11 commits
    • Hoang Le's avatar
      tipc: check attribute length for bearer name · 7f36f798
      Hoang Le authored
      syzbot reported uninit-value:
      =====================================================
      BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:644 [inline]
      BUG: KMSAN: uninit-value in string+0x4f9/0x6f0 lib/vsprintf.c:725
       string_nocheck lib/vsprintf.c:644 [inline]
       string+0x4f9/0x6f0 lib/vsprintf.c:725
       vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806
       vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158
       vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256
       vprintk_default+0x86/0xa0 kernel/printk/printk.c:2283
       vprintk+0x15f/0x180 kernel/printk/printk_safe.c:50
       _printk+0x18d/0x1cf kernel/printk/printk.c:2293
       tipc_enable_bearer net/tipc/bearer.c:371 [inline]
       __tipc_nl_bearer_enable+0x2022/0x22a0 net/tipc/bearer.c:1033
       tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:1042
       genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
      
      - Do sanity check the attribute length for TIPC_NLA_BEARER_NAME.
      - Do not use 'illegal name' in printing message.
      
      Reported-by: syzbot+e820fdc8ce362f2dea51@syzkaller.appspotmail.com
      Fixes: cb30a633 ("tipc: refactor function tipc_enable_bearer()")
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Signed-off-by: default avatarHoang Le <hoang.h.le@dektech.com.au>
      Link: https://lore.kernel.org/r/20220602063053.5892-1-hoang.h.le@dektech.com.auSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7f36f798
    • Alexander Lobakin's avatar
      ice: fix access-beyond-end in the switch code · 6e1ff618
      Alexander Lobakin authored
      Global `-Warray-bounds` enablement revealed some problems, one of
      which is the way we define and use AQC rules messages.
      In fact, they have a shared header, followed by the actual message,
      which can be of one of several different formats. So it is
      straightforward enough to define that header as a separate struct
      and then embed it into message structures as needed, but currently
      all the formats reside in one union coupled with the header. Then,
      the code allocates only the memory needed for a particular message
      format, leaving the union potentially incomplete.
      There are no actual reads or writes beyond the end of an allocated
      chunk, but at the same time, the whole implementation is fragile and
      backed by an equilibrium rather than strong type and memory checks.
      
      Define the structures the other way around: one for the common
      header and the rest for the actual formats with the header embedded.
      There are no places where several union members would be used at the
      same time anyway. This allows to use proper struct_size() and let
      the compiler know what is going to be done.
      Finally, unsilence `-Warray-bounds` back for ice_switch.c.
      
      Other little things worth mentioning:
      * &ice_sw_rule_vsi_list_query is not used anywhere, remove it. It's
        weird anyway to talk to hardware with purely kernel types
        (bitmaps);
      * expand the ICE_SW_RULE_*_SIZE() macros to pass a structure
        variable name to struct_size() to let it do strict typechecking;
      * rename ice_sw_rule_lkup_rx_tx::hdr to ::hdr_data to keep ::hdr
        for the header structure to have the same name for it constistenly
        everywhere;
      * drop the duplicate of %ICE_SW_RULE_RX_TX_NO_HDR_SIZE residing in
        ice_switch.h.
      
      Fixes: 9daf8208 ("ice: Add support for switch filter programming")
      Fixes: 66486d89 ("ice: replace single-element array used for C struct hack")
      Signed-off-by: default avatarAlexander Lobakin <alexandr.lobakin@intel.com>
      Reviewed-by: default avatarMarcin Szycik <marcin.szycik@linux.intel.com>
      Acked-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Link: https://lore.kernel.org/r/20220601105924.2841410-1-alexandr.lobakin@intel.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      6e1ff618
    • Fei Qin's avatar
      nfp: remove padding in nfp_nfdk_tx_desc · c6fbbf1e
      Fei Qin authored
      NFDK firmware supports 48-bit dma addressing and
      parses 16 high bits of dma addresses.
      
      In nfp_nfdk_tx_desc, dma related structure and tso
      related structure are union. When "mss" be filled
      with nonzero value due to enable tso, the memory used
      by "padding" may be also filled. Then, firmware may
      parse wrong dma addresses which causes TX watchdog
      timeout problem.
      
      This patch removes padding and unifies the dma_addr_hi
      bits with the one in firmware. nfp_nfdk_tx_desc_set_dma_addr
      is also added to match this change.
      
      Fixes: c10d12e3 ("nfp: add support for NFDK data path")
      Signed-off-by: default avatarFei Qin <fei.qin@corigine.com>
      Signed-off-by: default avatarYinjun Zhang <yinjun.zhang@corigine.com>
      Signed-off-by: default avatarLouis Peens <louis.peens@corigine.com>
      Signed-off-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20220601083449.50556-1-simon.horman@corigine.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c6fbbf1e
    • Duoming Zhou's avatar
      ax25: Fix ax25 session cleanup problems · 7d8a3a47
      Duoming Zhou authored
      There are session cleanup problems in ax25_release() and
      ax25_disconnect(). If we setup a session and then disconnect,
      the disconnected session is still in "LISTENING" state that
      is shown below.
      
      Active AX.25 sockets
      Dest       Source     Device  State        Vr/Vs    Send-Q  Recv-Q
      DL9SAU-4   DL9SAU-3   ???     LISTENING    000/000  0       0
      DL9SAU-3   DL9SAU-4   ???     LISTENING    000/000  0       0
      
      The first reason is caused by del_timer_sync() in ax25_release().
      The timers of ax25 are used for correct session cleanup. If we use
      ax25_release() to close ax25 sessions and ax25_dev is not null,
      the del_timer_sync() functions in ax25_release() will execute.
      As a result, the sessions could not be cleaned up correctly,
      because the timers have stopped.
      
      In order to solve this problem, this patch adds a device_up flag
      in ax25_dev in order to judge whether the device is up. If there
      are sessions to be cleaned up, the del_timer_sync() in
      ax25_release() will not execute. What's more, we add ax25_cb_del()
      in ax25_kill_by_device(), because the timers have been stopped
      and there are no functions that could delete ax25_cb if we do not
      call ax25_release(). Finally, we reorder the position of
      ax25_list_lock in ax25_cb_del() in order to synchronize among
      different functions that call ax25_cb_del().
      
      The second reason is caused by improper check in ax25_disconnect().
      The incoming ax25 sessions which ax25->sk is null will close
      heartbeat timer, because the check "if(!ax25->sk || ..)" is
      satisfied. As a result, the session could not be cleaned up properly.
      
      In order to solve this problem, this patch changes the improper
      check to "if(ax25->sk && ..)" in ax25_disconnect().
      
      What`s more, the ax25_disconnect() may be called twice, which is
      not necessary. For example, ax25_kill_by_device() calls
      ax25_disconnect() and sets ax25->state to AX25_STATE_0, but
      ax25_release() calls ax25_disconnect() again.
      
      In order to solve this problem, this patch add a check in
      ax25_release(). If the flag of ax25->sk equals to SOCK_DEAD,
      the ax25_disconnect() in ax25_release() should not be executed.
      
      Fixes: 82e31755 ("ax25: Fix UAF bugs in ax25 timers")
      Fixes: 8a367e74 ("ax25: Fix segfault after sock connection timeout")
      Reported-and-tested-by: default avatarThomas Osterried <thomas@osterried.de>
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Link: https://lore.kernel.org/r/20220530152158.108619-1-duoming@zju.edu.cnSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7d8a3a47
    • Slark Xiao's avatar
      net: usb: qmi_wwan: Add support for Cinterion MV31 with new baseline · 9f4fc18b
      Slark Xiao authored
      Adding support for Cinterion device MV31 with Qualcomm
      new baseline. Use different PIDs to separate it from
      previous base line products.
      All interfaces settings keep same as previous.
      
      T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  7 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=1e2d ProdID=00b9 Rev=04.14
      S:  Manufacturer=Cinterion
      S:  Product=Cinterion PID 0x00B9 USB Mobile Broadband
      S:  SerialNumber=90418e79
      C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      Signed-off-by: default avatarSlark Xiao <slark_xiao@163.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Link: https://lore.kernel.org/r/20220601040531.6016-1-slark_xiao@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9f4fc18b
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2022-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · c034ff2b
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2022-05-31
      
      This series provides bug fixes to mlx5 driver.
      Please pull and let me know if there is any problem.
      
      * tag 'mlx5-fixes-2022-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5: Fix mlx5_get_next_dev() peer device matching
        net/mlx5e: Update netdev features after changing XDP state
        net/mlx5: correct ECE offset in query qp output
        net/mlx5e: Disable softirq in mlx5e_activate_rq to avoid race condition
        net/mlx5: CT: Fix header-rewrite re-use for tupels
        net/mlx5e: TC NIC mode, fix tc chains miss table
        net/mlx5: Don't use already freed action pointer
      ====================
      
      Link: https://lore.kernel.org/r/20220531205447.99236-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c034ff2b
    • Jakub Kicinski's avatar
      Merge branch 'sfc-siena-fix-some-efx_separate_tx_channels-errors' · 11049c9e
      Jakub Kicinski authored
      Íñigo Huguet says:
      
      ====================
      sfc/siena: fix some efx_separate_tx_channels errors
      
      Trying to load sfc driver with modparam efx_separate_tx_channels=1
      resulted in errors during initialization and not being able to use the
      NIC. This patches fix a few bugs and make it work again.
      
      This has been already done for sfc, do it also for sfc_siena.
      ====================
      
      Link: https://lore.kernel.org/r/20220601063603.15362-1-ihuguet@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      11049c9e
    • Íñigo Huguet's avatar
      sfc/siena: fix wrong tx channel offset with efx_separate_tx_channels · 25bde571
      Íñigo Huguet authored
      tx_channel_offset is calculated in efx_allocate_msix_channels, but it is
      also calculated again in efx_set_channels because it was originally done
      there, and when efx_allocate_msix_channels was introduced it was
      forgotten to be removed from efx_set_channels.
      
      Moreover, the old calculation is wrong when using
      efx_separate_tx_channels because now we can have XDP channels after the
      TX channels, so n_channels - n_tx_channels doesn't point to the first TX
      channel.
      
      Remove the old calculation from efx_set_channels, and add the
      initialization of this variable if MSI or legacy interrupts are used,
      next to the initialization of the rest of the related variables, where
      it was missing.
      
      This has been already done for sfc, do it also for sfc_siena.
      
      Fixes: 3990a8ff ("sfc: allocate channels for XDP tx queues")
      Reported-by: default avatarTianhao Zhao <tizhao@redhat.com>
      Signed-off-by: default avatarÍñigo Huguet <ihuguet@redhat.com>
      Acked-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      25bde571
    • Martin Habets's avatar
      sfc/siena: fix considering that all channels have TX queues · 183614bf
      Martin Habets authored
      Normally, all channels have RX and TX queues, but this is not true if
      modparam efx_separate_tx_channels=1 is used. In that cases, some
      channels only have RX queues and others only TX queues (or more
      preciselly, they have them allocated, but not initialized).
      
      Fix efx_channel_has_tx_queues to return the correct value for this case
      too.
      
      This has been already done for sfc, do it also for sfc_siena.
      
      Messages shown at probe time before the fix:
       sfc 0000:03:00.0 ens6f0np0: MC command 0x82 inlen 544 failed rc=-22 (raw=0) arg=0
       ------------[ cut here ]------------
       netdevice: ens6f0np0: failed to initialise TXQ -1
       WARNING: CPU: 1 PID: 626 at drivers/net/ethernet/sfc/ef10.c:2393 efx_ef10_tx_init+0x201/0x300 [sfc]
       [...] stripped
       RIP: 0010:efx_ef10_tx_init+0x201/0x300 [sfc]
       [...] stripped
       Call Trace:
        efx_init_tx_queue+0xaa/0xf0 [sfc]
        efx_start_channels+0x49/0x120 [sfc]
        efx_start_all+0x1f8/0x430 [sfc]
        efx_net_open+0x5a/0xe0 [sfc]
        __dev_open+0xd0/0x190
        __dev_change_flags+0x1b3/0x220
        dev_change_flags+0x21/0x60
       [...] stripped
      
      Messages shown at remove time before the fix:
       sfc 0000:03:00.0 ens6f0np0: failed to flush 10 queues
       sfc 0000:03:00.0 ens6f0np0: failed to flush queues
      
      Fixes: 8700aff0 ("sfc: fix channel allocation with brute force")
      Reported-by: default avatarTianhao Zhao <tizhao@redhat.com>
      Signed-off-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Tested-by: default avatarÍñigo Huguet <ihuguet@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      183614bf
    • Jakub Kicinski's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 2440d206
      Jakub Kicinski authored
      Steffen Klassert says:
      
      ====================
      ipsec 2022-06-01
      
      1) Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
         From Michal Kubecek.
      
      2) Don't set IPv4 DF bit when encapsulating IPv6 frames below 1280 bytes.
         From Maciej Żenczykowski.
      
      * 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
        xfrm: do not set IPv4 DF flag when encapsulating IPv6 frames <= 1280 bytes.
        Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
      ====================
      
      Link: https://lore.kernel.org/r/20220601103349.2297361-1-steffen.klassert@secunet.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2440d206
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2022-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 38a4762e
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v5.19
      
      First set of fixes for v5.19. Build fixes for iwlwifi and libertas, a
      scheduling while atomic fix for rtw88 and use-after-free fix for
      mac80211.
      
      * tag 'wireless-2022-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: mac80211: fix use-after-free in chanctx code
        wifi: rtw88: add a work to correct atomic scheduling warning of ::set_tim
        wifi: iwlwifi: pcie: rename CAUSE macro
        wifi: libertas: use variable-size data in assoc req/resp cmd
      ====================
      
      Link: https://lore.kernel.org/r/20220601110741.90B28C385A5@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      38a4762e
  2. 01 Jun, 2022 10 commits
  3. 31 May, 2022 17 commits
  4. 30 May, 2022 2 commits