1. 01 Mar, 2022 5 commits
    • mac80211: treat some SAE auth steps as final · 94d9864c
      Johannes Berg authored
      When we get anti-clogging token required (added by the commit
      mentioned below), or the other status codes added by the later
      commit 4e56cde1 ("mac80211: Handle special status codes in
      SAE commit") we currently just pretend (towards the internal
      state machine of authentication) that we didn't receive anything.
      
      This has the undesirable consequence of retransmitting the prior
      frame, which is not expected, because the timer is still armed.
      
      If we just disarm the timer at that point, it would result in
      the undesirable side effect of being in this state indefinitely
      if userspace crashes, or so.
      
      So to fix this, reset the timer and set a new auth_data->waiting
      in order to have no more retransmissions, but to have the data
      destroyed when the timer actually fires, which will only happen
      if userspace didn't continue (i.e. crashed or abandoned it.)
      
      Fixes: a4055e74 ("mac80211: Don't destroy auth data in case of anti-clogging")
      Reported-by: Jouni Malinen <j@w1.fi>
      Link: https://lore.kernel.org/r/20220224103932.75964e1d7932.Ia487f91556f29daae734bf61f8181404642e1eec@changeid
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • nl80211: Handle nla_memdup failures in handle_nan_filter · 6ad27f52
      Jiasheng Jiang authored
      As there's potential for failure of the nla_memdup(),
      check the return value.
      
      Fixes: a442b761 ("cfg80211: add add_nan_func / del_nan_func")
      Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
      Link: https://lore.kernel.org/r/20220301100020.3801187-1-jiasheng@iscas.ac.cn
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • iwlwifi: mvm: check debugfs_dir ptr before use · 5a6248c0
      Randy Dunlap authored
      When "debugfs=off" is used on the kernel command line, iwlwifi's
      mvm module uses an invalid/unchecked debugfs_dir pointer and causes
      a BUG:
      
       BUG: kernel NULL pointer dereference, address: 000000000000004f
       #PF: supervisor read access in kernel mode
       #PF: error_code(0x0000) - not-present page
       PGD 0 P4D 0
       Oops: 0000 [#1] PREEMPT SMP
       CPU: 1 PID: 503 Comm: modprobe Tainted: G        W         5.17.0-rc5 #7
       Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021
       RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]
       Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73
       RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246
       RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328
       RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c
       RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620
       R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000
       R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320
       FS:  00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0
       PKRU: 55555554
       Call Trace:
        <TASK>
        ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]
        iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]
        iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]
        _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]
        iwl_opmode_register+0x6a/0xe0 [iwlwifi]
        ? 0xffffffffa0231000
        iwl_mvm_init+0x35/0x1000 [iwlmvm]
        ? 0xffffffffa0231000
        do_one_initcall+0x5a/0x1b0
        ? kmem_cache_alloc+0x1e5/0x2f0
        ? do_init_module+0x1e/0x220
        do_init_module+0x48/0x220
        load_module+0x2602/0x2bc0
        ? __kernel_read+0x145/0x2e0
        ? kernel_read_file+0x229/0x290
        __do_sys_finit_module+0xc5/0x130
        ? __do_sys_finit_module+0xc5/0x130
        __x64_sys_finit_module+0x13/0x20
        do_syscall_64+0x38/0x90
        entry_SYSCALL_64_after_hwframe+0x44/0xae
       RIP: 0033:0x7f64dda564dd
       Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48
       RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
       RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd
       RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001
       RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002
       R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2
       R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018
        </TASK>
       Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev
       CR2: 000000000000004f
       ---[ end trace 0000000000000000 ]---
      
      Check the debugfs_dir pointer for an error before using it.
      
      Fixes: 8c082a99 ("iwlwifi: mvm: simplify iwl_mvm_dbgfs_register")
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Cc: Luca Coelho <luciano.coelho@intel.com>
      Cc: linux-wireless@vger.kernel.org
      Cc: Kalle Valo <kvalo@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20220223030630.23241-1-rdunlap@infradead.org
      [change to make both conditional]
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • iwlwifi: don't advertise TWT support · 1db5fcbb
      Golan Ben Ami authored
      Some APs misbehave when TWT is used and cause our firmware to crash.
      We don't know a reasonable way to detect and work around this problem
      in the FW yet.  To prevent these crashes, disable TWT in the driver by
      stopping to advertise TWT support.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=215523
      Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
      [reworded the commit message]
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/20220301072926.153969-1-luca@coelho.fi
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • rfkill: define rfill_soft_blocked() if !RFKILL · 50bb467c
      Ben Dooks authored
      If CONFIG_RFKILL is not set, the Intel WiFi driver will not build
      the iw_mvm driver part due to the missing rfkill_soft_blocked()
      call. Adding an inline declaration of rfkill_soft_blocked() if
      CONFIG_RFKILL=n fixes the following error:
      
      drivers/net/wireless/intel/iwlwifi/mvm/mvm.h: In function 'iwl_mvm_mei_set_sw_rfkill_state':
      drivers/net/wireless/intel/iwlwifi/mvm/mvm.h:2215:38: error: implicit declaration of function 'rfkill_soft_blocked'; did you mean 'rfkill_blocked'? [-Werror=implicit-function-declaration]
       2215 |                 mvm->hw_registered ? rfkill_soft_blocked(mvm->hw->wiphy->rfkill) : false;
            |                                      ^~~~~~~~~~~~~~~~~~~
            |                                      rfkill_blocked
      Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
      Reported-by: Neill Whillans <neill.whillans@codethink.co.uk>
      Fixes: 5bc9a9dd ("rfkill: allow to get the software rfkill state")
      Link: https://lore.kernel.org/r/20220218093858.1245677-1-ben.dooks@codethink.co.uk
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  2. 16 Feb, 2022 3 commits
  3. 11 Feb, 2022 8 commits
    • atl1c: fix tx timeout after link flap on Mikrotik 10/25G NIC · bf8e59fd
      Gatis Peisenieks authored
      If NIC had packets in tx queue at the moment link down event
      happened, it could result in tx timeout when link got back up.
      
      Since device has more than one tx queue we need to reset them
      accordingly.
      
      Fixes: 057f4af2 ("atl1c: add 4 RX/TX queue support for Mikrotik 10/25G NIC")
      Signed-off-by: Gatis Peisenieks <gatis@mikrotik.com>
      Link: https://lore.kernel.org/r/20220211065123.4187615-1-gatis@mikrotik.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mctp: serial: Cancel pending work from ndo_uninit handler · 6c342ce2
      Jeremy Kerr authored
      We cannot do the cancel_work_sync from after the unregister_netdev, as
      the dev pointer is no longer valid, causing a uaf on ldisc unregister
      (or device close).
      
      Instead, do the cancel_work_sync from the ndo_uninit op, where the dev
      still exists, but the queue has stopped.
      
      Fixes: 7bd9890f ("mctp: serial: cancel tx work on ldisc close")
      Reported-by: Luo Likang <luolikang@nsfocus.com>
      Tested-by: Luo Likang <luolikang@nsfocus.com>
      Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
      Link: https://lore.kernel.org/r/20220211011552.1861886-1-jk@codeconstruct.com.au
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: dsa: lan9303: fix reset on probe · 6bb9681a
      Mans Rullgard authored
      The reset input to the LAN9303 chip is active low, and devicetree
      gpio handles reflect this.  Therefore, the gpio should be requested
      with an initial state of high in order for the reset signal to be
      asserted.  Other uses of the gpio already use the correct polarity.
      
      Fixes: a1292595 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
      Signed-off-by: Mans Rullgard <mans@mansr.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'wireless-2022-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 85d24ad3
      David S. Miller authored
      wireless fixes for v5.17
      
      Second set of fixes for v5.17. This is the first pull request with
      both driver and stack patches.
      
      Most important here are a regression fix for brcmfmac USB devices and
      an iwlwifi fix for use after free when the firmware was missing. We
      have new maintainers for ath9k and wcn36xx as well as ath6kl is now
      orphaned. Also smaller fixes to iwlwifi and stack.
    • Merge ra.kernel.org:/pub/scm/linux/kernel/git/netfilter/nf · 525de9a7
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Add selftest for nft_synproxy, from Florian Westphal.
      
      2) xt_socket destroy path incorrectly disables IPv4 defrag for
         IPv6 traffic (typo), from Eric Dumazet.
      
      3) Fix exit value selftest nft_concat_range.sh, from Hangbin Liu.
      
      4) nft_synproxy disables the IPv4 hooks if the IPv6 hooks fail
         to be registered.
      
      5) disable rp_filter on router in selftest nft_fib.sh, also
         from Hangbin Liu.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit · dcd54265
      Eric Dumazet authored
      trace_napi_poll_hit() is reading stat->dev while another thread can write
      on it from dropmon_net_event()
      
      Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
      we only have to take care of load/store tearing.
      
      BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
      
      write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
       dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
       notifier_call_chain kernel/notifier.c:84 [inline]
       raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
       call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
       call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
       call_netdevice_notifiers net/core/dev.c:1945 [inline]
       unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
       ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
       vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
       ops_exit_list net/core/net_namespace.c:173 [inline]
       cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
       process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
       worker_thread+0x616/0xa70 kernel/workqueue.c:2454
       kthread+0x1bf/0x1e0 kernel/kthread.c:377
       ret_from_fork+0x1f/0x30
      
      read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
       trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
       trace_napi_poll include/trace/events/napi.h:14 [inline]
       __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
       napi_poll net/core/dev.c:6432 [inline]
       net_rx_action+0x29e/0x650 net/core/dev.c:6519
       __do_softirq+0x158/0x2de kernel/softirq.c:558
       do_softirq+0xb1/0xf0 kernel/softirq.c:459
       __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
       __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
       _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
       spin_unlock_bh include/linux/spinlock.h:394 [inline]
       ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
       wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
       process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
       worker_thread+0x616/0xa70 kernel/workqueue.c:2454
       kthread+0x1bf/0x1e0 kernel/kthread.c:377
       ret_from_fork+0x1f/0x30
      
      value changed: 0xffff88815883e000 -> 0x0000000000000000
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
      
      Fixes: 4ea7e386 ("dropmon: add ability to detect when hardware dropsrxpackets")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/smc: Avoid overwriting the copies of clcsock callback functions · 1de9770d
      Wen Gu authored
      The callback functions of clcsock will be saved and replaced during
      the fallback. But if the fallback happens more than once, then the
      copies of these callback functions will be overwritten incorrectly,
      resulting in a loop call issue:
      
      clcsk->sk_error_report
       |- smc_fback_error_report() <------------------------------|
           |- smc_fback_forward_wakeup()                          | (loop)
               |- clcsock_callback()  (incorrectly overwritten)   |
                   |- smc->clcsk_error_report() ------------------|
      
      So this patch fixes the issue by saving these function pointers only
      once in the fallback and avoiding overwriting.
      
      Reported-by: syzbot+4de3c0e8a263e1e499bc@syzkaller.appspotmail.com
      Fixes: 341adeec ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
      Link: https://lore.kernel.org/r/0000000000006d045e05d78776f6@google.com
      Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'net-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f1baf68e
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter and can.
      
      Current release - new code bugs:
      
         - sparx5: fix get_stat64 out-of-bound access and crash
      
         - smc: fix netdev ref tracker misuse
      
        Previous releases - regressions:
      
         - eth: ixgbevf: require large buffers for build_skb on 82599VF, avoid
           overflows
      
         - eth: ocelot: fix all IP traffic getting trapped to CPU with PTP
           over IP
      
         - bonding: fix rare link activation misses in 802.3ad mode
      
        Previous releases - always broken:
      
         - tcp: fix tcp sock mem accounting in zero-copy corner cases
      
         - remove the cached dst when uncloning an skb dst and its metadata,
           since we only have one ref it'd lead to an UaF
      
         - netfilter:
            - conntrack: don't refresh sctp entries in closed state
            - conntrack: re-init state for retransmitted syn-ack, avoid
              connection establishment getting stuck with strange stacks
            - ctnetlink: disable helper autoassign, avoid it getting lost
            - nft_payload: don't allow transport header access for fragments
      
         - dsa: fix use of devres for mdio throughout drivers
      
         - eth: amd-xgbe: disable interrupts during pci removal
      
         - eth: dpaa2-eth: unregister netdev before disconnecting the PHY
      
         - eth: ice: fix IPIP and SIT TSO offload"
      
      * tag 'net-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (53 commits)
        net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
        net: mscc: ocelot: fix mutex lock error during ethtool stats read
        ice: Avoid RTNL lock when re-creating auxiliary device
        ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler
        ice: fix IPIP and SIT TSO offload
        ice: fix an error code in ice_cfg_phy_fec()
        net: mpls: Fix GCC 12 warning
        dpaa2-eth: unregister the netdev before disconnecting from the PHY
        skbuff: cleanup double word in comment
        net: macb: Align the dma and coherent dma masks
        mptcp: netlink: process IPv6 addrs in creating listening sockets
        selftests: mptcp: add missing join check
        net: usb: qmi_wwan: Add support for Dell DW5829e
        vlan: move dev_put into vlan_dev_uninit
        vlan: introduce vlan_dev_free_egress_priority
        ax25: fix UAF bugs of net_device caused by rebinding operation
        net: dsa: fix panic when DSA master device unbinds on shutdown
        net: amd-xgbe: disable interrupts during pci removal
        tipc: rate limit warning for received illegal binding update
        net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE
        ...
  4. 10 Feb, 2022 24 commits