1. 11 Dec, 2021 13 commits
  2. 09 Dec, 2021 27 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · c741e491
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Quite a few small bug fixes old and new, also Doug Ledford is retiring
        now, we thank him for his work. Details:
      
         - Use after free in rxe
      
         - mlx5 DM regression
      
         - hns bugs triggred by device reset
      
         - Two fixes for CONFIG_DEBUG_PREEMPT
      
         - Several longstanding corner case bugs in hfi1
      
         - Two irdma data path bugs in rare cases and some memory issues"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/irdma: Don't arm the CQ more than two times if no CE for this CQ
        RDMA/irdma: Report correct WC errors
        RDMA/irdma: Fix a potential memory allocation issue in 'irdma_prm_add_pble_mem()'
        RDMA/irdma: Fix a user-after-free in add_pble_prm
        IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr
        IB/hfi1: Fix early init panic
        IB/hfi1: Insure use of smp_processor_id() is preempt disabled
        IB/hfi1: Correct guard on eager buffer deallocation
        RDMA/rtrs: Call {get,put}_cpu_ptr to silence a debug kernel warning
        RDMA/hns: Do not destroy QP resources in the hw resetting phase
        RDMA/hns: Do not halt commands during reset until later
        Remove Doug Ledford from MAINTAINERS
        RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow
        RDMA: Fix use-after-free in rxe_queue_cleanup
      c741e491
    • Linus Torvalds's avatar
      Merge tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · ded746bf
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, can and netfilter.
      
        Current release - regressions:
      
         - bpf, sockmap: re-evaluate proto ops when psock is removed from
           sockmap
      
        Current release - new code bugs:
      
         - bpf: fix bpf_check_mod_kfunc_call for built-in modules
      
         - ice: fixes for TC classifier offloads
      
         - vrf: don't run conntrack on vrf with !dflt qdisc
      
        Previous releases - regressions:
      
         - bpf: fix the off-by-two error in range markings
      
         - seg6: fix the iif in the IPv6 socket control block
      
         - devlink: fix netns refcount leak in devlink_nl_cmd_reload()
      
         - dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
      
         - dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
      
        Previous releases - always broken:
      
         - ethtool: do not perform operations on net devices being
           unregistered
      
         - udp: use datalen to cap max gso segments
      
         - ice: fix races in stats collection
      
         - fec: only clear interrupt of handling queue in fec_enet_rx_queue()
      
         - m_can: pci: fix incorrect reference clock rate
      
         - m_can: disable and ignore ELO interrupt
      
         - mvpp2: fix XDP rx queues registering
      
        Misc:
      
         - treewide: add missing includes masked by cgroup -> bpf.h
           dependency"
      
      * tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (82 commits)
        net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
        net: wwan: iosm: fixes unable to send AT command during mbim tx
        net: wwan: iosm: fixes net interface nonfunctional after fw flash
        net: wwan: iosm: fixes unnecessary doorbell send
        net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering
        MAINTAINERS: s390/net: remove myself as maintainer
        net/sched: fq_pie: prevent dismantle issue
        net: mana: Fix memory leak in mana_hwc_create_wq
        seg6: fix the iif in the IPv6 socket control block
        nfp: Fix memory leak in nfp_cpp_area_cache_add()
        nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
        nfc: fix segfault in nfc_genl_dump_devices_done
        udp: using datalen to cap max gso segments
        net: dsa: mv88e6xxx: error handling for serdes_power functions
        can: kvaser_usb: get CAN clock frequency from device
        can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
        net: mvpp2: fix XDP rx queues registering
        vmxnet3: fix minimum vectors alloc issue
        net, neigh: clear whole pneigh_entry at alloc time
        net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
        ...
      ded746bf
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 27698cd2
      Linus Torvalds authored
      Pull mtd fixes from Miquel Raynal:
       "MTD fixes:
      
         - dataflash: Add device-tree SPI IDs to avoid new warnings
      
        Raw NAND fixes:
      
         - Fix nand_choose_best_timings() on unsupported interface
      
         - Fix nand_erase_op delay (wrong unit)
      
         - fsmc:
            - Fix timing computation
            - Take instruction delay into account
      
         - denali:
            - Add the dependency on HAS_IOMEM to silence robots"
      
      * tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: dataflash: Add device-tree SPI IDs
        mtd: rawnand: fsmc: Fix timing computation
        mtd: rawnand: fsmc: Take instruction delay into account
        mtd: rawnand: Fix nand_choose_best_timings() on unsupported interface
        mtd: rawnand: Fix nand_erase_op delay
        mtd: rawnand: denali: Add the dependency on HAS_IOMEM
      27698cd2
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 03090cc7
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fixes for various drivers which assume that a HID device is on USB
         transport, but that might not necessarily be the case, as the device
         can be faked by uhid. (Greg, Benjamin Tissoires)
      
       - fix for spurious wakeups on certain Lenovo notebooks (Thomas
         Weißschuh)
      
       - a few other device-specific quirks
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: Ignore battery for Elan touchscreen on Asus UX550VE
        HID: intel-ish-hid: ipc: only enable IRQ wakeup when requested
        HID: google: add eel USB id
        HID: add USB_HID dependancy to hid-prodikeys
        HID: add USB_HID dependancy to hid-chicony
        HID: bigbenff: prevent null pointer dereference
        HID: sony: fix error path in probe
        HID: add USB_HID dependancy on some USB HID drivers
        HID: check for valid USB device for many HID drivers
        HID: wacom: fix problems when device is not a valid USB device
        HID: add hid_is_usb() function to make it simpler for USB detection
        HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
      03090cc7
    • Linus Torvalds's avatar
      Merge tag 'netfs-fixes-20211207' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 2990c89d
      Linus Torvalds authored
      Pull netfslib fixes from David Howells:
      
       - Fix a lockdep warning and potential deadlock. This is takes the
         simple approach of offloading the write-to-cache done from within a
         network filesystem read to a worker thread to avoid taking the
         sb_writer lock from the cache backing filesystem whilst holding the
         mmap lock on an inode from the network filesystem.
      
         Jan Kara posits a scenario whereby this can cause deadlock[1], though
         it's quite complex and I think requires someone in userspace to
         actually do I/O on the cache files. Matthew Wilcox isn't so certain,
         though[2].
      
         An alternative way to fix this, suggested by Darrick Wong, might be
         to allow cachefiles to prevent userspace from performing I/O upon the
         file - something like an exclusive open - but that's beyond the scope
         of a fix here if we do want to make such a facility in the future.
      
       - In some of the error handling paths where netfs_ops->cleanup() is
         called, the arguments are transposed[3]. gcc doesn't complain because
         one of the parameters is void* and one of the values is void*.
      
      Link: https://lore.kernel.org/r/20210922110420.GA21576@quack2.suse.cz/ [1]
      Link: https://lore.kernel.org/r/Ya9eDiFCE2fO7K/S@casper.infradead.org/ [2]
      Link: https://lore.kernel.org/r/20211207031449.100510-1-jefflexu@linux.alibaba.com/ [3]
      
      * tag 'netfs-fixes-20211207' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        netfs: fix parameter of cleanup()
        netfs: Fix lockdep warning from taking sb_writers whilst holding mmap_lock
      2990c89d
    • Sasha Levin's avatar
      tools/lib/lockdep: drop leftover liblockdep headers · 3a49cc22
      Sasha Levin authored
      Clean up remaining headers that are specific to liblockdep but lived in
      the shared header directory.  These are all unused after the liblockdep
      code was removed in commit 7246f4dc ("tools/lib/lockdep: drop
      liblockdep").
      
      Note that there are still headers that were originally created for
      liblockdep, that still have liblockdep references, but they are used by
      other tools/ code at this point.
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3a49cc22
    • Russell King (Oracle)'s avatar
      net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports · 04ec4e62
      Russell King (Oracle) authored
      Martyn Welch reports that his CPU port is unable to link where it has
      been necessary to use one of the switch ports with an internal PHY for
      the CPU port. The reason behind this is the port control register is
      left forcing the link down, preventing traffic flow.
      
      This occurs because during initialisation, phylink expects the link to
      be down, and DSA forces the link down by synthesising a call to the
      DSA drivers phylink_mac_link_down() method, but we don't touch the
      forced-link state when we later reconfigure the port.
      
      Resolve this by also unforcing the link state when we are operating in
      PHY mode and the PPU is set to poll the PHY to retrieve link status
      information.
      Reported-by: default avatarMartyn Welch <martyn.welch@collabora.com>
      Tested-by: default avatarMartyn Welch <martyn.welch@collabora.com>
      Fixes: 3be98b2d ("net: dsa: Down cpu/dsa ports phylink will control")
      Cc: <stable@vger.kernel.org> # 5.7: 2b29cb9e: net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Link: https://lore.kernel.org/r/E1mvFhP-00F8Zb-Ul@rmk-PC.armlinux.org.ukSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      04ec4e62
    • Jakub Kicinski's avatar
      Merge branch 'net-wwan-iosm-bug-fixes' · 19961780
      Jakub Kicinski authored
      M Chetan Kumar says:
      
      ====================
      net: wwan: iosm: bug fixes
      
      This patch series brings in IOSM driver bug fixes. Patch details are
      explained below.
      
      PATCH1: stop sending unnecessary doorbell in IP tx flow.
      PATCH2: Restore the IP channel configuration after fw flash.
      PATCH3: Removed the unnecessary check around control port TX transfer.
      ====================
      
      Link: https://lore.kernel.org/r/20211209101629.2940877-1-m.chetan.kumar@linux.intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      19961780
    • M Chetan Kumar's avatar
      net: wwan: iosm: fixes unable to send AT command during mbim tx · 383451ce
      M Chetan Kumar authored
      ev_cdev_write_pending flag is preventing a TX message post for
      AT port while MBIM transfer is ongoing.
      
      Removed the unnecessary check around control port TX transfer.
      Signed-off-by: default avatarM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      383451ce
    • M Chetan Kumar's avatar
      net: wwan: iosm: fixes net interface nonfunctional after fw flash · 07d3f274
      M Chetan Kumar authored
      Devlink initialization flow was overwriting the IP traffic
      channel configuration. This was causing wwan0 network interface
      to be unusable after fw flash.
      
      When device boots to fully functional mode restore the IP channel
      configuration.
      Signed-off-by: default avatarM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      07d3f274
    • M Chetan Kumar's avatar
      net: wwan: iosm: fixes unnecessary doorbell send · 373f121a
      M Chetan Kumar authored
      In TX packet accumulation flow transport layer is
      giving a doorbell to device even though there is
      no pending control TX transfer that needs immediate
      attention.
      
      Introduced a new hpda_ctrl_pending variable to keep
      track of pending control TX transfer. If there is a
      pending control TX transfer which needs an immediate
      attention only then give a doorbell to device.
      Signed-off-by: default avatarM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      373f121a
    • José Expósito's avatar
      net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering · e8b1d769
      José Expósito authored
      Avoid a memory leak if there is not a CPU port defined.
      
      Fixes: 8d5f7954 ("net: dsa: felix: break at first CPU port during init and teardown")
      Addresses-Coverity-ID: 1492897 ("Resource leak")
      Addresses-Coverity-ID: 1492899 ("Resource leak")
      Signed-off-by: default avatarJosé Expósito <jose.exposito89@gmail.com>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20211209110538.11585-1-jose.exposito89@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e8b1d769
    • Julian Wiedmann's avatar
      MAINTAINERS: s390/net: remove myself as maintainer · 37ad4e2a
      Julian Wiedmann authored
      I won't have access to the relevant HW and docs much longer.
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Link: https://lore.kernel.org/r/20211209153546.1152921-1-jwi@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      37ad4e2a
    • Eric Dumazet's avatar
      net/sched: fq_pie: prevent dismantle issue · 61c24026
      Eric Dumazet authored
      For some reason, fq_pie_destroy() did not copy
      working code from pie_destroy() and other qdiscs,
      thus causing elusive bug.
      
      Before calling del_timer_sync(&q->adapt_timer),
      we need to ensure timer will not rearm itself.
      
      rcu: INFO: rcu_preempt self-detected stall on CPU
      rcu:    0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579
              (t=10501 jiffies g=13085 q=3989)
      NMI backtrace for cpu 0
      CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
       nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
       nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
       trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
       rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343
       print_cpu_stall kernel/rcu/tree_stall.h:627 [inline]
       check_cpu_stall kernel/rcu/tree_stall.h:711 [inline]
       rcu_pending kernel/rcu/tree.c:3878 [inline]
       rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597
       update_process_times+0x16d/0x200 kernel/time/timer.c:1785
       tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226
       tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428
       __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
       __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749
       hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
       local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]
       __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103
       sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097
       </IRQ>
       <TASK>
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
      RIP: 0010:write_comp_data kernel/kcov.c:221 [inline]
      RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273
      Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 <e8> 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00
      RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246
      RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000
      RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003
      RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000
       pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418
       fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383
       call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
       expire_timers kernel/time/timer.c:1466 [inline]
       __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
       __run_timers kernel/time/timer.c:1715 [inline]
       run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
       __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
       run_ksoftirqd kernel/softirq.c:921 [inline]
       run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
       smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
       kthread+0x405/0x4f0 kernel/kthread.c:327
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
       </TASK>
      
      Fixes: ec97ecf1 ("net: sched: add Flow Queue PIE packet scheduler")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Mohit P. Tahiliani <tahiliani@nitk.edu.in>
      Cc: Sachin D. Patil <sdp.sachin@gmail.com>
      Cc: V. Saicharan <vsaicharan1998@gmail.com>
      Cc: Mohit Bhasi <mohitbhasi1998@gmail.com>
      Cc: Leslie Monis <lesliemonis@gmail.com>
      Cc: Gautam Ramakrishnan <gautamramk@gmail.com>
      Link: https://lore.kernel.org/r/20211209084937.3500020-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      61c24026
    • José Expósito's avatar
      net: mana: Fix memory leak in mana_hwc_create_wq · 9acfc57f
      José Expósito authored
      If allocating the DMA buffer fails, mana_hwc_destroy_wq was called
      without previously storing the pointer to the queue.
      
      In order to avoid leaking the pointer to the queue, store it as soon as
      it is allocated.
      
      Addresses-Coverity-ID: 1484720 ("Resource leak")
      Signed-off-by: default avatarJosé Expósito <jose.exposito89@gmail.com>
      Reviewed-by: default avatarDexuan Cui <decui@microsoft.com>
      Link: https://lore.kernel.org/r/20211208223723.18520-1-jose.exposito89@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9acfc57f
    • Andrea Mayer's avatar
      seg6: fix the iif in the IPv6 socket control block · ae68d933
      Andrea Mayer authored
      When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving
      interface index into the IPv4 socket control block (v5.16-rc4,
      net/ipv4/ip_input.c line 510):
      
          IPCB(skb)->iif = skb->skb_iif;
      
      If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH
      header, the seg6_do_srh_encap(...) performs the required encapsulation.
      In this case, the seg6_do_srh_encap function clears the IPv6 socket control
      block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):
      
          memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
      
      The memset(...) was introduced in commit ef489749 ("ipv6: sr: clear
      IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29).
      
      Since the IPv6 socket control block and the IPv4 socket control block share
      the same memory area (skb->cb), the receiving interface index info is lost
      (IP6CB(skb)->iif is set to zero).
      
      As a side effect, that condition triggers a NULL pointer dereference if
      commit 0857d6f8 ("ipv6: When forwarding count rx stats on the orig
      netdev") is applied.
      
      To fix that issue, we set the IP6CB(skb)->iif with the index of the
      receiving interface once again.
      
      Fixes: ef489749 ("ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation")
      Signed-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20211208195409.12169-1-andrea.mayer@uniroma2.itSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ae68d933
    • Jianglei Nie's avatar
      nfp: Fix memory leak in nfp_cpp_area_cache_add() · c56c9630
      Jianglei Nie authored
      In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a
      CPP area structure. But in line 807 (#2), when the cache is allocated
      failed, this CPP area structure is not freed, which will result in
      memory leak.
      
      We can fix it by freeing the CPP area when the cache is allocated
      failed (#2).
      
      792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)
      793 {
      794 	struct nfp_cpp_area_cache *cache;
      795 	struct nfp_cpp_area *area;
      
      800	area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),
      801 				  0, size);
      	// #1: allocates and initializes
      
      802 	if (!area)
      803 		return -ENOMEM;
      
      805 	cache = kzalloc(sizeof(*cache), GFP_KERNEL);
      806 	if (!cache)
      807 		return -ENOMEM; // #2: missing free
      
      817	return 0;
      818 }
      
      Fixes: 4cb584e0 ("nfp: add CPP access core")
      Signed-off-by: default avatarJianglei Nie <niejianglei2021@163.com>
      Acked-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20211209061511.122535-1-niejianglei2021@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c56c9630
    • Krzysztof Kozlowski's avatar
      nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done · 4cd8371a
      Krzysztof Kozlowski authored
      The done() netlink callback nfc_genl_dump_ses_done() should check if
      received argument is non-NULL, because its allocation could fail earlier
      in dumpit() (nfc_genl_dump_ses()).
      
      Fixes: ac22ac46 ("NFC: Add a GET_SE netlink API")
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Link: https://lore.kernel.org/r/20211209081307.57337-1-krzysztof.kozlowski@canonical.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4cd8371a
    • Tadeusz Struk's avatar
      nfc: fix segfault in nfc_genl_dump_devices_done · fd79a0cb
      Tadeusz Struk authored
      When kmalloc in nfc_genl_dump_devices() fails then
      nfc_genl_dump_devices_done() segfaults as below
      
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65-dirty #5
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014
      Workqueue: events netlink_sock_destruct_work
      RIP: 0010:klist_iter_exit+0x26/0x80
      Call Trace:
      <TASK>
      class_dev_iter_exit+0x15/0x20
      nfc_genl_dump_devices_done+0x3b/0x50
      genl_lock_done+0x84/0xd0
      netlink_sock_destruct+0x8f/0x270
      __sk_destruct+0x64/0x3b0
      sk_destruct+0xa8/0xd0
      __sk_free+0x2e8/0x3d0
      sk_free+0x51/0x90
      netlink_sock_destruct_work+0x1c/0x20
      process_one_work+0x411/0x710
      worker_thread+0x6fd/0xa80
      
      Link: https://syzkaller.appspot.com/bug?id=fc0fa5a53db9edd261d56e74325419faf18bd0df
      Reported-by: syzbot+f9f76f4a0766420b4a02@syzkaller.appspotmail.com
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@linaro.org>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Link: https://lore.kernel.org/r/20211208182742.340542-1-tadeusz.struk@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fd79a0cb
    • Jianguo Wu's avatar
      udp: using datalen to cap max gso segments · 158390e4
      Jianguo Wu authored
      The max number of UDP gso segments is intended to cap to UDP_MAX_SEGMENTS,
      this is checked in udp_send_skb():
      
          if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) {
              kfree_skb(skb);
              return -EINVAL;
          }
      
      skb->len contains network and transport header len here, we should use
      only data len instead.
      
      Fixes: bec1f6f6 ("udp: generate gso with UDP_SEGMENT")
      Signed-off-by: default avatarJianguo Wu <wujianguo@chinatelecom.cn>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/900742e5-81fb-30dc-6e0b-375c6cdd7982@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      158390e4
    • Ameer Hamza's avatar
      net: dsa: mv88e6xxx: error handling for serdes_power functions · 0416e7af
      Ameer Hamza authored
      Added default case to handle undefined cmode scenario in
      mv88e6393x_serdes_power() and mv88e6393x_serdes_power() methods.
      
      Addresses-Coverity: 1494644 ("Uninitialized scalar variable")
      Fixes: 21635d92 (net: dsa: mv88e6xxx: Fix application of erratum 4.8 for 88E6393X)
      Reviewed-by: default avatarMarek Behún <kabel@kernel.org>
      Signed-off-by: default avatarAmeer Hamza <amhamza.mgc@gmail.com>
      Link: https://lore.kernel.org/r/20211209041552.9810-1-amhamza.mgc@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0416e7af
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-5.16-20211209' of... · 8d6b32aa
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-5.16-20211209' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      can 2021-12-09
      
      Both patches are by Jimmy Assarsson. The first one fixes the
      incrementing of the rx/tx error counters in the Kvaser PCIe FD driver.
      The second one fixes the Kvaser USB driver by using the CAN clock
      frequency provided by the device instead of using a hard coded value.
      
      * tag 'linux-can-fixes-for-5.16-20211209' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: kvaser_usb: get CAN clock frequency from device
        can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
      ====================
      
      Link: https://lore.kernel.org/r/20211209081312.301036-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8d6b32aa
    • Jimmy Assarsson's avatar
      can: kvaser_usb: get CAN clock frequency from device · fb12797a
      Jimmy Assarsson authored
      The CAN clock frequency is used when calculating the CAN bittiming
      parameters. When wrong clock frequency is used, the device may end up
      with wrong bittiming parameters, depending on user requested bittiming
      parameters.
      
      To avoid this, get the CAN clock frequency from the device. Various
      existing Kvaser Leaf products use different CAN clocks.
      
      Fixes: 080f40a6 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
      Link: https://lore.kernel.org/all/20211208152122.250852-2-extja@kvaser.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJimmy Assarsson <extja@kvaser.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      fb12797a
    • Jimmy Assarsson's avatar
      can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter · 36aea60f
      Jimmy Assarsson authored
      Check the direction bit in the error frame packet (EPACK) to determine
      which net_device_stats {rx,tx}_errors counter to increase.
      
      Fixes: 26ad340e ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
      Link: https://lore.kernel.org/all/20211208152122.250852-1-extja@kvaser.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJimmy Assarsson <extja@kvaser.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      36aea60f
    • Louis Amas's avatar
      net: mvpp2: fix XDP rx queues registering · a50e659b
      Louis Amas authored
      The registration of XDP queue information is incorrect because the
      RX queue id we use is invalid. When port->id == 0 it appears to works
      as expected yet it's no longer the case when port->id != 0.
      
      The problem arised while using a recent kernel version on the
      MACCHIATOBin. This board has several ports:
       * eth0 and eth1 are 10Gbps interfaces ; both ports has port->id == 0;
       * eth2 is a 1Gbps interface with port->id != 0.
      
      Code from xdp-tutorial (more specifically advanced03-AF_XDP) was used
      to test packet capture and injection on all these interfaces. The XDP
      kernel was simplified to:
      
      	SEC("xdp_sock")
      	int xdp_sock_prog(struct xdp_md *ctx)
      	{
      		int index = ctx->rx_queue_index;
      
      		/* A set entry here means that the correspnding queue_id
      		* has an active AF_XDP socket bound to it. */
      		if (bpf_map_lookup_elem(&xsks_map, &index))
      			return bpf_redirect_map(&xsks_map, index, 0);
      
      		return XDP_PASS;
      	}
      
      Starting the program using:
      
      	./af_xdp_user -d DEV
      
      Gives the following result:
      
       * eth0 : ok
       * eth1 : ok
       * eth2 : no capture, no injection
      
      Investigating the issue shows that XDP rx queues for eth2 are wrong:
      XDP expects their id to be in the range [0..3] but we found them to be
      in the range [32..35].
      
      Trying to force rx queue ids using:
      
      	./af_xdp_user -d eth2 -Q 32
      
      fails as expected (we shall not have more than 4 queues).
      
      When we register the XDP rx queue information (using
      xdp_rxq_info_reg() in function mvpp2_rxq_init()) we tell it to use
      rxq->id as the queue id. This value is computed as:
      
      	rxq->id = port->id * max_rxq_count + queue_id
      
      where max_rxq_count depends on the device version. In the MACCHIATOBin
      case, this value is 32, meaning that rx queues on eth2 are numbered
      from 32 to 35 - there are four of them.
      
      Clearly, this is not the per-port queue id that XDP is expecting:
      it wants a value in the range [0..3]. It shall directly use queue_id
      which is stored in rxq->logic_rxq -- so let's use that value instead.
      
      rxq->id is left untouched ; its value is indeed valid but it should
      not be used in this context.
      
      This is consistent with the remaining part of the code in
      mvpp2_rxq_init().
      
      With this change, packet capture is working as expected on all the
      MACCHIATOBin ports.
      
      Fixes: b27db227 ("mvpp2: use page_pool allocator")
      Signed-off-by: default avatarLouis Amas <louis.amas@eho.link>
      Signed-off-by: default avatarEmmanuel Deloget <emmanuel.deloget@eho.link>
      Reviewed-by: default avatarMarcin Wojtas <mw@semihalf.com>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Link: https://lore.kernel.org/r/20211207143423.916334-1-louis.amas@eho.linkSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a50e659b
    • Ronak Doshi's avatar
      vmxnet3: fix minimum vectors alloc issue · f71ef02f
      Ronak Doshi authored
      'Commit 39f9895a ("vmxnet3: add support for 32 Tx/Rx queues")'
      added support for 32Tx/Rx queues. Within that patch, value of
      VMXNET3_LINUX_MIN_MSIX_VECT was updated.
      
      However, there is a case (numvcpus = 2) which actually requires 3
      intrs which matches VMXNET3_LINUX_MIN_MSIX_VECT which then is
      treated as failure by stack to allocate more vectors. This patch
      fixes this issue.
      
      Fixes: 39f9895a ("vmxnet3: add support for 32 Tx/Rx queues")
      Signed-off-by: default avatarRonak Doshi <doshir@vmware.com>
      Acked-by: default avatarGuolin Yang <gyang@vmware.com>
      Link: https://lore.kernel.org/r/20211207081737.14000-1-doshir@vmware.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f71ef02f
    • Eric Dumazet's avatar
      net, neigh: clear whole pneigh_entry at alloc time · e195e9b5
      Eric Dumazet authored
      Commit 2c611ad9 ("net, neigh: Extend neigh->flags to 32 bit
      to allow for extensions") enables a new KMSAM warning [1]
      
      I think the bug is actually older, because the following intruction
      only occurred if ndm->ndm_flags had NTF_PROXY set.
      
      	pn->flags = ndm->ndm_flags;
      
      Let's clear all pneigh_entry fields at alloc time.
      
      [1]
      BUG: KMSAN: uninit-value in pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593
       pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593
       pneigh_dump_table net/core/neighbour.c:2715 [inline]
       neigh_dump_info+0x1e3f/0x2c60 net/core/neighbour.c:2832
       netlink_dump+0xaca/0x16a0 net/netlink/af_netlink.c:2265
       __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
       netlink_dump_start include/linux/netlink.h:254 [inline]
       rtnetlink_rcv_msg+0x181b/0x18c0 net/core/rtnetlink.c:5534
       netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5589
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       sock_write_iter+0x594/0x690 net/socket.c:1057
       call_write_iter include/linux/fs.h:2162 [inline]
       new_sync_write fs/read_write.c:503 [inline]
       vfs_write+0x1318/0x2030 fs/read_write.c:590
       ksys_write+0x28c/0x520 fs/read_write.c:643
       __do_sys_write fs/read_write.c:655 [inline]
       __se_sys_write fs/read_write.c:652 [inline]
       __x64_sys_write+0xdb/0x120 fs/read_write.c:652
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:524 [inline]
       slab_alloc_node mm/slub.c:3251 [inline]
       slab_alloc mm/slub.c:3259 [inline]
       __kmalloc+0xc3c/0x12d0 mm/slub.c:4437
       kmalloc include/linux/slab.h:595 [inline]
       pneigh_lookup+0x60f/0xd70 net/core/neighbour.c:766
       arp_req_set_public net/ipv4/arp.c:1016 [inline]
       arp_req_set+0x430/0x10a0 net/ipv4/arp.c:1032
       arp_ioctl+0x8d4/0xb60 net/ipv4/arp.c:1232
       inet_ioctl+0x4ef/0x820 net/ipv4/af_inet.c:947
       sock_do_ioctl net/socket.c:1118 [inline]
       sock_ioctl+0xa3f/0x13e0 net/socket.c:1235
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:874 [inline]
       __se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860
       __x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      CPU: 1 PID: 20001 Comm: syz-executor.0 Not tainted 5.16.0-rc3-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 62dd9318 ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Roopa Prabhu <roopa@nvidia.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20211206165329.1049835-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e195e9b5