1. 08 Dec, 2022 8 commits
    • Alexandra Winter's avatar
      s390/qeth: fix use-after-free in hsci · ebaaadc3
      Alexandra Winter authored
      KASAN found that addr was dereferenced after br2dev_event_work was freed.
      
      ==================================================================
      BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
      Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
      CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
      Hardware name: IBM 8561 T01 703 (LPAR)
      Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
      Call Trace:
       [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
       [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
       [<000000016942d118>] print_report+0x110/0x1f8
       [<0000000167a7bd04>] kasan_report+0xfc/0x128
       [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
       [<00000001673edd1e>] process_one_work+0x76e/0x1128
       [<00000001673ee85c>] worker_thread+0x184/0x1098
       [<000000016740718a>] kthread+0x26a/0x310
       [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
       [<00000001694711da>] ret_from_fork+0xa/0x40
      Allocated by task 108338:
       kasan_save_stack+0x40/0x68
       kasan_set_track+0x36/0x48
       __kasan_kmalloc+0xa0/0xc0
       qeth_l2_switchdev_event+0x25a/0x738
       atomic_notifier_call_chain+0x9c/0xf8
       br_switchdev_fdb_notify+0xf4/0x110
       fdb_notify+0x122/0x180
       fdb_add_entry.constprop.0.isra.0+0x312/0x558
       br_fdb_add+0x59e/0x858
       rtnl_fdb_add+0x58a/0x928
       rtnetlink_rcv_msg+0x5f8/0x8d8
       netlink_rcv_skb+0x1f2/0x408
       netlink_unicast+0x570/0x790
       netlink_sendmsg+0x752/0xbe0
       sock_sendmsg+0xca/0x110
       ____sys_sendmsg+0x510/0x6a8
       ___sys_sendmsg+0x12a/0x180
       __sys_sendmsg+0xe6/0x168
       __do_sys_socketcall+0x3c8/0x468
       do_syscall+0x22c/0x328
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      Freed by task 540:
       kasan_save_stack+0x40/0x68
       kasan_set_track+0x36/0x48
       kasan_save_free_info+0x4c/0x68
       ____kasan_slab_free+0x14e/0x1a8
       __kasan_slab_free+0x24/0x30
       __kmem_cache_free+0x168/0x338
       qeth_l2_br2dev_worker+0x154/0x6b0
       process_one_work+0x76e/0x1128
       worker_thread+0x184/0x1098
       kthread+0x26a/0x310
       __ret_from_fork+0x8a/0xe8
       ret_from_fork+0xa/0x40
      Last potentially related work creation:
       kasan_save_stack+0x40/0x68
       __kasan_record_aux_stack+0xbe/0xd0
       insert_work+0x56/0x2e8
       __queue_work+0x4ce/0xd10
       queue_work_on+0xf4/0x100
       qeth_l2_switchdev_event+0x520/0x738
       atomic_notifier_call_chain+0x9c/0xf8
       br_switchdev_fdb_notify+0xf4/0x110
       fdb_notify+0x122/0x180
       fdb_add_entry.constprop.0.isra.0+0x312/0x558
       br_fdb_add+0x59e/0x858
       rtnl_fdb_add+0x58a/0x928
       rtnetlink_rcv_msg+0x5f8/0x8d8
       netlink_rcv_skb+0x1f2/0x408
       netlink_unicast+0x570/0x790
       netlink_sendmsg+0x752/0xbe0
       sock_sendmsg+0xca/0x110
       ____sys_sendmsg+0x510/0x6a8
       ___sys_sendmsg+0x12a/0x180
       __sys_sendmsg+0xe6/0x168
       __do_sys_socketcall+0x3c8/0x468
       do_syscall+0x22c/0x328
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      Second to last potentially related work creation:
       kasan_save_stack+0x40/0x68
       __kasan_record_aux_stack+0xbe/0xd0
       kvfree_call_rcu+0xb2/0x760
       kernfs_unlink_open_file+0x348/0x430
       kernfs_fop_release+0xc2/0x320
       __fput+0x1ae/0x768
       task_work_run+0x1bc/0x298
       exit_to_user_mode_prepare+0x1a0/0x1a8
       __do_syscall+0x94/0xf0
       system_call+0x82/0xb0
      The buggy address belongs to the object at 00000000fdcea400
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 64 bytes inside of
       96-byte region [00000000fdcea400, 00000000fdcea460)
      The buggy address belongs to the physical page:
      page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
      flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
      raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
      raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      >00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
       00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      ==================================================================
      
      Fixes: f7936b7b ("s390/qeth: Update MACs of LEARNING_SYNC device")
      Reported-by: default avatarThorsten Winkler <twinkler@linux.ibm.com>
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Reviewed-by: default avatarThorsten Winkler <twinkler@linux.ibm.com>
      Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ebaaadc3
    • Emeel Hakim's avatar
      macsec: add missing attribute validation for offload · 38099024
      Emeel Hakim authored
      Add missing attribute validation for IFLA_MACSEC_OFFLOAD
      to the netlink policy.
      
      Fixes: 791bb3fc ("net: macsec: add support for specifying offload upon link creation")
      Signed-off-by: default avatarEmeel Hakim <ehakim@nvidia.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/20221207101618.989-1-ehakim@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      38099024
    • Dan Carpenter's avatar
      net: mvneta: Fix an out of bounds check · cdd97383
      Dan Carpenter authored
      In an earlier commit, I added a bounds check to prevent an out of bounds
      read and a WARN().  On further discussion and consideration that check
      was probably too aggressive.  Instead of returning -EINVAL, a better fix
      would be to just prevent the out of bounds read but continue the process.
      
      Background: The value of "pp->rxq_def" is a number between 0-7 by default,
      or even higher depending on the value of "rxq_number", which is a module
      parameter. If the value is more than the number of available CPUs then
      it will trigger the WARN() in cpu_max_bits_warn().
      
      Fixes: e8b4fc13 ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()")
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadamSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cdd97383
    • Zhengchao Shao's avatar
      net: thunderbolt: fix memory leak in tbnet_open() · ed14e590
      Zhengchao Shao authored
      When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
      tb_xdomain_alloc_out_hopid() is not released. Add
      tb_xdomain_release_out_hopid() to the error path to release ida.
      
      Fixes: 180b0689 ("thunderbolt: Allow multiple DMA tunnels over a single XDomain connection")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20221207015001.1755826-1-shaozhengchao@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ed14e590
    • Eric Dumazet's avatar
      ipv6: avoid use-after-free in ip6_fragment() · 803e8486
      Eric Dumazet authored
      Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
      
      It seems to not be always true, at least for UDP stack.
      
      syzbot reported:
      
      BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
      BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
      Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
      
      CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
       print_address_description mm/kasan/report.c:284 [inline]
       print_report+0x15e/0x45d mm/kasan/report.c:395
       kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
       ip6_dst_idev include/net/ip6_fib.h:245 [inline]
       ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
       __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
       ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
       NF_HOOK_COND include/linux/netfilter.h:291 [inline]
       ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
       dst_output include/net/dst.h:445 [inline]
       ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
       ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
       udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
       udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
       udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
       inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       sock_write_iter+0x295/0x3d0 net/socket.c:1108
       call_write_iter include/linux/fs.h:2191 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x9ed/0xdd0 fs/read_write.c:584
       ksys_write+0x1ec/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7fde3588c0d9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
      RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
      RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
       </TASK>
      
      Allocated by task 7618:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
       kasan_slab_alloc include/linux/kasan.h:201 [inline]
       slab_post_alloc_hook mm/slab.h:737 [inline]
       slab_alloc_node mm/slub.c:3398 [inline]
       slab_alloc mm/slub.c:3406 [inline]
       __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
       kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
       dst_alloc+0x14a/0x1f0 net/core/dst.c:92
       ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
       ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
       rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
       ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
       pol_lookup_func include/net/ip6_fib.h:582 [inline]
       fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
       ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
       ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
       ip6_route_output include/net/ip6_route.h:98 [inline]
       ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
       ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
       ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
       udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
       inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       __sys_sendto+0x23a/0x340 net/socket.c:2117
       __do_sys_sendto net/socket.c:2129 [inline]
       __se_sys_sendto net/socket.c:2125 [inline]
       __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 7599:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511
       ____kasan_slab_free mm/kasan/common.c:236 [inline]
       ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
       kasan_slab_free include/linux/kasan.h:177 [inline]
       slab_free_hook mm/slub.c:1724 [inline]
       slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
       slab_free mm/slub.c:3661 [inline]
       kmem_cache_free+0xee/0x5c0 mm/slub.c:3683
       dst_destroy+0x2ea/0x400 net/core/dst.c:127
       rcu_do_batch kernel/rcu/tree.c:2250 [inline]
       rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
       __do_softirq+0x1fb/0xadc kernel/softirq.c:571
      
      Last potentially related work creation:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
       call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
       dst_release net/core/dst.c:177 [inline]
       dst_release+0x7d/0xe0 net/core/dst.c:167
       refdst_drop include/net/dst.h:256 [inline]
       skb_dst_drop include/net/dst.h:268 [inline]
       skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838
       skb_release_all net/core/skbuff.c:852 [inline]
       __kfree_skb net/core/skbuff.c:868 [inline]
       kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891
       kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901
       kfree_skb_list include/linux/skbuff.h:1227 [inline]
       ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949
       __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
       ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
       NF_HOOK_COND include/linux/netfilter.h:291 [inline]
       ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
       dst_output include/net/dst.h:445 [inline]
       ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
       ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
       udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
       udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
       udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
       inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       sock_write_iter+0x295/0x3d0 net/socket.c:1108
       call_write_iter include/linux/fs.h:2191 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x9ed/0xdd0 fs/read_write.c:584
       ksys_write+0x1ec/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
       call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
       dst_release net/core/dst.c:177 [inline]
       dst_release+0x7d/0xe0 net/core/dst.c:167
       refdst_drop include/net/dst.h:256 [inline]
       skb_dst_drop include/net/dst.h:268 [inline]
       __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211
       dev_queue_xmit include/linux/netdevice.h:3008 [inline]
       neigh_resolve_output net/core/neighbour.c:1552 [inline]
       neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532
       neigh_output include/net/neighbour.h:546 [inline]
       ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
       __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
       ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
       NF_HOOK_COND include/linux/netfilter.h:291 [inline]
       ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
       dst_output include/net/dst.h:445 [inline]
       NF_HOOK include/linux/netfilter.h:302 [inline]
       NF_HOOK include/linux/netfilter.h:296 [inline]
       mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
       mld_send_cr net/ipv6/mcast.c:2121 [inline]
       mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
       process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
       worker_thread+0x669/0x1090 kernel/workqueue.c:2436
       kthread+0x2e8/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      
      The buggy address belongs to the object at ffff88801d403dc0
       which belongs to the cache ip6_dst_cache of size 240
      The buggy address is located 192 bytes inside of
       240-byte region [ffff88801d403dc0, ffff88801d403eb0)
      
      The buggy address belongs to the physical page:
      page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403
      memcg:ffff888022f49c81
      flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640
      raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441
       prep_new_page mm/page_alloc.c:2539 [inline]
       get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
       __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
       alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
       alloc_slab_page mm/slub.c:1794 [inline]
       allocate_slab+0x213/0x300 mm/slub.c:1939
       new_slab mm/slub.c:1992 [inline]
       ___slab_alloc+0xa91/0x1400 mm/slub.c:3180
       __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
       slab_alloc_node mm/slub.c:3364 [inline]
       slab_alloc mm/slub.c:3406 [inline]
       __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
       kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
       dst_alloc+0x14a/0x1f0 net/core/dst.c:92
       ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
       icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261
       mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809
       mld_send_cr net/ipv6/mcast.c:2121 [inline]
       mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
       process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
       worker_thread+0x669/0x1090 kernel/workqueue.c:2436
       kthread+0x2e8/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      page last free stack trace:
       reset_page_owner include/linux/page_owner.h:24 [inline]
       free_pages_prepare mm/page_alloc.c:1459 [inline]
       free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
       free_unref_page_prepare mm/page_alloc.c:3387 [inline]
       free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
       __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
       qlink_free mm/kasan/quarantine.c:168 [inline]
       qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
       kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
       __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
       kasan_slab_alloc include/linux/kasan.h:201 [inline]
       slab_post_alloc_hook mm/slab.h:737 [inline]
       slab_alloc_node mm/slub.c:3398 [inline]
       kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443
       __alloc_skb+0x214/0x300 net/core/skbuff.c:497
       alloc_skb include/linux/skbuff.h:1267 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
       netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg+0xd3/0x120 net/socket.c:734
       __sys_sendto+0x23a/0x340 net/socket.c:2117
       __do_sys_sendto net/socket.c:2129 [inline]
       __se_sys_sendto net/socket.c:2125 [inline]
       __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 1758fd46 ("ipv6: remove unnecessary dst_hold() in ip6_fragment()")
      Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Wei Wang <weiwan@google.com>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      803e8486
    • Yang Yingliang's avatar
      net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() · 7d8c19bf
      Yang Yingliang authored
      It is not allowed to call kfree_skb() or consume_skb() from
      hardware interrupt context or with interrupts being disabled.
      So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq()
      and dev_consume_skb_irq() under spin_lock_irq().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7d8c19bf
    • Michael Walle's avatar
      net: phy: mxl-gpy: add MDINT workaround · 5f4d487d
      Michael Walle authored
      At least the GPY215B and GPY215C has a bug where it is still driving the
      interrupt line (MDINT) even after the interrupt status register is read
      and its bits are cleared. This will cause an interrupt storm.
      
      Although the MDINT is multiplexed with a GPIO pin and theoretically we
      could switch the pinmux to GPIO input mode, this isn't possible because
      the access to this register will stall exactly as long as the interrupt
      line is asserted. We exploit this very fact and just read a random
      internal register in our interrupt handler. This way, it will be delayed
      until the external interrupt line is released and an interrupt storm is
      avoided.
      
      The internal register access via the mailbox was deduced by looking at
      the downstream PHY API because the datasheet doesn't mention any of
      this.
      
      Fixes: 7d901a1e ("net: phy: add Maxlinear GPY115/21x/24x driver")
      Signed-off-by: default avatarMichael Walle <michael@walle.cc>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20221205200453.3447866-1-michael@walle.ccSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5f4d487d
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-6.1-20221207' of... · 65e349f7
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-6.1-20221207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2022-12-07
      
      The 1st patch is by Oliver Hartkopp and fixes a potential NULL pointer
      deref found by syzbot in the AF_CAN protocol.
      
      The next 2 patches are by Jiri Slaby and Max Staudt and add the
      missing flush_work() before freeing the underlying memory in the slcan
      and can327 driver.
      
      The last patch is by Frank Jungclaus and target the esd_usb driver and
      fixes the CAN error counters, allowing them to return to zero.
      
      * tag 'linux-can-fixes-for-6.1-20221207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: esd_usb: Allow REC and TEC to return to zero
        can: can327: flush TX_work on ldisc .close()
        can: slcan: fix freed work crash
        can: af_can: fix NULL pointer dereference in can_rcv_filter
      ====================
      
      Link: https://lore.kernel.org/r/20221207105243.2483884-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      65e349f7
  2. 07 Dec, 2022 17 commits
    • Vladimir Oltean's avatar
      net: dsa: mv88e6xxx: accept phy-mode = "internal" for internal PHY ports · 87a39882
      Vladimir Oltean authored
      The ethernet-controller dt-schema, mostly pushed forward by Linux, has
      the "internal" PHY mode for denoting MAC connections to an internal PHY.
      
      U-Boot may provide device tree blobs where this phy-mode is specified,
      so make the Linux driver accept them.
      
      It appears that the current behavior with phy-mode = "internal" was
      introduced when mv88e6xxx started reporting supported_interfaces to
      phylink. Prior to that, I don't think it would have any issues accepting
      this phy-mode.
      
      Fixes: d4ebf12b ("net: dsa: mv88e6xxx: populate supported_interfaces and mac_capabilities")
      Link: https://lore.kernel.org/linux-arm-kernel/20221205172709.kglithpbhdbsakvd@skbuf/T/Reported-by: default avatarTim Harvey <tharvey@gateworks.com>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Tested-by: Tim Harvey <tharvey@gateworks.com> # imx6q-gw904.dts
      Link: https://lore.kernel.org/r/20221205194845.2131161-1-vladimir.oltean@nxp.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      87a39882
    • Yang Yingliang's avatar
      xen/netback: don't call kfree_skb() under spin_lock_irqsave() · 9e624651
      Yang Yingliang authored
      It is not allowed to call kfree_skb() from hardware interrupt
      context or with interrupts being disabled. So replace kfree_skb()
      with dev_kfree_skb_irq() under spin_lock_irqsave().
      
      Fixes: be81992f ("xen/netback: don't queue unlimited number of packages")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarPaul Durrant <paul@xen.org>
      Link: https://lore.kernel.org/r/20221205141333.3974565-1-yangyingliang@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      9e624651
    • Paolo Abeni's avatar
      Merge tag 'ieee802154-for-net-2022-12-05' of... · 92439a85
      Paolo Abeni authored
      Merge tag 'ieee802154-for-net-2022-12-05' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan
      
      Stefan Schmidt says:
      
      ====================
      pull-request: ieee802154 for net 2022-12-05
      
      An update from ieee802154 for your *net* tree:
      
      Three small fixes this time around.
      
      Ziyang Xuan fixed an error code for a timeout during initialization of the
      cc2520 driver.
      Hauke Mehrtens fixed a crash in the ca8210 driver SPI communication due
      uninitialized SPI structures.
      Wei Yongjun added INIT_LIST_HEAD ieee802154_if_add() to avoid a potential
      null pointer dereference.
      ====================
      
      Link: https://lore.kernel.org/r/20221205122515.1720539-1-stefan@datenfreihafen.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      92439a85
    • Yuan Can's avatar
      dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove() · 4fad22a1
      Yuan Can authored
      The cmd_buff needs to be freed when error happened in
      dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().
      
      Fixes: 1110318d ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
      Signed-off-by: default avatarYuan Can <yuancan@huawei.com>
      Link: https://lore.kernel.org/r/20221205061515.115012-1-yuancan@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4fad22a1
    • Zhang Changzhong's avatar
      ethernet: aeroflex: fix potential skb leak in greth_init_rings() · 063a932b
      Zhang Changzhong authored
      The greth_init_rings() function won't free the newly allocated skb when
      dma_mapping_error() returns error, so add dev_kfree_skb() to fix it.
      
      Compile tested only.
      
      Fixes: d4c41139 ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
      Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      063a932b
    • Xin Long's avatar
      tipc: call tipc_lxc_xmit without holding node_read_lock · 88956177
      Xin Long authored
      When sending packets between nodes in netns, it calls tipc_lxc_xmit() for
      peer node to receive the packets where tipc_sk_mcast_rcv()/tipc_sk_rcv()
      might be called, and it's pretty much like in tipc_rcv().
      
      Currently the local 'node rw lock' is held during calling tipc_lxc_xmit()
      to protect the peer_net not being freed by another thread. However, when
      receiving these packets, tipc_node_add_conn() might be called where the
      peer 'node rw lock' is acquired. Then a dead lock warning is triggered by
      lockdep detector, although it is not a real dead lock:
      
          WARNING: possible recursive locking detected
          --------------------------------------------
          conn_server/1086 is trying to acquire lock:
          ffff8880065cb020 (&n->lock#2){++--}-{2:2}, \
                           at: tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
      
          but task is already holding lock:
          ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
                           at: tipc_node_xmit+0x285/0xb30 [tipc]
      
          other info that might help us debug this:
           Possible unsafe locking scenario:
      
                 CPU0
                 ----
            lock(&n->lock#2);
            lock(&n->lock#2);
      
           *** DEADLOCK ***
      
           May be due to missing lock nesting notation
      
          4 locks held by conn_server/1086:
           #0: ffff8880036d1e40 (sk_lock-AF_TIPC){+.+.}-{0:0}, \
                                at: tipc_accept+0x9c0/0x10b0 [tipc]
           #1: ffff8880036d5f80 (sk_lock-AF_TIPC/1){+.+.}-{0:0}, \
                                at: tipc_accept+0x363/0x10b0 [tipc]
           #2: ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
                                at: tipc_node_xmit+0x285/0xb30 [tipc]
           #3: ffff888012e13370 (slock-AF_TIPC){+...}-{2:2}, \
                                at: tipc_sk_rcv+0x2da/0x1b40 [tipc]
      
          Call Trace:
           <TASK>
           dump_stack_lvl+0x44/0x5b
           __lock_acquire.cold.77+0x1f2/0x3d7
           lock_acquire+0x1d2/0x610
           _raw_write_lock_bh+0x38/0x80
           tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
           tipc_sk_finish_conn+0x21e/0x640 [tipc]
           tipc_sk_filter_rcv+0x147b/0x3030 [tipc]
           tipc_sk_rcv+0xbb4/0x1b40 [tipc]
           tipc_lxc_xmit+0x225/0x26b [tipc]
           tipc_node_xmit.cold.82+0x4a/0x102 [tipc]
           __tipc_sendstream+0x879/0xff0 [tipc]
           tipc_accept+0x966/0x10b0 [tipc]
           do_accept+0x37d/0x590
      
      This patch avoids this warning by not holding the 'node rw lock' before
      calling tipc_lxc_xmit(). As to protect the 'peer_net', rcu_read_lock()
      should be enough, as in cleanup_net() when freeing the netns, it calls
      synchronize_rcu() before the free is continued.
      
      Also since tipc_lxc_xmit() is like the RX path in tipc_rcv(), it makes
      sense to call it under rcu_read_lock(). Note that the right lock order
      must be:
      
         rcu_read_lock();
         tipc_node_read_lock(n);
         tipc_node_read_unlock(n);
         tipc_lxc_xmit();
         rcu_read_unlock();
      
      instead of:
      
         tipc_node_read_lock(n);
         rcu_read_lock();
         tipc_node_read_unlock(n);
         tipc_lxc_xmit();
         rcu_read_unlock();
      
      and we have to call tipc_node_read_lock/unlock() twice in
      tipc_node_xmit().
      
      Fixes: f73b1281 ("tipc: improve throughput between nodes in netns")
      Reported-by: default avatarShuang Li <shuali@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/5bdd1f8fee9db695cfff4528a48c9b9d0523fb00.1670110641.git.lucien.xin@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      88956177
    • Frank Jungclaus's avatar
      can: esd_usb: Allow REC and TEC to return to zero · 918ee491
      Frank Jungclaus authored
      We don't get any further EVENT from an esd CAN USB device for changes
      on REC or TEC while those counters converge to 0 (with ecc == 0). So
      when handling the "Back to Error Active"-event force txerr = rxerr =
      0, otherwise the berr-counters might stay on values like 95 forever.
      
      Also, to make life easier during the ongoing development a
      netdev_dbg() has been introduced to allow dumping error events send by
      an esd CAN USB device.
      
      Fixes: 96d8e903 ("can: Add driver for esd CAN-USB/2 device")
      Signed-off-by: default avatarFrank Jungclaus <frank.jungclaus@esd.eu>
      Link: https://lore.kernel.org/all/20221130202242.3998219-2-frank.jungclaus@esd.eu
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      918ee491
    • Max Staudt's avatar
      can: can327: flush TX_work on ldisc .close() · f4a4d121
      Max Staudt authored
      Additionally, remove it from .ndo_stop().
      
      This ensures that the worker is not called after being freed, and that
      the UART TX queue remains active to send final commands when the
      netdev is stopped.
      
      Thanks to Jiri Slaby for finding this in slcan:
      
        https://lore.kernel.org/linux-can/20221201073426.17328-1-jirislaby@kernel.org/
      
      A variant of this patch for slcan, with the flush in .ndo_stop() still
      present, has been tested successfully on physical hardware:
      
        https://bugzilla.suse.com/show_bug.cgi?id=1205597
      
      Fixes: 43da2f07 ("can: can327: CAN/ldisc driver for ELM327 based OBD-II adapters")
      Cc: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
      Cc: Max Staudt <max@enpas.org>
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: linux-can@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMax Staudt <max@enpas.org>
      Link: https://lore.kernel.org/all/20221202160148.282564-1-max@enpas.org
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      f4a4d121
    • Jiri Slaby (SUSE)'s avatar
      can: slcan: fix freed work crash · fb855e9f
      Jiri Slaby (SUSE) authored
      The LTP test pty03 is causing a crash in slcan:
        BUG: kernel NULL pointer dereference, address: 0000000000000008
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] PREEMPT SMP NOPTI
        CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
        Workqueue:  0x0 (events)
        RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
        Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
        RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
        RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
        RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
        RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
        R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
        R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
        FS:  0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
        Call Trace:
         <TASK>
        worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
        kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
        ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)
      
      Apparently, the slcan's tx_work is freed while being scheduled. While
      slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),
      slcan_close() (tty side) does not. So when the netdev is never set UP,
      but the tty is stuffed with bytes and forced to wakeup write, the work
      is scheduled, but never flushed.
      
      So add an additional flush_work() to slcan_close() to be sure the work
      is flushed under all circumstances.
      
      The Fixes commit below moved flush_work() from slcan_close() to
      slcan_netdev_close(). What was the rationale behind it? Maybe we can
      drop the one in slcan_netdev_close()?
      
      I see the same pattern in can327. So it perhaps needs the very same fix.
      
      Fixes: cfcb4465 ("can: slcan: remove legacy infrastructure")
      Link: https://bugzilla.suse.com/show_bug.cgi?id=1205597Reported-by: default avatarRichard Palethorpe <richard.palethorpe@suse.com>
      Tested-by: default avatarPetr Vorel <petr.vorel@suse.com>
      Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: linux-can@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Cc: Max Staudt <max@enpas.org>
      Signed-off-by: default avatarJiri Slaby (SUSE) <jirislaby@kernel.org>
      Reviewed-by: default avatarMax Staudt <max@enpas.org>
      Link: https://lore.kernel.org/all/20221201073426.17328-1-jirislaby@kernel.orgSigned-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      fb855e9f
    • Oliver Hartkopp's avatar
      can: af_can: fix NULL pointer dereference in can_rcv_filter · 0acc4423
      Oliver Hartkopp authored
      Analogue to commit 8aa59e35 ("can: af_can: fix NULL pointer
      dereference in can_rx_register()") we need to check for a missing
      initialization of ml_priv in the receive path of CAN frames.
      
      Since commit 4e096a18 ("net: introduce CAN specific pointer in the
      struct net_device") the check for dev->type to be ARPHRD_CAN is not
      sufficient anymore since bonding or tun netdevices claim to be CAN
      devices but do not initialize ml_priv accordingly.
      
      Fixes: 4e096a18 ("net: introduce CAN specific pointer in the struct net_device")
      Reported-by: syzbot+2d7f58292cb5b29eb5ad@syzkaller.appspotmail.com
      Reported-by: default avatarWei Chen <harperchen1110@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Link: https://lore.kernel.org/all/20221206201259.3028-1-socketcan@hartkopp.net
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      0acc4423
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 1799c1b8
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-12-05 (i40e)
      
      Michal clears XPS init flag on reset to allow for updated values to be
      written.
      
      Sylwester adds sleep to VF reset to resolve issue of VFs not getting
      resources.
      
      Przemyslaw rejects filters for raw IPv4 or IPv6 l4_4_bytes filters as they
       are not supported.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: Disallow ip4 and ip6 l4_4_bytes
        i40e: Fix for VF MAC address 0
        i40e: Fix not setting default xps_cpus after reset
      ====================
      
      Link: https://lore.kernel.org/r/20221205212523.3197565-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1799c1b8
    • Zhengchao Shao's avatar
      net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() · 78a9ea43
      Zhengchao Shao authored
      When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),
      priv->regions is not released.
      
      Fixes: bf425b82 ("net: dsa: sja1105: expose static config as devlink region")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20221205012132.2110979-1-shaozhengchao@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      78a9ea43
    • Jakub Kicinski's avatar
      Merge branch 'ipv4-two-bug-fixes' · e40febfb
      Jakub Kicinski authored
      Ido Schimmel says:
      
      ====================
      ipv4: Two small fixes for bugs in IPv4 routing code.
      
      A variation of the second bug was reported by an FRR 5.0 (released
      06/18) user as this version was setting a table ID of 0 for the
      default VRF, unlike iproute2 and newer FRR versions.
      
      The first bug was discovered while fixing the second.
      
      Both bugs are not regressions (never worked) and are not critical
      in my opinion, so the fixes can be applied to net-next, if desired.
      
      No regressions in other tests:
      
       # ./fib_tests.sh
       ...
       Tests passed: 191
       Tests failed:   0
      ====================
      
      Link: https://lore.kernel.org/r/20221204075045.3780097-1-idosch@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e40febfb
    • Ido Schimmel's avatar
      ipv4: Fix incorrect route flushing when table ID 0 is used · c0d99934
      Ido Schimmel authored
      Cited commit added the table ID to the FIB info structure, but did not
      properly initialize it when table ID 0 is used. This can lead to a route
      in the default VRF with a preferred source address not being flushed
      when the address is deleted.
      
      Consider the following example:
      
       # ip address add dev dummy1 192.0.2.1/28
       # ip address add dev dummy1 192.0.2.17/28
       # ip route add 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 100
       # ip route add table 0 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 200
       # ip route show 198.51.100.0/24
       198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 100
       198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200
      
      Both routes are installed in the default VRF, but they are using two
      different FIB info structures. One with a metric of 100 and table ID of
      254 (main) and one with a metric of 200 and table ID of 0. Therefore,
      when the preferred source address is deleted from the default VRF,
      the second route is not flushed:
      
       # ip address del dev dummy1 192.0.2.17/28
       # ip route show 198.51.100.0/24
       198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200
      
      Fix by storing a table ID of 254 instead of 0 in the route configuration
      structure.
      
      Add a test case that fails before the fix:
      
       # ./fib_tests.sh -t ipv4_del_addr
      
       IPv4 delete address route tests
           Regular FIB info
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
           Identical FIB info with different table ID
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
           Table ID 0
           TEST: Route removed in default VRF when source address deleted      [FAIL]
      
       Tests passed:   8
       Tests failed:   1
      
      And passes after:
      
       # ./fib_tests.sh -t ipv4_del_addr
      
       IPv4 delete address route tests
           Regular FIB info
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
           Identical FIB info with different table ID
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
           Table ID 0
           TEST: Route removed in default VRF when source address deleted      [ OK ]
      
       Tests passed:   9
       Tests failed:   0
      
      Fixes: 5a56a0b3 ("net: Don't delete routes in different VRFs")
      Reported-by: default avatarDonald Sharp <sharpd@nvidia.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c0d99934
    • Ido Schimmel's avatar
      ipv4: Fix incorrect route flushing when source address is deleted · f96a3d74
      Ido Schimmel authored
      Cited commit added the table ID to the FIB info structure, but did not
      prevent structures with different table IDs from being consolidated.
      This can lead to routes being flushed from a VRF when an address is
      deleted from a different VRF.
      
      Fix by taking the table ID into account when looking for a matching FIB
      info. This is already done for FIB info structures backed by a nexthop
      object in fib_find_info_nh().
      
      Add test cases that fail before the fix:
      
       # ./fib_tests.sh -t ipv4_del_addr
      
       IPv4 delete address route tests
           Regular FIB info
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
           Identical FIB info with different table ID
           TEST: Route removed from VRF when source address deleted            [FAIL]
           TEST: Route in default VRF not removed                              [ OK ]
       RTNETLINK answers: File exists
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [FAIL]
      
       Tests passed:   6
       Tests failed:   2
      
      And pass after:
      
       # ./fib_tests.sh -t ipv4_del_addr
      
       IPv4 delete address route tests
           Regular FIB info
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
           Identical FIB info with different table ID
           TEST: Route removed from VRF when source address deleted            [ OK ]
           TEST: Route in default VRF not removed                              [ OK ]
           TEST: Route removed in default VRF when source address deleted      [ OK ]
           TEST: Route in VRF is not removed by address delete                 [ OK ]
      
       Tests passed:   8
       Tests failed:   0
      
      Fixes: 5a56a0b3 ("net: Don't delete routes in different VRFs")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f96a3d74
    • Rasmus Villemoes's avatar
      net: fec: properly guard irq coalesce setup · 7e630356
      Rasmus Villemoes authored
      Prior to the Fixes: commit, the initialization code went through the
      same fec_enet_set_coalesce() function as used by ethtool, and that
      function correctly checks whether the current variant has support for
      irq coalescing.
      
      Now that the initialization code instead calls fec_enet_itr_coal_set()
      directly, that call needs to be guarded by a check for the
      FEC_QUIRK_HAS_COALESCE bit.
      
      Fixes: df727d45 (net: fec: don't reset irq coalesce settings to defaults on "ip link up")
      Reported-by: default avatarGreg Ungerer <gregungerer@westnet.com.au>
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20221205204604.869853-1-linux@rasmusvillemoes.dkSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7e630356
    • Hangbin Liu's avatar
      bonding: get correct NA dest address · 1f154f3b
      Hangbin Liu authored
      In commit 4d633d1b ("bonding: fix ICMPv6 header handling when receiving
      IPv6 messages"), there is a copy/paste issue for NA daddr. I found that
      in my testing and fixed it in my local branch. But I forgot to re-format
      the patch and sent the wrong mail.
      
      Fix it by reading the correct dest address.
      
      Fixes: 4d633d1b ("bonding: fix ICMPv6 header handling when receiving IPv6 messages")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Acked-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Link: https://lore.kernel.org/r/20221206032055.7517-1-liuhangbin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1f154f3b
  3. 06 Dec, 2022 12 commits
  4. 05 Dec, 2022 3 commits