1. 08 Oct, 2020 10 commits
    • Wilken Gottwalt's avatar
      net: usb: qmi_wwan: add Cellient MPL200 card · 28802e7c
      Wilken Gottwalt authored
      Add usb ids of the Cellient MPL200 card.
      Signed-off-by: default avatarWilken Gottwalt <wilken.gottwalt@mailbox.org>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      28802e7c
    • Eric Dumazet's avatar
      macsec: avoid use-after-free in macsec_handle_frame() · c7cc9200
      Eric Dumazet authored
      De-referencing skb after call to gro_cells_receive() is not allowed.
      We need to fetch skb->len earlier.
      
      Fixes: 5491e7c6 ("macsec: enable GRO and RPS on macsec devices")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c7cc9200
    • Heiner Kallweit's avatar
      r8169: consider that PHY reset may still be in progress after applying firmware · 47dda786
      Heiner Kallweit authored
      Some firmware files trigger a PHY soft reset and don't wait for it to
      be finished. PHY register writes directly after applying the firmware
      may fail or provide unexpected results therefore. Fix this by waiting
      for bit BMCR_RESET to be cleared after applying firmware.
      
      There's nothing wrong with the referenced change, it's just that the
      fix will apply cleanly only after this change.
      
      Fixes: 89fbd26c ("r8169: fix firmware not resetting tp->ocp_base")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      47dda786
    • Dumitru Ceara's avatar
      openvswitch: handle DNAT tuple collision · 8aa7b526
      Dumitru Ceara authored
      With multiple DNAT rules it's possible that after destination
      translation the resulting tuples collide.
      
      For example, two openvswitch flows:
      nw_dst=10.0.0.10,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
      nw_dst=10.0.0.20,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
      
      Assuming two TCP clients initiating the following connections:
      10.0.0.10:5000->10.0.0.10:10
      10.0.0.10:5000->10.0.0.20:10
      
      Both tuples would translate to 10.0.0.10:5000->20.0.0.1:20 causing
      nf_conntrack_confirm() to fail because of tuple collision.
      
      Netfilter handles this case by allocating a null binding for SNAT at
      egress by default.  Perform the same operation in openvswitch for DNAT
      if no explicit SNAT is requested by the user and allocate a null binding
      for SNAT for packets in the "original" direction.
      
      Reported-at: https://bugzilla.redhat.com/1877128Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
      Fixes: 05752523 ("openvswitch: Interface with NAT.")
      Signed-off-by: default avatarDumitru Ceara <dceara@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8aa7b526
    • Eric Dumazet's avatar
      sctp: fix sctp_auth_init_hmacs() error path · d42ee76e
      Eric Dumazet authored
      After freeing ep->auth_hmacs we have to clear the pointer
      or risk use-after-free as reported by syzbot:
      
      BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
      BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
      BUG: KASAN: use-after-free in sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
      Read of size 8 at addr ffff8880a8ff52c0 by task syz-executor941/6874
      
      CPU: 0 PID: 6874 Comm: syz-executor941 Not tainted 5.9.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x198/0x1fd lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
       sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
       sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
       sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
       sctp_endpoint_destroy+0x95/0x240 net/sctp/endpointola.c:203
       sctp_endpoint_put net/sctp/endpointola.c:236 [inline]
       sctp_endpoint_free+0xd6/0x110 net/sctp/endpointola.c:183
       sctp_destroy_sock+0x9c/0x3c0 net/sctp/socket.c:4981
       sctp_v6_destroy_sock+0x11/0x20 net/sctp/socket.c:9415
       sk_common_release+0x64/0x390 net/core/sock.c:3254
       sctp_close+0x4ce/0x8b0 net/sctp/socket.c:1533
       inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
       inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:475
       __sock_release+0xcd/0x280 net/socket.c:596
       sock_close+0x18/0x20 net/socket.c:1277
       __fput+0x285/0x920 fs/file_table.c:281
       task_work_run+0xdd/0x190 kernel/task_work.c:141
       exit_task_work include/linux/task_work.h:25 [inline]
       do_exit+0xb7d/0x29f0 kernel/exit.c:806
       do_group_exit+0x125/0x310 kernel/exit.c:903
       __do_sys_exit_group kernel/exit.c:914 [inline]
       __se_sys_exit_group kernel/exit.c:912 [inline]
       __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x43f278
      Code: Bad RIP value.
      RSP: 002b:00007fffe0995c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f278
      RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
      R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000001
      R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 6874:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track mm/kasan/common.c:56 [inline]
       __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
       kmem_cache_alloc_trace+0x174/0x300 mm/slab.c:3554
       kmalloc include/linux/slab.h:554 [inline]
       kmalloc_array include/linux/slab.h:593 [inline]
       kcalloc include/linux/slab.h:605 [inline]
       sctp_auth_init_hmacs+0xdb/0x3b0 net/sctp/auth.c:464
       sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
       sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
       sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
       __sys_setsockopt+0x2db/0x610 net/socket.c:2132
       __do_sys_setsockopt net/socket.c:2143 [inline]
       __se_sys_setsockopt net/socket.c:2140 [inline]
       __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 6874:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
       kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
       __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
       __cache_free mm/slab.c:3422 [inline]
       kfree+0x10e/0x2b0 mm/slab.c:3760
       sctp_auth_destroy_hmacs net/sctp/auth.c:511 [inline]
       sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
       sctp_auth_init_hmacs net/sctp/auth.c:496 [inline]
       sctp_auth_init_hmacs+0x2b7/0x3b0 net/sctp/auth.c:454
       sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
       sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
       sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
       __sys_setsockopt+0x2db/0x610 net/socket.c:2132
       __do_sys_setsockopt net/socket.c:2143 [inline]
       __se_sys_setsockopt net/socket.c:2140 [inline]
       __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1f485649 ("[SCTP]: Implement SCTP-AUTH internals")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d42ee76e
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-net-2020-10-08' of... · a9e54cb3
      Jakub Kicinski authored
      Merge tag 'mac80211-for-net-2020-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      pull-request: mac80211 2020-10-08
      
      A single fix for missing input validation in nl80211.
      ====================
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a9e54cb3
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · cfe90f49
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2020-10-08
      
      The main changes are:
      
      1) Fix "unresolved symbol" build error under CONFIG_NET w/o CONFIG_INET due
         to missing tcp_timewait_sock and inet_timewait_sock BTF, from Yonghong Song.
      
      2) Fix 32 bit sub-register bounds tracking for OR case, from Daniel Borkmann.
      ====================
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cfe90f49
    • Henrik Bjoernlund's avatar
      bridge: Netlink interface fix. · b6c02ef5
      Henrik Bjoernlund authored
      This commit is correcting NETLINK br_fill_ifinfo() to be able to
      handle 'filter_mask' with multiple flags asserted.
      
      Fixes: 36a8e8e2 ("bridge: Extend br_fill_ifinfo to return MPR status")
      Signed-off-by: default avatarHenrik Bjoernlund <henrik.bjoernlund@microchip.com>
      Reviewed-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Suggested-by: default avatarNikolay Aleksandrov <nikolay@nvidia.com>
      Tested-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@nvidia.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b6c02ef5
    • Anant Thazhemadam's avatar
      net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() · 3dc289f8
      Anant Thazhemadam authored
      In nl80211_parse_key(), key.idx is first initialized as -1.
      If this value of key.idx remains unmodified and gets returned, and
      nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
      with key.idx = -1.
      This causes an out-of-bounds array access.
      
      Handle this issue by checking if the value of key.idx after
      nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
      
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
      Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
      Signed-off-by: default avatarAnant Thazhemadam <anant.thazhemadam@gmail.com>
      Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3dc289f8
    • Daniel Borkmann's avatar
      bpf: Fix scalar32_min_max_or bounds tracking · 5b9fbeb7
      Daniel Borkmann authored
      Simon reported an issue with the current scalar32_min_max_or() implementation.
      That is, compared to the other 32 bit subreg tracking functions, the code in
      scalar32_min_max_or() stands out that it's using the 64 bit registers instead
      of 32 bit ones. This leads to bounds tracking issues, for example:
      
        [...]
        8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm
        8: (79) r1 = *(u64 *)(r0 +0)
         R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm
        9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm
        9: (b7) r0 = 1
        10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm
        10: (18) r2 = 0x600000002
        12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        12: (ad) if r1 < r2 goto pc+1
         R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        13: (95) exit
        14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        14: (25) if r1 > 0x0 goto pc+1
         R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        15: (95) exit
        16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        16: (47) r1 |= 0
        17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        [...]
      
      The bound tests on the map value force the upper unsigned bound to be 25769803777
      in 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By
      using OR they are truncated and thus result in the range [1,1] for the 32 bit reg
      tracker. This is incorrect given the only thing we know is that the value must be
      positive and thus 2147483647 (0b1111111111111111111111111111111) at max for the
      subregs. Fix it by using the {u,s}32_{min,max}_value vars instead. This also makes
      sense, for example, for the case where we update dst_reg->s32_{min,max}_value in
      the else branch we need to use the newly computed dst_reg->u32_{min,max}_value as
      we know that these are positive. Previously, in the else branch the 64 bit values
      of umin_value=1 and umax_value=32212254719 were used and latter got truncated to
      be 1 as upper bound there. After the fix the subreg range is now correct:
      
        [...]
        8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm
        8: (79) r1 = *(u64 *)(r0 +0)
         R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm
        9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm
        9: (b7) r0 = 1
        10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm
        10: (18) r2 = 0x600000002
        12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        12: (ad) if r1 < r2 goto pc+1
         R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        13: (95) exit
        14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        14: (25) if r1 > 0x0 goto pc+1
         R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        15: (95) exit
        16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        16: (47) r1 |= 0
        17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
        [...]
      
      Fixes: 3f50f132 ("bpf: Verifier, do explicit ALU32 bounds tracking")
      Reported-by: default avatarSimon Scannell <scannell.smn@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      5b9fbeb7
  2. 06 Oct, 2020 8 commits
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20201005' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · d91dc434
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Miscellaneous fixes
      
      Here are some miscellaneous rxrpc fixes:
      
       (1) Fix the xdr encoding of the contents read from an rxrpc key.
      
       (2) Fix a BUG() for a unsupported encoding type.
      
       (3) Fix missing _bh lock annotations.
      
       (4) Fix acceptance handling for an incoming call where the incoming call
           is encrypted.
      
       (5) The server token keyring isn't network namespaced - it belongs to the
           server, so there's no need.  Namespacing it means that request_key()
           fails to find it.
      
       (6) Fix a leak of the server keyring.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d91dc434
    • Eric Dumazet's avatar
      tcp: fix receive window update in tcp_add_backlog() · 86bccd03
      Eric Dumazet authored
      We got reports from GKE customers flows being reset by netfilter
      conntrack unless nf_conntrack_tcp_be_liberal is set to 1.
      
      Traces seemed to suggest ACK packet being dropped by the
      packet capture, or more likely that ACK were received in the
      wrong order.
      
       wscale=7, SYN and SYNACK not shown here.
      
       This ACK allows the sender to send 1871*128 bytes from seq 51359321 :
       New right edge of the window -> 51359321+1871*128=51598809
      
       09:17:23.389210 IP A > B: Flags [.], ack 51359321, win 1871, options [nop,nop,TS val 10 ecr 999], length 0
      
       09:17:23.389212 IP B > A: Flags [.], seq 51422681:51424089, ack 1577, win 268, options [nop,nop,TS val 999 ecr 10], length 1408
       09:17:23.389214 IP A > B: Flags [.], ack 51422681, win 1376, options [nop,nop,TS val 10 ecr 999], length 0
       09:17:23.389253 IP B > A: Flags [.], seq 51424089:51488857, ack 1577, win 268, options [nop,nop,TS val 999 ecr 10], length 64768
       09:17:23.389272 IP A > B: Flags [.], ack 51488857, win 859, options [nop,nop,TS val 10 ecr 999], length 0
       09:17:23.389275 IP B > A: Flags [.], seq 51488857:51521241, ack 1577, win 268, options [nop,nop,TS val 999 ecr 10], length 32384
      
       Receiver now allows to send 606*128=77568 from seq 51521241 :
       New right edge of the window -> 51521241+606*128=51598809
      
       09:17:23.389296 IP A > B: Flags [.], ack 51521241, win 606, options [nop,nop,TS val 10 ecr 999], length 0
      
       09:17:23.389308 IP B > A: Flags [.], seq 51521241:51553625, ack 1577, win 268, options [nop,nop,TS val 999 ecr 10], length 32384
      
       It seems the sender exceeds RWIN allowance, since 51611353 > 51598809
      
       09:17:23.389346 IP B > A: Flags [.], seq 51553625:51611353, ack 1577, win 268, options [nop,nop,TS val 999 ecr 10], length 57728
       09:17:23.389356 IP B > A: Flags [.], seq 51611353:51618393, ack 1577, win 268, options [nop,nop,TS val 999 ecr 10], length 7040
      
       09:17:23.389367 IP A > B: Flags [.], ack 51611353, win 0, options [nop,nop,TS val 10 ecr 999], length 0
      
       netfilter conntrack is not happy and sends RST
      
       09:17:23.389389 IP A > B: Flags [R], seq 92176528, win 0, length 0
       09:17:23.389488 IP B > A: Flags [R], seq 174478967, win 0, length 0
      
       Now imagine ACK were delivered out of order and tcp_add_backlog() sets window based on wrong packet.
       New right edge of the window -> 51521241+859*128=51631193
      
      Normally TCP stack handles OOO packets just fine, but it
      turns out tcp_add_backlog() does not. It can update the window
      field of the aggregated packet even if the ACK sequence
      of the last received packet is too old.
      
      Many thanks to Alexandre Ferrieux for independently reporting the issue
      and suggesting a fix.
      
      Fixes: 4f693b55 ("tcp: implement coalescing on backlog queue")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAlexandre Ferrieux <alexandre.ferrieux@orange.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86bccd03
    • Anant Thazhemadam's avatar
      net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails · f45a4248
      Anant Thazhemadam authored
      When get_registers() fails in set_ethernet_addr(),the uninitialized
      value of node_id gets copied over as the address.
      So, check the return value of get_registers().
      
      If get_registers() executed successfully (i.e., it returns
      sizeof(node_id)), copy over the MAC address using ether_addr_copy()
      (instead of using memcpy()).
      
      Else, if get_registers() failed instead, a randomly generated MAC
      address is set as the MAC address instead.
      
      Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
      Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
      Acked-by: default avatarPetko Manolov <petkan@nucleusys.com>
      Signed-off-by: default avatarAnant Thazhemadam <anant.thazhemadam@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f45a4248
    • Paolo Abeni's avatar
      mptcp: more DATA FIN fixes · 017512a0
      Paolo Abeni authored
      Currently data fin on data packet are not handled properly:
      the 'rcv_data_fin_seq' field is interpreted as the last
      sequence number carrying a valid data, but for data fin
      packet with valid maps we currently store map_seq + map_len,
      that is, the next value.
      
      The 'write_seq' fields carries instead the value subseguent
      to the last valid byte, so in mptcp_write_data_fin() we
      never detect correctly the last DSS map.
      
      Fixes: 7279da61 ("mptcp: Use MPTCP-level flag for sending DATA_FIN")
      Fixes: 1a49b2c2 ("mptcp: Handle incoming 32-bit DATA_FIN values")
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      017512a0
    • David S. Miller's avatar
      Merge branch 'Fix-tail-dropping-watermarks-for-Ocelot-switches' · c88c5ed7
      David S. Miller authored
      Vladimir Oltean says:
      
      ====================
      Fix tail dropping watermarks for Ocelot switches
      
      This series adds a missing division by 60, and a warning to prevent that
      in the future.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c88c5ed7
    • Vladimir Oltean's avatar
      net: mscc: ocelot: warn when encoding an out-of-bounds watermark value · 01326493
      Vladimir Oltean authored
      There is an upper bound to the value that a watermark may hold. That
      upper bound is not immediately obvious during configuration, and it
      might be possible to have accidental truncation.
      
      Actually this has happened already, add a warning to prevent it from
      happening again.
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      01326493
    • Vladimir Oltean's avatar
      net: mscc: ocelot: divide watermark value by 60 when writing to SYS_ATOP · 601e984f
      Vladimir Oltean authored
      Tail dropping is enabled for a port when:
      
      1. A source port consumes more packet buffers than the watermark encoded
         in SYS:PORT:ATOP_CFG.ATOP.
      
      AND
      
      2. Total memory use exceeds the consumption watermark encoded in
         SYS:PAUSE_CFG:ATOP_TOT_CFG.
      
      The unit of these watermarks is a 60 byte memory cell. That unit is
      programmed properly into ATOP_TOT_CFG, but not into ATOP. Actually when
      written into ATOP, it would get truncated and wrap around.
      
      Fixes: a556c76a ("net: mscc: Add initial Ocelot switch support")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      601e984f
    • Manivannan Sadhasivam's avatar
      net: qrtr: ns: Fix the incorrect usage of rcu_read_lock() · 082bb94f
      Manivannan Sadhasivam authored
      The rcu_read_lock() is not supposed to lock the kernel_sendmsg() API
      since it has the lock_sock() in qrtr_sendmsg() which will sleep. Hence,
      fix it by excluding the locking for kernel_sendmsg().
      
      While at it, let's also use radix_tree_deref_retry() to confirm the
      validity of the pointer returned by radix_tree_deref_slot() and use
      radix_tree_iter_resume() to resume iterating the tree properly before
      releasing the lock as suggested by Doug.
      
      Fixes: a7809ff9 ("net: qrtr: ns: Protect radix_tree_deref_slot() using rcu read locks")
      Reported-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Tested-by: default avatarDouglas Anderson <dianders@chromium.org>
      Tested-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarManivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      082bb94f
  3. 05 Oct, 2020 9 commits
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v5.9-2' of git://git.infradead.org/linux-platform-drivers-x86 · 7575fdda
      Linus Torvalds authored
      Pull x86 platform driver fixes from Andy Shevchenko:
       "We have some fixes for Tablet Mode reporting in particular, that users
        are complaining a lot about.
      
        Summary:
      
         - Attempt #3 of enabling Tablet Mode reporting w/o regressions
      
         - Improve battery recognition code in ASUS WMI driver
      
         - Fix Kconfig dependency warning for Fujitsu and LG laptop drivers
      
         - Add fixes in Thinkpad ACPI driver for _BCL method and NVRAM polling
      
         - Fix power supply extended topology in Mellanox driver
      
         - Fix memory leak in OLPC EC driver
      
         - Avoid static struct device in Intel PMC core driver
      
         - Add support for the touchscreen found in MPMAN Converter9 2-in-1
      
         - Update MAINTAINERS to reflect the real state of affairs"
      
      * tag 'platform-drivers-x86-v5.9-2' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse
        MAINTAINERS: Add Mark Gross and Hans de Goede as x86 platform drivers maintainers
        platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting
        platform/x86: intel-vbtn: Revert "Fix SW_TABLET_MODE always reporting 1 on the HP Pavilion 11 x360"
        platform/x86: intel_pmc_core: do not create a static struct device
        platform/x86: mlx-platform: Fix extended topology configuration for power supply units
        platform/x86: pcengines-apuv2: Fix typo on define of AMD_FCH_GPIO_REG_GPIO55_DEVSLP0
        platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
        platform/x86: fix kconfig dependency warning for LG_LAPTOP
        platform/x86: thinkpad_acpi: initialize tp_nvram_state variable
        platform/x86: intel-vbtn: Fix SW_TABLET_MODE always reporting 1 on the HP Pavilion 11 x360
        platform/x86: asus-wmi: Add BATC battery name to the list of supported
        platform/x86: asus-nb-wmi: Revert "Do not load on Asus T100TA and T200TA"
        platform/x86: touchscreen_dmi: Add info for the MPMAN Converter9 2-in-1
        Documentation: laptops: thinkpad-acpi: fix underline length build warning
        Platform: OLPC: Fix memleak in olpc_ec_probe
      7575fdda
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 165563c0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Make sure SKB control block is in the proper state during IPSEC
          ESP-in-TCP encapsulation. From Sabrina Dubroca.
      
       2) Various kinds of attributes were not being cloned properly when we
          build new xfrm_state objects from existing ones. Fix from Antony
          Antony.
      
       3) Make sure to keep BTF sections, from Tony Ambardar.
      
       4) TX DMA channels need proper locking in lantiq driver, from Hauke
          Mehrtens.
      
       5) Honour route MTU during forwarding, always. From Maciej
          Żenczykowski.
      
       6) Fix races in kTLS which can result in crashes, from Rohit
          Maheshwari.
      
       7) Skip TCP DSACKs with rediculous sequence ranges, from Priyaranjan
          Jha.
      
       8) Use correct address family in xfrm state lookups, from Herbert Xu.
      
       9) A bridge FDB flush should not clear out user managed fdb entries
          with the ext_learn flag set, from Nikolay Aleksandrov.
      
      10) Fix nested locking of netdev address lists, from Taehee Yoo.
      
      11) Fix handling of 32-bit DATA_FIN values in mptcp, from Mat Martineau.
      
      12) Fix r8169 data corruptions on RTL8402 chips, from Heiner Kallweit.
      
      13) Don't free command entries in mlx5 while comp handler could still be
          running, from Eran Ben Elisha.
      
      14) Error flow of request_irq() in mlx5 is busted, due to an off by one
          we try to free and IRQ never allocated. From Maor Gottlieb.
      
      15) Fix leak when dumping netlink policies, from Johannes Berg.
      
      16) Sendpage cannot be performed when a page is a slab page, or the page
          count is < 1. Some subsystems such as nvme were doing so. Create a
          "sendpage_ok()" helper and use it as needed, from Coly Li.
      
      17) Don't leak request socket when using syncookes with mptcp, from
          Paolo Abeni.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (111 commits)
        net/core: check length before updating Ethertype in skb_mpls_{push,pop}
        net: mvneta: fix double free of txq->buf
        net_sched: check error pointer in tcf_dump_walker()
        net: team: fix memory leak in __team_options_register
        net: typhoon: Fix a typo Typoon --> Typhoon
        net: hinic: fix DEVLINK build errors
        net: stmmac: Modify configuration method of EEE timers
        tcp: fix syn cookied MPTCP request socket leak
        libceph: use sendpage_ok() in ceph_tcp_sendpage()
        scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map()
        drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage()
        tcp: use sendpage_ok() to detect misused .sendpage
        nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage()
        net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send
        net: introduce helper sendpage_ok() in include/linux/net.h
        net: usb: pegasus: Proper error handing when setting pegasus' MAC address
        net: core: document two new elements of struct net_device
        netlink: fix policy dump leak
        net/mlx5e: Fix race condition on nhe->n pointer in neigh update
        net/mlx5e: Fix VLAN create flow
        ...
      165563c0
    • David Howells's avatar
      rxrpc: Fix server keyring leak · 38b1dc47
      David Howells authored
      If someone calls setsockopt() twice to set a server key keyring, the first
      keyring is leaked.
      
      Fix it to return an error instead if the server key keyring is already set.
      
      Fixes: 17926a79 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      38b1dc47
    • David Howells's avatar
      rxrpc: The server keyring isn't network-namespaced · fea99111
      David Howells authored
      The keyring containing the server's tokens isn't network-namespaced, so it
      shouldn't be looked up with a network namespace.  It is expected to be
      owned specifically by the server, so namespacing is unnecessary.
      
      Fixes: a58946c1 ("keys: Pass the network namespace into request_key mechanism")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      fea99111
    • David Howells's avatar
      rxrpc: Fix accept on a connection that need securing · 2d914c1b
      David Howells authored
      When a new incoming call arrives at an userspace rxrpc socket on a new
      connection that has a security class set, the code currently pushes it onto
      the accept queue to hold a ref on it for the socket.  This doesn't work,
      however, as recvmsg() pops it off, notices that it's in the SERVER_SECURING
      state and discards the ref.  This means that the call runs out of refs too
      early and the kernel oopses.
      
      By contrast, a kernel rxrpc socket manually pre-charges the incoming call
      pool with calls that already have user call IDs assigned, so they are ref'd
      by the call tree on the socket.
      
      Change the mode of operation for userspace rxrpc server sockets to work
      like this too.  Although this is a UAPI change, server sockets aren't
      currently functional.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      2d914c1b
    • David Howells's avatar
      rxrpc: Fix some missing _bh annotations on locking conn->state_lock · fa1d113a
      David Howells authored
      conn->state_lock may be taken in softirq mode, but a previous patch
      replaced an outer lock in the response-packet event handling code, and lost
      the _bh from that when doing so.
      
      Fix this by applying the _bh annotation to the state_lock locking.
      
      Fixes: a1399f8b ("rxrpc: Call channels should have separate call number spaces")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      fa1d113a
    • David Howells's avatar
      rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() · 9a059cd5
      David Howells authored
      If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a
      type it doesn't recognise, it can BUG in a couple of places, which is
      unnecessary as it can easily get back to userspace.
      
      Fix this to print an error message instead.
      
      Fixes: 99455153 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      9a059cd5
    • Marc Dionne's avatar
      rxrpc: Fix rxkad token xdr encoding · 56305118
      Marc Dionne authored
      The session key should be encoded with just the 8 data bytes and
      no length; ENCODE_DATA precedes it with a 4 byte length, which
      confuses some existing tools that try to parse this format.
      
      Add an ENCODE_BYTES macro that does not include a length, and use
      it for the key.  Also adjust the expected length.
      
      Note that commit 774521f3 ("rxrpc: Fix an assertion in
      rxrpc_read()") had fixed a BUG by changing the length rather than
      fixing the encoding.  The original length was correct.
      
      Fixes: 99455153 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
      Signed-off-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      56305118
    • Aaron Ma's avatar
      platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse · 720ef73d
      Aaron Ma authored
      Evaluating ACPI _BCL could fail, then ACPI buffer size will be set to 0.
      When reuse this ACPI buffer, AE_BUFFER_OVERFLOW will be triggered.
      
      Re-initialize buffer size will make ACPI evaluate successfully.
      
      Fixes: 46445b6b ("thinkpad-acpi: fix handle locate for video and query of _BCL")
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      720ef73d
  4. 04 Oct, 2020 6 commits
  5. 03 Oct, 2020 7 commits
    • Randy Dunlap's avatar
      net: hinic: fix DEVLINK build errors · 1f7e877c
      Randy Dunlap authored
      Fix many (lots deleted here) build errors in hinic by selecting NET_DEVLINK.
      
      ld: drivers/net/ethernet/huawei/hinic/hinic_hw_dev.o: in function `mgmt_watchdog_timeout_event_handler':
      hinic_hw_dev.c:(.text+0x30a): undefined reference to `devlink_health_report'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_fw_reporter_dump':
      hinic_devlink.c:(.text+0x1c): undefined reference to `devlink_fmsg_u32_pair_put'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_fw_reporter_dump':
      hinic_devlink.c:(.text+0x126): undefined reference to `devlink_fmsg_binary_pair_put'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_hw_reporter_dump':
      hinic_devlink.c:(.text+0x1ba): undefined reference to `devlink_fmsg_string_pair_put'
      ld: hinic_devlink.c:(.text+0x227): undefined reference to `devlink_fmsg_u8_pair_put'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_devlink_alloc':
      hinic_devlink.c:(.text+0xaee): undefined reference to `devlink_alloc'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_devlink_free':
      hinic_devlink.c:(.text+0xb04): undefined reference to `devlink_free'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_devlink_register':
      hinic_devlink.c:(.text+0xb26): undefined reference to `devlink_register'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_devlink_unregister':
      hinic_devlink.c:(.text+0xb46): undefined reference to `devlink_unregister'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_health_reporters_create':
      hinic_devlink.c:(.text+0xb75): undefined reference to `devlink_health_reporter_create'
      ld: hinic_devlink.c:(.text+0xb95): undefined reference to `devlink_health_reporter_create'
      ld: hinic_devlink.c:(.text+0xbac): undefined reference to `devlink_health_reporter_destroy'
      ld: drivers/net/ethernet/huawei/hinic/hinic_devlink.o: in function `hinic_health_reporters_destroy':
      
      Fixes: 51ba902a ("net-next/hinic: Initialize hw interface")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Bin Luo <luobin9@huawei.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Aviad Krawczyk <aviad.krawczyk@huawei.com>
      Cc: Zhao Chen <zhaochen6@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f7e877c
    • Vineetha G. Jaya Kumaran's avatar
      net: stmmac: Modify configuration method of EEE timers · 388e201d
      Vineetha G. Jaya Kumaran authored
      Ethtool manual stated that the tx-timer is the "the amount of time the
      device should stay in idle mode prior to asserting its Tx LPI". The
      previous implementation for "ethtool --set-eee tx-timer" sets the LPI TW
      timer duration which is not correct. Hence, this patch fixes the
      "ethtool --set-eee tx-timer" to configure the EEE LPI timer.
      
      The LPI TW Timer will be using the defined default value instead of
      "ethtool --set-eee tx-timer" which follows the EEE LS timer implementation.
      
      Changelog V2
      *Not removing/modifying the eee_timer.
      *EEE LPI timer can be configured through ethtool and also the eee_timer
      module param.
      *EEE TW Timer will be configured with default value only, not able to be
      configured through ethtool or module param. This follows the implementation
      of the EEE LS Timer.
      
      Fixes: d765955d ("stmmac: add the Energy Efficient Ethernet support")
      Signed-off-by: default avatarVineetha G. Jaya Kumaran <vineetha.g.jaya.kumaran@intel.com>
      Signed-off-by: default avatarVoon Weifeng <weifeng.voon@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      388e201d
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 22fbc037
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "Two bugfixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: VMX: update PFEC_MASK/PFEC_MATCH together with PF intercept
        KVM: arm64: Restore missing ISB on nVHE __tlb_switch_to_guest
      22fbc037
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.9b-rc8-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 5ee56135
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "Fix a regression introduced in 5.9-rc3 which caused a system running
        as fully virtualized guest under Xen to crash when using legacy
        devices like a floppy"
      
      * tag 'for-linus-5.9b-rc8-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/events: don't use chip_data for legacy IRQs
      5ee56135
    • Linus Torvalds's avatar
      Merge tag 'usb-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 5f056638
      Linus Torvalds authored
      Pull USB/PHY fixes from Greg KH:
       "Here are some small USB and PHY driver fixes for 5.9-rc8
      
        The PHY driver fix resolves an issue found by Dan Carpenter for a
        memory leak.
      
        The USB fixes fall into two groups:
      
         - usb gadget fix from Bryan that is a fix for a previous security fix
           that showed up in in-the-wild testing
      
         - usb core driver matching bugfixes. This fixes a bug that has
           plagued the both the usbip driver and syzbot testing tools this -rc
           release cycle. All is now working properly so usbip connections
           will work, and syzbot can get back to fuzzing USB drivers properly.
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'usb-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usbcore/driver: Accommodate usbip
        usbcore/driver: Fix incorrect downcast
        usbcore/driver: Fix specific driver selection
        Revert "usbip: Implement a match function to fix usbip"
        USB: gadget: f_ncm: Fix NDP16 datagram validation
        phy: ti: am654: Fix a leak in serdes_am654_probe()
      5f056638
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · f35c08e0
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Some more driver fixes for i2c"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: npcm7xx: Clear LAST bit after a failed transaction.
        i2c: cpm: Fix i2c_ram structure
        i2c: i801: Exclude device from suspend direct complete optimization
      f35c08e0
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 72af7b41
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "A couple more driver quirks, now enabling newer trackpoints from
        Synaptics for real"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
        Input: trackpoint - enable Synaptics trackpoints
      72af7b41