1. 12 Aug, 2019 15 commits
    • Balakrishna Godavarthi's avatar
      Bluetooth: btqca: Reset download type to default · 12072a68
      Balakrishna Godavarthi authored
      This patch will reset the download flag to default value
      before retrieving the download mode type.
      
      Fixes: 32646db8 ("Bluetooth: btqca: inject command complete event during fw download")
      Signed-off-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Tested-by: default avatarClaire Chang <tientzu@chromium.org>
      Reviewed-by: default avatarClaire Chang <tientzu@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      12072a68
    • Claire Chang's avatar
      Bluetooth: btqca: release_firmware after qca_inject_cmd_complete_event · c7c5ae29
      Claire Chang authored
      commit 32646db8 ("Bluetooth: btqca: inject command complete event
      during fw download") added qca_inject_cmd_complete_event() for certain
      qualcomm chips. However, qca_download_firmware() will return without
      calling release_firmware() in this case.
      
      This leads to a memory leak like the following found by kmemleak:
      
      unreferenced object 0xfffffff3868a5880 (size 128):
        comm "kworker/u17:5", pid 347, jiffies 4294676481 (age 312.157s)
        hex dump (first 32 bytes):
          ac fd 00 00 00 00 00 00 00 d0 7e 17 80 ff ff ff  ..........~.....
          00 00 00 00 00 00 00 00 00 59 8a 86 f3 ff ff ff  .........Y......
        backtrace:
          [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298
          [<000000006ea0398c>] _request_firmware+0x74/0x4e4
          [<000000004da31ca0>] request_firmware+0x44/0x64
          [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca]
          [<00000000b24d615a>] qca_uart_setup+0xc0/0x2b0 [btqca]
          [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart]
          [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart]
          [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth]
          [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth]
          [<00000000d4151583>] process_one_work+0x210/0x420
          [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4
          [<000000007ccaf055>] kthread+0x124/0x134
          [<00000000bef1f723>] ret_from_fork+0x10/0x18
          [<00000000c36ee3dd>] 0xffffffffffffffff
      unreferenced object 0xfffffff37b16de00 (size 128):
        comm "kworker/u17:5", pid 347, jiffies 4294676873 (age 311.766s)
        hex dump (first 32 bytes):
          da 07 00 00 00 00 00 00 00 50 ff 0b 80 ff ff ff  .........P......
          00 00 00 00 00 00 00 00 00 dd 16 7b f3 ff ff ff  ...........{....
        backtrace:
          [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298
          [<000000006ea0398c>] _request_firmware+0x74/0x4e4
          [<000000004da31ca0>] request_firmware+0x44/0x64
          [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca]
          [<000000000cde20a9>] qca_uart_setup+0x144/0x2b0 [btqca]
          [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart]
          [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart]
          [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth]
          [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth]
          [<00000000d4151583>] process_one_work+0x210/0x420
          [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4
          [<000000007ccaf055>] kthread+0x124/0x134
          [<00000000bef1f723>] ret_from_fork+0x10/0x18
          [<00000000c36ee3dd>] 0xffffffffffffffff
      
      Make sure release_firmware() is called aftre
      qca_inject_cmd_complete_event() to avoid the memory leak.
      
      Fixes: 32646db8 ("Bluetooth: btqca: inject command complete event during fw download")
      Signed-off-by: default avatarClaire Chang <tientzu@chromium.org>
      Reviewed-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      c7c5ae29
    • Fabian Henneke's avatar
      Bluetooth: hidp: Let hidp_send_message return number of queued bytes · 48d9cc9d
      Fabian Henneke authored
      Let hidp_send_message return the number of successfully queued bytes
      instead of an unconditional 0.
      
      With the return value fixed to 0, other drivers relying on hidp, such as
      hidraw, can not return meaningful values from their respective
      implementations of write(). In particular, with the current behavior, a
      hidraw device's write() will have different return values depending on
      whether the device is connected via USB or Bluetooth, which makes it
      harder to abstract away the transport layer.
      Signed-off-by: default avatarFabian Henneke <fabian.henneke@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      48d9cc9d
    • Harish Bandi's avatar
      Bluetooth: hci_qca: Send VS pre shutdown command. · a2780889
      Harish Bandi authored
      WCN399x chips are coex chips, it needs a VS pre shutdown
      command while turning off the BT. So that chip can inform
      BT is OFF to other active clients.
      Signed-off-by: default avatarHarish Bandi <c-hbandi@codeaurora.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      a2780889
    • Matthias Kaehlcke's avatar
      Bluetooth: btqca: Use correct byte format for opcode of injected command · 2fde6afb
      Matthias Kaehlcke authored
      The opcode of the command injected by commit 32646db8 ("Bluetooth:
      btqca: inject command complete event during fw download") uses the CPU
      byte format, however it should always be little endian. In practice it
      shouldn't really matter, since all we need is an opcode != 0, but still
      let's do things correctly and keep sparse happy.
      
      Fixes: 32646db8 ("Bluetooth: btqca: inject command complete event during fw download")
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      2fde6afb
    • Wei Yongjun's avatar
      Bluetooth: hci_qca: Use kfree_skb() instead of kfree() · 4974c839
      Wei Yongjun authored
      Use kfree_skb() instead of kfree() to free sk_buff.
      
      Fixes: 2faa3f15 ("Bluetooth: hci_qca: wcn3990: Drop baudrate change vendor event")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Reviewed-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      4974c839
    • Matthias Kaehlcke's avatar
      Bluetooth: btqca: Add a short delay before downloading the NVM · 8059ba0b
      Matthias Kaehlcke authored
      On WCN3990 downloading the NVM sometimes fails with a "TLV response
      size mismatch" error:
      
      [  174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin
      [  174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch
      
      It seems the controller needs a short time after downloading the
      firmware before it is ready for the NVM. A delay as short as 1 ms
      seems sufficient, make it 10 ms just in case. No event is received
      during the delay, hence we don't just silently drop an extra event.
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      8059ba0b
    • Wei Yongjun's avatar
      Bluetooth: btusb: Fix error return code in btusb_mtk_setup_firmware() · 5ee6310f
      Wei Yongjun authored
      Fix to return error code -EINVAL from the error handling
      case instead of 0, as done elsewhere in this function.
      
      Fixes: a1c49c43 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      5ee6310f
    • Nathan Chancellor's avatar
      net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx · 125b7e09
      Nathan Chancellor authored
      clang warns:
      
      drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical
      '&&' with constant operand [-Wconstant-logical-operand]
                              if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                        ^  ~~~~~~~~~~~~
      drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a
      bitwise operation
                              if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                        ^~
                                                        &
      drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to
      silence this warning
                              if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                       ~^~~~~~~~~~~~~~~
      1 warning generated.
      
      Explicitly check that NET_IP_ALIGN is not zero, which matches how this
      is checked in other parts of the tree. Because NET_IP_ALIGN is a build
      time constant, this check will be constant folded away during
      optimization.
      
      Fixes: 82a9928d ("tc35815: Enable StripCRC feature")
      Link: https://github.com/ClangBuiltLinux/linux/issues/608Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      125b7e09
    • Chris Packham's avatar
      tipc: initialise addr_trail_end when setting node addresses · 8874ecae
      Chris Packham authored
      We set the field 'addr_trial_end' to 'jiffies', instead of the current
      value 0, at the moment the node address is initialized. This guarantees
      we don't inadvertently enter an address trial period when the node
      address is explicitly set by the user.
      Signed-off-by: default avatarChris Packham <chris.packham@alliedtelesis.co.nz>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8874ecae
    • Chen-Yu Tsai's avatar
      net: dsa: Check existence of .port_mdb_add callback before calling it · 58799865
      Chen-Yu Tsai authored
      The dsa framework has optional .port_mdb_{prepare,add,del} callback fields
      for drivers to handle multicast database entries. When adding an entry, the
      framework goes through a prepare phase, then a commit phase. Drivers not
      providing these callbacks should be detected in the prepare phase.
      
      DSA core may still bypass the bridge layer and call the dsa_port_mdb_add
      function directly with no prepare phase or no switchdev trans object,
      and the framework ends up calling an undefined .port_mdb_add callback.
      This results in a NULL pointer dereference, as shown in the log below.
      
      The other functions seem to be properly guarded. Do the same for
      .port_mdb_add in dsa_switch_mdb_add_bitmap() as well.
      
          8<--- cut here ---
          Unable to handle kernel NULL pointer dereference at virtual address 00000000
          pgd = (ptrval)
          [00000000] *pgd=00000000
          Internal error: Oops: 80000005 [#1] SMP ARM
          Modules linked in: rtl8xxxu rtl8192cu rtl_usb rtl8192c_common rtlwifi mac80211 cfg80211
          CPU: 1 PID: 134 Comm: kworker/1:2 Not tainted 5.3.0-rc1-00247-gd3519030752a #1
          Hardware name: Allwinner sun7i (A20) Family
          Workqueue: events switchdev_deferred_process_work
          PC is at 0x0
          LR is at dsa_switch_event+0x570/0x620
          pc : [<00000000>]    lr : [<c08533ec>]    psr: 80070013
          sp : ee871db8  ip : 00000000  fp : ee98d0a4
          r10: 0000000c  r9 : 00000008  r8 : ee89f710
          r7 : ee98d040  r6 : ee98d088  r5 : c0f04c48  r4 : ee98d04c
          r3 : 00000000  r2 : ee89f710  r1 : 00000008  r0 : ee98d040
          Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
          Control: 10c5387d  Table: 6deb406a  DAC: 00000051
          Process kworker/1:2 (pid: 134, stack limit = 0x(ptrval))
          Stack: (0xee871db8 to 0xee872000)
          1da0:                                                       ee871e14 103ace2d
          1dc0: 00000000 ffffffff 00000000 ee871e14 00000005 00000000 c08524a0 00000000
          1de0: ffffe000 c014bdfc c0f04c48 ee871e98 c0f04c48 ee9e5000 c0851120 c014bef0
          1e00: 00000000 b643aea2 ee9b4068 c08509a8 ee2bf940 ee89f710 ee871ecb 00000000
          1e20: 00000008 103ace2d 00000000 c087e248 ee29c868 103ace2d 00000001 ffffffff
          1e40: 00000000 ee871e98 00000006 00000000 c0fb2a50 c087e2d0 ffffffff c08523c4
          1e60: ffffffff c014bdfc 00000006 c0fad2d0 ee871e98 ee89f710 00000000 c014c500
          1e80: 00000000 ee89f3c0 c0f04c48 00000000 ee9e5000 c087dfb4 ee9e5000 00000000
          1ea0: ee89f710 ee871ecb 00000001 103ace2d 00000000 c0f04c48 00000000 c087e0a8
          1ec0: 00000000 efd9a3e0 0089f3c0 103ace2d ee89f700 ee89f710 ee9e5000 00000122
          1ee0: 00000100 c087e130 ee89f700 c0fad2c8 c1003ef0 c087de4c 2e928000 c0fad2ec
          1f00: c0fad2ec ee839580 ef7a62c0 ef7a9400 00000000 c087def8 c0fad2ec c01447dc
          1f20: ef315640 ef7a62c0 00000008 ee839580 ee839594 ef7a62c0 00000008 c0f03d00
          1f40: ef7a62d8 ef7a62c0 ffffe000 c0145b84 ffffe000 c0fb2420 c0bfaa8c 00000000
          1f60: ffffe000 ee84b600 ee84b5c0 00000000 ee870000 ee839580 c0145b40 ef0e5ea4
          1f80: ee84b61c c014a6f8 00000001 ee84b5c0 c014a5b0 00000000 00000000 00000000
          1fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
          1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
          1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
          [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          [<c014bdfc>] (notifier_call_chain) from [<c014bef0>] (raw_notifier_call_chain+0x18/0x20)
          [<c014bef0>] (raw_notifier_call_chain) from [<c08509a8>] (dsa_port_mdb_add+0x48/0x74)
          [<c08509a8>] (dsa_port_mdb_add) from [<c087e248>] (__switchdev_handle_port_obj_add+0x54/0xd4)
          [<c087e248>] (__switchdev_handle_port_obj_add) from [<c087e2d0>] (switchdev_handle_port_obj_add+0x8/0x14)
          [<c087e2d0>] (switchdev_handle_port_obj_add) from [<c08523c4>] (dsa_slave_switchdev_blocking_event+0x94/0xa4)
          [<c08523c4>] (dsa_slave_switchdev_blocking_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          [<c014bdfc>] (notifier_call_chain) from [<c014c500>] (blocking_notifier_call_chain+0x50/0x68)
          [<c014c500>] (blocking_notifier_call_chain) from [<c087dfb4>] (switchdev_port_obj_notify+0x44/0xa8)
          [<c087dfb4>] (switchdev_port_obj_notify) from [<c087e0a8>] (switchdev_port_obj_add_now+0x90/0x104)
          [<c087e0a8>] (switchdev_port_obj_add_now) from [<c087e130>] (switchdev_port_obj_add_deferred+0x14/0x5c)
          [<c087e130>] (switchdev_port_obj_add_deferred) from [<c087de4c>] (switchdev_deferred_process+0x64/0x104)
          [<c087de4c>] (switchdev_deferred_process) from [<c087def8>] (switchdev_deferred_process_work+0xc/0x14)
          [<c087def8>] (switchdev_deferred_process_work) from [<c01447dc>] (process_one_work+0x218/0x50c)
          [<c01447dc>] (process_one_work) from [<c0145b84>] (worker_thread+0x44/0x5bc)
          [<c0145b84>] (worker_thread) from [<c014a6f8>] (kthread+0x148/0x150)
          [<c014a6f8>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
          Exception stack(0xee871fb0 to 0xee871ff8)
          1fa0:                                     00000000 00000000 00000000 00000000
          1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
          1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
          Code: bad PC value
          ---[ end trace 1292c61abd17b130 ]---
      
          [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          corresponds to
      
      	$ arm-linux-gnueabihf-addr2line -C -i -e vmlinux c08533ec
      
      	linux/net/dsa/switch.c:156
      	linux/net/dsa/switch.c:178
      	linux/net/dsa/switch.c:328
      
      Fixes: e6db98db ("net: dsa: add switch mdb bitmap functions")
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Reviewed-by: default avatarVivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58799865
    • Petr Machata's avatar
      mlxsw: spectrum_ptp: Keep unmatched entries in a linked list · 8028ccda
      Petr Machata authored
      To identify timestamps for matching with their packets, Spectrum-1 uses a
      five-tuple of (port, direction, domain number, message type, sequence ID).
      If there are several clients from the same domain behind a single port
      sending Delay_Req's, the only thing differentiating these packets, as far
      as Spectrum-1 is concerned, is the sequence ID. Should sequence IDs between
      individual clients be similar, conflicts may arise. That is not a problem
      to hardware, which will simply deliver timestamps on a first comes, first
      served basis.
      
      However the driver uses a simple hash table to store the unmatched pieces.
      When a new conflicting piece arrives, it pushes out the previously stored
      one, which if it is a packet, is delivered without timestamp. Later on as
      the corresponding timestamps arrive, the first one is mismatched to the
      second packet, and the second one is never matched and eventually is GCd.
      
      To correct this issue, instead of using a simple rhashtable, use rhltable
      to keep the unmatched entries.
      
      Previously, a found unmatched entry would always be removed from the hash
      table. That is not the case anymore--an incompatible entry is left in the
      hash table. Therefore removal from the hash table cannot be used to confirm
      the validity of the looked-up pointer, instead the lookup would simply need
      to be redone. Therefore move it inside the critical section. This
      simplifies a lot of the code.
      
      Fixes: 87486427 ("mlxsw: spectrum: PTP: Support SIOCGHWTSTAMP, SIOCSHWTSTAMP ioctls")
      Reported-by: default avatarAlex Veber <alexve@mellanox.com>
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8028ccda
    • Jonathan Neuschäfer's avatar
      net: nps_enet: Fix function names in doc comments · d81f4141
      Jonathan Neuschäfer authored
      Adjust the function names in two doc comments to match the corresponding
      functions.
      Signed-off-by: default avatarJonathan Neuschäfer <j.neuschaefer@gmx.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d81f4141
    • David Howells's avatar
      rxrpc: Fix local refcounting · 68553f1a
      David Howells authored
      Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called
      on an unbound socket on which rx->local is not yet set.
      
      The following reproduced (includes omitted):
      
      	int main(void)
      	{
      		socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
      		return 0;
      	}
      
      causes the following oops to occur:
      
      	BUG: kernel NULL pointer dereference, address: 0000000000000010
      	...
      	RIP: 0010:rxrpc_unuse_local+0x8/0x1b
      	...
      	Call Trace:
      	 rxrpc_release+0x2b5/0x338
      	 __sock_release+0x37/0xa1
      	 sock_close+0x14/0x17
      	 __fput+0x115/0x1e9
      	 task_work_run+0x72/0x98
      	 do_exit+0x51b/0xa7a
      	 ? __context_tracking_exit+0x4e/0x10e
      	 do_group_exit+0xab/0xab
      	 __x64_sys_exit_group+0x14/0x17
      	 do_syscall_64+0x89/0x1d4
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Jeffrey Altman <jaltman@auristor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68553f1a
    • David Ahern's avatar
      netdevsim: Restore per-network namespace accounting for fib entries · 59c84b9f
      David Ahern authored
      Prior to the commit in the fixes tag, the resource controller in netdevsim
      tracked fib entries and rules per network namespace. Restore that behavior.
      
      Fixes: 5fc49422 ("netdevsim: create devlink instance per netdevsim instance")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59c84b9f
  2. 11 Aug, 2019 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 9481382b
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-08-11
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) x64 JIT code generation fix for backward-jumps to 1st insn, from Alexei.
      
      2) Fix buggy multi-closing of BTF file descriptor in libbpf, from Andrii.
      
      3) Fix libbpf_num_possible_cpus() to make it thread safe, from Takshak.
      
      4) Fix bpftool to dump an error if pinning fails, from Jakub.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9481382b
  3. 10 Aug, 2019 1 commit
  4. 09 Aug, 2019 23 commits