1. 30 Sep, 2022 3 commits
    • mISDN: fix use-after-free bugs in l1oip timer handlers · 2568a7e0
      Duoming Zhou authored
      The l1oip_cleanup() traverses the l1oip_ilist and calls
      release_card() to cleanup module and stack. However,
      release_card() calls del_timer() to delete the timers
      such as keep_tl and timeout_tl. If the timer handler is
      running, the del_timer() will not stop it and result in
      UAF bugs. One of the processes is shown below:
      
          (cleanup routine)          |        (timer handler)
      release_card()                 | l1oip_timeout()
       ...                           |
       del_timer()                   | ...
       ...                           |
       kfree(hc) //FREE              |
                                     | hc->timeout_on = 0 //USE
      
      Fix by calling del_timer_sync() in release_card(), which
      makes sure the timer handlers have finished before the
      resources, such as l1oip and so on, have been deallocated.
      
      What's more, the hc->workq and hc->socket_thread can kick
      those timers right back in. We add a bool flag to show
      if card is released. Then, check this flag in hc->workq
      and hc->socket_thread.
      
      Fixes: 3712b42d ("Add layer1 over IP support")
      Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
      Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • eth: alx: take rtnl_lock on resume · 6ad1c94e
      Jakub Kicinski authored
      Zbynek reports that alx trips an rtnl assertion on resume:
      
       RTNL: assertion failed at net/core/dev.c (2891)
       RIP: 0010:netif_set_real_num_tx_queues+0x1ac/0x1c0
       Call Trace:
        <TASK>
        __alx_open+0x230/0x570 [alx]
        alx_resume+0x54/0x80 [alx]
        ? pci_legacy_resume+0x80/0x80
        dpm_run_callback+0x4a/0x150
        device_resume+0x8b/0x190
        async_resume+0x19/0x30
        async_run_entry_fn+0x30/0x130
        process_one_work+0x1e5/0x3b0
      
      indeed the driver does not hold rtnl_lock during its internal close
      and re-open functions during suspend/resume. Note that this is not
      a huge bug as the driver implements its own locking, and does not
      implement changing the number of queues, but we need to silence
      the splat.
      
      Fixes: 4a5fe57e ("alx: use fine-grained locking instead of RTNL")
      Reported-and-tested-by: Zbynek Michl <zbynek.michl@gmail.com>
      Reviewed-by: Niels Dossche <dossche.niels@gmail.com>
      Link: https://lore.kernel.org/r/20220928181236.1053043-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • vhost/vsock: Use kvmalloc/kvfree for larger packets. · 0e3f7293
      Junichi Uekawa authored
      When copying a large file over sftp over vsock, data size is usually 32kB,
      and kmalloc seems to fail to try to allocate 32 32kB regions.
      
       vhost-5837: page allocation failure: order:4, mode:0x24040c0
       Call Trace:
        [<ffffffffb6a0df64>] dump_stack+0x97/0xdb
        [<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138
        [<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8
        [<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d
        [<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19
        [<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb
        [<ffffffffb66682f3>] __kmalloc+0x177/0x1f7
        [<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d
        [<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]
        [<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost]
        [<ffffffffb683ddce>] kthread+0xfd/0x105
        [<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost]
        [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
        [<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80
        [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
      
      Work around by doing kvmalloc instead.
      
      Fixes: 433fc58e ("VSOCK: Introduce vhost_vsock.ko")
      Signed-off-by: Junichi Uekawa <uekawa@chromium.org>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Link: https://lore.kernel.org/r/20220928064538.667678-1-uekawa@chromium.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  2. 29 Sep, 2022 13 commits
    • Merge tag 'net-6.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 511cce16
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from wifi and can.
      
        Current release - regressions:
      
         - phy: don't WARN for PHY_UP state in mdio_bus_phy_resume()
      
         - wifi: fix locking in mac80211 mlme
      
         - eth:
            - revert "net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()"
            - mlxbf_gige: fix an IS_ERR() vs NULL bug in mlxbf_gige_mdio_probe
      
        Previous releases - regressions:
      
         - wifi: fix regression with non-QoS drivers
      
        Previous releases - always broken:
      
         - mptcp: fix unreleased socket in accept queue
      
         - wifi:
            - don't start TX with fq->lock to fix deadlock
            - fix memory corruption in minstrel_ht_update_rates()
      
         - eth:
            - macb: fix ZynqMP SGMII non-wakeup source resume failure
            - mt7531: only do PLL once after the reset
            - usbnet: fix memory leak in usbnet_disconnect()
      
        Misc:
      
         - usb: qmi_wwan: add new usb-id for Dell branded EM7455"
      
      * tag 'net-6.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (30 commits)
        mptcp: fix unreleased socket in accept queue
        mptcp: factor out __mptcp_close() without socket lock
        net: ethernet: mtk_eth_soc: fix mask of RX_DMA_GET_SPORT{,_V2}
        net: mscc: ocelot: fix tagged VLAN refusal while under a VLAN-unaware bridge
        can: c_can: don't cache TX messages for C_CAN cores
        ice: xsk: drop power of 2 ring size restriction for AF_XDP
        ice: xsk: change batched Tx descriptor cleaning
        net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455
        selftests: Fix the if conditions of in test_extra_filter()
        net: phy: Don't WARN for PHY_UP state in mdio_bus_phy_resume()
        net: stmmac: power up/down serdes in stmmac_open/release
        wifi: mac80211: mlme: Fix double unlock on assoc success handling
        wifi: mac80211: mlme: Fix missing unlock on beacon RX
        wifi: mac80211: fix memory corruption in minstrel_ht_update_rates()
        wifi: mac80211: fix regression with non-QoS drivers
        wifi: mac80211: ensure vif queues are operational after start
        wifi: mac80211: don't start TX with fq->lock to fix deadlock
        wifi: cfg80211: fix MCS divisor value
        net: hippi: Add missing pci_disable_device() in rr_init_one()
        net/mlxbf_gige: Fix an IS_ERR() vs NULL bug in mlxbf_gige_mdio_probe
        ...
    • Merge tag 'input-for-v6.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · da9eede6
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - small fixes for iqs62x-keys and melfas_mip4 drivers
      
       - corrected register address in snvs_pwrkey driver
      
       - Synaptic driver will stop trying to use intertouch (native) mode on
         some Lenovo AMD devices
      
      * tag 'input-for-v6.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: snvs_pwrkey - fix SNVS_HPVIDR1 register address
        Input: synaptics - disable Intertouch for Lenovo T14 and P14s AMD G1
        Input: iqs62x-keys - drop unused device node references
        Input: melfas_mip4 - fix return value check in mip4_probe()
    • Merge tag 'ata-6.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 71f18757
      Linus Torvalds authored
      Pull ATA fixes from Damien Le Moal:
       "Three late patches to fix problems discovered recently:
      
         - Add a horkage to disable link power management by default for the
           Pioneer BDR-207M and BDR-205 DVD drives (from Niklas)
      
         - Two patches to fix setting the maximum queue depth of libsas owned
           ATA devices (from me)"
      
      * tag 'ata-6.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: libata-sata: Fix device queue depth control
        ata: libata-scsi: Fix initialization of device queue depth
        libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205
    • Merge tag 'loongarch-fixes-6.0-3' of... · 81bcd4b5
      Linus Torvalds authored
      Merge tag 'loongarch-fixes-6.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
      
      Pull LoongArch fixes from Huacai Chen:
       "Some trivial fixes and cleanup"
      
      * tag 'loongarch-fixes-6.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
        LoongArch: Clean up loongson3_smp_ops declaration
        LoongArch: Fix and cleanup csr_era handling in do_ri()
        LoongArch: Align the address of kernel_entry to 4KB
    • LoongArch: Clean up loongson3_smp_ops declaration · 4f196cb6
      Yanteng Si authored
      Since loongson3_smp_ops is not used in LoongArch anymore, let's remove
      it for cleanup.
      
      Fixes: f2ac457a ("LoongArch: Add CPU definition headers")
      Signed-off-by: Yanteng Si <siyanteng@loongson.cn>
      Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
    • LoongArch: Fix and cleanup csr_era handling in do_ri() · 06e76ace
      Huacai Chen authored
      We don't emulate reserved instructions and just send a signal to the
      current process now. So we don't need to call compute_return_era() to
      add 4 (point to the next instruction) to csr_era in pt_regs. RA/ERA's
      backup/restore is cleaned up as well.
      Signed-off-by: Jun Yi <yijun@loongson.cn>
      Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
    • LoongArch: Align the address of kernel_entry to 4KB · 2938431e
      Huacai Chen authored
      Align the address of kernel_entry to 4KB, to avoid early tlb miss
      exception in case the entry code crosses page boundary.
      Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
    • Merge branch 'mptcp-properly-clean-up-unaccepted-subflows' · 3b04cba7
      Jakub Kicinski authored
      Mat Martineau says:
      
      ====================
      mptcp: Properly clean up unaccepted subflows
      
      Patch 1 factors out part of the mptcp_close() function for use by a caller
      that already owns the socket lock. This is a prerequisite for patch 2.
      
      Patch 2 is the fix that fully cleans up the unaccepted subflow sockets.
      ====================
      
      Link: https://lore.kernel.org/r/20220927193158.195729-1-mathew.j.martineau@linux.intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mptcp: fix unreleased socket in accept queue · 30e51b92
      Menglong Dong authored
      The mptcp socket and its subflow sockets in the accept queue can't be
      released after the process exits.
      
      When an mptcp socket in listening state is released, the
      corresponding tcp socket is released too. Meanwhile, the tcp
      sockets in the unaccept queue are released as well. However, only the init
      subflow is in the unaccept queue; the joined subflow is not in the
      unaccept queue, which means the joined subflow won't be released, and
      therefore the corresponding unaccepted mptcp socket will not be released
      either.
      
      This can be reproduced easily with following steps:
      
      1. create 2 namespace and veth:
         $ ip netns add mptcp-client
         $ ip netns add mptcp-server
         $ sysctl -w net.ipv4.conf.all.rp_filter=0
         $ ip netns exec mptcp-client sysctl -w net.mptcp.enabled=1
         $ ip netns exec mptcp-server sysctl -w net.mptcp.enabled=1
         $ ip link add red-client netns mptcp-client type veth peer red-server \
           netns mptcp-server
         $ ip -n mptcp-server address add 10.0.0.1/24 dev red-server
         $ ip -n mptcp-server address add 192.168.0.1/24 dev red-server
         $ ip -n mptcp-client address add 10.0.0.2/24 dev red-client
         $ ip -n mptcp-client address add 192.168.0.2/24 dev red-client
         $ ip -n mptcp-server link set red-server up
         $ ip -n mptcp-client link set red-client up
      
      2. configure the endpoint and limit for client and server:
         $ ip -n mptcp-server mptcp endpoint flush
         $ ip -n mptcp-server mptcp limits set subflow 2 add_addr_accepted 2
         $ ip -n mptcp-client mptcp endpoint flush
         $ ip -n mptcp-client mptcp limits set subflow 2 add_addr_accepted 2
         $ ip -n mptcp-client mptcp endpoint add 192.168.0.2 dev red-client id \
           1 subflow
      
      3. listen and accept on a port, such as 9999. The nc command we used
         here is modified, which makes it use mptcp protocol by default.
         $ ip netns exec mptcp-server nc -l -k -p 9999
      
      4. open another *two* terminal and use each of them to connect to the
         server with the following command:
         $ ip netns exec mptcp-client nc 10.0.0.1 9999
         Input something after connect to trigger the connection of the second
         subflow. So that there are two established mptcp connections, with the
         second one still unaccepted.
      
      5. exit all the nc command, and check the tcp socket in server namespace.
         And you will find that there is one tcp socket in CLOSE_WAIT state
         and can't release forever.
      
      Fix this by closing all of the unaccepted mptcp socket in
      mptcp_subflow_queue_clean() with __mptcp_close().
      
      Now, we can ensure that all unaccepted mptcp sockets will be cleaned by
      __mptcp_close() before they are released, so mptcp_sock_destruct(), which
      is used to clean the unaccepted mptcp socket, is not needed anymore.
      
      The selftests for mptcp were run for this commit, with no new failures.
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Fixes: 6aeed904 ("mptcp: fix race on unaccepted mptcp sockets")
      Cc: stable@vger.kernel.org
      Reviewed-by: Jiang Biao <benbjiang@tencent.com>
      Reviewed-by: Mengen Sun <mengensun@tencent.com>
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Menglong Dong <imagedong@tencent.com>
      Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mptcp: factor out __mptcp_close() without socket lock · 26d3e21c
      Menglong Dong authored
      Factor out __mptcp_close() from mptcp_close(). The caller of
      __mptcp_close() should hold the socket lock, and cancel mptcp work when
      __mptcp_close() returns true.
      
      This function will be used in the next commit.
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Fixes: 6aeed904 ("mptcp: fix race on unaccepted mptcp sockets")
      Cc: stable@vger.kernel.org
      Reviewed-by: Jiang Biao <benbjiang@tencent.com>
      Reviewed-by: Mengen Sun <mengensun@tencent.com>
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Menglong Dong <imagedong@tencent.com>
      Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 3e1308a7
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      ice: xsk: ZC changes
      
      Maciej Fijalkowski says:
      
      This set consists of two fixes to issues that were either pointed out
      indirectly on the mailing list (John was reviewing AF_XDP selftests that
      were testing ice's ZC support) or were directly reported by customers.
      
      First patch allows user space to see done descriptor in CQ even after a
      single frame being transmitted and second patch removes the need for
      having HW rings sized to power of 2 number of descriptors when used
      against AF_XDP.
      
      I also forgot to mention that due to the current Tx cleaning algorithm,
      4k HW ring was broken and these two patches bring it back to life, so we
      kill two birds with one stone.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: xsk: drop power of 2 ring size restriction for AF_XDP
        ice: xsk: change batched Tx descriptor cleaning
      ====================
      
      Link: https://lore.kernel.org/r/20220927164112.4011983-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ethernet: mtk_eth_soc: fix mask of RX_DMA_GET_SPORT{,_V2} · c9da02bf
      Daniel Golle authored
      The bitmasks applied in RX_DMA_GET_SPORT and RX_DMA_GET_SPORT_V2 macros
      were swapped. Fix that.
      Reported-by: Chen Minqiang <ptpt52@gmail.com>
      Fixes: 160d3a9b ("net: ethernet: mtk_eth_soc: introduce MTK_NETSYS_V2 support")
      Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
      Link: https://lore.kernel.org/r/YzMW+mg9UsaCdKRQ@makrotopia.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: mscc: ocelot: fix tagged VLAN refusal while under a VLAN-unaware bridge · 276d37eb
      Vladimir Oltean authored
      Currently the following set of commands fails:
      
      $ ip link add br0 type bridge # vlan_filtering 0
      $ ip link set swp0 master br0
      $ bridge vlan
      port              vlan-id
      swp0              1 PVID Egress Untagged
      $ bridge vlan add dev swp0 vid 10
      Error: mscc_ocelot_switch_lib: Port with more than one egress-untagged VLAN cannot have egress-tagged VLANs.
      
      Dumping ocelot->vlans, one can see that the 2 egress-untagged VLANs on swp0 are
      vid 1 (the bridge PVID) and vid 4094, a PVID used privately by the driver for
      VLAN-unaware bridging. So this is why bridge vid 10 is refused, despite
      'bridge vlan' showing a single egress untagged VLAN.
      
      As mentioned in the comment added, having this private VLAN does not impose
      restrictions to the hardware configuration, yet it is a bookkeeping problem.
      
      There are 2 possible solutions.
      
      One is to make the functions that operate on VLAN-unaware pvids:
      - ocelot_add_vlan_unaware_pvid()
      - ocelot_del_vlan_unaware_pvid()
      - ocelot_port_setup_dsa_8021q_cpu()
      - ocelot_port_teardown_dsa_8021q_cpu()
      call something different than ocelot_vlan_member_(add|del)(), the latter being
      the real problem, because it allocates a struct ocelot_bridge_vlan *vlan which
      it adds to ocelot->vlans. We don't really *need* the private VLANs in
      ocelot->vlans, it's just that we have the extra convenience of having the
      vlan->portmask cached in software (whereas without these structures, we'd have
      to create a raw ocelot_vlant_rmw_mask() procedure which reads back the current
      port mask from hardware).
      
      The other solution is to filter out the private VLANs from
      ocelot_port_num_untagged_vlans(), since they aren't what callers care about.
      We only need to do this to the mentioned function and not to
      ocelot_port_num_tagged_vlans(), because private VLANs are never egress-tagged.
      
      Nothing else seems to be broken in either solution, but the first one requires
      more rework which will conflict with the net-next change 36a0bf44 ("net:
      mscc: ocelot: set up tag_8021q CPU ports independent of user port affinity"),
      and I'd like to avoid that. So go with the other one.
      
      Fixes: 54c31984 ("net: mscc: ocelot: enforce FDB isolation when VLAN-unaware")
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20220927122042.1100231-1-vladimir.oltean@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 28 Sep, 2022 7 commits
  4. 27 Sep, 2022 17 commits