1. 08 Apr, 2021 5 commits
    • Stephen Hemminger's avatar
      ipv6: report errors for iftoken via netlink extack · 3583a4e8
      Stephen Hemminger authored
      Setting iftoken can fail for several different reasons but there
      and there was no report to user as to the cause. Add netlink
      extended errors to the processing of the request.
      
      This requires adding additional argument through rtnl_af_ops
      set_link_af callback.
      Reported-by: default avatarHongren Zheng <li@zenithal.me>
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3583a4e8
    • David S. Miller's avatar
      Merge branch 'net-sched-action-init-fixes' · f2fbd0aa
      David S. Miller authored
      Vlad Buslov says:
      
      ====================
      Action initalization fixes
      
      This series fixes reference counting of action instances and modules in
      several parts of action init code. The first patch reverts previous fix
      that didn't properly account for rollback from a failure in the middle of
      the loop in tcf_action_init() which is properly fixed by the following
      patch.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2fbd0aa
    • Vlad Buslov's avatar
      net: sched: fix err handler in tcf_action_init() · b3650bf7
      Vlad Buslov authored
      With recent changes that separated action module load from action
      initialization tcf_action_init() function error handling code was modified
      to manually release the loaded modules if loading/initialization of any
      further action in same batch failed. For the case when all modules
      successfully loaded and some of the actions were initialized before one of
      them failed in init handler. In this case for all previous actions the
      module will be released twice by the error handler: First time by the loop
      that manually calls module_put() for all ops, and second time by the action
      destroy code that puts the module after destroying the action.
      
      Reproduction:
      
      $ sudo tc actions add action simple sdata \"2\" index 2
      $ sudo tc actions add action simple sdata \"1\" index 1 \
                            action simple sdata \"2\" index 2
      RTNETLINK answers: File exists
      We have an error talking to the kernel
      $ sudo tc actions ls action simple
      total acts 1
      
              action order 0: Simple <"2">
               index 2 ref 1 bind 0
      $ sudo tc actions flush action simple
      $ sudo tc actions ls action simple
      $ sudo tc actions add action simple sdata \"2\" index 2
      Error: Failed to load TC action module.
      We have an error talking to the kernel
      $ lsmod | grep simple
      act_simple             20480  -1
      
      Fix the issue by modifying module reference counting handling in action
      initialization code:
      
      - Get module reference in tcf_idr_create() and put it in tcf_idr_release()
      instead of taking over the reference held by the caller.
      
      - Modify users of tcf_action_init_1() to always release the module
      reference which they obtain before calling init function instead of
      assuming that created action takes over the reference.
      
      - Finally, modify tcf_action_init_1() to not release the module reference
      when overwriting existing action as this is no longer necessary since both
      upper and lower layers obtain and manage their own module references
      independently.
      
      Fixes: d349f997 ("net_sched: fix RTNL deadlock again caused by request_module()")
      Suggested-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3650bf7
    • Vlad Buslov's avatar
      net: sched: fix action overwrite reference counting · 87c750e8
      Vlad Buslov authored
      Action init code increments reference counter when it changes an action.
      This is the desired behavior for cls API which needs to obtain action
      reference for every classifier that points to action. However, act API just
      needs to change the action and releases the reference before returning.
      This sequence breaks when the requested action doesn't exist, which causes
      act API init code to create new action with specified index, but action is
      still released before returning and is deleted (unless it was referenced
      concurrently by cls API).
      
      Reproduction:
      
      $ sudo tc actions ls action gact
      $ sudo tc actions change action gact drop index 1
      $ sudo tc actions ls action gact
      
      Extend tcf_action_init() to accept 'init_res' array and initialize it with
      action->ops->init() result. In tcf_action_add() remove pointers to created
      actions from actions array before passing it to tcf_action_put_many().
      
      Fixes: cae422f3 ("net: sched: use reference counting action init")
      Reported-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87c750e8
    • Vlad Buslov's avatar
      Revert "net: sched: bump refcount for new action in ACT replace mode" · 4ba86128
      Vlad Buslov authored
      This reverts commit 6855e821.
      
      Following commit in series fixes the issue without introducing regression
      in error rollback of tcf_action_destroy().
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4ba86128
  2. 07 Apr, 2021 19 commits
    • Anirudh Rayabharam's avatar
      net: hso: fix null-ptr-deref during tty device unregistration · 8a12f883
      Anirudh Rayabharam authored
      Multiple ttys try to claim the same the minor number causing a double
      unregistration of the same device. The first unregistration succeeds
      but the next one results in a null-ptr-deref.
      
      The get_free_serial_index() function returns an available minor number
      but doesn't assign it immediately. The assignment is done by the caller
      later. But before this assignment, calls to get_free_serial_index()
      would return the same minor number.
      
      Fix this by modifying get_free_serial_index to assign the minor number
      immediately after one is found to be and rename it to obtain_minor()
      to better reflect what it does. Similary, rename set_serial_by_index()
      to release_minor() and modify it to free up the minor number of the
      given hso_serial. Every obtain_minor() should have corresponding
      release_minor() call.
      
      Fixes: 72dc1c09 ("HSO: add option hso driver")
      Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
      Tested-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarAnirudh Rayabharam <mail@anirudhrb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a12f883
    • David S. Miller's avatar
      Merge tag 'ieee802154-for-davem-2021-04-07' of... · 5d1dbacd
      David S. Miller authored
      Merge tag 'ieee802154-for-davem-2021-04-07' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan
      
      Stefan Schmidt says:
      
      ====================
      pull-request: ieee802154 for net 2021-04-07
      
      An update from ieee802154 for your *net* tree.
      
      Most of these are coming from the flood of syzkaller reports
      lately got for the ieee802154 subsystem. There are likely to
      come more for this, but this is a good batch to get out for now.
      
      Alexander Aring created a patchset to avoid llsec handling on a
      monitor interface, which we do not support.
      Alex Shi removed a unused macro.
      Pavel Skripkin fixed another protection fault found by syzkaller.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5d1dbacd
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2021-04-07' of... · 107adc69
      David S. Miller authored
      Merge tag 'wireless-drivers-2021-04-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.12
      
      Third, and last, set of fixes for v5.12. Small fixes, iwlwifi having
      most of them. brcmfmac regression caused by cfg80211 changes is the
      most important here.
      
      iwlwifi
      
      * fix a lockdep warning
      
      * fix regulatory feature detection in certain firmware versions
      
      * new hardware support
      
      * fix lockdep warning
      
      * mvm: fix beacon protection checks
      
      mt76
      
      * mt7921: fix airtime reporting
      
      brcmfmac
      
      * fix a deadlock regression
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      107adc69
    • David S. Miller's avatar
      Merge branch 'ethtool-link_mode' · 3cf14828
      David S. Miller authored
      Danielle Ratson says:
      
      ====================
      Fix link_mode derived params functionality
      
      Currently, link_mode parameter derives 3 other link parameters, speed,
      lanes and duplex, and the derived information is sent to user space.
      
      Few bugs were found in that functionality.
      First, some drivers clear the 'ethtool_link_ksettings' struct in their
      get_link_ksettings() callback and cause receiving wrong link mode
      information in user space. And also, some drivers can report random
      values in the 'link_mode' field and cause general protection fault.
      
      Second, the link parameters are only derived in netlink path so in ioctl
      path, we don't any reasonable values.
      
      Third, setting 'speed 10000 lanes 1' fails since the lanes parameter
      wasn't set for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT.
      
      Patch #1 solves the first two problems by removing link_mode parameter
      and deriving the link parameters in driver instead of ethtool.
      Patch #2 solves the third one, by setting the lanes parameter for the
      link_mode.
      
      v3:
      	* Remove the link_mode parameter in the first patch to solve
      	  both two issues from patch#1 and patch#2.
      	* Add the second patch to solve the third issue.
      
      v2:
      	* Add patch #2.
      	* Introduce 'cap_link_mode_supported' instead of adding a
      	  validity field to 'ethtool_link_ksettings' struct in patch #1.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3cf14828
    • Danielle Ratson's avatar
      ethtool: Add lanes parameter for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT · fde32dbe
      Danielle Ratson authored
      Lanes field is missing for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT
      link mode and it causes a failure when trying to set
      'speed 10000 lanes 1' on Spectrum-2 machines when autoneg is set to on.
      
      Add the lanes parameter for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT
      link mode.
      
      Fixes: c8907043 ("ethtool: Get link mode in use instead of speed and duplex parameters")
      Signed-off-by: default avatarDanielle Ratson <danieller@nvidia.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fde32dbe
    • Danielle Ratson's avatar
      ethtool: Remove link_mode param and derive link params from driver · a975d7d8
      Danielle Ratson authored
      Some drivers clear the 'ethtool_link_ksettings' struct in their
      get_link_ksettings() callback, before populating it with actual values.
      Such drivers will set the new 'link_mode' field to zero, resulting in
      user space receiving wrong link mode information given that zero is a
      valid value for the field.
      
      Another problem is that some drivers (notably tun) can report random
      values in the 'link_mode' field. This can result in a general protection
      fault when the field is used as an index to the 'link_mode_params' array
      [1].
      
      This happens because such drivers implement their set_link_ksettings()
      callback by simply overwriting their private copy of
      'ethtool_link_ksettings' struct with the one they get from the stack,
      which is not always properly initialized.
      
      Fix these problems by removing 'link_mode' from 'ethtool_link_ksettings'
      and instead have drivers call ethtool_params_from_link_mode() with the
      current link mode. The function will derive the link parameters (e.g.,
      speed) from the link mode and fill them in the 'ethtool_link_ksettings'
      struct.
      
      v3:
      	* Remove link_mode parameter and derive the link parameters in
      	  the driver instead of passing link_mode parameter to ethtool
      	  and derive it there.
      
      v2:
      	* Introduce 'cap_link_mode_supported' instead of adding a
      	  validity field to 'ethtool_link_ksettings' struct.
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc00f14cc32c: 0000 [#1] PREEMPT SMP KASAN
      KASAN: probably user-memory-access in range [0x000000078a661960-0x000000078a661967]
      CPU: 0 PID: 8452 Comm: syz-executor360 Not tainted 5.11.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__ethtool_get_link_ksettings+0x1a3/0x3a0 net/ethtool/ioctl.c:446
      Code: b7 3e fa 83 fd ff 0f 84 30 01 00 00 e8 16 b0 3e fa 48 8d 3c ed 60 d5 69 8a 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03
      +38 d0 7c 08 84 d2 0f 85 b9
      RSP: 0018:ffffc900019df7a0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff888026136008 RCX: 0000000000000000
      RDX: 00000000f14cc32c RSI: ffffffff873439ca RDI: 000000078a661960
      RBP: 00000000ffff8880 R08: 00000000ffffffff R09: ffff88802613606f
      R10: ffffffff873439bc R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88802613606c R14: ffff888011d0c210 R15: ffff888011d0c210
      FS:  0000000000749300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004b60f0 CR3: 00000000185c2000 CR4: 00000000001506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       linkinfo_prepare_data+0xfd/0x280 net/ethtool/linkinfo.c:37
       ethnl_default_notify+0x1dc/0x630 net/ethtool/netlink.c:586
       ethtool_notify+0xbd/0x1f0 net/ethtool/netlink.c:656
       ethtool_set_link_ksettings+0x277/0x330 net/ethtool/ioctl.c:620
       dev_ethtool+0x2b35/0x45d0 net/ethtool/ioctl.c:2842
       dev_ioctl+0x463/0xb70 net/core/dev_ioctl.c:440
       sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
       sock_ioctl+0x477/0x6a0 net/socket.c:1177
       vfs_ioctl fs/ioctl.c:48 [inline]
       __do_sys_ioctl fs/ioctl.c:753 [inline]
       __se_sys_ioctl fs/ioctl.c:739 [inline]
       __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c8907043 ("ethtool: Get link mode in use instead of speed and duplex parameters")
      Signed-off-by: default avatarDanielle Ratson <danieller@nvidia.com>
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a975d7d8
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2021-04-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · bb58023b
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2021-04-06
      
      This series provides some fixes to mlx5 driver.
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb58023b
    • Zheng Yongjun's avatar
      net: tipc: Fix spelling errors in net/tipc module · a79ace4b
      Zheng Yongjun authored
      These patches fix a series of spelling errors in net/tipc module.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a79ace4b
    • Kurt Kanzenbach's avatar
      net: hsr: Reset MAC header for Tx path · 9d680392
      Kurt Kanzenbach authored
      Reset MAC header in HSR Tx path. This is needed, because direct packet
      transmission, e.g. by specifying PACKET_QDISC_BYPASS does not reset the MAC
      header.
      
      This has been observed using the following setup:
      
      |$ ip link add name hsr0 type hsr slave1 lan0 slave2 lan1 supervision 45 version 1
      |$ ifconfig hsr0 up
      |$ ./test hsr0
      
      The test binary is using mmap'ed sockets and is specifying the
      PACKET_QDISC_BYPASS socket option.
      
      This patch resolves the following warning on a non-patched kernel:
      
      |[  112.725394] ------------[ cut here ]------------
      |[  112.731418] WARNING: CPU: 1 PID: 257 at net/hsr/hsr_forward.c:560 hsr_forward_skb+0x484/0x568
      |[  112.739962] net/hsr/hsr_forward.c:560: Malformed frame (port_src hsr0)
      
      The warning can be safely removed, because the other call sites of
      hsr_forward_skb() make sure that the skb is prepared correctly.
      
      Fixes: d346a3fa ("packet: introduce PACKET_QDISC_BYPASS socket option")
      Signed-off-by: Kurt Kanzenbach's avatarKurt Kanzenbach <kurt@linutronix.de>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d680392
    • David S. Miller's avatar
      Merge branch 'ethtool-doc' · cd904373
      David S. Miller authored
      Jakub Kicinski says:
      
      ====================
      ethtool: kdoc fixes
      
      Number of kdoc fixes to ethtool headers. All comment changes.
      
      With all the patches posted kdoc script seems happy:
      $ ./scripts/kernel-doc -none include/uapi/linux/ethtool.h include/linux/ethtool.h
      $
      
      Note that some of the changes are in -next, e.g. the FEC
      documentation update so full effect will be seen after
      trees converge.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cd904373
    • Jakub Kicinski's avatar
      ethtool: fix kdoc in headers · d9c65de0
      Jakub Kicinski authored
      Fix remaining issues with kdoc in the ethtool headers.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9c65de0
    • Jakub Kicinski's avatar
      ethtool: document reserved fields in the uAPI · 83e5feeb
      Jakub Kicinski authored
      Add a note on expected handling of reserved fields,
      and references to all kdocs. This fixes a bunch
      of kdoc warnings.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      83e5feeb
    • Jakub Kicinski's avatar
      ethtool: un-kdocify extended link state · f0ebc2b6
      Jakub Kicinski authored
      Extended link state structures and enums use kdoc headers
      but then do not describe any of the members.
      
      Convert to normal comments.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0ebc2b6
    • Aditya Pakki's avatar
      net/rds: Avoid potential use after free in rds_send_remove_from_sock · 0c85a7e8
      Aditya Pakki authored
      In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
      is freed and later under spinlock, causing potential use-after-free.
      Set the free pointer to NULL to avoid undefined behavior.
      Signed-off-by: default avatarAditya Pakki <pakki001@umn.edu>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c85a7e8
    • Xiaoming Ni's avatar
      net/mlx5: fix kfree mismatch in indir_table.c · d5f9b005
      Xiaoming Ni authored
      Memory allocated by kvzalloc() should be freed by kvfree().
      
      Fixes: 34ca6535 ("net/mlx5: E-Switch, Indirect table infrastructur")
      Signed-off-by: default avatarXiaoming Ni <nixiaoming@huawei.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      d5f9b005
    • Aya Levin's avatar
      net/mlx5: Fix PBMC register mapping · 534b1204
      Aya Levin authored
      Add reserved mapping to cover all the register in order to avoid setting
      arbitrary values to newer FW which implements the reserved fields.
      
      Fixes: 50b4a3c2 ("net/mlx5: PPTB and PBMC register firmware command support")
      Signed-off-by: default avatarAya Levin <ayal@nvidia.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      534b1204
    • Aya Levin's avatar
      net/mlx5: Fix PPLM register mapping · ce28f0fd
      Aya Levin authored
      Add reserved mapping to cover all the register in order to avoid
      setting arbitrary values to newer FW which implements the reserved
      fields.
      
      Fixes: a58837f5 ("net/mlx5e: Expose FEC feilds and related capability bit")
      Signed-off-by: default avatarAya Levin <ayal@nvidia.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ce28f0fd
    • Raed Salem's avatar
      net/mlx5: Fix placement of log_max_flow_counter · a14587df
      Raed Salem authored
      The cited commit wrongly placed log_max_flow_counter field of
      mlx5_ifc_flow_table_prop_layout_bits, align it to the HW spec intended
      placement.
      
      Fixes: 16f1c5bb ("net/mlx5: Check device capability for maximum flow counters")
      Signed-off-by: default avatarRaed Salem <raeds@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      a14587df
    • Eli Cohen's avatar
      net/mlx5: Fix HW spec violation configuring uplink · 1a73704c
      Eli Cohen authored
      Make sure to modify uplink port to follow only if the uplink_follow
      capability is set as required by the HW spec. Failure to do so causes
      traffic to the uplink representor net device to cease after switching to
      switchdev mode.
      
      Fixes: 7d0314b1 ("net/mlx5e: Modify uplink state on interface up/down")
      Signed-off-by: default avatarEli Cohen <elic@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      1a73704c
  3. 06 Apr, 2021 16 commits