1. 28 Jul, 2023 18 commits
  2. 27 Jul, 2023 22 commits
    • Patrick Rohr's avatar
      net: remove comment in ndisc_router_discovery · ef27ba5c
      Patrick Rohr authored
      Removes superfluous (and misplaced) comment from ndisc_router_discovery.
      Signed-off-by: default avatarPatrick Rohr <prohr@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20230726184742.342825-1-prohr@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ef27ba5c
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 014acf26
      Jakub Kicinski authored
      Cross-merge networking fixes after downstream PR.
      
      No conflicts or adjacent changes.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      014acf26
    • Linus Torvalds's avatar
      Merge tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 57012c57
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, netfilter.
      
        Current release - regressions:
      
         - core: fix splice_to_socket() for O_NONBLOCK socket
      
         - af_unix: fix fortify_panic() in unix_bind_bsd().
      
         - can: raw: fix lockdep issue in raw_release()
      
        Previous releases - regressions:
      
         - tcp: reduce chance of collisions in inet6_hashfn().
      
         - netfilter: skip immediate deactivate in _PREPARE_ERROR
      
         - tipc: stop tipc crypto on failure in tipc_node_create
      
         - eth: igc: fix kernel panic during ndo_tx_timeout callback
      
         - eth: iavf: fix potential deadlock on allocation failure
      
        Previous releases - always broken:
      
         - ipv6: fix bug where deleting a mngtmpaddr can create a new
           temporary address
      
         - eth: ice: fix memory management in ice_ethtool_fdir.c
      
         - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue
      
         - eth: vxlan: calculate correct header length for GPE
      
         - eth: stmmac: apply redundant write work around on 4.xx too"
      
      * tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        tipc: stop tipc crypto on failure in tipc_node_create
        af_unix: Terminate sun_path when bind()ing pathname socket.
        tipc: check return value of pskb_trim()
        benet: fix return value check in be_lancer_xmit_workarounds()
        virtio-net: fix race between set queues and probe
        net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
        splice, net: Fix splice_to_socket() for O_NONBLOCK socket
        net: fec: tx processing does not call XDP APIs if budget is 0
        mptcp: more accurate NL event generation
        selftests: mptcp: join: only check for ip6tables if needed
        tools: ynl-gen: fix parse multi-attr enum attribute
        tools: ynl-gen: fix enum index in _decode_enum(..)
        netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
        netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
        netfilter: nft_set_rbtree: fix overlap expiration walk
        igc: Fix Kernel Panic during ndo_tx_timeout callback
        net: dsa: qca8k: fix mdb add/del case with 0 VID
        net: dsa: qca8k: fix broken search_and_del
        net: dsa: qca8k: fix search_and_insert wrong handling of new rule
        net: dsa: qca8k: enable use_single_write for qca8xxx
        ...
      57012c57
    • Linus Torvalds's avatar
      Merge tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire · bc168790
      Linus Torvalds authored
      Pull soundwire fixes from Vinod Koul:
      
       - Core fix for enumeration completion
      
       - Qualcomm driver fix to update status
      
       - AMD driver fix for probe error check
      
      * tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
        soundwire: amd: Fix a check for errors in probe()
        soundwire: qcom: update status correctly with mask
        soundwire: fix enumeration completion
      bc168790
    • Linus Torvalds's avatar
      Merge tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy · 53c8621b
      Linus Torvalds authored
      Pull phy fixes from Vinod Koul:
      
       - Out of bound fix for hisilicon phy
      
       - Qualcomm synopsis femto phy for keeping clock enabled during suspend
         and enabling ref clocks
      
       - Mediatek driver fixes for upper limit test and error code
      
      * tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
        phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
        phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
        phy: qcom-snps-femto-v2: properly enable ref clock
        phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend
        phy: mediatek: hdmi: mt8195: fix prediv bad upper limit test
        phy: phy-mtk-dp: Fix an error code in probe()
      53c8621b
    • Linus Torvalds's avatar
      Merge tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 64de76ce
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix accounting of global block reserve size when block group tree is
         enabled
      
       - the async discard has been enabled in 6.2 unconditionally, but for
         zoned mode it does not make that much sense to do it asynchronously
         as the zones are reset as needed
      
       - error handling and proper error value propagation fixes
      
      * tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: check for commit error at btrfs_attach_transaction_barrier()
        btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
        btrfs: remove BUG_ON()'s in add_new_free_space()
        btrfs: account block group tree when calculating global reserve size
        btrfs: zoned: do not enable async discard
      64de76ce
    • Linus Torvalds's avatar
      Merge tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock · 379e6671
      Linus Torvalds authored
      Pull memblock fix from Mike Rapoport:
       "A call to memblock_free() or memblock_phys_free() issued after
        memblock data is discarded will result in use after free in
        memblock_isolate_range().
      
        Avoid those issues by making sure that memblock_discard points
        memblock.reserved.regions back at the static buffer"
      
      * tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
        mm,memblock: reset memblock.reserved to system init state to prevent UAF
      379e6671
    • Jann Horn's avatar
      mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock · 657b5146
      Jann Horn authored
      lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't
      be called in the VMA-locked page fault path by ensuring that
      vma->anon_vma is set.
      
      However, this check happens before the VMA is locked, which means a
      concurrent move_vma() can concurrently call unlink_anon_vmas(), which
      disassociates the VMA's anon_vma.
      
      This means we can get UAF in the following scenario:
      
        THREAD 1                   THREAD 2
        ========                   ========
        <page fault>
          lock_vma_under_rcu()
            rcu_read_lock()
            mas_walk()
            check vma->anon_vma
      
                                   mremap() syscall
                                     move_vma()
                                      vma_start_write()
                                       unlink_anon_vmas()
                                   <syscall end>
      
          handle_mm_fault()
            __handle_mm_fault()
              handle_pte_fault()
                do_pte_missing()
                  do_anonymous_page()
                    anon_vma_prepare()
                      __anon_vma_prepare()
                        find_mergeable_anon_vma()
                          mas_walk() [looks up VMA X]
      
                                   munmap() syscall (deletes VMA X)
      
                          reusable_anon_vma() [called on freed VMA X]
      
      This is a security bug if you can hit it, although an attacker would
      have to win two races at once where the first race window is only a few
      instructions wide.
      
      This patch is based on some previous discussion with Linus Torvalds on
      the security list.
      
      Cc: stable@vger.kernel.org
      Fixes: 5e31275c ("mm: add per-VMA lock and helper functions to control it")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      657b5146
    • Paolo Abeni's avatar
      Merge branch 'virtio-vsock-some-updates-for-msg_peek-flag' · 9d0cd5d2
      Paolo Abeni authored
      Arseniy Krasnov says:
      
      ====================
      virtio/vsock: some updates for MSG_PEEK flag
      
      This patchset does several things around MSG_PEEK flag support. In
      general words it reworks MSG_PEEK test and adds support for this flag
      in SOCK_SEQPACKET logic. Here is per-patch description:
      
      1) This is cosmetic change for SOCK_STREAM implementation of MSG_PEEK:
         1) I think there is no need of "safe" mode walk here as there is no
            "unlink" of skbs inside loop (it is MSG_PEEK mode - we don't change
            queue).
         2) Nested while loop is removed: in case of MSG_PEEK we just walk
            over skbs and copy data from each one. I guess this nested loop
            even didn't behave as loop - it always executed just for single
            iteration.
      
      2) This adds MSG_PEEK support for SOCK_SEQPACKET. It could be implemented
         be reworking MSG_PEEK callback for SOCK_STREAM to support SOCK_SEQPACKET
         also, but I think it will be more simple and clear from potential
         bugs to implemented it as separate function thus not mixing logics
         for both types of socket. So I've added it as dedicated function.
      
      3) This is reworked MSG_PEEK test for SOCK_STREAM. Previous version just
         sent single byte, then tried to read it with MSG_PEEK flag, then read
         it in normal way. New version is more complex: now sender uses buffer
         instead of single byte and this buffer is initialized with random
         values. Receiver tests several things:
         1) Read empty socket with MSG_PEEK flag.
         2) Read part of buffer with MSG_PEEK flag.
         3) Read whole buffer with MSG_PEEK flag, then checks that it is same
            as buffer from 2) (limited by size of buffer from 2) of course).
         4) Read whole buffer without any flags, then checks that it is same
            as buffer from 3).
      
      4) This is MSG_PEEK test for SOCK_SEQPACKET. It works in the same way
         as for SOCK_STREAM, except it also checks combination of MSG_TRUNC
         and MSG_PEEK.
      ====================
      
      Link: https://lore.kernel.org/r/20230725172912.1659970-1-AVKrasnov@sberdevices.ruSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      9d0cd5d2
    • Arseniy Krasnov's avatar
      vsock/test: MSG_PEEK test for SOCK_SEQPACKET · 8a0697f2
      Arseniy Krasnov authored
      This adds MSG_PEEK test for SOCK_SEQPACKET. It works in the same way as
      SOCK_STREAM test, except it also tests MSG_TRUNC flag.
      Signed-off-by: default avatarArseniy Krasnov <AVKrasnov@sberdevices.ru>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      8a0697f2
    • Arseniy Krasnov's avatar
      vsock/test: rework MSG_PEEK test for SOCK_STREAM · 587ed79f
      Arseniy Krasnov authored
      This new version makes test more complicated by adding empty read,
      partial read and data comparisons between MSG_PEEK and normal reads.
      Signed-off-by: default avatarArseniy Krasnov <AVKrasnov@sberdevices.ru>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      587ed79f
    • Arseniy Krasnov's avatar
      virtio/vsock: support MSG_PEEK for SOCK_SEQPACKET · a75f501d
      Arseniy Krasnov authored
      This adds support of MSG_PEEK flag for SOCK_SEQPACKET type of socket.
      Difference with SOCK_STREAM is that this callback returns either length
      of the message or error.
      Signed-off-by: default avatarArseniy Krasnov <AVKrasnov@sberdevices.ru>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a75f501d
    • Arseniy Krasnov's avatar
      virtio/vsock: rework MSG_PEEK for SOCK_STREAM · 051e77e3
      Arseniy Krasnov authored
      This reworks current implementation of MSG_PEEK logic:
      1) Replaces 'skb_queue_walk_safe()' with 'skb_queue_walk()'. There is
         no need in the first one, as there are no removes of skb in loop.
      2) Removes nested while loop - MSG_PEEK logic could be implemented
         without it: just iterate over skbs without removing it and copy
         data from each until destination buffer is not full.
      Signed-off-by: default avatarArseniy Krasnov <AVKrasnov@sberdevices.ru>
      Reviewed-by: default avatarBobby Eshleman <bobby.eshleman@bytedance.com>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      051e77e3
    • Jeremy Sowden's avatar
      lib/ts_bm: add helper to reduce indentation and improve readability · 86e9c9aa
      Jeremy Sowden authored
      The flow-control of `bm_find` is very deeply nested with a conditional
      comparing a ternary expression against the pattern inside a for-loop
      inside a while-loop inside a for-loop.
      
      Move the inner for-loop into a helper function to reduce the amount of
      indentation and make the code easier to read.
      
      Fix indentation and trailing white-space in preceding debug logging
      statement.
      Signed-off-by: default avatarJeremy Sowden <jeremy@azazel.net>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      86e9c9aa
    • Lin Ma's avatar
      netfilter: conntrack: validate cta_ip via parsing · 0c805e80
      Lin Ma authored
      In current ctnetlink_parse_tuple_ip() function, nested parsing and
      validation is splitting as two parts,  which could be cleanup to a
      simplified form. As the nla_parse_nested_deprecated function
      supports validation in the fly. These two finially reach same place
      __nla_validate_parse with same validate flag.
      
      nla_parse_nested_deprecated
        __nla_parse(.., NL_VALIDATE_LIBERAL, ..)
          __nla_validate_parse
      
      nla_validate_nested_deprecated
        __nla_validate_nested(.., NL_VALIDATE_LIBERAL, ..)
          __nla_validate
            __nla_validate_parse
      
      This commit removes the call to nla_validate_nested_deprecated and pass
      cta_ip_nla_policy when do parsing.
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      0c805e80
    • Florian Westphal's avatar
      netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options · 100a11b6
      Florian Westphal authored
      nf_tables relies on manual test of netlink attributes coming from userspace
      even in cases where this could be handled via netlink policy.
      
      Convert a bunch of 'flag' attributes to use NLA_POLICY_MASK checks.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      100a11b6
    • Florian Westphal's avatar
      netlink: allow be16 and be32 types in all uint policy checks · 5fac9b7c
      Florian Westphal authored
      __NLA_IS_BEINT_TYPE(tp) isn't useful.  NLA_BE16/32 are identical to
      NLA_U16/32, the only difference is that it tells the netlink validation
      functions that byteorder conversion might be needed before comparing
      the value to the policy min/max ones.
      
      After this change all policy macros that can be used with UINT types,
      such as NLA_POLICY_MASK() can also be used with NLA_BE16/32.
      
      This will be used to validate nf_tables flag attributes which
      are in bigendian byte order.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      5fac9b7c
    • Zhu Wang's avatar
      nf_conntrack: fix -Wunused-const-variable= · a927d777
      Zhu Wang authored
      When building with W=1, the following warning occurs.
      
      net/netfilter/nf_conntrack_proto_dccp.c:72:27: warning: ‘dccp_state_names’ defined but not used [-Wunused-const-variable=]
       static const char * const dccp_state_names[] = {
      
      We include dccp_state_names in the macro
      CONFIG_NF_CONNTRACK_PROCFS, since it is only used in the place
      which is included in the macro CONFIG_NF_CONNTRACK_PROCFS.
      
      Fixes: 2bc78049 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
      Signed-off-by: default avatarZhu Wang <wangzhu9@huawei.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      a927d777
    • Fedor Pchelkin's avatar
      tipc: stop tipc crypto on failure in tipc_node_create · de52e173
      Fedor Pchelkin authored
      If tipc_link_bc_create() fails inside tipc_node_create() for a newly
      allocated tipc node then we should stop its tipc crypto and free the
      resources allocated with a call to tipc_crypto_start().
      
      As the node ref is initialized to one to that point, just put the ref on
      tipc_link_bc_create() error case that would lead to tipc_node_free() be
      eventually executed and properly clean the node and its crypto resources.
      
      Found by Linux Verification Center (linuxtesting.org).
      
      Fixes: cb8092d7 ("tipc: move bc link creation back to tipc_node_create")
      Suggested-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarFedor Pchelkin <pchelkin@ispras.ru>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/20230725214628.25246-1-pchelkin@ispras.ruSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      de52e173
    • Kuniyuki Iwashima's avatar
      af_unix: Terminate sun_path when bind()ing pathname socket. · ecb4534b
      Kuniyuki Iwashima authored
      kernel test robot reported slab-out-of-bounds access in strlen(). [0]
      
      Commit 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
      removed unix_mkname_bsd() call in unix_bind_bsd().
      
      If sunaddr->sun_path is not terminated by user and we don't enable
      CONFIG_INIT_STACK_ALL_ZERO=y, strlen() will do the out-of-bounds access
      during file creation.
      
      Let's go back to strlen()-with-sockaddr_storage way and pack all 108
      trickiness into unix_mkname_bsd() with bold comments.
      
      [0]:
      BUG: KASAN: slab-out-of-bounds in strlen (lib/string.c:?)
      Read of size 1 at addr ffff000015492777 by task fortify_strlen_/168
      
      CPU: 0 PID: 168 Comm: fortify_strlen_ Not tainted 6.5.0-rc1-00333-g3329b603ebba #16
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace (arch/arm64/kernel/stacktrace.c:235)
       show_stack (arch/arm64/kernel/stacktrace.c:242)
       dump_stack_lvl (lib/dump_stack.c:107)
       print_report (mm/kasan/report.c:365 mm/kasan/report.c:475)
       kasan_report (mm/kasan/report.c:590)
       __asan_report_load1_noabort (mm/kasan/report_generic.c:378)
       strlen (lib/string.c:?)
       getname_kernel (./include/linux/fortify-string.h:? fs/namei.c:226)
       kern_path_create (fs/namei.c:3926)
       unix_bind (net/unix/af_unix.c:1221 net/unix/af_unix.c:1324)
       __sys_bind (net/socket.c:1792)
       __arm64_sys_bind (net/socket.c:1801)
       invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
       el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
       do_el0_svc (arch/arm64/kernel/syscall.c:189)
       el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
       el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
       el0t_64_sync (arch/arm64/kernel/entry.S:591)
      
      Allocated by task 168:
       kasan_set_track (mm/kasan/common.c:45 mm/kasan/common.c:52)
       kasan_save_alloc_info (mm/kasan/generic.c:512)
       __kasan_kmalloc (mm/kasan/common.c:383)
       __kmalloc (mm/slab_common.c:? mm/slab_common.c:998)
       unix_bind (net/unix/af_unix.c:257 net/unix/af_unix.c:1213 net/unix/af_unix.c:1324)
       __sys_bind (net/socket.c:1792)
       __arm64_sys_bind (net/socket.c:1801)
       invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
       el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
       do_el0_svc (arch/arm64/kernel/syscall.c:189)
       el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
       el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
       el0t_64_sync (arch/arm64/kernel/entry.S:591)
      
      The buggy address belongs to the object at ffff000015492700
       which belongs to the cache kmalloc-128 of size 128
      The buggy address is located 0 bytes to the right of
       allocated 119-byte region [ffff000015492700, ffff000015492777)
      
      The buggy address belongs to the physical page:
      page:00000000aeab52ba refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55492
      anon flags: 0x3fffc0000000200(slab|node=0|zone=0|lastcpupid=0xffff)
      page_type: 0xffffffff()
      raw: 03fffc0000000200 ffff0000084018c0 fffffc00003d0e00 0000000000000005
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff000015492600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff000015492680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff000015492700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fc
                                                                   ^
       ffff000015492780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff000015492800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
      Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/netdev/202307262110.659e5e8-oliver.sang@intel.com/Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20230726190828.47874-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ecb4534b
    • Yuanjun Gong's avatar
      tipc: check return value of pskb_trim() · e46e06ff
      Yuanjun Gong authored
      goto free_skb if an unexpected result is returned by pskb_tirm()
      in tipc_crypto_rcv_complete().
      
      Fixes: fc1b6d6d ("tipc: introduce TIPC encryption & authentication")
      Signed-off-by: default avatarYuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: default avatarTung Nguyen <tung.q.nguyen@dektech.com.au>
      Link: https://lore.kernel.org/r/20230725064810.5820-1-ruc_gongyuanjun@163.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e46e06ff
    • Yuanjun Gong's avatar
      benet: fix return value check in be_lancer_xmit_workarounds() · 5c85f706
      Yuanjun Gong authored
      in be_lancer_xmit_workarounds(), it should go to label 'tx_drop'
      if an unexpected value is returned by pskb_trim().
      
      Fixes: 93040ae5 ("be2net: Fix to trim skb for padded vlan packets to workaround an ASIC Bug")
      Signed-off-by: default avatarYuanjun Gong <ruc_gongyuanjun@163.com>
      Link: https://lore.kernel.org/r/20230725032726.15002-1-ruc_gongyuanjun@163.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      5c85f706