1. 30 Jun, 2020 9 commits
  2. 29 Jun, 2020 6 commits
    • David S. Miller's avatar
      Merge tag 'mac80211-for-net-2020-06-29' of... · 33c568ba
      David S. Miller authored
      Merge tag 'mac80211-for-net-2020-06-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Couple of fixes/small things:
       * TX control port status check fixed to not assume frame format
       * mesh control port fixes
       * error handling/leak fixes when starting AP, with HE attributes
       * fix broadcast packet handling with encapsulation offload
       * add new AKM suites
       * and a small code cleanup
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      33c568ba
    • Eric Dumazet's avatar
      llc: make sure applications use ARPHRD_ETHER · a9b11101
      Eric Dumazet authored
      syzbot was to trigger a bug by tricking AF_LLC with
      non sensible addr->sllc_arphrd
      
      It seems clear LLC requires an Ethernet device.
      
      Back in commit abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Octavian Purdila added possibility for application to use a zero
      value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause
      regressions on existing applications.
      
      BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline]
      BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline]
      BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline]
      BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline]
      BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline]
      BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813
      Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27
      
      CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       __read_once_size include/linux/compiler.h:199 [inline]
       list_empty include/linux/list.h:268 [inline]
       waitqueue_active include/linux/wait.h:126 [inline]
       wq_has_sleeper include/linux/wait.h:160 [inline]
       skwq_has_sleeper include/net/sock.h:2092 [inline]
       sock_def_write_space+0x642/0x670 net/core/sock.c:2813
       sock_wfree+0x1e1/0x260 net/core/sock.c:1958
       skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652
       skb_release_all+0x16/0x60 net/core/skbuff.c:663
       __kfree_skb net/core/skbuff.c:679 [inline]
       consume_skb net/core/skbuff.c:838 [inline]
       consume_skb+0xfb/0x410 net/core/skbuff.c:832
       __dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967
       dev_kfree_skb_any include/linux/netdevice.h:3650 [inline]
       e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963
       e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline]
       e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796
       napi_poll net/core/dev.c:6532 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6600
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:603 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
       smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 8247:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
       slab_post_alloc_hook mm/slab.h:584 [inline]
       slab_alloc mm/slab.c:3320 [inline]
       kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
       sock_alloc_inode+0x1c/0x1d0 net/socket.c:240
       alloc_inode+0x68/0x1e0 fs/inode.c:230
       new_inode_pseudo+0x19/0xf0 fs/inode.c:919
       sock_alloc+0x41/0x270 net/socket.c:560
       __sock_create+0xc2/0x730 net/socket.c:1384
       sock_create net/socket.c:1471 [inline]
       __sys_socket+0x103/0x220 net/socket.c:1513
       __do_sys_socket net/socket.c:1522 [inline]
       __se_sys_socket net/socket.c:1520 [inline]
       __ia32_sys_socket+0x73/0xb0 net/socket.c:1520
       do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
       do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      
      Freed by task 17:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kmem_cache_free+0x86/0x320 mm/slab.c:3694
       sock_free_inode+0x20/0x30 net/socket.c:261
       i_callback+0x44/0x80 fs/inode.c:219
       __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
       rcu_do_batch kernel/rcu/tree.c:2183 [inline]
       rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408
       rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417
       __do_softirq+0x262/0x98c kernel/softirq.c:292
      
      The buggy address belongs to the object at ffff88801e0b4000
       which belongs to the cache sock_inode_cache of size 1152
      The buggy address is located 120 bytes inside of
       1152-byte region [ffff88801e0b4000, ffff88801e0b4480)
      The buggy address belongs to the page:
      page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd
      raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40
      raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                      ^
       ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a9b11101
    • Cong Wang's avatar
      net: explain the lockdep annotations for dev_uc_unsync() · e8280338
      Cong Wang authored
      The lockdep annotations for dev_uc_unsync() and dev_mc_unsync()
      are not easy to understand, so add some comments to explain
      why they are correct.
      
      Similar for the rest netif_addr_lock_bh() cases, they don't
      need nested version.
      
      Cc: Taehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e8280338
    • Cong Wang's avatar
      net: get rid of lockdep_set_class_and_subclass() · be74294f
      Cong Wang authored
      lockdep_set_class_and_subclass() is meant to reduce
      the _nested() annotations by assigning a default subclass.
      For addr_list_lock, we have to compute the subclass at
      run-time as the netdevice topology changes after creation.
      
      So, we should just get rid of these
      lockdep_set_class_and_subclass() and stick with our _nested()
      annotations.
      
      Fixes: 845e0ebb ("net: change addr_list_lock back to static key")
      Suggested-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be74294f
    • Vladimir Oltean's avatar
      lib: packing: add documentation for pbuflen argument · 7dea927f
      Vladimir Oltean authored
      Fixes sparse warning:
      
      Function parameter or member 'pbuflen' not described in 'packing'
      
      Fixes: 554aae35 ("lib: Add support for generic packing operations")
      Signed-off-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7dea927f
    • Horatiu Vultur's avatar
      bridge: mrp: Fix endian conversion and some other warnings · 9b14d1f8
      Horatiu Vultur authored
      The following sparse warnings are fixed:
      net/bridge/br_mrp.c:106:18: warning: incorrect type in assignment (different base types)
      net/bridge/br_mrp.c:106:18:    expected unsigned short [usertype]
      net/bridge/br_mrp.c:106:18:    got restricted __be16 [usertype]
      net/bridge/br_mrp.c:281:23: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:281:23:    expected struct list_head *entry
      net/bridge/br_mrp.c:281:23:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:332:28: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:332:28:    expected struct list_head *new
      net/bridge/br_mrp.c:332:28:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:332:40: warning: incorrect type in argument 2 (different modifiers)
      net/bridge/br_mrp.c:332:40:    expected struct list_head *head
      net/bridge/br_mrp.c:332:40:    got struct list_head [noderef] *
      net/bridge/br_mrp.c:682:29: warning: incorrect type in argument 1 (different modifiers)
      net/bridge/br_mrp.c:682:29:    expected struct list_head const *head
      net/bridge/br_mrp.c:682:29:    got struct list_head [noderef] *
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: 2f1a11ae ("bridge: mrp: Add MRP interface.")
      Fixes: 4b8d7d4c ("bridge: mrp: Extend bridge interface")
      Fixes: 9a9f26e8 ("bridge: mrp: Connect MRP API with the switchdev API")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b14d1f8
  3. 28 Jun, 2020 1 commit
  4. 26 Jun, 2020 5 commits
    • Claudiu Manoil's avatar
      enetc: Fix tx rings bitmap iteration range, irq handling · 0574e200
      Claudiu Manoil authored
      The rings bitmap of an interrupt vector encodes
      which of the device's rings were assigned to that
      interrupt vector.
      Hence the iteration range of the tx rings bitmap
      (for_each_set_bit()) should be the total number of
      Tx rings of that netdevice instead of the number of
      rings assigned to the interrupt vector.
      Since there are 2 cores, and one interrupt vector for
      each core, the number of rings asigned to an interrupt
      vector is half the number of available rings.
      The impact of this error is that the upper half of the
      tx rings could still generate interrupts during napi
      polling.
      
      Fixes: d4fd0404 ("enetc: Introduce basic PF and VF ENETC ethernet drivers")
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0574e200
    • Shannon Nelson's avatar
      ionic: update the queue count on open · fa48494c
      Shannon Nelson authored
      Let the network stack know the real number of queues that
      we are using.
      
      v2: added error checking
      
      Fixes: 49d3b493 ("ionic: disable the queues on link down")
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fa48494c
    • Luca Coelho's avatar
      nl80211: fix memory leak when parsing NL80211_ATTR_HE_BSS_COLOR · 60a0121f
      Luca Coelho authored
      If there is an error when parsing the NL80211_ATTR_HE_BSS_COLOR
      attribute, we return immediately without freeing param.acl.  Fit it by
      using goto out instead of returning immediately.
      
      Fixes: 5c5e52d1 ("nl80211: add handling for BSS color")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/iwlwifi.20200626124931.7ad2a3eb894f.I60905fb70bd20389a3b170db515a07275e31845e@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      60a0121f
    • Luca Coelho's avatar
      nl80211: don't return err unconditionally in nl80211_start_ap() · bc7a39b4
      Luca Coelho authored
      When a memory leak was fixed, a return err was changed to goto err,
      but, accidentally, the if (err) was removed, so now we always exit at
      this point.
      
      Fix it by adding if (err) back.
      
      Fixes: 9951ebfc ("nl80211: fix potential leak in AP start")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      bc7a39b4
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 4a21185c
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Don't insert ESP trailer twice in IPSEC code, from Huy Nguyen.
      
       2) The default crypto algorithm selection in Kconfig for IPSEC is out
          of touch with modern reality, fix this up. From Eric Biggers.
      
       3) bpftool is missing an entry for BPF_MAP_TYPE_RINGBUF, from Andrii
          Nakryiko.
      
       4) Missing init of ->frame_sz in xdp_convert_zc_to_xdp_frame(), from
          Hangbin Liu.
      
       5) Adjust packet alignment handling in ax88179_178a driver to match
          what the hardware actually does. From Jeremy Kerr.
      
       6) register_netdevice can leak in the case one of the notifiers fail,
          from Yang Yingliang.
      
       7) Use after free in ip_tunnel_lookup(), from Taehee Yoo.
      
       8) VLAN checks in sja1105 DSA driver need adjustments, from Vladimir
          Oltean.
      
       9) tg3 driver can sleep forever when we get enough EEH errors, fix from
          David Christensen.
      
      10) Missing {READ,WRITE}_ONCE() annotations in various Intel ethernet
          drivers, from Ciara Loftus.
      
      11) Fix scanning loop break condition in of_mdiobus_register(), from
          Florian Fainelli.
      
      12) MTU limit is incorrect in ibmveth driver, from Thomas Falcon.
      
      13) Endianness fix in mlxsw, from Ido Schimmel.
      
      14) Use after free in smsc95xx usbnet driver, from Tuomas Tynkkynen.
      
      15) Missing bridge mrp configuration validation, from Horatiu Vultur.
      
      16) Fix circular netns references in wireguard, from Jason A. Donenfeld.
      
      17) PTP initialization on recovery is not done properly in qed driver,
          from Alexander Lobakin.
      
      18) Endian conversion of L4 ports in filters of cxgb4 driver is wrong,
          from Rahul Lakkireddy.
      
      19) Don't clear bound device TX queue of socket prematurely otherwise we
          get problems with ktls hw offloading, from Tariq Toukan.
      
      20) ipset can do atomics on unaligned memory, fix from Russell King.
      
      21) Align ethernet addresses properly in bridging code, from Thomas
          Martitz.
      
      22) Don't advertise ipv4 addresses on SCTP sockets having ipv6only set,
          from Marcelo Ricardo Leitner.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (149 commits)
        rds: transport module should be auto loaded when transport is set
        sch_cake: fix a few style nits
        sch_cake: don't call diffserv parsing code when it is not needed
        sch_cake: don't try to reallocate or unshare skb unconditionally
        ethtool: fix error handling in linkstate_prepare_data()
        wil6210: account for napi_gro_receive never returning GRO_DROP
        hns: do not cast return value of napi_gro_receive to null
        socionext: account for napi_gro_receive never returning GRO_DROP
        wireguard: receive: account for napi_gro_receive never returning GRO_DROP
        vxlan: fix last fdb index during dump of fdb with nhid
        sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
        tc-testing: avoid action cookies with odd length.
        bpf: tcp: bpf_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
        tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
        net: dsa: sja1105: fix tc-gate schedule with single element
        net: dsa: sja1105: recalculate gating subschedule after deleting tc-gate rules
        net: dsa: sja1105: unconditionally free old gating config
        net: dsa: sja1105: move sja1105_compose_gating_subschedule at the top
        net: macb: free resources on failure path of at91ether_open()
        net: macb: call pm_runtime_put_sync on failure path
        ...
      4a21185c
  5. 25 Jun, 2020 19 commits