1. 04 Apr, 2024 1 commit
    • Wei Fang's avatar
      net: fec: Set mac_managed_pm during probe · cbc17e78
      Wei Fang authored
      Setting mac_managed_pm during interface up is too late.
      
      In situations where the link is not brought up yet and the system suspends
      the regular PHY power management will run. Since the FEC ETHEREN control
      bit is cleared (automatically) on suspend the controller is off in resume.
      When the regular PHY power management resume path runs in this context it
      will write to the MII_DATA register but nothing will be transmitted on the
      MDIO bus.
      
      This can be observed by the following log:
      
          fec 5b040000.ethernet eth0: MDIO read timeout
          Microchip LAN87xx T1 5b040000.ethernet-1:04: PM: dpm_run_callback(): mdio_bus_phy_resume+0x0/0xc8 returns -110
          Microchip LAN87xx T1 5b040000.ethernet-1:04: PM: failed to resume: error -110
      
      The data written will however remain in the MII_DATA register.
      
      When the link later is set to administrative up it will trigger a call to
      fec_restart() which will restore the MII_SPEED register. This triggers the
      quirk explained in f166f890 ("net: ethernet: fec: Replace interrupt
      driven MDIO with polled IO") causing an extra MII_EVENT.
      
      This extra event desynchronizes all the MDIO register reads, causing them
      to complete too early. Leading all reads to read as 0 because
      fec_enet_mdio_wait() returns too early.
      
      When a Microchip LAN8700R PHY is connected to the FEC, the 0 reads causes
      the PHY to be initialized incorrectly and the PHY will not transmit any
      ethernet signal in this state. It cannot be brought out of this state
      without a power cycle of the PHY.
      
      Fixes: 557d5dc8 ("net: fec: use mac-managed PHY PM")
      Closes: https://lore.kernel.org/netdev/1f45bdbe-eab1-4e59-8f24-add177590d27@actia.se/Signed-off-by: default avatarWei Fang <wei.fang@nxp.com>
      [jernberg: commit message]
      Signed-off-by: default avatarJohn Ernberg <john.ernberg@actia.se>
      Link: https://lore.kernel.org/r/20240328155909.59613-2-john.ernberg@actia.seSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cbc17e78
  2. 03 Apr, 2024 7 commits
    • Phil Elwell's avatar
      net: bcmgenet: Reset RBUF on first open · 0a6380cb
      Phil Elwell authored
      If the RBUF logic is not reset when the kernel starts then there
      may be some data left over from any network boot loader. If the
      64-byte packet headers are enabled then this can be fatal.
      
      Extend bcmgenet_dma_disable to do perform the reset, but not when
      called from bcmgenet_resume in order to preserve a wake packet.
      
      N.B. This different handling of resume is just based on a hunch -
      why else wouldn't one reset the RBUF as well as the TBUF? If this
      isn't the case then it's easy to change the patch to make the RBUF
      reset unconditional.
      
      See: https://github.com/raspberrypi/linux/issues/3850
      See: https://github.com/raspberrypi/firmware/issues/1882Signed-off-by: default avatarPhil Elwell <phil@raspberrypi.com>
      Signed-off-by: default avatarMaarten Vanraes <maarten@rmail.be>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0a6380cb
    • Aleksandr Mishin's avatar
      octeontx2-af: Add array index check · ef15ddee
      Aleksandr Mishin authored
      In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
      value (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
      Fix this bug by adding 'iter' value check.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: 91c6945e ("octeontx2-af: cn10k: Add RPM MAC support")
      Signed-off-by: default avatarAleksandr Mishin <amishin@t-argos.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef15ddee
    • Tariq Toukan's avatar
      MAINTAINERS: mlx5: Add Tariq Toukan · c53fe72c
      Tariq Toukan authored
      Add myself as mlx5 core and EN maintainer.
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Acked-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Link: https://lore.kernel.org/r/20240401184347.53884-1-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c53fe72c
    • Kuniyuki Iwashima's avatar
      ipv6: Fix infinite recursion in fib6_dump_done(). · d21d4060
      Kuniyuki Iwashima authored
      syzkaller reported infinite recursive calls of fib6_dump_done() during
      netlink socket destruction.  [1]
      
      From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
      the response was generated.  The following recvmmsg() resumed the dump
      for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
      to the fault injection.  [0]
      
        12:01:34 executing program 3:
        r0 = socket$nl_route(0x10, 0x3, 0x0)
        sendmsg$nl_route(r0, ... snip ...)
        recvmmsg(r0, ... snip ...) (fail_nth: 8)
      
      Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
      of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped
      receiving the response halfway through, and finally netlink_sock_destruct()
      called nlk_sk(sk)->cb.done().
      
      fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
      is still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
      nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
      itself recursively and hitting the stack guard page.
      
      To avoid the issue, let's set the destructor after kzalloc().
      
      [0]:
      FAULT_INJECTION: forcing a failure.
      name failslab, interval 1, probability 0, space 0, times 0
      CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91-dirty #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl (lib/dump_stack.c:117)
       should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
       should_failslab (mm/slub.c:3733)
       kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
       inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
       rtnl_dump_all (net/core/rtnetlink.c:4029)
       netlink_dump (net/netlink/af_netlink.c:2269)
       netlink_recvmsg (net/netlink/af_netlink.c:1988)
       ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
       ___sys_recvmsg (net/socket.c:2846)
       do_recvmmsg (net/socket.c:2943)
       __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
      
      [1]:
      BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
      stack guard page: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91-dirty #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Workqueue: events netlink_sock_destruct_work
      RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
      Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
      RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
      RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
      RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
      R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
      FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
      PKRU: 55555554
      Call Trace:
       <#DF>
       </#DF>
       <TASK>
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       ...
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       netlink_sock_destruct (net/netlink/af_netlink.c:401)
       __sk_destruct (net/core/sock.c:2177 (discriminator 2))
       sk_destruct (net/core/sock.c:2224)
       __sk_free (net/core/sock.c:2235)
       sk_free (net/core/sock.c:2246)
       process_one_work (kernel/workqueue.c:3259)
       worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
       kthread (kernel/kthread.c:388)
       ret_from_fork (arch/x86/kernel/process.c:153)
       ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
      Modules linked in:
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d21d4060
    • Heiner Kallweit's avatar
      r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d · 5d872c9f
      Heiner Kallweit authored
      On some boards with this chip version the BIOS is buggy and misses
      to reset the PHY page selector. This results in the PHY ID read
      accessing registers on a different page, returning a more or
      less random value. Fix this by resetting the page selector first.
      
      Fixes: f1e911d5 ("r8169: add basic phylib support")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/64f2055e-98b8-45ec-8568-665e3d54d4e6@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5d872c9f
    • Marco Pinna's avatar
      vsock/virtio: fix packet delivery to tap device · b32a09ea
      Marco Pinna authored
      Commit 82dfb540 ("VSOCK: Add virtio vsock vsockmon hooks") added
      virtio_transport_deliver_tap_pkt() for handing packets to the
      vsockmon device. However, in virtio_transport_send_pkt_work(),
      the function is called before actually sending the packet (i.e.
      before placing it in the virtqueue with virtqueue_add_sgs() and checking
      whether it returned successfully).
      Queuing the packet in the virtqueue can fail even multiple times.
      However, in virtio_transport_deliver_tap_pkt() we deliver the packet
      to the monitoring tap interface only the first time we call it.
      This certainly avoids seeing the same packet replicated multiple times
      in the monitoring interface, but it can show the packet sent with the
      wrong timestamp or even before we succeed to queue it in the virtqueue.
      
      Move virtio_transport_deliver_tap_pkt() after calling virtqueue_add_sgs()
      and making sure it returned successfully.
      
      Fixes: 82dfb540 ("VSOCK: Add virtio vsock vsockmon hooks")
      Cc: stable@vge.kernel.org
      Signed-off-by: default avatarMarco Pinna <marco.pinn95@gmail.com>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20240329161259.411751-1-marco.pinn95@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b32a09ea
    • Duoming Zhou's avatar
      ax25: fix use-after-free bugs caused by ax25_ds_del_timer · fd819ad3
      Duoming Zhou authored
      When the ax25 device is detaching, the ax25_dev_device_down()
      calls ax25_ds_del_timer() to cleanup the slave_timer. When
      the timer handler is running, the ax25_ds_del_timer() that
      calls del_timer() in it will return directly. As a result,
      the use-after-free bugs could happen, one of the scenarios
      is shown below:
      
            (Thread 1)          |      (Thread 2)
                                | ax25_ds_timeout()
      ax25_dev_device_down()    |
        ax25_ds_del_timer()     |
          del_timer()           |
        ax25_dev_put() //FREE   |
                                |  ax25_dev-> //USE
      
      In order to mitigate bugs, when the device is detaching, use
      timer_shutdown_sync() to stop the timer.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240329015023.9223-1-duoming@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fd819ad3
  3. 02 Apr, 2024 7 commits
  4. 29 Mar, 2024 25 commits
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2024-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 365af7ac
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Bluetooth: Fix TOCTOU in HCI debugfs implementation
       - Bluetooth: hci_event: set the conn encrypted before conn establishes
       - Bluetooth: qca: fix device-address endianness
       - Bluetooth: hci_sync: Fix not checking error on hci_cmd_sync_cancel_sync
      
      * tag 'for-net-2024-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: Fix TOCTOU in HCI debugfs implementation
        Bluetooth: hci_event: set the conn encrypted before conn establishes
        Bluetooth: hci_sync: Fix not checking error on hci_cmd_sync_cancel_sync
        Bluetooth: qca: fix device-address endianness
        Bluetooth: add quirk for broken address properties
        arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken
        dt-bindings: bluetooth: add 'qcom,local-bd-address-broken'
        Revert "Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT"
      ====================
      
      Link: https://lore.kernel.org/r/20240329140453.2016486-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      365af7ac
    • Jakub Kicinski's avatar
      Merge branch 'tcp-fix-bind-regression-and-more-tests' · ec7ef3ea
      Jakub Kicinski authored
      Kuniyuki Iwashima says:
      
      ====================
      tcp: Fix bind() regression and more tests.
      
      bhash2 has not been well tested for IPV6_V6ONLY option.
      
      This series fixes two regression around IPV6_V6ONLY, one of which
      has been there since bhash2 introduction, and another is introduced
      by a recent change.
      
      Also, this series adds as many tests as possible to catch regression
      easily.  The baseline is 28044fc1~ which is pre-bhash2 commit.
      
       Tested on 28044fc1~:
        # PASSED: 132 / 132 tests passed.
        # Totals: pass:132 fail:0 xfail:0 xpass:0 skip:0 error:0
      
       net.git:
        # FAILED: 125 / 132 tests passed.
        # Totals: pass:125 fail:7 xfail:0 xpass:0 skip:0 error:0
      
       With this series:
        # PASSED: 132 / 132 tests passed.
        # Totals: pass:132 fail:0 xfail:0 xpass:0 skip:0 error:0
      
      v1: https://lore.kernel.org/netdev/20240325181923.48769-1-kuniyu@amazon.com/
      ====================
      
      Link: https://lore.kernel.org/r/20240326204251.51301-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ec7ef3ea
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Add bind() tests for SO_REUSEADDR/SO_REUSEPORT. · 7679f096
      Kuniyuki Iwashima authored
      This patch adds two tests using SO_REUSEADDR and SO_REUSEPORT and
      defines errno for each test case.
      
      SO_REUSEADDR/SO_REUSEPORT is set for the per-fixture two bind()
      calls.
      
      The notable pattern is the pair of v6only [::] and plain [::].
      The two sockets are put into the same tb2, where per-bucket v6only
      flag would be useless to detect bind() conflict.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-9-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7679f096
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Add bind() tests for IPV6_V6ONLY. · d37f2f72
      Kuniyuki Iwashima authored
      bhash2 was not well tested for IPv6-only sockets.
      
      This patch adds test cases where we set IPV6_V6ONLY for per-fixture
      bind() calls if variant->ipv6_only[i] is true.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-8-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d37f2f72
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Add more bind() calls. · f40742c2
      Kuniyuki Iwashima authored
      In addtition to the two addresses defined in the fixtures, this patch
      add 6 more bind calls():
      
        * 0.0.0.0
        * 127.0.0.1
        * ::
        * ::1
        * ::ffff:0.0.0.0
        * ::ffff:127.0.0.1
      
      The first two per-fixture bind() calls control how inet_bind2_bucket
      is created, and the rest 6 bind() calls cover as many conflicting
      patterns as possible.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-7-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f40742c2
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Add v4-v4 and v6-v6 bind() conflict tests. · 5e9e9afd
      Kuniyuki Iwashima authored
      We don't have bind() conflict tests for the same protocol pairs.
      
      Let's add them except for the same address pair, which will be
      covered by the following patch adding 6 more bind() calls for
      each test case.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-6-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5e9e9afd
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Define the reverse order bind() tests explicitly. · 6f9bc755
      Kuniyuki Iwashima authored
      Currently, bind_wildcard.c calls bind() twice for two addresses and
      checks the pre-defined errno against the 2nd call.  Also, the two
      bind() calls are swapped to cover various patterns how bind buckets
      are created.
      
      However, only testing two addresses is insufficient to detect regression.
      So, we will add more bind() calls, and then, we need to define different
      errno for each bind() per test case.
      
      As a prepartion, let's define the reverse order bind() test cases as
      fixtures.
      
      No functional changes are intended.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-5-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6f9bc755
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Make bind() selftest flexible. · c48baf56
      Kuniyuki Iwashima authored
      Currently, bind_wildcard.c tests only (IPv4, IPv6) pairs, but we will
      add more tests for the same protocol pairs.
      
      This patch makes it possible by changing the address pointer to void.
      
      No functional changes are intended.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-4-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c48baf56
    • Kuniyuki Iwashima's avatar
      tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses. · d91ef1e1
      Kuniyuki Iwashima authored
      Jianguo Wu reported another bind() regression introduced by bhash2.
      
      Calling bind() for the following 3 addresses on the same port, the
      3rd one should fail but now succeeds.
      
        1. 0.0.0.0 or ::ffff:0.0.0.0
        2. [::] w/ IPV6_V6ONLY
        3. IPv4 non-wildcard address or v4-mapped-v6 non-wildcard address
      
      The first two bind() create tb2 like this:
      
        bhash2 -> tb2(:: w/ IPV6_V6ONLY) -> tb2(0.0.0.0)
      
      The 3rd bind() will match with the IPv6 only wildcard address bucket
      in inet_bind2_bucket_match_addr_any(), however, no conflicting socket
      exists in the bucket.  So, inet_bhash2_conflict() will returns false,
      and thus, inet_bhash2_addr_any_conflict() returns false consequently.
      
      As a result, the 3rd bind() bypasses conflict check, which should be
      done against the IPv4 wildcard address bucket.
      
      So, in inet_bhash2_addr_any_conflict(), we must iterate over all buckets.
      
      Note that we cannot add ipv6_only flag for inet_bind2_bucket as it
      would confuse the following patetrn.
      
        1. [::] w/ SO_REUSE{ADDR,PORT} and IPV6_V6ONLY
        2. [::] w/ SO_REUSE{ADDR,PORT}
        3. IPv4 non-wildcard address or v4-mapped-v6 non-wildcard address
      
      The first bind() would create a bucket with ipv6_only flag true,
      the second bind() would add the [::] socket into the same bucket,
      and the third bind() could succeed based on the wrong assumption
      that ipv6_only bucket would not conflict with v4(-mapped-v6) address.
      
      Fixes: 28044fc1 ("net: Add a bhash2 table hashed by port and address")
      Diagnosed-by: default avatarJianguo Wu <wujianguo106@163.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-3-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d91ef1e1
    • Kuniyuki Iwashima's avatar
      tcp: Fix bind() regression for v6-only wildcard and v4-mapped-v6 non-wildcard addresses. · ea111449
      Kuniyuki Iwashima authored
      Commit 5e07e672 ("tcp: Use bhash2 for v4-mapped-v6 non-wildcard
      address.") introduced bind() regression for v4-mapped-v6 address.
      
      When we bind() the following two addresses on the same port, the 2nd
      bind() should succeed but fails now.
      
        1. [::] w/ IPV6_ONLY
        2. ::ffff:127.0.0.1
      
      After the chagne, v4-mapped-v6 uses bhash2 instead of bhash to
      detect conflict faster, but I forgot to add a necessary change.
      
      During the 2nd bind(), inet_bind2_bucket_match_addr_any() returns
      the tb2 bucket of [::], and inet_bhash2_conflict() finally calls
      inet_bind_conflict(), which returns true, meaning conflict.
      
        inet_bhash2_addr_any_conflict
        |- inet_bind2_bucket_match_addr_any  <-- return [::] bucket
        `- inet_bhash2_conflict
           `- __inet_bhash2_conflict <-- checks IPV6_ONLY for AF_INET
              |                          but not for v4-mapped-v6 address
              `- inet_bind_conflict  <-- does not check address
      
      inet_bind_conflict() does not check socket addresses because
      __inet_bhash2_conflict() is expected to do so.
      
      However, it checks IPV6_V6ONLY attribute only against AF_INET
      socket, and not for v4-mapped-v6 address.
      
      As a result, v4-mapped-v6 address conflicts with v6-only wildcard
      address.
      
      To avoid that, let's add the missing test to use bhash2 for
      v4-mapped-v6 address.
      
      Fixes: 5e07e672 ("tcp: Use bhash2 for v4-mapped-v6 non-wildcard address.")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240326204251.51301-2-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ea111449
    • Eric Dumazet's avatar
      erspan: make sure erspan_base_hdr is present in skb->head · 17af4205
      Eric Dumazet authored
      syzbot reported a problem in ip6erspan_rcv() [1]
      
      Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
      sure erspan_base_hdr is present in skb linear part (skb->head)
      before getting @ver field from it.
      
      Add the missing pskb_may_pull() calls.
      
      v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
          because skb->head might have changed.
      
      [1]
      
       BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
       BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
       BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
       BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
        pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
        pskb_may_pull include/linux/skbuff.h:2756 [inline]
        ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
        gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
        ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
        ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
        NF_HOOK include/linux/netfilter.h:314 [inline]
        ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
        ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
        dst_input include/net/dst.h:460 [inline]
        ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
        NF_HOOK include/linux/netfilter.h:314 [inline]
        ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
        __netif_receive_skb_one_core net/core/dev.c:5538 [inline]
        __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
        netif_receive_skb_internal net/core/dev.c:5738 [inline]
        netif_receive_skb+0x58/0x660 net/core/dev.c:5798
        tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
        tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
        tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
        call_write_iter include/linux/fs.h:2108 [inline]
        new_sync_write fs/read_write.c:497 [inline]
        vfs_write+0xb63/0x1520 fs/read_write.c:590
        ksys_write+0x20f/0x4c0 fs/read_write.c:643
        __do_sys_write fs/read_write.c:655 [inline]
        __se_sys_write fs/read_write.c:652 [inline]
        __x64_sys_write+0x93/0xe0 fs/read_write.c:652
       do_syscall_64+0xd5/0x1f0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      Uninit was created at:
        slab_post_alloc_hook mm/slub.c:3804 [inline]
        slab_alloc_node mm/slub.c:3845 [inline]
        kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
        kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
        __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
        alloc_skb include/linux/skbuff.h:1318 [inline]
        alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
        sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
        tun_alloc_skb drivers/net/tun.c:1525 [inline]
        tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
        tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
        call_write_iter include/linux/fs.h:2108 [inline]
        new_sync_write fs/read_write.c:497 [inline]
        vfs_write+0xb63/0x1520 fs/read_write.c:590
        ksys_write+0x20f/0x4c0 fs/read_write.c:643
        __do_sys_write fs/read_write.c:655 [inline]
        __se_sys_write fs/read_write.c:652 [inline]
        __x64_sys_write+0x93/0xe0 fs/read_write.c:652
       do_syscall_64+0xd5/0x1f0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g96249052 #0
      
      Fixes: cb73ee40 ("net: ip_gre: use erspan key field for tunnel lookup")
      Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Lorenzo Bianconi <lorenzo@kernel.org>
      Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      17af4205
    • Atlas Yu's avatar
      r8169: skip DASH fw status checks when DASH is disabled · 5e864d90
      Atlas Yu authored
      On devices that support DASH, the current code in the "rtl_loop_wait" function
      raises false alarms when DASH is disabled. This occurs because the function
      attempts to wait for the DASH firmware to be ready, even though it's not
      relevant in this case.
      
      r8169 0000:0c:00.0 eth0: RTL8168ep/8111ep, 38:7c:76:49:08:d9, XID 502, IRQ 86
      r8169 0000:0c:00.0 eth0: jumbo features [frames: 9194 bytes, tx checksumming: ko]
      r8169 0000:0c:00.0 eth0: DASH disabled
      ...
      r8169 0000:0c:00.0 eth0: rtl_ep_ocp_read_cond == 0 (loop: 30, delay: 10000).
      
      This patch modifies the driver start/stop functions to skip checking the DASH
      firmware status when DASH is explicitly disabled. This prevents unnecessary
      delays and false alarms.
      
      The patch has been tested on several ThinkStation P8/PX workstations.
      
      Fixes: 0ab0c45d ("r8169: add handling DASH when DASH is disabled")
      Signed-off-by: default avatarAtlas Yu <atlas.yu@canonical.com>
      Reviewed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/20240328055152.18443-1-atlas.yu@canonical.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5e864d90
    • Su Hui's avatar
      octeontx2-pf: check negative error code in otx2_open() · e709acbd
      Su Hui authored
      otx2_rxtx_enable() return negative error code such as -EIO,
      check -EIO rather than EIO to fix this problem.
      
      Fixes: c9262522 ("octeontx2-pf: Disable packet I/O for graceful exit")
      Signed-off-by: default avatarSu Hui <suhui@nfschina.com>
      Reviewed-by: default avatarSubbaraya Sundeep <sbhatta@marvell.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Reviewed-by: default avatarKalesh AP <kalesh-anakkur.purayil@broadcom.com>
      Link: https://lore.kernel.org/r/20240328020620.4054692-1-suhui@nfschina.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e709acbd
    • Eric Dumazet's avatar
      net: do not consume a cacheline for system_page_pool · 5086f0fe
      Eric Dumazet authored
      There is no reason to consume a full cacheline to store system_page_pool.
      
      We can eventually move it to softnet_data later for full locality control.
      
      Fixes: 2b0cfa6e ("net: add generic percpu page_pool allocator")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Lorenzo Bianconi <lorenzo@kernel.org>
      Cc: Toke Høiland-Jørgensen <toke@redhat.com>
      Acked-by: default avatarJesper Dangaard Brouer <hawk@kernel.org>
      Link: https://lore.kernel.org/r/20240328173448.2262593-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5086f0fe
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 50ba9d7e
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2024-03-26 (i40e)
      
      This series contains updates to i40e driver only.
      
      Ivan Vecera resolves an issue where descriptors could be missed when
      exiting busy poll.
      
      Aleksandr corrects counting of MAC filters to only include new or active
      filters and resolves possible use of incorrect/stale 'vf' variable.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: fix vf may be used uninitialized in this function warning
        i40e: fix i40e_count_filters() to count only active/new filters
        i40e: Enforce software interrupt during busy-poll exit
      ====================
      
      Link: https://lore.kernel.org/r/20240326162358.1224145-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      50ba9d7e
    • Mahmoud Adam's avatar
      net/rds: fix possible cp null dereference · 62fc3357
      Mahmoud Adam authored
      cp might be null, calling cp->cp_conn would produce null dereference
      
      [Simon Horman adds:]
      
      Analysis:
      
      * cp is a parameter of __rds_rdma_map and is not reassigned.
      
      * The following call-sites pass a NULL cp argument to __rds_rdma_map()
      
        - rds_get_mr()
        - rds_get_mr_for_dest
      
      * Prior to the code above, the following assumes that cp may be NULL
        (which is indicative, but could itself be unnecessary)
      
      	trans_private = rs->rs_transport->get_mr(
      		sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
      		args->vec.addr, args->vec.bytes,
      		need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);
      
      * The code modified by this patch is guarded by IS_ERR(trans_private),
        where trans_private is assigned as per the previous point in this analysis.
      
        The only implementation of get_mr that I could locate is rds_ib_get_mr()
        which can return an ERR_PTR if the conn (4th) argument is NULL.
      
      * ret is set to PTR_ERR(trans_private).
        rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
        Thus ret may be -ENODEV in which case the code in question will execute.
      
      Conclusion:
      * cp may be NULL at the point where this patch adds a check;
        this patch does seem to address a possible bug
      
      Fixes: c055fc00 ("net/rds: fix WARNING in rds_conn_connect_if_down")
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: default avatarMahmoud Adam <mngyadam@amazon.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240326153132.55580-1-mngyadam@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      62fc3357
    • Michael Krummsdorf's avatar
      net: dsa: mv88e6xxx: fix usable ports on 88e6020 · 625aefac
      Michael Krummsdorf authored
      The switch has 4 ports with 2 internal PHYs, but ports are numbered up
      to 6, with ports 0, 1, 5 and 6 being usable.
      
      Fixes: 71d94a43 ("net: dsa: mv88e6xxx: add support for MV88E6020 switch")
      Signed-off-by: default avatarMichael Krummsdorf <michael.krummsdorf@tq-group.com>
      Signed-off-by: default avatarMatthias Schiffer <matthias.schiffer@ew.tq-group.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240326123655.40666-1-matthias.schiffer@ew.tq-group.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      625aefac
    • David Thompson's avatar
      mlxbf_gige: stop interface during shutdown · 09ba28e1
      David Thompson authored
      The mlxbf_gige driver intermittantly encounters a NULL pointer
      exception while the system is shutting down via "reboot" command.
      The mlxbf_driver will experience an exception right after executing
      its shutdown() method.  One example of this exception is:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070
      Mem abort info:
        ESR = 0x0000000096000004
        EC = 0x25: DABT (current EL), IL = 32 bits
        SET = 0, FnV = 0
        EA = 0, S1PTW = 0
        FSC = 0x04: level 0 translation fault
      Data abort info:
        ISV = 0, ISS = 0x00000004
        CM = 0, WnR = 0
      user pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000
      [0000000000000070] pgd=0000000000000000, p4d=0000000000000000
      Internal error: Oops: 96000004 [#1] SMP
      CPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S         OE     5.15.0-bf.6.gef6992a #1
      Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023
      pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]
      lr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]
      sp : ffff8000080d3c10
      x29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58
      x26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008
      x23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128
      x20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff
      x17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7
      x14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101
      x11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404
      x8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080
      x5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001
      x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
      Call trace:
       mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]
       mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]
       __napi_poll+0x40/0x1c8
       net_rx_action+0x314/0x3a0
       __do_softirq+0x128/0x334
       run_ksoftirqd+0x54/0x6c
       smpboot_thread_fn+0x14c/0x190
       kthread+0x10c/0x110
       ret_from_fork+0x10/0x20
      Code: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)
      ---[ end trace 7cc3941aa0d8e6a4 ]---
      Kernel panic - not syncing: Oops: Fatal exception in interrupt
      Kernel Offset: 0x4ce722520000 from 0xffff800008000000
      PHYS_OFFSET: 0x80000000
      CPU features: 0x000005c1,a3330e5a
      Memory Limit: none
      ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
      
      During system shutdown, the mlxbf_gige driver's shutdown() is always executed.
      However, the driver's stop() method will only execute if networking interface
      configuration logic within the Linux distribution has been setup to do so.
      
      If shutdown() executes but stop() does not execute, NAPI remains enabled
      and this can lead to an exception if NAPI is scheduled while the hardware
      interface has only been partially deinitialized.
      
      The networking interface managed by the mlxbf_gige driver must be properly
      stopped during system shutdown so that IFF_UP is cleared, the hardware
      interface is put into a clean state, and NAPI is fully deinitialized.
      
      Fixes: f92e1869 ("Add Mellanox BlueField Gigabit Ethernet driver")
      Signed-off-by: default avatarDavid Thompson <davthompson@nvidia.com>
      Link: https://lore.kernel.org/r/20240325210929.25362-1-davthompson@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      09ba28e1
    • Bastien Nocera's avatar
      Bluetooth: Fix TOCTOU in HCI debugfs implementation · 7835fcfd
      Bastien Nocera authored
      struct hci_dev members conn_info_max_age, conn_info_min_age,
      le_conn_max_interval, le_conn_min_interval, le_adv_max_interval,
      and le_adv_min_interval can be modified from the HCI core code, as well
      through debugfs.
      
      The debugfs implementation, that's only available to privileged users,
      will check for boundaries, making sure that the minimum value being set
      is strictly above the maximum value that already exists, and vice-versa.
      
      However, as both minimum and maximum values can be changed concurrently
      to us modifying them, we need to make sure that the value we check is
      the value we end up using.
      
      For example, with ->conn_info_max_age set to 10, conn_info_min_age_set()
      gets called from vfs handlers to set conn_info_min_age to 8.
      
      In conn_info_min_age_set(), this goes through:
      	if (val == 0 || val > hdev->conn_info_max_age)
      		return -EINVAL;
      
      Concurrently, conn_info_max_age_set() gets called to set to set the
      conn_info_max_age to 7:
      	if (val == 0 || val > hdev->conn_info_max_age)
      		return -EINVAL;
      That check will also pass because we used the old value (10) for
      conn_info_max_age.
      
      After those checks that both passed, the struct hci_dev access
      is mutex-locked, disabling concurrent access, but that does not matter
      because the invalid value checks both passed, and we'll end up with
      conn_info_min_age = 8 and conn_info_max_age = 7
      
      To fix this problem, we need to lock the structure access before so the
      check and assignment are not interrupted.
      
      This fix was originally devised by the BassCheck[1] team, and
      considered the problem to be an atomicity one. This isn't the case as
      there aren't any concerns about the variable changing while we check it,
      but rather after we check it parallel to another change.
      
      This patch fixes CVE-2024-24858 and CVE-2024-24857.
      
      [1] https://sites.google.com/view/basscheck/Co-developed-by: default avatarGui-Dong Han <2045gemini@gmail.com>
      Signed-off-by: default avatarGui-Dong Han <2045gemini@gmail.com>
      Link: https://lore.kernel.org/linux-bluetooth/20231222161317.6255-1-2045gemini@gmail.com/
      Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24858
      Link: https://lore.kernel.org/linux-bluetooth/20231222162931.6553-1-2045gemini@gmail.com/
      Link: https://lore.kernel.org/linux-bluetooth/20231222162310.6461-1-2045gemini@gmail.com/
      Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24857
      Fixes: 31ad1691 ("Bluetooth: Add conn info lifetime parameters to debugfs")
      Fixes: 729a1051 ("Bluetooth: Expose default LE advertising interval via debugfs")
      Fixes: 71c3b60e ("Bluetooth: Move BR/EDR debugfs file creation into hci_debugfs.c")
      Signed-off-by: default avatarBastien Nocera <hadess@hadess.net>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7835fcfd
    • Hui Wang's avatar
      Bluetooth: hci_event: set the conn encrypted before conn establishes · c569242c
      Hui Wang authored
      We have a BT headset (Lenovo Thinkplus XT99), the pairing and
      connecting has no problem, once this headset is paired, bluez will
      remember this device and will auto re-connect it whenever the device
      is powered on. The auto re-connecting works well with Windows and
      Android, but with Linux, it always fails. Through debugging, we found
      at the rfcomm connection stage, the bluetooth stack reports
      "Connection refused - security block (0x0003)".
      
      For this device, the re-connecting negotiation process is different
      from other BT headsets, it sends the Link_KEY_REQUEST command before
      the CONNECT_REQUEST completes, and it doesn't send ENCRYPT_CHANGE
      command during the negotiation. When the device sends the "connect
      complete" to hci, the ev->encr_mode is 1.
      
      So here in the conn_complete_evt(), if ev->encr_mode is 1, link type
      is ACL and HCI_CONN_ENCRYPT is not set, we set HCI_CONN_ENCRYPT to
      this conn, and update conn->enc_key_size accordingly.
      
      After this change, this BT headset could re-connect with Linux
      successfully. This is the btmon log after applying the patch, after
      receiving the "Connect Complete" with "Encryption: Enabled", will send
      the command to read encryption key size:
      > HCI Event: Connect Request (0x04) plen 10
              Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
              Class: 0x240404
                Major class: Audio/Video (headset, speaker, stereo, video, vcr)
                Minor class: Wearable Headset Device
                Rendering (Printing, Speaker)
                Audio (Speaker, Microphone, Headset)
              Link type: ACL (0x01)
      ...
      > HCI Event: Link Key Request (0x17) plen 6
              Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
      < HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
              Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
              Link key: ${32-hex-digits-key}
      ...
      > HCI Event: Connect Complete (0x03) plen 11
              Status: Success (0x00)
              Handle: 256
              Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
              Link type: ACL (0x01)
              Encryption: Enabled (0x01)
      < HCI Command: Read Encryption Key... (0x05|0x0008) plen 2
              Handle: 256
      < ACL Data TX: Handle 256 flags 0x00 dlen 10
            L2CAP: Information Request (0x0a) ident 1 len 2
              Type: Extended features supported (0x0002)
      > HCI Event: Command Complete (0x0e) plen 7
            Read Encryption Key Size (0x05|0x0008) ncmd 1
              Status: Success (0x00)
              Handle: 256
              Key size: 16
      
      Cc: stable@vger.kernel.org
      Link: https://github.com/bluez/bluez/issues/704Reviewed-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Reviewed-by: default avatarLuiz Augusto von Dentz <luiz.dentz@gmail.com>
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      c569242c
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_sync: Fix not checking error on hci_cmd_sync_cancel_sync · 6946b9c9
      Luiz Augusto von Dentz authored
      hci_cmd_sync_cancel_sync shall check the error passed to it since it
      will be propagated using req_result which is __u32 it needs to be
      properly set to a positive value if it was passed as negative othertise
      IS_ERR will not trigger as -(errno) would be converted to a positive
      value.
      
      Fixes: 63298d6e ("Bluetooth: hci_core: Cancel request on command timeout")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reported-and-tested-by: default avatarThorsten Leemhuis <linux@leemhuis.info>
      Closes: https://lore.kernel.org/all/08275279-7462-4f4a-a0ee-8aa015f829bc@leemhuis.info/
      6946b9c9
    • Johan Hovold's avatar
      Bluetooth: qca: fix device-address endianness · 77f45cca
      Johan Hovold authored
      The WCN6855 firmware on the Lenovo ThinkPad X13s expects the Bluetooth
      device address in big-endian order when setting it using the
      EDL_WRITE_BD_ADDR_OPCODE command.
      
      Presumably, this is the case for all non-ROME devices which all use the
      EDL_WRITE_BD_ADDR_OPCODE command for this (unlike the ROME devices which
      use a different command and expect the address in little-endian order).
      
      Reverse the little-endian address before setting it to make sure that
      the address can be configured using tools like btmgmt or using the
      'local-bd-address' devicetree property.
      
      Note that this can potentially break systems with boot firmware which
      has started relying on the broken behaviour and is incorrectly passing
      the address via devicetree in big-endian order.
      
      The only device affected by this should be the WCN3991 used in some
      Chromebooks. As ChromeOS updates the kernel and devicetree in lockstep,
      the new 'qcom,local-bd-address-broken' property can be used to determine
      if the firmware is buggy so that the underlying driver bug can be fixed
      without breaking backwards compatibility.
      
      Set the HCI_QUIRK_BDADDR_PROPERTY_BROKEN quirk for such platforms so
      that the address is reversed when parsing the address property.
      
      Fixes: 5c0a1001 ("Bluetooth: hci_qca: Add helper to set device address")
      Cc: stable@vger.kernel.org      # 5.1
      Cc: Balakrishna Godavarthi <quic_bgodavar@quicinc.com>
      Cc: Matthias Kaehlcke <mka@chromium.org>
      Tested-by: Nikita Travkin <nikita@trvn.ru> # sc7180
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      77f45cca
    • Johan Hovold's avatar
      Bluetooth: add quirk for broken address properties · 39646f29
      Johan Hovold authored
      Some Bluetooth controllers lack persistent storage for the device
      address and instead one can be provided by the boot firmware using the
      'local-bd-address' devicetree property.
      
      The Bluetooth devicetree bindings clearly states that the address should
      be specified in little-endian order, but due to a long-standing bug in
      the Qualcomm driver which reversed the address some boot firmware has
      been providing the address in big-endian order instead.
      
      Add a new quirk that can be set on platforms with broken firmware and
      use it to reverse the address when parsing the property so that the
      underlying driver bug can be fixed.
      
      Fixes: 5c0a1001 ("Bluetooth: hci_qca: Add helper to set device address")
      Cc: stable@vger.kernel.org      # 5.1
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      39646f29
    • Johan Hovold's avatar
      arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken · e12e2800
      Johan Hovold authored
      Several Qualcomm Bluetooth controllers lack persistent storage for the
      device address and instead one can be provided by the boot firmware
      using the 'local-bd-address' devicetree property.
      
      The Bluetooth bindings clearly states that the address should be
      specified in little-endian order, but due to a long-standing bug in the
      Qualcomm driver which reversed the address some boot firmware has been
      providing the address in big-endian order instead.
      
      The boot firmware in SC7180 Trogdor Chromebooks is known to be affected
      so mark the 'local-bd-address' property as broken to maintain backwards
      compatibility with older firmware when fixing the underlying driver bug.
      
      Note that ChromeOS always updates the kernel and devicetree in lockstep
      so that there is no need to handle backwards compatibility with older
      devicetrees.
      
      Fixes: 7ec3e673 ("arm64: dts: qcom: sc7180-trogdor: add initial trogdor and lazor dt")
      Cc: stable@vger.kernel.org      # 5.10
      Cc: Rob Clark <robdclark@chromium.org>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Acked-by: default avatarBjorn Andersson <andersson@kernel.org>
      Reviewed-by: default avatarBjorn Andersson <andersson@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      e12e2800
    • Johan Hovold's avatar
      dt-bindings: bluetooth: add 'qcom,local-bd-address-broken' · 7003de8a
      Johan Hovold authored
      Several Qualcomm Bluetooth controllers lack persistent storage for the
      device address and instead one can be provided by the boot firmware
      using the 'local-bd-address' devicetree property.
      
      The Bluetooth bindings clearly states that the address should be
      specified in little-endian order, but due to a long-standing bug in the
      Qualcomm driver which reversed the address some boot firmware has been
      providing the address in big-endian order instead.
      
      The only device out there that should be affected by this is the WCN3991
      used in some Chromebooks.
      
      Add a 'qcom,local-bd-address-broken' property which can be set on these
      platforms to indicate that the boot firmware is using the wrong byte
      order.
      
      Note that ChromeOS always updates the kernel and devicetree in lockstep
      so that there is no need to handle backwards compatibility with older
      devicetrees.
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Reviewed-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7003de8a