1. 20 Sep, 2023 11 commits
    • Bluetooth: hci_core: Fix build warnings · dcda1657
      Luiz Augusto von Dentz authored
      This fixes the following warnings:
      
      net/bluetooth/hci_core.c: In function ‘hci_register_dev’:
      net/bluetooth/hci_core.c:2620:54: warning: ‘%d’ directive output may
      be truncated writing between 1 and 10 bytes into a region of size 5
      [-Wformat-truncation=]
       2620 |         snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
            |                                                      ^~
      net/bluetooth/hci_core.c:2620:50: note: directive argument in the range
      [0, 2147483647]
       2620 |         snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
            |                                                  ^~~~~~~
      net/bluetooth/hci_core.c:2620:9: note: ‘snprintf’ output between 5 and
      14 bytes into a destination of size 8
       2620 |         snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
            |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
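The warning above is about silent truncation: hdev->name is 8 bytes, and "hci%d" with an id anywhere in [0, 2147483647] needs between 5 and 14 bytes, so the compiler cannot prove the name fits. The example below is added here and is not the kernel's code or its fix; it takes only the 8-byte buffer size and the format string from the warning text. It shows the check a caller can make (snprintf returns the length the full string would have had, so a return value >= the buffer size means truncation) and why the truncation matters when it does happen: two distinct ids collapse to the same name.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same size as hdev->name in the warning above (8 bytes, incl. the NUL). */
#define DEV_NAME_LEN 8

/*
 * Format "hci<id>" into a fixed buffer the way the warned-about snprintf()
 * does, but check the return value: snprintf() reports the length the full
 * string would have had, so n >= len means the name was cut short.
 * Returns 0 on success, -ENAMETOOLONG when the name did not fit (the buffer
 * then holds the truncated, NUL-terminated prefix), -EINVAL on a format
 * error.
 */
int format_hci_name(char *buf, size_t len, int id)
{
    int n = snprintf(buf, len, "hci%d", id);

    if (n < 0)
        return -EINVAL;
    if ((size_t)n >= len)
        return -ENAMETOOLONG;
    return 0;
}

/*
 * The consequence of ignoring truncation: two different ids can end up
 * with the same (truncated) name.  Returns 1 if the names collide.
 */
int names_collide(int id_a, int id_b)
{
    char a[DEV_NAME_LEN], b[DEV_NAME_LEN];

    /* Return values deliberately ignored here to show the unchecked case. */
    format_hci_name(a, sizeof(a), id_a);
    format_hci_name(b, sizeof(b), id_b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char name[DEV_NAME_LEN];
    int ids[] = { 0, 9999, 10000 };   /* constructed sample ids */

    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        int rc = format_hci_name(name, sizeof(name), ids[i]);

        printf("id %d -> \"%s\" (%s)\n", ids[i], name,
               rc ? "truncated" : "ok");
    }
    printf("ids 10000 and 10001 collide: %d\n", names_collide(10000, 10001));
    return 0;
}
```

With an 8-byte buffer, "hci9999" is the largest name that fits; from id 10000 on, the unchecked version would hand out duplicate names, which is the kind of collision a device-registration path must refuse rather than accept silently.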
    • Bluetooth: Avoid redundant authentication · 1d8e8014
      Ying Hsu authored
      While executing the Android 13 CTS Verifier Secure Server test on a
      ChromeOS device, it was observed that the Bluetooth host initiates
      authentication for an RFCOMM connection after SSP completes.
      When this happens, some Intel Bluetooth controllers, like AC9560, would
      disconnect with "Connection Rejected due to Security Reasons (0x0e)".
      
      Historically, BlueZ did not mandate this authentication while an
      authenticated combination key was already in use for the connection.
      This behavior was changed since commit 7b5a9241
      ("Bluetooth: Introduce requirements for security level 4").
      So, this patch addresses the aforementioned disconnection issue by
      restoring the previous behavior.
      Signed-off-by: Ying Hsu <yinghsu@chromium.org>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: ISO: Fix handling of listen for unicast · e0275ea5
      Luiz Augusto von Dentz authored
      iso_listen_cis shall only return -EADDRINUSE if the listening socket has
      the destination set to BDADDR_ANY; otherwise, if the destination is set to
      a specific address, it is for broadcast, which shall be ignored.
      
      Fixes: f764a6c2 ("Bluetooth: ISO: Add broadcast support")
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: Fix hci_link_tx_to RCU lock usage · c7eaf80b
      Ying Hsu authored
      Syzbot found a bug "BUG: sleeping function called from invalid context
      at kernel/locking/mutex.c:580". It is because hci_link_tx_to holds an
      RCU read lock and calls hci_disconnect which would hold a mutex lock
      since the commit a13f316e ("Bluetooth: hci_conn: Consolidate code
      for aborting connections"). Here's an example call trace:
      
         __dump_stack lib/dump_stack.c:88 [inline]
         dump_stack_lvl+0xfc/0x174 lib/dump_stack.c:106
         ___might_sleep+0x4a9/0x4d3 kernel/sched/core.c:9663
         __mutex_lock_common kernel/locking/mutex.c:576 [inline]
         __mutex_lock+0xc7/0x6e7 kernel/locking/mutex.c:732
         hci_cmd_sync_queue+0x3a/0x287 net/bluetooth/hci_sync.c:388
         hci_abort_conn+0x2cd/0x2e4 net/bluetooth/hci_conn.c:1812
         hci_disconnect+0x207/0x237 net/bluetooth/hci_conn.c:244
         hci_link_tx_to net/bluetooth/hci_core.c:3254 [inline]
         __check_timeout net/bluetooth/hci_core.c:3419 [inline]
         __check_timeout+0x310/0x361 net/bluetooth/hci_core.c:3399
         hci_sched_le net/bluetooth/hci_core.c:3602 [inline]
         hci_tx_work+0xe8f/0x12d0 net/bluetooth/hci_core.c:3652
         process_one_work+0x75c/0xba1 kernel/workqueue.c:2310
         worker_thread+0x5b2/0x73a kernel/workqueue.c:2457
         kthread+0x2f7/0x30b kernel/kthread.c:319
         ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
      
      This patch releases RCU read lock before calling hci_disconnect and
      reacquires it afterward to fix the bug.
      
      Fixes: a13f316e ("Bluetooth: hci_conn: Consolidate code for aborting connections")
      Signed-off-by: Ying Hsu <yinghsu@chromium.org>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: hci_sync: Fix handling of HCI_QUIRK_STRICT_DUPLICATE_FILTER · 941c998b
      Luiz Augusto von Dentz authored
      When HCI_QUIRK_STRICT_DUPLICATE_FILTER is set, LE scanning requires
      periodic restarts of the scanning procedure, as the controller would
      consider a device previously found as a duplicate despite RSSI changes;
      but in order to set the scan timeout properly, le_scan_restart needs
      to be synchronous, so it shall not use hci_cmd_sync_queue, which defers
      the command processing to cmd_sync_work.
      
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/linux-bluetooth/578e6d7afd676129decafba846a933f5@agner.ch/#t
      Fixes: 27d54b77 ("Bluetooth: Rework le_scan_restart for hci_sync")
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btusb: add shutdown function for QCA6174 · 187f8b64
      Rocky Liao authored
      We should send an HCI reset command before BT is turned off, which can
      reset the BT firmware status.
      Signed-off-by: Rocky Liao <quic_rjliao@quicinc.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: Delete unused hci_req_prepare_suspend() declaration · cbaabbcd
      Yao Xiao authored
      hci_req_prepare_suspend() has been deprecated in favor of
      hci_suspend_sync().
      
      Fixes: 182ee45d ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
      Signed-off-by: Yao Xiao <xiaoyao@rock-chips.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() · 4a0f07d7
      Jinjie Ruan authored
      When building with CONFIG_DEBUG_KMEMLEAK=y and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y,
      then running modprobe handshake-test and rmmod handshake-test, the below
      memory leak is detected.
      
      The struct socket_alloc which is allocated by alloc_inode_sb() in
      __sock_create() is not freed. And the struct dentry which is allocated
      by __d_alloc() in sock_alloc_file() is not freed.
      
      Since fput() will call file->f_op->release(), which is sock_close() here,
      and that will call __sock_release(), and fput() will also call dput(dentry)
      to free the struct dentry, replace sock_release() with fput() to fix the
      below memory leak. After applying this patch, the following memory leak is
      no longer detected.
      
      unreferenced object 0xffff888109165840 (size 768):
        comm "kunit_try_catch", pid 1852, jiffies 4294685807 (age 976.262s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa0209ba2>] 0xffffffffa0209ba2
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810f472008 (size 192):
        comm "kunit_try_catch", pid 1852, jiffies 4294685808 (age 976.261s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 08 20 47 0f 81 88 ff ff  ......... G.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0209bbb>] 0xffffffffa0209bbb
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810958e580 (size 224):
        comm "kunit_try_catch", pid 1852, jiffies 4294685808 (age 976.261s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0209bbb>] 0xffffffffa0209bbb
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810926dc88 (size 192):
        comm "kunit_try_catch", pid 1854, jiffies 4294685809 (age 976.271s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 88 dc 26 09 81 88 ff ff  ..........&.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0208fdc>] 0xffffffffa0208fdc
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810a241380 (size 224):
        comm "kunit_try_catch", pid 1854, jiffies 4294685809 (age 976.271s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0208fdc>] 0xffffffffa0208fdc
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888109165040 (size 768):
        comm "kunit_try_catch", pid 1856, jiffies 4294685811 (age 976.269s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa0208860>] 0xffffffffa0208860
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810926d568 (size 192):
        comm "kunit_try_catch", pid 1856, jiffies 4294685811 (age 976.269s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 68 d5 26 09 81 88 ff ff  ........h.&.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0208879>] 0xffffffffa0208879
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810a240580 (size 224):
        comm "kunit_try_catch", pid 1856, jiffies 4294685811 (age 976.347s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0208879>] 0xffffffffa0208879
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888109164c40 (size 768):
        comm "kunit_try_catch", pid 1858, jiffies 4294685816 (age 976.342s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa0208541>] 0xffffffffa0208541
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810926cd18 (size 192):
        comm "kunit_try_catch", pid 1858, jiffies 4294685816 (age 976.342s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 18 cd 26 09 81 88 ff ff  ..........&.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa020855a>] 0xffffffffa020855a
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810a240200 (size 224):
        comm "kunit_try_catch", pid 1858, jiffies 4294685816 (age 976.342s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa020855a>] 0xffffffffa020855a
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888109164840 (size 768):
        comm "kunit_try_catch", pid 1860, jiffies 4294685817 (age 976.416s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa02093e2>] 0xffffffffa02093e2
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810926cab8 (size 192):
        comm "kunit_try_catch", pid 1860, jiffies 4294685817 (age 976.416s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 b8 ca 26 09 81 88 ff ff  ..........&.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa02093fb>] 0xffffffffa02093fb
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810a240040 (size 224):
        comm "kunit_try_catch", pid 1860, jiffies 4294685817 (age 976.416s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa02093fb>] 0xffffffffa02093fb
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888109166440 (size 768):
        comm "kunit_try_catch", pid 1862, jiffies 4294685819 (age 976.489s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa02097c1>] 0xffffffffa02097c1
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810926c398 (size 192):
        comm "kunit_try_catch", pid 1862, jiffies 4294685819 (age 976.489s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 98 c3 26 09 81 88 ff ff  ..........&.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa02097da>] 0xffffffffa02097da
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888107e0b8c0 (size 224):
        comm "kunit_try_catch", pid 1862, jiffies 4294685819 (age 976.489s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa02097da>] 0xffffffffa02097da
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888109164440 (size 768):
        comm "kunit_try_catch", pid 1864, jiffies 4294685821 (age 976.487s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa020824e>] 0xffffffffa020824e
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810f4cf698 (size 192):
        comm "kunit_try_catch", pid 1864, jiffies 4294685821 (age 976.501s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 98 f6 4c 0f 81 88 ff ff  ..........L.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0208267>] 0xffffffffa0208267
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff888107e0b000 (size 224):
        comm "kunit_try_catch", pid 1864, jiffies 4294685821 (age 976.501s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0208267>] 0xffffffffa0208267
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      
      Fixes: 88232ec1 ("net/handshake: Add Kunit tests for the handshake consumer API")
      Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: hinic: Fix warning-hinic_set_vlan_fliter() warn: variable dereferenced before check 'hwdev' · 22b6e7f3
      Cai Huoqing authored
      'hwdev' is checked too late and hwdev will not be NULL, so remove the check.
      
      Fixes: 2acf960e ("net: hinic: Add support for configuration of rx-vlan-filter by ethtool")
      Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
      Closes: https://lore.kernel.org/r/202309112354.pikZCmyk-lkp@intel.com/
      Signed-off-by: Cai Huoqing <cai.huoqing@linux.dev>
      Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxlan: Add missing entries to vxlan_get_size() · 4e4b1798
      Benjamin Poirier authored
      There are some attributes added by vxlan_fill_info() which are not
      accounted for in vxlan_get_size(). Add them.
      
      I didn't find a way to trigger an actual problem from this miscalculation
      since there is usually extra space in netlink size calculations like
      if_nlmsg_size(); but maybe I just didn't search long enough.
      
      Fixes: 3511494c ("vxlan: Group Policy extension")
      Fixes: e1e5314d ("vxlan: implement GPE")
      Fixes: 0ace2ca8 ("vxlan: Use checksum partial with remote checksum offload")
      Fixes: f9c4bb0b ("vxlan: vni filtering support on collect metadata device")
      Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: Ido Schimmel <idosch@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
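The bug class in this commit is a get_size() that underestimates what the matching fill_info() emits: the caller allocates a message of the size get_size() reports, and every attribute fill_info() adds beyond that budget can only fail with -EMSGSIZE (or, in a less careful putter, overrun). As the author notes, the netlink core usually leaves enough slack that the mismatch is hard to trigger. The example below is added here and is not the kernel's or the vxlan driver's code; it re-implements the netlink attribute size rules (4-byte header, 4-byte alignment) in user space, uses hypothetical attribute numbers rather than the real IFLA_VXLAN_* values, sizes the buffer exactly as get_size() says with no slack, and shows the incomplete get_size() failing where the complete one succeeds.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Netlink attribute header and the alignment rules nla_total_size() uses. */
struct nlattr {
    uint16_t nla_len;   /* header + payload, before padding */
    uint16_t nla_type;
};
#define NLA_ALIGNTO  4
#define NLA_ALIGN(n) (((n) + NLA_ALIGNTO - 1) & ~(size_t)(NLA_ALIGNTO - 1))
#define NLA_HDRLEN   ((size_t)NLA_ALIGN(sizeof(struct nlattr)))

static size_t nla_total_size(size_t payload)
{
    return NLA_ALIGN(NLA_HDRLEN + payload);
}

/* A bounded message buffer standing in for the sk_buff tailroom. */
struct msg {
    unsigned char *data;
    size_t cap;
    size_t len;
};

/* Like nla_put(): fails with -EMSGSIZE instead of writing past the end. */
static int nla_put(struct msg *m, uint16_t type, const void *payload, size_t plen)
{
    size_t total = nla_total_size(plen);
    struct nlattr *nla;

    if (m->cap - m->len < total)
        return -EMSGSIZE;
    nla = (struct nlattr *)(m->data + m->len);
    nla->nla_len = (uint16_t)(NLA_HDRLEN + plen);
    nla->nla_type = type;
    memset(nla + 1, 0, total - NLA_HDRLEN);   /* zero payload area and padding */
    if (plen)
        memcpy(nla + 1, payload, plen);
    m->len += total;
    return 0;
}

/* Hypothetical attribute numbers for this example, not real IFLA_VXLAN_* values. */
enum { ATTR_VNI = 1, ATTR_GBP, ATTR_GPE, ATTR_REMCSUM_NOPARTIAL, ATTR_VNIFILTER };

struct cfg {
    uint32_t vni;
    int gbp, gpe, remcsum_nopartial, vnifilter;
};

/* What the fill_info() side emits: one u32, up to three flags and one u8. */
static int fill_info(struct msg *m, const struct cfg *c)
{
    uint8_t vf = 1;

    if (nla_put(m, ATTR_VNI, &c->vni, sizeof(c->vni)))
        return -EMSGSIZE;
    if (c->gbp && nla_put(m, ATTR_GBP, NULL, 0))
        return -EMSGSIZE;
    if (c->gpe && nla_put(m, ATTR_GPE, NULL, 0))
        return -EMSGSIZE;
    if (c->remcsum_nopartial && nla_put(m, ATTR_REMCSUM_NOPARTIAL, NULL, 0))
        return -EMSGSIZE;
    if (c->vnifilter && nla_put(m, ATTR_VNIFILTER, &vf, sizeof(vf)))
        return -EMSGSIZE;
    return 0;
}

/* A get_size() that forgot the three flag attributes and the u8. */
size_t get_size_missing_entries(void)
{
    return nla_total_size(sizeof(uint32_t));          /* ATTR_VNI only */
}

/* A get_size() that accounts for everything fill_info() can emit. */
size_t get_size_complete(void)
{
    return nla_total_size(sizeof(uint32_t))           /* ATTR_VNI */
         + nla_total_size(0)                          /* ATTR_GBP */
         + nla_total_size(0)                          /* ATTR_GPE */
         + nla_total_size(0)                          /* ATTR_REMCSUM_NOPARTIAL */
         + nla_total_size(sizeof(uint8_t));           /* ATTR_VNIFILTER */
}

/* Size the buffer exactly as get_size() says (no slack), then run fill_info(). */
int try_fill(size_t (*get_size)(void), const struct cfg *c)
{
    size_t cap = get_size();
    unsigned char *buf = malloc(cap);
    struct msg m = { buf, cap, 0 };
    int rc;

    if (!buf)
        return -ENOMEM;
    rc = fill_info(&m, c);
    free(buf);
    return rc;
}

int main(void)
{
    struct cfg all = { 100, 1, 1, 1, 1 };   /* constructed: every option on */

    printf("missing entries: %d, complete: %d\n",
           try_fill(get_size_missing_entries, &all),
           try_fill(get_size_complete, &all));
    return 0;
}
```

The check to carry over to real code is the pairing itself: every conditional nla_put() in fill_info() needs a matching nla_total_size() term in get_size(), flag attributes included (they still cost a 4-byte header), and get_size() should be an upper bound for the worst-case configuration rather than the common one.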
    • net: rds: Fix possible NULL-pointer dereference · f1d95df0
      Artem Chernyshev authored
      In rds_rdma_cm_event_handler_cmn(), check if the conn pointer exists
      before dereferencing it as the rdma_set_service_type() argument.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: fd261ce6 ("rds: rdma: update rdma transport for tos")
      Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 19 Sep, 2023 9 commits
    • team: fix null-ptr-deref when team device type is changed · 49203276
      Ziyang Xuan authored
      Get a null-ptr-deref bug as follows with reproducer [1].
      
      BUG: kernel NULL pointer dereference, address: 0000000000000228
      ...
      RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
      ...
      Call Trace:
       <TASK>
       ? __die+0x24/0x70
       ? page_fault_oops+0x82/0x150
       ? exc_page_fault+0x69/0x150
       ? asm_exc_page_fault+0x26/0x30
       ? vlan_dev_hard_header+0x35/0x140 [8021q]
       ? vlan_dev_hard_header+0x8e/0x140 [8021q]
       neigh_connected_output+0xb2/0x100
       ip6_finish_output2+0x1cb/0x520
       ? nf_hook_slow+0x43/0xc0
       ? ip6_mtu+0x46/0x80
       ip6_finish_output+0x2a/0xb0
       mld_sendpack+0x18f/0x250
       mld_ifc_work+0x39/0x160
       process_one_work+0x1e6/0x3f0
       worker_thread+0x4d/0x2f0
       ? __pfx_worker_thread+0x10/0x10
       kthread+0xe5/0x120
       ? __pfx_kthread+0x10/0x10
       ret_from_fork+0x34/0x50
       ? __pfx_kthread+0x10/0x10
       ret_from_fork_asm+0x1b/0x30
      
      [1]
      $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
      $ ip link add name t-dummy type dummy
      $ ip link add link t-dummy name t-dummy.100 type vlan id 100
      $ ip link add name t-nlmon type nlmon
      $ ip link set t-nlmon master team0
      $ ip link set t-nlmon nomaster
      $ ip link set t-dummy up
      $ ip link set team0 up
      $ ip link set t-dummy.100 down
      $ ip link set t-dummy.100 master team0
      
      When enslaving a vlan device to a team device and the team device type is
      changed from non-ether to ether, the header_ops of the team device is
      changed to vlan_header_ops. That is incorrect and will trigger a
      null-ptr-deref for vlan->real_dev in vlan_dev_hard_header(), because the
      team device is not a vlan device.
      
      Cache eth_header_ops in team_setup(), then assign cached header_ops to
      header_ops of team net device when its type is changed from non-ether
      to ether to fix the bug.
      
      Fixes: 1d76efe1 ("team: add support for non-ethernet devices")
      Suggested-by: Hangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
      Reviewed-by: Jiri Pirko <jiri@nvidia.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawei.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: bridge: use DEV_STATS_INC() · 44bdb313
      Eric Dumazet authored
      syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
      This function can run from multiple cpus without mutual exclusion.
      
      Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
      
      Handle updates to dev->stats.tx_dropped while we are at it.
      
      [1]
      BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
      
      read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
      br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
      br_nf_hook_thresh+0x1ed/0x220
      br_nf_pre_routing_finish_ipv6+0x50f/0x540
      NF_HOOK include/linux/netfilter.h:304 [inline]
      br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
      br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
      nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
      br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
      __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
      __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
      __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
      process_backlog+0x21f/0x380 net/core/dev.c:5965
      __napi_poll+0x60/0x3b0 net/core/dev.c:6527
      napi_poll net/core/dev.c:6594 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6727
      __do_softirq+0xc1/0x265 kernel/softirq.c:553
      run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
      smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
      kthread+0x1d7/0x210 kernel/kthread.c:388
      ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
      br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
      br_nf_hook_thresh+0x1ed/0x220
      br_nf_pre_routing_finish_ipv6+0x50f/0x540
      NF_HOOK include/linux/netfilter.h:304 [inline]
      br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
      br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
      nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
      br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
      __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
      __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
      __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
      process_backlog+0x21f/0x380 net/core/dev.c:5965
      __napi_poll+0x60/0x3b0 net/core/dev.c:6527
      napi_poll net/core/dev.c:6594 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6727
      __do_softirq+0xc1/0x265 kernel/softirq.c:553
      do_softirq+0x5e/0x90 kernel/softirq.c:454
      __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
      __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
      _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
      spin_unlock_bh include/linux/spinlock.h:396 [inline]
      batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
      batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
      process_one_work kernel/workqueue.c:2630 [inline]
      process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
      worker_thread+0x525/0x730 kernel/workqueue.c:2784
      kthread+0x1d7/0x210 kernel/kthread.c:388
      ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      value changed: 0x00000000000d7190 -> 0x00000000000d7191
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f3 #0
      
      Fixes: 1c29fc49 ("[BRIDGE]: keep track of received multicast packets")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Roopa Prabhu <roopa@nvidia.com>
      Cc: Nikolay Aleksandrov <razor@blackwall.org>
      Cc: bridge@lists.linux-foundation.org
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/20230918091351.1356153-1-edumazet@google.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge branch 'there-are-some-bugfix-for-the-hns3-ethernet-driver' · 5f8621c1
      Paolo Abeni authored
      Jijie Shao says:
      
      ====================
      There are some bugfix for the HNS3 ethernet driver
      ====================
      
      Link: https://lore.kernel.org/r/20230918074840.2650978-1-shaojijie@huawei.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: add 5ms delay before clear firmware reset irq source · 07700630
      Jie Wang authored
      Currently the reset process in hns3 and the firmware watchdog init process are
      asynchronous. We think firmware watchdog initialization is completed
      before hns3 clears the firmware interrupt source. However, firmware
      initialization may not complete that early.
      
      So we add a delay before hns3 clears the firmware interrupt source, and a 5 ms delay
      is enough to avoid a second firmware reset interrupt.
      
      Fixes: c1a81619 ("net: hns3: Add mailbox interrupt handling to PF driver")
      Signed-off-by: Jie Wang <wangjie125@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: fix fail to delete tc flower rules during reset issue · 1a7be66e
      Jijie Shao authored
      Firmware does not respond to driver commands during reset.
      Therefore, a rule will fail to delete while the firmware is resetting.
      
      So, if deleting a rule fails, set the rule state to TO_DEL,
      and the rule will be deleted when the periodic task is scheduled.
      
      Fixes: 0205ec04 ("net: hns3: add support for hw tc offload of tc flower")
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: only enable unicast promisc when mac table full · f2ed3049
      Jian Shen authored
      Currently, the driver will enable unicast promisc for the function
      once configuring a mac address fails. It's unreasonable when the failure
      is caused by using the same mac address as other functions. So only
      enable unicast promisc when the mac table is full.
      
      Fixes: c631c696 ("net: hns3: refactor the promisc mode setting")
      Signed-off-by: Jian Shen <shenjian15@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: fix GRE checksum offload issue · f9f65126
      Jie Wang authored
      The device_version V3 hardware can't offload the checksum for IP in GRE
      packets, but can do it for NvGRE. So default to disable the checksum and
      GSO offload for GRE, but keep the ability to enable it when only using
      NvGRE.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: Jie Wang <wangjie125@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: add cmdq check for vf periodic service task · bd3caddf
      Jie Wang authored
      When the vf cmdq is disabled, there is no need to keep these tasks running.
      So this patch skips these tasks when the cmdq is disabled.
      
      Fixes: ff200099 ("net: hns3: remove unnecessary work in hclgevf_main")
      Signed-off-by: Jie Wang <wangjie125@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: stmmac: fix incorrect rxq|txq_stats reference · 8070274b
      Jisheng Zhang authored
      commit 133466c3 ("net: stmmac: use per-queue 64 bit statistics
      where necessary") caused one regression as found by Uwe; the backtrace
      looks like:
      
      	INFO: trying to register non-static key.
      	The code is fine but needs lockdep annotation, or maybe
      	you didn't initialize this object before use?
      	turning off the locking correctness validator.
      	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc1-00449-g133466c3-dirty #21
      	Hardware name: STM32 (Device Tree Support)
      	 unwind_backtrace from show_stack+0x18/0x1c
      	 show_stack from dump_stack_lvl+0x60/0x90
      	 dump_stack_lvl from register_lock_class+0x98c/0x99c
      	 register_lock_class from __lock_acquire+0x74/0x293c
      	 __lock_acquire from lock_acquire+0x134/0x398
      	 lock_acquire from stmmac_get_stats64+0x2ac/0x2fc
      	 stmmac_get_stats64 from dev_get_stats+0x44/0x130
      	 dev_get_stats from rtnl_fill_stats+0x38/0x120
      	 rtnl_fill_stats from rtnl_fill_ifinfo+0x834/0x17f4
      	 rtnl_fill_ifinfo from rtmsg_ifinfo_build_skb+0xc0/0x144
      	 rtmsg_ifinfo_build_skb from rtmsg_ifinfo+0x50/0x88
      	 rtmsg_ifinfo from __dev_notify_flags+0xc0/0xec
      	 __dev_notify_flags from dev_change_flags+0x50/0x5c
      	 dev_change_flags from ip_auto_config+0x2f4/0x1260
      	 ip_auto_config from do_one_initcall+0x70/0x35c
      	 do_one_initcall from kernel_init_freeable+0x2ac/0x308
      	 kernel_init_freeable from kernel_init+0x1c/0x138
      	 kernel_init from ret_from_fork+0x14/0x2c
      
      The reason is the rxq|txq_stats structures are not what is expected
      because in stmmac_open() -> __stmmac_open() the structure is overwritten
      by "memcpy(&priv->dma_conf, dma_conf, sizeof(*dma_conf));".
      This causes the well-initialized syncp member of rxq|txq_stats to be
      overwritten unexpectedly, as pointed out by Johannes and Uwe.
      
      Fix this issue by moving rxq|txq_stats back to stmmac_extra_stats. To be
      SMP cache friendly, we also mark stmmac_txq_stats and stmmac_rxq_stats
      as ____cacheline_aligned_in_smp.
      
      Fixes: 133466c3 ("net: stmmac: use per-queue 64 bit statistics where necessary")
      Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
      Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Tested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Link: https://lore.kernel.org/r/20230917165328.3403-1-jszhang@kernel.org
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  3. 18 Sep, 2023 20 commits