1. 18 Nov, 2022 14 commits
    • Ivan Vecera's avatar
      iavf: Do not restart Tx queues after reset task failure · 08f1c147
      Ivan Vecera authored
      After commit aa626da9 ("iavf: Detach device during reset task")
      the device is detached during reset task and re-attached at its end.
      The problem occurs when reset task fails because Tx queues are
      restarted during device re-attach and this leads later to a crash.
      
      To resolve this issue properly close the net device in cause of
      failure in reset task to avoid restarting of tx queues at the end.
      Also replace the hacky manipulation with IFF_UP flag by device close
      that clears properly both IFF_UP and __LINK_STATE_START flags.
      In these case iavf_close() does not do anything because the adapter
      state is already __IAVF_DOWN.
      
      Reproducer:
      1) Run some Tx traffic (e.g. iperf3) over iavf interface
      2) Set VF trusted / untrusted in loop
      
      [root@host ~]# cat repro.sh
      
      PF=enp65s0f0
      IF=${PF}v0
      
      ip link set up $IF
      ip addr add 192.168.0.2/24 dev $IF
      sleep 1
      
      iperf3 -c 192.168.0.1 -t 600 --logfile /dev/null &
      sleep 2
      
      while :; do
              ip link set $PF vf 0 trust on
              ip link set $PF vf 0 trust off
      done
      [root@host ~]# ./repro.sh
      
      Result:
      [ 2006.650969] iavf 0000:41:01.0: Failed to init adminq: -53
      [ 2006.675662] ice 0000:41:00.0: VF 0 is now trusted
      [ 2006.689997] iavf 0000:41:01.0: Reset task did not complete, VF disabled
      [ 2006.696611] iavf 0000:41:01.0: failed to allocate resources during reinit
      [ 2006.703209] ice 0000:41:00.0: VF 0 is now untrusted
      [ 2006.737011] ice 0000:41:00.0: VF 0 is now trusted
      [ 2006.764536] ice 0000:41:00.0: VF 0 is now untrusted
      [ 2006.768919] BUG: kernel NULL pointer dereference, address: 0000000000000b4a
      [ 2006.776358] #PF: supervisor read access in kernel mode
      [ 2006.781488] #PF: error_code(0x0000) - not-present page
      [ 2006.786620] PGD 0 P4D 0
      [ 2006.789152] Oops: 0000 [#1] PREEMPT SMP NOPTI
      [ 2006.792903] ice 0000:41:00.0: VF 0 is now trusted
      [ 2006.793501] CPU: 4 PID: 0 Comm: swapper/4 Kdump: loaded Not tainted 6.1.0-rc3+ #2
      [ 2006.805668] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
      [ 2006.815915] RIP: 0010:iavf_xmit_frame_ring+0x96/0xf70 [iavf]
      [ 2006.821028] ice 0000:41:00.0: VF 0 is now untrusted
      [ 2006.821572] Code: 48 83 c1 04 48 c1 e1 04 48 01 f9 48 83 c0 10 6b 50 f8 55 c1 ea 14 45 8d 64 14 01 48 39 c8 75 eb 41 83 fc 07 0f 8f e9 08 00 00 <0f> b7 45 4a 0f b7 55 48 41 8d 74 24 05 31 c9 66 39 d0 0f 86 da 00
      [ 2006.845181] RSP: 0018:ffffb253004bc9e8 EFLAGS: 00010293
      [ 2006.850397] RAX: ffff9d154de45b00 RBX: ffff9d15497d52e8 RCX: ffff9d154de45b00
      [ 2006.856327] ice 0000:41:00.0: VF 0 is now trusted
      [ 2006.857523] RDX: 0000000000000000 RSI: 00000000000005a8 RDI: ffff9d154de45ac0
      [ 2006.857525] RBP: 0000000000000b00 R08: ffff9d159cb010ac R09: 0000000000000001
      [ 2006.857526] R10: ffff9d154de45940 R11: 0000000000000000 R12: 0000000000000002
      [ 2006.883600] R13: ffff9d1770838dc0 R14: 0000000000000000 R15: ffffffffc07b8380
      [ 2006.885840] ice 0000:41:00.0: VF 0 is now untrusted
      [ 2006.890725] FS:  0000000000000000(0000) GS:ffff9d248e900000(0000) knlGS:0000000000000000
      [ 2006.890727] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2006.909419] CR2: 0000000000000b4a CR3: 0000000c39c10002 CR4: 0000000000770ee0
      [ 2006.916543] PKRU: 55555554
      [ 2006.918254] ice 0000:41:00.0: VF 0 is now trusted
      [ 2006.919248] Call Trace:
      [ 2006.919250]  <IRQ>
      [ 2006.919252]  dev_hard_start_xmit+0x9e/0x1f0
      [ 2006.932587]  sch_direct_xmit+0xa0/0x370
      [ 2006.936424]  __dev_queue_xmit+0x7af/0xd00
      [ 2006.940429]  ip_finish_output2+0x26c/0x540
      [ 2006.944519]  ip_output+0x71/0x110
      [ 2006.947831]  ? __ip_finish_output+0x2b0/0x2b0
      [ 2006.952180]  __ip_queue_xmit+0x16d/0x400
      [ 2006.952721] ice 0000:41:00.0: VF 0 is now untrusted
      [ 2006.956098]  __tcp_transmit_skb+0xa96/0xbf0
      [ 2006.965148]  __tcp_retransmit_skb+0x174/0x860
      [ 2006.969499]  ? cubictcp_cwnd_event+0x40/0x40
      [ 2006.973769]  tcp_retransmit_skb+0x14/0xb0
      ...
      
      Fixes: aa626da9 ("iavf: Detach device during reset task")
      Cc: Jacob Keller <jacob.e.keller@intel.com>
      Cc: Patryk Piotrowski <patryk.piotrowski@intel.com>
      Cc: SlawomirX Laba <slawomirx.laba@intel.com>
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      08f1c147
    • Ivan Vecera's avatar
      iavf: Fix a crash during reset task · c678669d
      Ivan Vecera authored
      Recent commit aa626da9 ("iavf: Detach device during reset task")
      removed netif_tx_stop_all_queues() with an assumption that Tx queues
      are already stopped by netif_device_detach() in the beginning of
      reset task. This assumption is incorrect because during reset
      task a potential link event can start Tx queues again.
      Revert this change to fix this issue.
      
      Reproducer:
      1. Run some Tx traffic (e.g. iperf3) over iavf interface
      2. Switch MTU of this interface in a loop
      
      [root@host ~]# cat repro.sh
      
      IF=enp2s0f0v0
      
      iperf3 -c 192.168.0.1 -t 600 --logfile /dev/null &
      sleep 2
      
      while :; do
              for i in 1280 1500 2000 900 ; do
                      ip link set $IF mtu $i
                      sleep 2
              done
      done
      [root@host ~]# ./repro.sh
      
      Result:
      [  306.199917] iavf 0000:02:02.0 enp2s0f0v0: NIC Link is Up Speed is 40 Gbps Full Duplex
      [  308.205944] iavf 0000:02:02.0 enp2s0f0v0: NIC Link is Up Speed is 40 Gbps Full Duplex
      [  310.103223] BUG: kernel NULL pointer dereference, address: 0000000000000008
      [  310.110179] #PF: supervisor write access in kernel mode
      [  310.115396] #PF: error_code(0x0002) - not-present page
      [  310.120526] PGD 0 P4D 0
      [  310.123057] Oops: 0002 [#1] PREEMPT SMP NOPTI
      [  310.127408] CPU: 24 PID: 183 Comm: kworker/u64:9 Kdump: loaded Not tainted 6.1.0-rc3+ #2
      [  310.135485] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
      [  310.145728] Workqueue: iavf iavf_reset_task [iavf]
      [  310.150520] RIP: 0010:iavf_xmit_frame_ring+0xd1/0xf70 [iavf]
      [  310.156180] Code: d0 0f 86 da 00 00 00 83 e8 01 0f b7 fa 29 f8 01 c8 39 c6 0f 8f a0 08 00 00 48 8b 45 20 48 8d 14 92 bf 01 00 00 00 4c 8d 3c d0 <49> 89 5f 08 8b 43 70 66 41 89 7f 14 41 89 47 10 f6 83 82 00 00 00
      [  310.174918] RSP: 0018:ffffbb5f0082caa0 EFLAGS: 00010293
      [  310.180137] RAX: 0000000000000000 RBX: ffff92345471a6e8 RCX: 0000000000000200
      [  310.187259] RDX: 0000000000000000 RSI: 000000000000000d RDI: 0000000000000001
      [  310.194385] RBP: ffff92341d249000 R08: ffff92434987fcac R09: 0000000000000001
      [  310.201509] R10: 0000000011f683b9 R11: 0000000011f50641 R12: 0000000000000008
      [  310.208631] R13: ffff923447500000 R14: 0000000000000000 R15: 0000000000000000
      [  310.215756] FS:  0000000000000000(0000) GS:ffff92434ee00000(0000) knlGS:0000000000000000
      [  310.223835] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  310.229572] CR2: 0000000000000008 CR3: 0000000fbc210004 CR4: 0000000000770ee0
      [  310.236696] PKRU: 55555554
      [  310.239399] Call Trace:
      [  310.241844]  <IRQ>
      [  310.243855]  ? dst_alloc+0x5b/0xb0
      [  310.247260]  dev_hard_start_xmit+0x9e/0x1f0
      [  310.251439]  sch_direct_xmit+0xa0/0x370
      [  310.255276]  __qdisc_run+0x13e/0x580
      [  310.258848]  __dev_queue_xmit+0x431/0xd00
      [  310.262851]  ? selinux_ip_postroute+0x147/0x3f0
      [  310.267377]  ip_finish_output2+0x26c/0x540
      
      Fixes: aa626da9 ("iavf: Detach device during reset task")
      Cc: Jacob Keller <jacob.e.keller@intel.com>
      Cc: Patryk Piotrowski <patryk.piotrowski@intel.com>
      Cc: SlawomirX Laba <slawomirx.laba@intel.com>
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      c678669d
    • Wang Hai's avatar
      net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() · 2360f9b8
      Wang Hai authored
      In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether
      pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue()
      needs to free skb before returning. But pch_gbe_tx_queue() returns without
      freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any()
      to fix it.
      
      Fixes: 77555ee7 ("net: Add Gigabit Ethernet driver of Topcliff PCH")
      Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2360f9b8
    • Lin Ma's avatar
      nfc/nci: fix race with opening and closing · 0ad6bded
      Lin Ma authored
      Previously we leverage NCI_UNREG and the lock inside nci_close_device to
      prevent the race condition between opening a device and closing a
      device. However, it still has problem because a failed opening command
      will erase the NCI_UNREG flag and allow another opening command to
      bypass the status checking.
      
      This fix corrects that by making sure the NCI_UNREG is held.
      
      Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com
      Fixes: 48b71a9e ("NFC: add NCI_UNREG flag to eliminate the race")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0ad6bded
    • Vladimir Oltean's avatar
      net: dsa: sja1105: disallow C45 transactions on the BASE-TX MDIO bus · 24deec6b
      Vladimir Oltean authored
      You'd think people know that the internal 100BASE-TX PHY on the SJA1110
      responds only to clause 22 MDIO transactions, but they don't :)
      
      When a clause 45 transaction is attempted, sja1105_base_tx_mdio_read()
      and sja1105_base_tx_mdio_write() don't expect "reg" to contain bit 30
      set (MII_ADDR_C45) and pack this value into the SPI transaction buffer.
      
      But the field in the SPI buffer has a width smaller than 30 bits, so we
      see this confusing message from the packing() API rather than a proper
      rejection of C45 transactions:
      
      Call trace:
       dump_stack+0x1c/0x38
       sja1105_pack+0xbc/0xc0 [sja1105]
       sja1105_xfer+0x114/0x2b0 [sja1105]
       sja1105_xfer_u32+0x44/0xf4 [sja1105]
       sja1105_base_tx_mdio_read+0x44/0x7c [sja1105]
       mdiobus_read+0x44/0x80
       get_phy_c45_ids+0x70/0x234
       get_phy_device+0x68/0x15c
       fwnode_mdiobus_register_phy+0x74/0x240
       of_mdiobus_register+0x13c/0x380
       sja1105_mdiobus_register+0x368/0x490 [sja1105]
       sja1105_setup+0x94/0x119c [sja1105]
      Cannot store 401d2405 inside bits 24-4 (would truncate)
      
      Fixes: 5a8f0974 ("net: dsa: sja1105: register the MDIO buses for 100base-T1 and 100base-TX")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      24deec6b
    • David Howells's avatar
      rxrpc: Fix race between conn bundle lookup and bundle removal [ZDI-CAN-15975] · 3bcd6c7e
      David Howells authored
      After rxrpc_unbundle_conn() has removed a connection from a bundle, it
      checks to see if there are any conns with available channels and, if not,
      removes and attempts to destroy the bundle.
      
      Whilst it does check after grabbing client_bundles_lock that there are no
      connections attached, this races with rxrpc_look_up_bundle() retrieving the
      bundle, but not attaching a connection for the connection to be attached
      later.
      
      There is therefore a window in which the bundle can get destroyed before we
      manage to attach a new connection to it.
      
      Fix this by adding an "active" counter to struct rxrpc_bundle:
      
       (1) rxrpc_connect_call() obtains an active count by prepping/looking up a
           bundle and ditches it before returning.
      
       (2) If, during rxrpc_connect_call(), a connection is added to the bundle,
           this obtains an active count, which is held until the connection is
           discarded.
      
       (3) rxrpc_deactivate_bundle() is created to drop an active count on a
           bundle and destroy it when the active count reaches 0.  The active
           count is checked inside client_bundles_lock() to prevent a race with
           rxrpc_look_up_bundle().
      
       (4) rxrpc_unbundle_conn() then calls rxrpc_deactivate_bundle().
      
      Fixes: 245500d8 ("rxrpc: Rewrite the client connection manager")
      Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-15975
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: zdi-disclosures@trendmicro.com
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3bcd6c7e
    • Wang Yufen's avatar
      selftests/net: fix missing xdp_dummy · 302e57f8
      Wang Yufen authored
      After commit afef88e6 ("selftests/bpf: Store BPF object files with
      .bpf.o extension"), we should use xdp_dummy.bpf.o instade of xdp_dummy.o.
      
      In addition, use the BPF_FILE variable to save the BPF object file name,
      which can be better identified and modified.
      
      Fixes: afef88e6 ("selftests/bpf: Store BPF object files with .bpf.o extension")
      Signed-off-by: default avatarWang Yufen <wangyufen@huawei.com>
      Cc: Daniel Müller <deso@posteo.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      302e57f8
    • Mahesh Bandewar's avatar
      ipvlan: hold lower dev to avoid possible use-after-free · 40b9d1ab
      Mahesh Bandewar authored
      Recently syzkaller discovered the issue of disappearing lower
      device (NETDEV_UNREGISTER) while the virtual device (like
      macvlan) is still having it as a lower device. So it's just
      a matter of time similar discovery will be made for IPvlan
      device setup. So fixing it preemptively. Also while at it,
      add a refcount tracker.
      
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver.")
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40b9d1ab
    • Thomas Zeitlhofer's avatar
      net: neigh: decrement the family specific qlen · 8207f253
      Thomas Zeitlhofer authored
      Commit 0ff4eb3d ("neighbour: make proxy_queue.qlen limit
      per-device") introduced the length counter qlen in struct neigh_parms.
      There are separate neigh_parms instances for IPv4/ARP and IPv6/ND, and
      while the family specific qlen is incremented in pneigh_enqueue(), the
      mentioned commit decrements always the IPv4/ARP specific qlen,
      regardless of the currently processed family, in pneigh_queue_purge()
      and neigh_proxy_process().
      
      As a result, with IPv6/ND, the family specific qlen is only incremented
      (and never decremented) until it exceeds PROXY_QLEN, and then, according
      to the check in pneigh_enqueue(), neighbor solicitations are not
      answered anymore. As an example, this is noted when using the
      subnet-router anycast address to access a Linux router. After a certain
      amount of time (in the observed case, qlen exceeded PROXY_QLEN after two
      days), the Linux router stops answering neighbor solicitations for its
      subnet-router anycast address and effectively becomes unreachable.
      
      Another result with IPv6/ND is that the IPv4/ARP specific qlen is
      decremented more often than incremented. This leads to negative qlen
      values, as a signed integer has been used for the length counter qlen,
      and potentially to an integer overflow.
      
      Fix this by introducing the helper function neigh_parms_qlen_dec(),
      which decrements the family specific qlen. Thereby, make use of the
      existing helper function neigh_get_dev_parms_rcu(), whose definition
      therefore needs to be placed earlier in neighbour.c. Take the family
      member from struct neigh_table to determine the currently processed
      family and appropriately call neigh_parms_qlen_dec() from
      pneigh_queue_purge() and neigh_proxy_process().
      
      Additionally, use an unsigned integer for the length counter qlen.
      
      Fixes: 0ff4eb3d ("neighbour: make proxy_queue.qlen limit per-device")
      Signed-off-by: default avatarThomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8207f253
    • Leon Romanovsky's avatar
      net: liquidio: simplify if expression · 733d4bbf
      Leon Romanovsky authored
      Fix the warning reported by kbuild:
      
      cocci warnings: (new ones prefixed by >>)
      >> drivers/net/ethernet/cavium/liquidio/lio_main.c:1797:54-56: WARNING !A || A && B is equivalent to !A || B
         drivers/net/ethernet/cavium/liquidio/lio_main.c:1827:54-56: WARNING !A || A && B is equivalent to !A || B
      
      Fixes: 8979f428 ("net: liquidio: release resources when liquidio driver open failed")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Reviewed-by: default avatarSaeed Mahameed <saeed@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      733d4bbf
    • Jakub Kicinski's avatar
      Merge branch 'mptcp-selftests-fix-timeouts-and-test-isolation' · 11b64a46
      Jakub Kicinski authored
      Mat Martineau says:
      
      ====================
      mptcp: selftests: Fix timeouts and test isolation
      
      Patches 1 and 3 adjust test timeouts to reduce false negatives on slow
      machines.
      
      Patch 2 improves test isolation by running the mptcp_sockopt test in its
      own net namespace.
      ====================
      
      Link: https://lore.kernel.org/r/20221115221046.20370-1-mathew.j.martineau@linux.intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      11b64a46
    • Matthieu Baerts's avatar
      selftests: mptcp: fix mibit vs mbit mix up · 3de88b95
      Matthieu Baerts authored
      The estimated time was supposing the rate was expressed in mibit
      (bit * 1024^2) but it is in mbit (bit * 1000^2).
      
      This makes the threshold higher but in a more realistic way to avoid
      false positives reported by CI instances.
      
      Before this patch, the thresholds were at 7561/4005ms and now they are
      at 7906/4178ms.
      
      While at it, also fix a typo in the linked comment, spotted by Mat.
      
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/310
      Fixes: 1a418cb8 ("mptcp: simult flow self-tests")
      Suggested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3de88b95
    • Matthieu Baerts's avatar
      selftests: mptcp: run mptcp_sockopt from a new netns · 7e68d310
      Matthieu Baerts authored
      Not running it from a new netns causes issues if some MPTCP settings are
      modified, e.g. if MPTCP is disabled from the sysctl knob, if multiple
      addresses are available and added to the MPTCP path-manager, etc.
      
      In these cases, the created connection will not behave as expected, e.g.
      unable to create an MPTCP socket, more than one subflow is seen, etc.
      
      A new "sandbox" net namespace is now created and used to run
      mptcp_sockopt from this controlled environment.
      
      Fixes: ce997912 ("selftests: mptcp: add mptcp getsockopt test cases")
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7e68d310
    • Paolo Abeni's avatar
      selftests: mptcp: gives slow test-case more time · 22b29557
      Paolo Abeni authored
      On slow or busy VM, some test-cases still fail because the
      data transfer completes before the endpoint manipulation
      actually took effect.
      
      Address the issue by artificially increasing the runtime for
      the relevant test-cases.
      
      Fixes: ef360019 ("selftests: mptcp: signal addresses testcases")
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/309Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      22b29557
  2. 17 Nov, 2022 4 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 847ccab8
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf.
      
        Current release - regressions:
      
         - tls: fix memory leak in tls_enc_skb() and tls_sw_fallback_init()
      
        Previous releases - regressions:
      
         - bridge: fix memory leaks when changing VLAN protocol
      
         - dsa: make dsa_master_ioctl() see through port_hwtstamp_get() shims
      
         - dsa: don't leak tagger-owned storage on switch driver unbind
      
         - eth: mlxsw: avoid warnings when not offloaded FDB entry with IPv6
           is removed
      
         - eth: stmmac: ensure tx function is not running in
           stmmac_xdp_release()
      
         - eth: hns3: fix return value check bug of rx copybreak
      
        Previous releases - always broken:
      
         - kcm: close race conditions on sk_receive_queue
      
         - bpf: fix alignment problem in bpf_prog_test_run_skb()
      
         - bpf: fix writing offset in case of fault in
           strncpy_from_kernel_nofault
      
         - eth: macvlan: use built-in RCU list checking
      
         - eth: marvell: add sleep time after enabling the loopback bit
      
         - eth: octeon_ep: fix potential memory leak in octep_device_setup()
      
        Misc:
      
         - tcp: configurable source port perturb table size
      
         - bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)"
      
      * tag 'net-6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (51 commits)
        net: use struct_group to copy ip/ipv6 header addresses
        net: usb: smsc95xx: fix external PHY reset
        net: usb: qmi_wwan: add Telit 0x103a composition
        netdevsim: Fix memory leak of nsim_dev->fa_cookie
        tcp: configurable source port perturb table size
        l2tp: Serialize access to sk_user_data with sk_callback_lock
        net: thunderbolt: Fix error handling in tbnet_init()
        net: microchip: sparx5: Fix potential null-ptr-deref in sparx_stats_init() and sparx5_start()
        net: lan966x: Fix potential null-ptr-deref in lan966x_stats_init()
        net: dsa: don't leak tagger-owned storage on switch driver unbind
        net/x25: Fix skb leak in x25_lapb_receive_frame()
        net: ag71xx: call phylink_disconnect_phy if ag71xx_hw_enable() fail in ag71xx_open()
        bridge: switchdev: Fix memory leaks when changing VLAN protocol
        net: hns3: fix setting incorrect phy link ksettings for firmware in resetting process
        net: hns3: fix return value check bug of rx copybreak
        net: hns3: fix incorrect hw rss hash type of rx packet
        net: phy: marvell: add sleep time after enabling the loopback bit
        net: ena: Fix error handling in ena_init()
        kcm: close race conditions on sk_receive_queue
        net: ionic: Fix error handling in ionic_init_module()
        ...
      847ccab8
    • Hangbin Liu's avatar
      net: use struct_group to copy ip/ipv6 header addresses · 58e0be1e
      Hangbin Liu authored
      kernel test robot reported warnings when build bonding module with
      make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/net/bonding/:
      
                       from ../drivers/net/bonding/bond_main.c:35:
      In function ‘fortify_memcpy_chk’,
          inlined from ‘iph_to_flow_copy_v4addrs’ at ../include/net/ip.h:566:2,
          inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3984:3:
      ../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f
      ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
        413 |                         __read_overflow2_field(q_size_field, size);
            |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      In function ‘fortify_memcpy_chk’,
          inlined from ‘iph_to_flow_copy_v6addrs’ at ../include/net/ipv6.h:900:2,
          inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3994:3:
      ../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f
      ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
        413 |                         __read_overflow2_field(q_size_field, size);
            |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      This is because we try to copy the whole ip/ip6 address to the flow_key,
      while we only point the to ip/ip6 saddr. Note that since these are UAPI
      headers, __struct_group() is used to avoid the compiler warnings.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: c3f83241 ("net: Add full IPv6 addresses to flow_keys")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Link: https://lore.kernel.org/r/20221115142400.1204786-1-liuhangbin@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      58e0be1e
    • Alexandru Tachici's avatar
      net: usb: smsc95xx: fix external PHY reset · 809ff97a
      Alexandru Tachici authored
      An external PHY needs settling time after power up or reset.
      In the bind() function an mdio bus is registered. If at this point
      the external PHY is still initialising, no valid PHY ID will be
      read and on phy_find_first() the bind() function will fail.
      
      If an external PHY is present, wait the maximum time specified
      in 802.3 45.2.7.1.1.
      
      Fixes: 05b35e7e ("smsc95xx: add phylib support")
      Signed-off-by: default avatarAlexandru Tachici <alexandru.tachici@analog.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20221115114434.9991-2-alexandru.tachici@analog.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      809ff97a
    • Enrico Sau's avatar
      net: usb: qmi_wwan: add Telit 0x103a composition · e103ba33
      Enrico Sau authored
      Add the following Telit LE910C4-WWX composition:
      
      0x103a: rmnet
      Signed-off-by: default avatarEnrico Sau <enrico.sau@gmail.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Link: https://lore.kernel.org/r/20221115105859.14324-1-enrico.sau@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e103ba33
  3. 16 Nov, 2022 17 commits
  4. 15 Nov, 2022 5 commits