1. 16 Nov, 2019 7 commits
    • Chuhong Yuan's avatar
      net: gemini: add missed free_netdev · 18d647ae
      Chuhong Yuan authored
      This driver forgets to free allocated netdev in remove like
      what is done in probe failure.
      Add the free to fix it.
      Signed-off-by: default avatarChuhong Yuan <hslester96@gmail.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      18d647ae
    • Vladimir Oltean's avatar
      net: dsa: tag_8021q: Fix dsa_8021q_restore_pvid for an absent pvid · c80ed84e
      Vladimir Oltean authored
      This sequence of operations:
      ip link set dev br0 type bridge vlan_filtering 1
      bridge vlan del dev swp2 vid 1
      ip link set dev br0 type bridge vlan_filtering 1
      ip link set dev br0 type bridge vlan_filtering 0
      
      apparently fails with the message:
      
      [   31.305716] sja1105 spi0.1: Reset switch and programmed static config. Reason: VLAN filtering
      [   31.322161] sja1105 spi0.1: Couldn't determine PVID attributes (pvid 0)
      [   31.328939] sja1105 spi0.1: Failed to setup VLAN tagging for port 1: -2
      [   31.335599] ------------[ cut here ]------------
      [   31.340215] WARNING: CPU: 1 PID: 194 at net/switchdev/switchdev.c:157 switchdev_port_attr_set_now+0x9c/0xa4
      [   31.349981] br0: Commit of attribute (id=6) failed.
      [   31.354890] Modules linked in:
      [   31.357942] CPU: 1 PID: 194 Comm: ip Not tainted 5.4.0-rc6-01792-gf4f632e07665-dirty #2062
      [   31.366167] Hardware name: Freescale LS1021A
      [   31.370437] [<c03144dc>] (unwind_backtrace) from [<c030e184>] (show_stack+0x10/0x14)
      [   31.378153] [<c030e184>] (show_stack) from [<c11d1c1c>] (dump_stack+0xe0/0x10c)
      [   31.385437] [<c11d1c1c>] (dump_stack) from [<c034c730>] (__warn+0xf4/0x10c)
      [   31.392373] [<c034c730>] (__warn) from [<c034c7bc>] (warn_slowpath_fmt+0x74/0xb8)
      [   31.399827] [<c034c7bc>] (warn_slowpath_fmt) from [<c11ca204>] (switchdev_port_attr_set_now+0x9c/0xa4)
      [   31.409097] [<c11ca204>] (switchdev_port_attr_set_now) from [<c117036c>] (__br_vlan_filter_toggle+0x6c/0x118)
      [   31.418971] [<c117036c>] (__br_vlan_filter_toggle) from [<c115d010>] (br_changelink+0xf8/0x518)
      [   31.427637] [<c115d010>] (br_changelink) from [<c0f8e9ec>] (__rtnl_newlink+0x3f4/0x76c)
      [   31.435613] [<c0f8e9ec>] (__rtnl_newlink) from [<c0f8eda8>] (rtnl_newlink+0x44/0x60)
      [   31.443329] [<c0f8eda8>] (rtnl_newlink) from [<c0f89f20>] (rtnetlink_rcv_msg+0x2cc/0x51c)
      [   31.451477] [<c0f89f20>] (rtnetlink_rcv_msg) from [<c1008df8>] (netlink_rcv_skb+0xb8/0x110)
      [   31.459796] [<c1008df8>] (netlink_rcv_skb) from [<c1008648>] (netlink_unicast+0x17c/0x1f8)
      [   31.468026] [<c1008648>] (netlink_unicast) from [<c1008980>] (netlink_sendmsg+0x2bc/0x3b4)
      [   31.476261] [<c1008980>] (netlink_sendmsg) from [<c0f43858>] (___sys_sendmsg+0x230/0x250)
      [   31.484408] [<c0f43858>] (___sys_sendmsg) from [<c0f44c84>] (__sys_sendmsg+0x50/0x8c)
      [   31.492209] [<c0f44c84>] (__sys_sendmsg) from [<c0301000>] (ret_fast_syscall+0x0/0x28)
      [   31.500090] Exception stack(0xedf47fa8 to 0xedf47ff0)
      [   31.505122] 7fa0:                   00000002 b6f2e060 00000003 beabd6a4 00000000 00000000
      [   31.513265] 7fc0: 00000002 b6f2e060 5d6e3213 00000128 00000000 00000001 00000006 000619c4
      [   31.521405] 7fe0: 00086078 beabd658 0005edbc b6e7ce68
      
      The reason is the implementation of br_get_pvid:
      
      static inline u16 br_get_pvid(const struct net_bridge_vlan_group *vg)
      {
      	if (!vg)
      		return 0;
      
      	smp_rmb();
      	return vg->pvid;
      }
      
      Since VID 0 is an invalid pvid from the bridge's point of view, let's
      add this check in dsa_8021q_restore_pvid to avoid restoring a pvid that
      doesn't really exist.
      
      Fixes: 5f33183b ("net: dsa: tag_8021q: Restore bridge VLANs when enabling vlan_filtering")
      Signed-off-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c80ed84e
    • David S. Miller's avatar
      Merge branch 'seg6-fixes-to-Segment-Routing-in-IPv6' · e84fa0ae
      David S. Miller authored
      Andrea Mayer says:
      
      ====================
      seg6: fixes to Segment Routing in IPv6
      
      This patchset is divided in 2 patches and it introduces some fixes
      to Segment Routing in IPv6, which are:
      
      - in function get_srh() fix the srh pointer after calling
        pskb_may_pull();
      
      - fix the skb->transport_header after calling decap_and_validate()
        function;
      
      Any comments on the patchset are welcome.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e84fa0ae
    • Andrea Mayer's avatar
      seg6: fix skb transport_header after decap_and_validate() · c71644d0
      Andrea Mayer authored
      in the receive path (more precisely in ip6_rcv_core()) the
      skb->transport_header is set to skb->network_header + sizeof(*hdr). As a
      consequence, after routing operations, destination input expects to find
      skb->transport_header correctly set to the next protocol (or extension
      header) that follows the network protocol. However, decap behaviors (DX*,
      DT*) remove the outer IPv6 and SRH extension and do not set again the
      skb->transport_header pointer correctly. For this reason, the patch sets
      the skb->transport_header to the skb->network_header + sizeof(hdr) in each
      DX* and DT* behavior.
      Signed-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c71644d0
    • Andrea Mayer's avatar
      seg6: fix srh pointer in get_srh() · 7f91ed8c
      Andrea Mayer authored
      pskb_may_pull may change pointers in header. For this reason, it is
      mandatory to reload any pointer that points into skb header.
      Signed-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7f91ed8c
    • Nishad Kamdar's avatar
      net: stmmac: Use the correct style for SPDX License Identifier · acb9bdc1
      Nishad Kamdar authored
      This patch corrects the SPDX License Identifier style in
      header files related to STMicroelectronics based Multi-Gigabit
      Ethernet driver. For C header files Documentation/process/license-rules.rst
      mandates C-like comments (opposed to C source files where
      C++ style should be used).
      
      Changes made by using a script provided by Joe Perches here:
      https://lkml.org/lkml/2019/2/7/46.
      Suggested-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarNishad Kamdar <nishadkamdar@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acb9bdc1
    • Nishad Kamdar's avatar
      octeontx2-af: Use the correct style for SPDX License Identifier · 26b3f3cc
      Nishad Kamdar authored
      This patch corrects the SPDX License Identifier style in
      header files related to Marvell OcteonTX2 network devices.
      It uses an expilict block comment for the SPDX License
      Identifier.
      
      Changes made by using a script provided by Joe Perches here:
      https://lkml.org/lkml/2019/2/7/46.
      Suggested-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarNishad Kamdar <nishadkamdar@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26b3f3cc
  2. 15 Nov, 2019 23 commits
  3. 14 Nov, 2019 3 commits
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.4-20191114' of... · d15a5020
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.4-20191114' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-11-14
      
      here another pull request for net/master consisting of one patch (including my S-o-b).
      
      Jouni Hogander's patch fixes a memory leak found by the syzbot in the slcan
      driver's error path.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d15a5020
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2019-11-14' of... · bb9b5441
      David S. Miller authored
      Merge tag 'wireless-drivers-2019-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.4
      
      Hopefully last fixes for v5.4, only one iwlwifi fix this time.
      
      iwlwifi
      
      * fix A-MSDU data corruption when using CCMP/GCMP ciphers
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb9b5441
    • Jouni Hogander's avatar
      slcan: Fix memory leak in error path · ed50e160
      Jouni Hogander authored
      This patch is fixing memory leak reported by Syzkaller:
      
      BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
        comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
        hex dump (first 32 bytes):
          73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
        backtrace:
          [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
          [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
          [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
          [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
          [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
          [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
          [<000000004de5a617>] tty_ioctl+0x48d/0x1590
          [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
          [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
          [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
          [<0000000053d0332e>] do_syscall_64+0x16f/0x580
          [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<000000008ea75434>] 0xffffffffffffffff
      
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: default avatarJouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      ed50e160
  4. 13 Nov, 2019 7 commits
    • Dan Carpenter's avatar
      net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() · a56dcc6b
      Dan Carpenter authored
      This code is supposed to test for negative error codes and partial
      reads, but because sizeof() is size_t (unsigned) type then negative
      error codes are type promoted to high positive values and the condition
      doesn't work as expected.
      
      Fixes: 332f989a ("CDC-NCM: handle incomplete transfer of MTU")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a56dcc6b
    • Jouni Hogander's avatar
      slip: Fix memory leak in slip_open error path · 3b5a3997
      Jouni Hogander authored
      Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
      by Syzkaller in slcan. Same issue exists in slip.c and this patch is
      addressing the leak in slip.c.
      
      Here is the slcan memory leak trace reported by Syzkaller:
      
      BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
        comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
        hex dump (first 32 bytes):
          73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
        backtrace:
          [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
          [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
          [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
          [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
          [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
          [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
          [<000000004de5a617>] tty_ioctl+0x48d/0x1590
          [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
          [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
          [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
          [<0000000053d0332e>] do_syscall_64+0x16f/0x580
          [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<000000008ea75434>] 0xfffffffffffffff
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: default avatarJouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b5a3997
    • Aleksander Morgado's avatar
      net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules · 802753cb
      Aleksander Morgado authored
      These are the Foxconn-branded variants of the Dell DW5821e modules,
      same USB layout as those.
      
      The QMI interface is exposed in USB configuration #1:
      
      P:  Vendor=0489 ProdID=e0b4 Rev=03.18
      S:  Manufacturer=FII
      S:  Product=T77W968 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      Signed-off-by: default avatarAleksander Morgado <aleksander@aleksander.es>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      802753cb
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.4-20191113' of... · b3dff0eb
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.4-20191113' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-11-13
      
      this is a pull request of 9 patches for net/master, hopefully for the v5.4
      release cycle.
      
      All nine patches are by Oleksij Rempel and fix locking and use-after-free bugs
      in the j1939 stack found by the syzkaller syzbot.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3dff0eb
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · c3afb7ea
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2019-11-13
      
      1) Fix a page memleak on xfrm state destroy.
      
      2) Fix a refcount imbalance if a xfrm_state
         gets invaild during async resumption.
         From Xiaodong Xu.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c3afb7ea
    • Oleksij Rempel's avatar
      can: j1939: warn if resources are still linked on destroy · 4a15d574
      Oleksij Rempel authored
      j1939_session_destroy() and __j1939_priv_release() should be called only
      if session, ecu or socket are not linked or used by any one else. If at
      least one of these resources is linked, then the reference counting is
      broken somewhere.
      
      This warning will be triggered before KASAN will do, and will make it
      easier to debug initial issue. This works on platforms without KASAN
      support.
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      4a15d574
    • Oleksij Rempel's avatar
      can: j1939: j1939_can_recv(): add priv refcounting · ddeeb7d4
      Oleksij Rempel authored
      j1939_can_recv() can be called in parallel with socket release. In this
      case sk_release and sk_destruct can be done earlier than
      j1939_can_recv() is processed.
      
      Reported-by: syzbot+ca172a0ac477ac90f045@syzkaller.appspotmail.com
      Reported-by: syzbot+07ca5bce8530070a5650@syzkaller.appspotmail.com
      Reported-by: syzbot+a47537d3964ef6c874e1@syzkaller.appspotmail.com
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      ddeeb7d4