1. 16 Oct, 2021 7 commits
  2. 15 Oct, 2021 21 commits
  3. 14 Oct, 2021 12 commits
    • Linus Torvalds's avatar
      Merge tag 'net-5.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · ec681c53
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Quite calm.
      
        The noisy DSA driver (embedded switches) changes, and adjustment to
        IPv6 IOAM behavior add to diffstat's bottom line but are not scary.
      
        Current release - regressions:
      
         - af_unix: rename UNIX-DGRAM to UNIX to maintain backwards
           compatibility
      
         - procfs: revert "add seq_puts() statement for dev_mcast", minor
           format change broke user space
      
        Current release - new code bugs:
      
         - dsa: fix bridge_num not getting cleared after ports leaving the
           bridge, resource leak
      
         - dsa: tag_dsa: send packets with TX fwd offload from VLAN-unaware
           bridges using VID 0, prevent packet drops if pvid is removed
      
         - dsa: mv88e6xxx: keep the pvid at 0 when VLAN-unaware, prevent HW
           getting confused about station to VLAN mapping
      
        Previous releases - regressions:
      
         - virtio-net: fix for skb_over_panic inside big mode
      
         - phy: do not shutdown PHYs in READY state
      
         - dsa: mv88e6xxx: don't use PHY_DETECT on internal PHY's, fix link
           LED staying lit after ifdown
      
         - mptcp: fix possible infinite wait on recvmsg(MSG_WAITALL)
      
         - mqprio: Correct stats in mqprio_dump_class_stats()
      
         - ice: fix deadlock for Tx timestamp tracking flush
      
         - stmmac: fix feature detection on old hardware
      
        Previous releases - always broken:
      
         - sctp: account stream padding length for reconf chunk
      
         - icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe()
      
         - isdn: cpai: check ctr->cnr to avoid array index out of bound
      
         - isdn: mISDN: fix sleeping function called from invalid context
      
         - nfc: nci: fix potential UAF of rf_conn_info object
      
         - dsa: microchip: prevent ksz_mib_read_work from kicking back in
           after it's canceled in .remove and crashing
      
         - dsa: mv88e6xxx: isolate the ATU databases of standalone and bridged
           ports
      
         - dsa: sja1105, ocelot: break circular dependency between switch and
           tag drivers
      
         - dsa: felix: improve timestamping in presence of packe loss
      
         - mlxsw: thermal: fix out-of-bounds memory accesses
      
        Misc:
      
         - ipv6: ioam: move the check for undefined bits to improve
           interoperability"
      
      * tag 'net-5.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (60 commits)
        icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe
        MAINTAINERS: Update the devicetree documentation path of imx fec driver
        sctp: account stream padding length for reconf chunk
        mlxsw: thermal: Fix out-of-bounds memory accesses
        ethernet: s2io: fix setting mac address during resume
        NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
        NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
        nfc: fix error handling of nfc_proto_register()
        Revert "net: procfs: add seq_puts() statement for dev_mcast"
        net: encx24j600: check error in devm_regmap_init_encx24j600
        net: korina: select CRC32
        net: arc: select CRC32
        net: dsa: felix: break at first CPU port during init and teardown
        net: dsa: tag_ocelot_8021q: fix inability to inject STP BPDUs into BLOCKING ports
        net: dsa: felix: purge skb from TX timestamping queue if it cannot be sent
        net: dsa: tag_ocelot_8021q: break circular dependency with ocelot switch lib
        net: dsa: tag_ocelot: break circular dependency with ocelot switch lib driver
        net: mscc: ocelot: cross-check the sequence id from the timestamp FIFO with the skb PTP header
        net: mscc: ocelot: deny TX timestamping of non-PTP packets
        net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb
        ...
      ec681c53
    • Xin Long's avatar
      icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe · 1fcd7945
      Xin Long authored
      In icmp_build_probe(), the icmp_ext_echo_iio parsing should be done
      step by step and skb_header_pointer() return value should always be
      checked, this patch fixes 3 places in there:
      
        - On case ICMP_EXT_ECHO_CTYPE_NAME, it should only copy ident.name
          from skb by skb_header_pointer(), its len is ident_len. Besides,
          the return value of skb_header_pointer() should always be checked.
      
        - On case ICMP_EXT_ECHO_CTYPE_INDEX, move ident_len check ahead of
          skb_header_pointer(), and also do the return value check for
          skb_header_pointer().
      
        - On case ICMP_EXT_ECHO_CTYPE_ADDR, before accessing iio->ident.addr.
          ctype3_hdr.addrlen, skb_header_pointer() should be called first,
          then check its return value and ident_len.
          On subcases ICMP_AFI_IP and ICMP_AFI_IP6, also do check for ident.
          addr.ctype3_hdr.addrlen and skb_header_pointer()'s return value.
          On subcase ICMP_AFI_IP, the len for skb_header_pointer() should be
          "sizeof(iio->extobj_hdr) + sizeof(iio->ident.addr.ctype3_hdr) +
          sizeof(struct in_addr)" or "ident_len".
      
      v1->v2:
        - To make it more clear, call skb_header_pointer() once only for
          iio->indent's parsing as Jakub Suggested.
      v2->v3:
        - The extobj_hdr.length check against sizeof(_iio) should be done
          before calling skb_header_pointer(), as Eric noticed.
      
      Fixes: d329ea5b ("icmp: add response to RFC 8335 PROBE messages")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/31628dd76657ea62f5cf78bb55da6b35240831f1.1634205050.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1fcd7945
    • Cai Huoqing's avatar
      MAINTAINERS: Update the devicetree documentation path of imx fec driver · ea142b09
      Cai Huoqing authored
      Change the devicetree documentation path
      to "Documentation/devicetree/bindings/net/fsl,fec.yaml"
      since 'fsl-fec.txt' has been converted to 'fsl,fec.yaml' already.
      Signed-off-by: default avatarCai Huoqing <caihuoqing@baidu.com>
      Link: https://lore.kernel.org/r/20211014110214.3254-1-caihuoqing@baidu.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ea142b09
    • Eiichi Tsukata's avatar
      sctp: account stream padding length for reconf chunk · a2d859e3
      Eiichi Tsukata authored
      sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
      which will automatically account for padding on each call. inreq and
      outreq are already 4 bytes aligned, but the payload is not and doing
      SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
      different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to
      possible attempt to use more buffer than it was allocated and triggered
      a BUG_ON.
      
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Fixes: cc16f00f ("sctp: add support for generating stream reconf ssn reset request chunk")
      Reported-by: default avatarEiichi Tsukata <eiichi.tsukata@nutanix.com>
      Signed-off-by: default avatarEiichi Tsukata <eiichi.tsukata@nutanix.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/b97c1f8b0c7ff79ac4ed206fc2c49d3612e0850c.1634156849.git.mleitner@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a2d859e3
    • Ido Schimmel's avatar
      mlxsw: thermal: Fix out-of-bounds memory accesses · 332fdf95
      Ido Schimmel authored
      Currently, mlxsw allows cooling states to be set above the maximum
      cooling state supported by the driver:
      
       # cat /sys/class/thermal/thermal_zone2/cdev0/type
       mlxsw_fan
       # cat /sys/class/thermal/thermal_zone2/cdev0/max_state
       10
       # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state
       # echo $?
       0
      
      This results in out-of-bounds memory accesses when thermal state
      transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the
      transition table is accessed with a too large index (state) [1].
      
      According to the thermal maintainer, it is the responsibility of the
      driver to reject such operations [2].
      
      Therefore, return an error when the state to be set exceeds the maximum
      cooling state supported by the driver.
      
      To avoid dead code, as suggested by the thermal maintainer [3],
      partially revert commit a421ce08 ("mlxsw: core: Extend cooling
      device with cooling levels") that tried to interpret these invalid
      cooling states (above the maximum) in a special way. The cooling levels
      array is not removed in order to prevent the fans going below 20% PWM,
      which would cause them to get stuck at 0% PWM.
      
      [1]
      BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290
      Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5
      
      CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122
      Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016
      Workqueue: events_freezable_power_ thermal_zone_device_check
      Call Trace:
       dump_stack_lvl+0x8b/0xb3
       print_address_description.constprop.0+0x1f/0x140
       kasan_report.cold+0x7f/0x11b
       thermal_cooling_device_stats_update+0x271/0x290
       __thermal_cdev_update+0x15e/0x4e0
       thermal_cdev_update+0x9f/0xe0
       step_wise_throttle+0x770/0xee0
       thermal_zone_device_update+0x3f6/0xdf0
       process_one_work+0xa42/0x1770
       worker_thread+0x62f/0x13e0
       kthread+0x3ee/0x4e0
       ret_from_fork+0x1f/0x30
      
      Allocated by task 1:
       kasan_save_stack+0x1b/0x40
       __kasan_kmalloc+0x7c/0x90
       thermal_cooling_device_setup_sysfs+0x153/0x2c0
       __thermal_cooling_device_register.part.0+0x25b/0x9c0
       thermal_cooling_device_register+0xb3/0x100
       mlxsw_thermal_init+0x5c5/0x7e0
       __mlxsw_core_bus_device_register+0xcb3/0x19c0
       mlxsw_core_bus_device_register+0x56/0xb0
       mlxsw_pci_probe+0x54f/0x710
       local_pci_probe+0xc6/0x170
       pci_device_probe+0x2b2/0x4d0
       really_probe+0x293/0xd10
       __driver_probe_device+0x2af/0x440
       driver_probe_device+0x51/0x1e0
       __driver_attach+0x21b/0x530
       bus_for_each_dev+0x14c/0x1d0
       bus_add_driver+0x3ac/0x650
       driver_register+0x241/0x3d0
       mlxsw_sp_module_init+0xa2/0x174
       do_one_initcall+0xee/0x5f0
       kernel_init_freeable+0x45a/0x4de
       kernel_init+0x1f/0x210
       ret_from_fork+0x1f/0x30
      
      The buggy address belongs to the object at ffff8881052f7800
       which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 1016 bytes inside of
       1024-byte region [ffff8881052f7800, ffff8881052f7c00)
      The buggy address belongs to the page:
      page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0
      head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0
      flags: 0x200000000010200(slab|head|node=0|zone=2)
      raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
       ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                      ^
       ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      [2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-1895-1fdc45c0244e@linaro.org/
      [3] https://lore.kernel.org/linux-pm/af9857f2-578e-de3a-e62b-6baff7e69fd4@linaro.org/
      
      CC: Daniel Lezcano <daniel.lezcano@linaro.org>
      Fixes: a50c1e35 ("mlxsw: core: Implement thermal zone")
      Fixes: a421ce08 ("mlxsw: core: Extend cooling device with cooling levels")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarVadim Pasternak <vadimp@nvidia.com>
      Link: https://lore.kernel.org/r/20211012174955.472928-1-idosch@idosch.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      332fdf95
    • Arnd Bergmann's avatar
      ethernet: s2io: fix setting mac address during resume · 40507e7a
      Arnd Bergmann authored
      After recent cleanups, gcc started warning about a suspicious
      memcpy() call during the s2io_io_resume() function:
      
      In function '__dev_addr_set',
          inlined from 'eth_hw_addr_set' at include/linux/etherdevice.h:318:2,
          inlined from 's2io_set_mac_addr' at drivers/net/ethernet/neterion/s2io.c:5205:2,
          inlined from 's2io_io_resume' at drivers/net/ethernet/neterion/s2io.c:8569:7:
      arch/x86/include/asm/string_32.h:182:25: error: '__builtin_memcpy' accessing 6 bytes at offsets 0 and 2 overlaps 4 bytes at offset 2 [-Werror=restrict]
        182 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
            |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
      include/linux/netdevice.h:4648:9: note: in expansion of macro 'memcpy'
       4648 |         memcpy(dev->dev_addr, addr, len);
            |         ^~~~~~
      
      What apparently happened is that an old cleanup changed the calling
      conventions for s2io_set_mac_addr() from taking an ethernet address
      as a character array to taking a struct sockaddr, but one of the
      callers was not changed at the same time.
      
      Change it to instead call the low-level do_s2io_prog_unicast() function
      that still takes the old argument type.
      
      Fixes: 2fd37688 ("S2io: Added support set_mac_address driver entry point")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20211013143613.2049096-1-arnd@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      40507e7a
    • Dinh Nguyen's avatar
      MAINTAINERS: Update entry for the Stratix10 firmware · 26d65741
      Dinh Nguyen authored
      Richard Gong is no longer at Intel, so update the MAINTAINER's entry for
      the Stratix10 firmware drivers.
      Signed-off-by: default avatarDinh Nguyen <dinguyen@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      26d65741
    • Linus Torvalds's avatar
      Merge tag 'sound-5.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1626d9a3
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This contains quite a few device-specific fixes for usual HD- and
        USB-audio in addition to a couple of ALSA core fixes (a UAF fix in
        sequencer and a fix for a misplaced PCM 32bit compat ioctl).
      
        Nothing really stands out"
      
      * tag 'sound-5.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: usb-audio: Add quirk for VF0770
        ALSA: hda: avoid write to STATESTS if controller is in reset
        ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW
        ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl
        ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2
        ALSA: hda: intel: Allow repeatedly probing on codec configuration errors
        ALSA: hda/realtek: Add quirk for TongFang PHxTxX1
        ALSA: hda/realtek - ALC236 headset MIC recording issue
        ALSA: usb-audio: Enable rate validation for Scarlett devices
        ALSA: hda/realtek: Add quirk for Clevo X170KM-G
        ALSA: hda/realtek: Complete partial device name to avoid ambiguity
        ALSA: hda - Enable headphone mic on Dell Latitude laptops with ALC3254
        ALSA: seq: Fix a potential UAF by wrong private_free call order
        ALSA: hda/realtek: Enable 4-speaker output for Dell Precision 5560 laptop
        ALSA: usb-audio: Fix a missing error check in scarlett gen2 mixer
      1626d9a3
    • Uwe Kleine-König's avatar
      spi-mux: Fix false-positive lockdep splats · 16a8e2fb
      Uwe Kleine-König authored
      io_mutex is taken by spi_setup() and spi-mux's .setup() callback calls
      spi_setup() which results in a nested lock of io_mutex.
      
      add_lock is taken by spi_add_device(). The device_add() call in there
      can result in calling spi-mux's .probe() callback which registers its
      own spi controller which in turn results in spi_add_device() being
      called again.
      
      To fix this initialize the controller's locks already in
      spi_alloc_controller() to give spi_mux_probe() a chance to set the
      lockdep subclass.
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Link: https://lore.kernel.org/r/20211013133710.2679703-2-u.kleine-koenig@pengutronix.deSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      16a8e2fb
    • Mark Brown's avatar
      spi: Fix deadlock when adding SPI controllers on SPI buses · 6098475d
      Mark Brown authored
      Currently we have a global spi_add_lock which we take when adding new
      devices so that we can check that we're not trying to reuse a chip
      select that's already controlled.  This means that if the SPI device is
      itself a SPI controller and triggers the instantiation of further SPI
      devices we trigger a deadlock as we try to register and instantiate
      those devices while in the process of doing so for the parent controller
      and hence already holding the global spi_add_lock.  Since we only care
      about concurrency within a single SPI bus move the lock to be per
      controller, avoiding the deadlock.
      
      This can be easily triggered in the case of spi-mux.
      Reported-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      6098475d
    • Jakub Kicinski's avatar
      Merge branch 'fix-two-possible-memory-leak-problems-in-nfc-digital-module' · cbcc5072
      Jakub Kicinski authored
      Ziyang Xuan says:
      
      ====================
      Fix two possible memory leak problems in NFC digital module.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1634111083.git.william.xuanziyang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cbcc5072
    • Ziyang Xuan's avatar
      NFC: digital: fix possible memory leak in digital_in_send_sdd_req() · 291c932f
      Ziyang Xuan authored
      'skb' is allocated in digital_in_send_sdd_req(), but not free when
      digital_in_send_cmd() failed, which will cause memory leak. Fix it
      by freeing 'skb' if digital_in_send_cmd() return failed.
      
      Fixes: 2c66daec ("NFC Digital: Add NFC-A technology support")
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      291c932f