1. 09 Apr, 2021 1 commit
  2. 08 Apr, 2021 30 commits
    • Muhammad Usama Anjum's avatar
      net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh · 864db232
      Muhammad Usama Anjum authored
      nlh is being checked for validtity two times when it is dereferenced in
      this function. Check for validity again when updating the flags through
      nlh pointer to make the dereferencing safe.
      
      CC: <stable@vger.kernel.org>
      Addresses-Coverity: ("NULL pointer dereference")
      Signed-off-by: default avatarMuhammad Usama Anjum <musamaanjum@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      864db232
    • David S. Miller's avatar
      Merge branch 'lantiq-GSWIP-fixes' · 2d1b50ab
      David S. Miller authored
      Martin Blumenstingl says:
      
      ====================
      lantiq: GSWIP: two more fixes
      
      after my last patch got accepted and is now in net as commit
      3e6fdeb2 ("net: dsa: lantiq_gswip: Let GSWIP automatically set
      the xMII clock") [0] some more people from the OpenWrt community
      (many thanks to everyone involved) helped test the GSWIP driver: [1]
      
      It turns out that the previous fix does not work for all boards.
      There's no regression, but it doesn't fix as many problems as I
      thought. This is why two more fixes are needed:
      - the first one solves many (four known but probably there are
        a few extra hidden ones) reported bugs with the GSWIP where no
        traffic would flow. Not all circumstances are fully understood
        but testing shows that switching away from PHY auto polling
        solves all of them
      - while investigating the different problems which are addressed
        by the first patch some small issues with the existing code were
        found. These are addressed by the second patch
      
      Changes since v1 at [0]:
      - Don't configure the link parameters in gswip_phylink_mac_config
        (as we're using the "modern" way in gswip_phylink_mac_link_up).
        Thanks to Andrew for the hint with the phylink documentation.
      - Clarify that GSWIP_MII_CFG_RMII_CLK is ignored by the hardware in
        the description of the second patch as suggested by Hauke
      - Don't set GSWIP_MII_CFG_RGMII_IBS in the second patch as we don't
        have any hardware available for testing this. The patch
        description now also reflects this.
      - Added Andrew's Reviewed-by to the first patch (thank you!)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d1b50ab
    • Martin Blumenstingl's avatar
      net: dsa: lantiq_gswip: Configure all remaining GSWIP_MII_CFG bits · 4b592324
      Martin Blumenstingl authored
      There are a few more bits in the GSWIP_MII_CFG register for which we
      did rely on the boot-loader (or the hardware defaults) to set them up
      properly.
      
      For some external RMII PHYs we need to select the GSWIP_MII_CFG_RMII_CLK
      bit and also we should un-set it for non-RMII PHYs. The
      GSWIP_MII_CFG_RMII_CLK bit is ignored for other PHY connection modes.
      
      The GSWIP IP also supports in-band auto-negotiation for RGMII PHYs when
      the GSWIP_MII_CFG_RGMII_IBS bit is set. Clear this bit always as there's
      no known hardware which uses this (so it is not tested yet).
      
      Clear the xMII isolation bit when set at initialization time if it was
      previously set by the bootloader. Not doing so could lead to no traffic
      (neither RX nor TX) on a port with this bit set.
      
      While here, also add the GSWIP_MII_CFG_RESET bit. We don't need to
      manage it because this bit is self-clearning when set. We still add it
      here to get a better overview of the GSWIP_MII_CFG register.
      
      Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200")
      Cc: stable@vger.kernel.org
      Suggested-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Acked-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b592324
    • Martin Blumenstingl's avatar
      net: dsa: lantiq_gswip: Don't use PHY auto polling · 3e9005be
      Martin Blumenstingl authored
      PHY auto polling on the GSWIP hardware can be used so link changes
      (speed, link up/down, etc.) can be detected automatically. Internally
      GSWIP reads the PHY's registers for this functionality. Based on this
      automatic detection GSWIP can also automatically re-configure it's port
      settings. Unfortunately this auto polling (and configuration) mechanism
      seems to cause various issues observed by different people on different
      devices:
      - FritzBox 7360v2: the two Gbit/s ports (connected to the two internal
        PHY11G instances) are working fine but the two Fast Ethernet ports
        (using an AR8030 RMII PHY) are completely dead (neither RX nor TX are
        received). It turns out that the AR8030 PHY sets the BMSR_ESTATEN bit
        as well as the ESTATUS_1000_TFULL and ESTATUS_1000_XFULL bits. This
        makes the PHY auto polling state machine (rightfully?) think that the
        established link speed (when the other side is Gbit/s capable) is
        1Gbit/s.
      - None of the Ethernet ports on the Zyxel P-2812HNU-F1 (two are
        connected to the internal PHY11G GPHYs while the other three are
        external RGMII PHYs) are working. Neither RX nor TX traffic was
        observed. It is not clear which part of the PHY auto polling state-
        machine caused this.
      - FritzBox 7412 (only one LAN port which is connected to one of the
        internal GPHYs running in PHY22F / Fast Ethernet mode) was seeing
        random disconnects (link down events could be seen). Sometimes all
        traffic would stop after such disconnect. It is not clear which part
        of the PHY auto polling state-machine cauased this.
      - TP-Link TD-W9980 (two ports are connected to the internal GPHYs
        running in PHY11G / Gbit/s mode, the other two are external RGMII
        PHYs) was affected by similar issues as the FritzBox 7412 just without
        the "link down" events
      
      Switch to software based configuration instead of PHY auto polling (and
      letting the GSWIP hardware configure the ports automatically) for the
      following link parameters:
      - link up/down
      - link speed
      - full/half duplex
      - flow control (RX / TX pause)
      
      After a big round of manual testing by various people (who helped test
      this on OpenWrt) it turns out that this fixes all reported issues.
      
      Additionally it can be considered more future proof because any
      "quirk" which is implemented for a PHY on the driver side can now be
      used with the GSWIP hardware as well because Linux is in control of the
      link parameters.
      
      As a nice side-effect this also solves a problem where fixed-links were
      not supported previously because we were relying on the PHY auto polling
      mechanism, which cannot work for fixed-links as there's no PHY from
      where it can read the registers. Configuring the link settings on the
      GSWIP ports means that we now use the settings from device-tree also for
      ports with fixed-links.
      
      Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200")
      Fixes: 3e6fdeb2 ("net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock")
      Cc: stable@vger.kernel.org
      Acked-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3e9005be
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 6494d15f
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-04-08
      
      This series contains updates to i40e and ice drivers.
      
      Grzegorz fixes the ordering of parameters to i40e_aq_get_phy_register()
      which is causing incorrect information to be reported.
      
      Arkadiusz fixes various sparse issues reported on the i40e driver.
      
      Yongxin Liu fixes a memory leak with aRFS following resume from suspend
      for ice driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6494d15f
    • Pavel Tikhomirov's avatar
      net: sched: sch_teql: fix null-pointer dereference · 1ffbc7ea
      Pavel Tikhomirov authored
      Reproduce:
      
        modprobe sch_teql
        tc qdisc add dev teql0 root teql0
      
      This leads to (for instance in Centos 7 VM) OOPS:
      
      [  532.366633] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
      [  532.366733] IP: [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
      [  532.366825] PGD 80000001376d5067 PUD 137e37067 PMD 0
      [  532.366906] Oops: 0000 [#1] SMP
      [  532.366987] Modules linked in: sch_teql ...
      [  532.367945] CPU: 1 PID: 3026 Comm: tc Kdump: loaded Tainted: G               ------------ T 3.10.0-1062.7.1.el7.x86_64 #1
      [  532.368041] Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014
      [  532.368125] task: ffff8b7d37d31070 ti: ffff8b7c9fdbc000 task.ti: ffff8b7c9fdbc000
      [  532.368224] RIP: 0010:[<ffffffffc06124a8>]  [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
      [  532.368320] RSP: 0018:ffff8b7c9fdbf8e0  EFLAGS: 00010286
      [  532.368394] RAX: ffffffffc0612490 RBX: ffff8b7cb1565e00 RCX: ffff8b7d35ba2000
      [  532.368476] RDX: ffff8b7d35ba2000 RSI: 0000000000000000 RDI: ffff8b7cb1565e00
      [  532.368557] RBP: ffff8b7c9fdbf8f8 R08: ffff8b7d3fd1f140 R09: ffff8b7d3b001600
      [  532.368638] R10: ffff8b7d3b001600 R11: ffffffff84c7d65b R12: 00000000ffffffd8
      [  532.368719] R13: 0000000000008000 R14: ffff8b7d35ba2000 R15: ffff8b7c9fdbf9a8
      [  532.368800] FS:  00007f6a4e872740(0000) GS:ffff8b7d3fd00000(0000) knlGS:0000000000000000
      [  532.368885] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  532.368961] CR2: 00000000000000a8 CR3: 00000001396ee000 CR4: 00000000000206e0
      [  532.369046] Call Trace:
      [  532.369159]  [<ffffffff84c8192e>] qdisc_create+0x36e/0x450
      [  532.369268]  [<ffffffff846a9b49>] ? ns_capable+0x29/0x50
      [  532.369366]  [<ffffffff849afde2>] ? nla_parse+0x32/0x120
      [  532.369442]  [<ffffffff84c81b4c>] tc_modify_qdisc+0x13c/0x610
      [  532.371508]  [<ffffffff84c693e7>] rtnetlink_rcv_msg+0xa7/0x260
      [  532.372668]  [<ffffffff84907b65>] ? sock_has_perm+0x75/0x90
      [  532.373790]  [<ffffffff84c69340>] ? rtnl_newlink+0x890/0x890
      [  532.374914]  [<ffffffff84c8da7b>] netlink_rcv_skb+0xab/0xc0
      [  532.376055]  [<ffffffff84c63708>] rtnetlink_rcv+0x28/0x30
      [  532.377204]  [<ffffffff84c8d400>] netlink_unicast+0x170/0x210
      [  532.378333]  [<ffffffff84c8d7a8>] netlink_sendmsg+0x308/0x420
      [  532.379465]  [<ffffffff84c2f3a6>] sock_sendmsg+0xb6/0xf0
      [  532.380710]  [<ffffffffc034a56e>] ? __xfs_filemap_fault+0x8e/0x1d0 [xfs]
      [  532.381868]  [<ffffffffc034a75c>] ? xfs_filemap_fault+0x2c/0x30 [xfs]
      [  532.383037]  [<ffffffff847ec23a>] ? __do_fault.isra.61+0x8a/0x100
      [  532.384144]  [<ffffffff84c30269>] ___sys_sendmsg+0x3e9/0x400
      [  532.385268]  [<ffffffff847f3fad>] ? handle_mm_fault+0x39d/0x9b0
      [  532.386387]  [<ffffffff84d88678>] ? __do_page_fault+0x238/0x500
      [  532.387472]  [<ffffffff84c31921>] __sys_sendmsg+0x51/0x90
      [  532.388560]  [<ffffffff84c31972>] SyS_sendmsg+0x12/0x20
      [  532.389636]  [<ffffffff84d8dede>] system_call_fastpath+0x25/0x2a
      [  532.390704]  [<ffffffff84d8de21>] ? system_call_after_swapgs+0xae/0x146
      [  532.391753] Code: 00 00 00 00 00 00 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 53 48 8b b7 48 01 00 00 48 89 fb <48> 8b 8e a8 00 00 00 48 85 c9 74 43 48 89 ca eb 0f 0f 1f 80 00
      [  532.394036] RIP  [<ffffffffc06124a8>] teql_destroy+0x18/0x100 [sch_teql]
      [  532.395127]  RSP <ffff8b7c9fdbf8e0>
      [  532.396179] CR2: 00000000000000a8
      
      Null pointer dereference happens on master->slaves dereference in
      teql_destroy() as master is null-pointer.
      
      When qdisc_create() calls teql_qdisc_init() it imediately fails after
      check "if (m->dev == dev)" because both devices are teql0, and it does
      not set qdisc_priv(sch)->m leaving it zero on error path, then
      qdisc_create() imediately calls teql_destroy() which does not expect
      zero master pointer and we get OOPS.
      
      Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
      Signed-off-by: default avatarPavel Tikhomirov <ptikhomirov@virtuozzo.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ffbc7ea
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 971e3057
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-04-08
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 4 non-merge commits during the last 2 day(s) which contain
      a total of 4 files changed, 31 insertions(+), 10 deletions(-).
      
      The main changes are:
      
      1) Validate and reject invalid JIT branch displacements, from Piotr Krysiuk.
      
      2) Fix incorrect unhash restore as well as fwd_alloc memory accounting in
         sock map, from John Fastabend.
      
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      971e3057
    • David S. Miller's avatar
      Merge tag 'mac80211-for-net-2021-04-08.2' of... · ac075bdd
      David S. Miller authored
      Merge tag 'mac80211-for-net-2021-04-08.2' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes berg says:
      
      ====================
      Various small fixes:
       * S1G beacon validation
       * potential leak in nl80211
       * fast-RX confusion with 4-addr mode
       * erroneous WARN_ON that userspace can trigger
       * wrong time units in virt_wifi
       * rfkill userspace API breakage
       * TXQ AC confusing that led to traffic stopped forever
       * connection monitoring time after/before confusion
       * netlink beacon head validation buffer overrun
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac075bdd
    • Stephen Hemminger's avatar
      ipv6: report errors for iftoken via netlink extack · 3583a4e8
      Stephen Hemminger authored
      Setting iftoken can fail for several different reasons but there
      and there was no report to user as to the cause. Add netlink
      extended errors to the processing of the request.
      
      This requires adding additional argument through rtnl_af_ops
      set_link_af callback.
      Reported-by: default avatarHongren Zheng <li@zenithal.me>
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3583a4e8
    • David S. Miller's avatar
      Merge branch 'net-sched-action-init-fixes' · f2fbd0aa
      David S. Miller authored
      Vlad Buslov says:
      
      ====================
      Action initalization fixes
      
      This series fixes reference counting of action instances and modules in
      several parts of action init code. The first patch reverts previous fix
      that didn't properly account for rollback from a failure in the middle of
      the loop in tcf_action_init() which is properly fixed by the following
      patch.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2fbd0aa
    • Vlad Buslov's avatar
      net: sched: fix err handler in tcf_action_init() · b3650bf7
      Vlad Buslov authored
      With recent changes that separated action module load from action
      initialization tcf_action_init() function error handling code was modified
      to manually release the loaded modules if loading/initialization of any
      further action in same batch failed. For the case when all modules
      successfully loaded and some of the actions were initialized before one of
      them failed in init handler. In this case for all previous actions the
      module will be released twice by the error handler: First time by the loop
      that manually calls module_put() for all ops, and second time by the action
      destroy code that puts the module after destroying the action.
      
      Reproduction:
      
      $ sudo tc actions add action simple sdata \"2\" index 2
      $ sudo tc actions add action simple sdata \"1\" index 1 \
                            action simple sdata \"2\" index 2
      RTNETLINK answers: File exists
      We have an error talking to the kernel
      $ sudo tc actions ls action simple
      total acts 1
      
              action order 0: Simple <"2">
               index 2 ref 1 bind 0
      $ sudo tc actions flush action simple
      $ sudo tc actions ls action simple
      $ sudo tc actions add action simple sdata \"2\" index 2
      Error: Failed to load TC action module.
      We have an error talking to the kernel
      $ lsmod | grep simple
      act_simple             20480  -1
      
      Fix the issue by modifying module reference counting handling in action
      initialization code:
      
      - Get module reference in tcf_idr_create() and put it in tcf_idr_release()
      instead of taking over the reference held by the caller.
      
      - Modify users of tcf_action_init_1() to always release the module
      reference which they obtain before calling init function instead of
      assuming that created action takes over the reference.
      
      - Finally, modify tcf_action_init_1() to not release the module reference
      when overwriting existing action as this is no longer necessary since both
      upper and lower layers obtain and manage their own module references
      independently.
      
      Fixes: d349f997 ("net_sched: fix RTNL deadlock again caused by request_module()")
      Suggested-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3650bf7
    • Vlad Buslov's avatar
      net: sched: fix action overwrite reference counting · 87c750e8
      Vlad Buslov authored
      Action init code increments reference counter when it changes an action.
      This is the desired behavior for cls API which needs to obtain action
      reference for every classifier that points to action. However, act API just
      needs to change the action and releases the reference before returning.
      This sequence breaks when the requested action doesn't exist, which causes
      act API init code to create new action with specified index, but action is
      still released before returning and is deleted (unless it was referenced
      concurrently by cls API).
      
      Reproduction:
      
      $ sudo tc actions ls action gact
      $ sudo tc actions change action gact drop index 1
      $ sudo tc actions ls action gact
      
      Extend tcf_action_init() to accept 'init_res' array and initialize it with
      action->ops->init() result. In tcf_action_add() remove pointers to created
      actions from actions array before passing it to tcf_action_put_many().
      
      Fixes: cae422f3 ("net: sched: use reference counting action init")
      Reported-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87c750e8
    • Vlad Buslov's avatar
      Revert "net: sched: bump refcount for new action in ACT replace mode" · 4ba86128
      Vlad Buslov authored
      This reverts commit 6855e821.
      
      Following commit in series fixes the issue without introducing regression
      in error rollback of tcf_action_destroy().
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4ba86128
    • Yongxin Liu's avatar
      ice: fix memory leak of aRFS after resuming from suspend · 1831da7e
      Yongxin Liu authored
      In ice_suspend(), ice_clear_interrupt_scheme() is called, and then
      irq_free_descs() will be eventually called to free irq and its descriptor.
      
      In ice_resume(), ice_init_interrupt_scheme() is called to allocate new
      irqs. However, in ice_rebuild_arfs(), struct irq_glue and struct cpu_rmap
      maybe cannot be freed, if the irqs that released in ice_suspend() were
      reassigned to other devices, which makes irq descriptor's affinity_notify
      lost.
      
      So call ice_free_cpu_rx_rmap() before ice_clear_interrupt_scheme(), which
      can make sure all irq_glue and cpu_rmap can be correctly released before
      corresponding irq and descriptor are released.
      
      Fix the following memory leak.
      
      unreferenced object 0xffff95bd951afc00 (size 512):
        comm "kworker/0:1", pid 134, jiffies 4294684283 (age 13051.958s)
        hex dump (first 32 bytes):
          18 00 00 00 18 00 18 00 70 fc 1a 95 bd 95 ff ff  ........p.......
          00 00 ff ff 01 00 ff ff 02 00 ff ff 03 00 ff ff  ................
        backtrace:
          [<0000000072e4b914>] __kmalloc+0x336/0x540
          [<0000000054642a87>] alloc_cpu_rmap+0x3b/0xb0
          [<00000000f220deec>] ice_set_cpu_rx_rmap+0x6a/0x110 [ice]
          [<000000002370a632>] ice_probe+0x941/0x1180 [ice]
          [<00000000d692edba>] local_pci_probe+0x47/0xa0
          [<00000000503934f0>] work_for_cpu_fn+0x1a/0x30
          [<00000000555a9e4a>] process_one_work+0x1dd/0x410
          [<000000002c4b414a>] worker_thread+0x221/0x3f0
          [<00000000bb2b556b>] kthread+0x14c/0x170
          [<00000000ad2cf1cd>] ret_from_fork+0x1f/0x30
      unreferenced object 0xffff95bd81b0a2a0 (size 96):
        comm "kworker/0:1", pid 134, jiffies 4294684283 (age 13051.958s)
        hex dump (first 32 bytes):
          38 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00  8...............
          b0 a2 b0 81 bd 95 ff ff b0 a2 b0 81 bd 95 ff ff  ................
        backtrace:
          [<00000000582dd5c5>] kmem_cache_alloc_trace+0x31f/0x4c0
          [<000000002659850d>] irq_cpu_rmap_add+0x25/0xe0
          [<00000000495a3055>] ice_set_cpu_rx_rmap+0xb4/0x110 [ice]
          [<000000002370a632>] ice_probe+0x941/0x1180 [ice]
          [<00000000d692edba>] local_pci_probe+0x47/0xa0
          [<00000000503934f0>] work_for_cpu_fn+0x1a/0x30
          [<00000000555a9e4a>] process_one_work+0x1dd/0x410
          [<000000002c4b414a>] worker_thread+0x221/0x3f0
          [<00000000bb2b556b>] kthread+0x14c/0x170
          [<00000000ad2cf1cd>] ret_from_fork+0x1f/0x30
      
      Fixes: 769c500d ("ice: Add advanced power mgmt for WoL")
      Signed-off-by: default avatarYongxin Liu <yongxin.liu@windriver.com>
      Tested-by: default avatarTony Brelinski <tonyx.brelinski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      1831da7e
    • Arkadiusz Kubalewski's avatar
      i40e: Fix sparse warning: missing error code 'err' · 8a1e918d
      Arkadiusz Kubalewski authored
      Set proper return values inside error checking if-statements.
      
      Previously following warning was produced when compiling against sparse.
      i40e_main.c:15162 i40e_init_recovery_mode() warn: missing error code 'err'
      
      Fixes: 4ff0ee1a ("i40e: Introduce recovery mode support")
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarDave Switzer <david.switzer@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      8a1e918d
    • Arkadiusz Kubalewski's avatar
      i40e: Fix sparse error: 'vsi->netdev' could be null · 6b5674fe
      Arkadiusz Kubalewski authored
      Remove vsi->netdev->name from the trace.
      This is redundant information. With the devinfo trace, the adapter
      is already identifiable.
      
      Previously following error was produced when compiling against sparse.
      i40e_main.c:2571 i40e_sync_vsi_filters() error:
      	we previously assumed 'vsi->netdev' could be null (see line 2323)
      
      Fixes: b603f9dc ("i40e: Log info when PF is entering and leaving Allmulti mode.")
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarDave Switzer <david.switzer@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      6b5674fe
    • Arkadiusz Kubalewski's avatar
      i40e: Fix sparse error: uninitialized symbol 'ring' · d6d04ee6
      Arkadiusz Kubalewski authored
      Init pointer with NULL in default switch case statement.
      
      Previously the error was produced when compiling against sparse.
      i40e_debugfs.c:582 i40e_dbg_dump_desc() error: uninitialized symbol 'ring'.
      
      Fixes: 44ea803e ("i40e: introduce new dump desc XDP command")
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarDave Switzer <david.switzer@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      d6d04ee6
    • Arkadiusz Kubalewski's avatar
      i40e: Fix sparse errors in i40e_txrx.c · 12738ac4
      Arkadiusz Kubalewski authored
      Remove error handling through pointers. Instead use plain int
      to return value from i40e_run_xdp(...).
      
      Previously:
      - sparse errors were produced during compilation:
      i40e_txrx.c:2338 i40e_run_xdp() error: (-2147483647) too low for ERR_PTR
      i40e_txrx.c:2558 i40e_clean_rx_irq() error: 'skb' dereferencing possible ERR_PTR()
      
      - sk_buff* was used to return value, but it has never had valid
      pointer to sk_buff. Returned value was always int handled as
      a pointer.
      
      Fixes: 0c8493d9 ("i40e: add XDP support for pass and drop actions")
      Fixes: 2e689312 ("i40e: split XDP_TX tail and XDP_REDIRECT map flushing")
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarDave Switzer <david.switzer@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      12738ac4
    • Grzegorz Siwik's avatar
      i40e: Fix parameters in aq_get_phy_register() · b2d0efc4
      Grzegorz Siwik authored
      Change parameters order in aq_get_phy_register() due to wrong
      statistics in PHY reported by ethtool. Previously all PHY statistics were
      exactly the same for all interfaces
      Now statistics are reported correctly - different for different interfaces
      
      Fixes: 0514db37 ("i40e: Extend PHY access with page change flag")
      Signed-off-by: default avatarGrzegorz Siwik <grzegorz.siwik@intel.com>
      Tested-by: default avatarDave Switzer <david.switzer@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      b2d0efc4
    • Johannes Berg's avatar
      nl80211: fix beacon head validation · 9a6847ba
      Johannes Berg authored
      If the beacon head attribute (NL80211_ATTR_BEACON_HEAD)
      is too short to even contain the frame control field,
      we access uninitialized data beyond the buffer. Fix this
      by checking the minimal required size first. We used to
      do this until S1G support was added, where the fixed
      data portion has a different size.
      
      Reported-and-tested-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com
      Suggested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Fixes: 1d47f119 ("nl80211: correctly validate S1G beacon head")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Link: https://lore.kernel.org/r/20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      9a6847ba
    • Piotr Krysiuk's avatar
      bpf, x86: Validate computation of branch displacements for x86-32 · 26f55a59
      Piotr Krysiuk authored
      The branch displacement logic in the BPF JIT compilers for x86 assumes
      that, for any generated branch instruction, the distance cannot
      increase between optimization passes.
      
      But this assumption can be violated due to how the distances are
      computed. Specifically, whenever a backward branch is processed in
      do_jit(), the distance is computed by subtracting the positions in the
      machine code from different optimization passes. This is because part
      of addrs[] is already updated for the current optimization pass, before
      the branch instruction is visited.
      
      And so the optimizer can expand blocks of machine code in some cases.
      
      This can confuse the optimizer logic, where it assumes that a fixed
      point has been reached for all machine code blocks once the total
      program size stops changing. And then the JIT compiler can output
      abnormal machine code containing incorrect branch displacements.
      
      To mitigate this issue, we assert that a fixed point is reached while
      populating the output image. This rejects any problematic programs.
      The issue affects both x86-32 and x86-64. We mitigate separately to
      ease backporting.
      Signed-off-by: default avatarPiotr Krysiuk <piotras@gmail.com>
      Reviewed-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      26f55a59
    • Piotr Krysiuk's avatar
      bpf, x86: Validate computation of branch displacements for x86-64 · e4d4d456
      Piotr Krysiuk authored
      The branch displacement logic in the BPF JIT compilers for x86 assumes
      that, for any generated branch instruction, the distance cannot
      increase between optimization passes.
      
      But this assumption can be violated due to how the distances are
      computed. Specifically, whenever a backward branch is processed in
      do_jit(), the distance is computed by subtracting the positions in the
      machine code from different optimization passes. This is because part
      of addrs[] is already updated for the current optimization pass, before
      the branch instruction is visited.
      
      And so the optimizer can expand blocks of machine code in some cases.
      
      This can confuse the optimizer logic, where it assumes that a fixed
      point has been reached for all machine code blocks once the total
      program size stops changing. And then the JIT compiler can output
      abnormal machine code containing incorrect branch displacements.
      
      To mitigate this issue, we assert that a fixed point is reached while
      populating the output image. This rejects any problematic programs.
      The issue affects both x86-32 and x86-64. We mitigate separately to
      ease backporting.
      Signed-off-by: default avatarPiotr Krysiuk <piotras@gmail.com>
      Reviewed-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      e4d4d456
    • Johannes Berg's avatar
      nl80211: fix potential leak of ACL params · abaf94ec
      Johannes Berg authored
      In case nl80211_parse_unsol_bcast_probe_resp() results in an
      error, need to "goto out" instead of just returning to free
      possibly allocated data.
      
      Fixes: 7443dcd1 ("nl80211: Unsolicited broadcast probe response support")
      Link: https://lore.kernel.org/r/20210408142833.d8bc2e2e454a.If290b1ba85789726a671ff0b237726d4851b5b0f@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      abaf94ec
    • Johannes Berg's avatar
      cfg80211: check S1G beacon compat element length · b5ac0146
      Johannes Berg authored
      We need to check the length of this element so that we don't
      access data beyond its end. Fix that.
      
      Fixes: 9eaffe50 ("cfg80211: convert S1G beacon to scan results")
      Link: https://lore.kernel.org/r/20210408142826.f6f4525012de.I9fdeff0afdc683a6024e5ea49d2daa3cd2459d11@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      b5ac0146
    • A. Cody Schuffelen's avatar
      virt_wifi: Return micros for BSS TSF values · b57aa17f
      A. Cody Schuffelen authored
      cfg80211_inform_bss expects to receive a TSF value, but is given the
      time since boot in nanoseconds. TSF values are expected to be at
      microsecond scale rather than nanosecond scale.
      Signed-off-by: default avatarA. Cody Schuffelen <schuffelen@google.com>
      Link: https://lore.kernel.org/r/20210318200419.1421034-1-schuffelen@google.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      b57aa17f
    • Du Cheng's avatar
      cfg80211: remove WARN_ON() in cfg80211_sme_connect · 1b5ab825
      Du Cheng authored
      A WARN_ON(wdev->conn) would trigger in cfg80211_sme_connect(), if multiple
      send_msg(NL80211_CMD_CONNECT) system calls are made from the userland, which
      should be anticipated and handled by the wireless driver. Remove this WARN_ON()
      to prevent kernel panic if kernel is configured to "panic_on_warn".
      
      Bug reported by syzbot.
      
      Reported-by: syzbot+5f9392825de654244975@syzkaller.appspotmail.com
      Signed-off-by: default avatarDu Cheng <ducheng2@gmail.com>
      Link: https://lore.kernel.org/r/20210407162756.6101-1-ducheng2@gmail.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      1b5ab825
    • Ben Greear's avatar
      mac80211: fix time-is-after bug in mlme · 7d73cd94
      Ben Greear authored
      The incorrect timeout check caused probing to happen when it did
      not need to happen.  This in turn caused tx performance drop
      for around 5 seconds in ath10k-ct driver.  Possibly that tx drop
      is due to a secondary issue, but fixing the probe to not happen
      when traffic is running fixes the symptom.
      Signed-off-by: default avatarBen Greear <greearb@candelatech.com>
      Fixes: 9abf4e49 ("mac80211: optimize station connection monitor")
      Acked-by: default avatarFelix Fietkau <nbd@nbd.name>
      Link: https://lore.kernel.org/r/20210330230749.14097-1-greearb@candelatech.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      7d73cd94
    • Johannes Berg's avatar
      mac80211: fix TXQ AC confusion · 1153a747
      Johannes Berg authored
      Normally, TXQs have
      
        txq->tid = tid;
        txq->ac = ieee80211_ac_from_tid(tid);
      
      However, the special management TXQ actually has
      
        txq->tid = IEEE80211_NUM_TIDS; // 16
        txq->ac = IEEE80211_AC_VO;
      
      This makes sense, but ieee80211_ac_from_tid(16) is the same
      as ieee80211_ac_from_tid(0) which is just IEEE80211_AC_BE.
      
      Now, normally this is fine. However, if the netdev queues
      were stopped, then the code in ieee80211_tx_dequeue() will
      propagate the stop from the interface (vif->txqs_stopped[])
      if the AC 2 (ieee80211_ac_from_tid(txq->tid)) is marked as
      stopped. On wake, however, __ieee80211_wake_txqs() will wake
      the TXQ if AC 0 (txq->ac) is woken up.
      
      If a driver stops all queues with ieee80211_stop_tx_queues()
      and then wakes them again with ieee80211_wake_tx_queues(),
      the ieee80211_wake_txqs() tasklet will run to resync queue
      and TXQ state. If all queues were woken, then what'll happen
      is that _ieee80211_wake_txqs() will run in order of HW queues
      0-3, typically (and certainly for iwlwifi) corresponding to
      ACs 0-3, so it'll call __ieee80211_wake_txqs() for each AC in
      order 0-3.
      
      When __ieee80211_wake_txqs() is called for AC 0 (VO) that'll
      wake up the management TXQ (remember its tid is 16), and the
      driver's wake_tx_queue() will be called. That tries to get a
      frame, which will immediately *stop* the TXQ again, because
      now we check against AC 2, and AC 2 hasn't yet been marked as
      woken up again in sdata->vif.txqs_stopped[] since we're only
      in the __ieee80211_wake_txqs() call for AC 0.
      
      Thus, the management TXQ will never be started again.
      
      Fix this by checking txq->ac directly instead of calculating
      the AC as ieee80211_ac_from_tid(txq->tid).
      
      Fixes: adf8ed01 ("mac80211: add an optional TXQ for other PS-buffered frames")
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/r/20210323210500.bf4d50afea4a.I136ffde910486301f8818f5442e3c9bf8670a9c4@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      1153a747
    • Johannes Berg's avatar
      rfkill: revert back to old userspace API by default · 71826654
      Johannes Berg authored
      Recompiling with the new extended version of struct rfkill_event
      broke systemd in *two* ways:
       - It used "sizeof(struct rfkill_event)" to read the event, but
         then complained if it actually got something != 8, this broke
         it on new kernels (that include the updated API);
       - It used sizeof(struct rfkill_event) to write a command, but
         didn't implement the intended expansion protocol where the
         kernel returns only how many bytes it accepted, and errored
         out due to the unexpected smaller size on kernels that didn't
         include the updated API.
      
      Even though systemd has now been fixed, that fix may not be always
      deployed, and other applications could potentially have similar
      issues.
      
      As such, in the interest of avoiding regressions, revert the
      default API "struct rfkill_event" back to the original size.
      
      Instead, add a new "struct rfkill_event_ext" that extends it by
      the new field, and even more clearly document that applications
      should be prepared for extensions in two ways:
       * write might only accept fewer bytes on older kernels, and
         will return how many to let userspace know which data may
         have been ignored;
       * read might return anything between 8 (the original size) and
         whatever size the application sized its buffer at, indicating
         how much event data was supported by the kernel.
      
      Perhaps that will help avoid such issues in the future and we
      won't have to come up with another version of the struct if we
      ever need to extend it again.
      
      Applications that want to take advantage of the new field will
      have to be modified to use struct rfkill_event_ext instead now,
      which comes with the danger of them having already been updated
      to use it from 'struct rfkill_event', but I found no evidence
      of that, and it's still relatively new.
      
      Cc: stable@vger.kernel.org # 5.11
      Reported-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # LLVM/Clang v12.0.0-r4 (x86-64)
      Link: https://lore.kernel.org/r/20210319232510.f1a139cfdd9c.Ic5c7c9d1d28972059e132ea653a21a427c326678@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      71826654
    • Seevalamuthu Mariappan's avatar
      mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN · dd0b4553
      Seevalamuthu Mariappan authored
      In some race conditions, with more clients and traffic configuration,
      below crash is seen when making the interface down. sta->fast_rx wasn't
      cleared when STA gets removed from 4-addr AP_VLAN interface. The crash is
      due to try accessing 4-addr AP_VLAN interface's net_device (fast_rx->dev)
      which has been deleted already.
      
      Resolve this by clearing sta->fast_rx pointer when STA removes
      from a 4-addr VLAN.
      
      [  239.449529] Unable to handle kernel NULL pointer dereference at virtual address 00000004
      [  239.449531] pgd = 80204000
      ...
      [  239.481496] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.60 #227
      [  239.481591] Hardware name: Generic DT based system
      [  239.487665] task: be05b700 ti: be08e000 task.ti: be08e000
      [  239.492360] PC is at get_rps_cpu+0x2d4/0x31c
      [  239.497823] LR is at 0xbe08fc54
      ...
      [  239.778574] [<80739740>] (get_rps_cpu) from [<8073cb10>] (netif_receive_skb_internal+0x8c/0xac)
      [  239.786722] [<8073cb10>] (netif_receive_skb_internal) from [<8073d578>] (napi_gro_receive+0x48/0xc4)
      [  239.795267] [<8073d578>] (napi_gro_receive) from [<c7b83e8c>] (ieee80211_mark_rx_ba_filtered_frames+0xbcc/0x12d4 [mac80211])
      [  239.804776] [<c7b83e8c>] (ieee80211_mark_rx_ba_filtered_frames [mac80211]) from [<c7b84d4c>] (ieee80211_rx_napi+0x7b8/0x8c8 [mac8
                  0211])
      [  239.815857] [<c7b84d4c>] (ieee80211_rx_napi [mac80211]) from [<c7f63d7c>] (ath11k_dp_process_rx+0x7bc/0x8c8 [ath11k])
      [  239.827757] [<c7f63d7c>] (ath11k_dp_process_rx [ath11k]) from [<c7f5b6c4>] (ath11k_dp_service_srng+0x2c0/0x2e0 [ath11k])
      [  239.838484] [<c7f5b6c4>] (ath11k_dp_service_srng [ath11k]) from [<7f55b7dc>] (ath11k_ahb_ext_grp_napi_poll+0x20/0x84 [ath11k_ahb]
                  )
      [  239.849419] [<7f55b7dc>] (ath11k_ahb_ext_grp_napi_poll [ath11k_ahb]) from [<8073ce1c>] (net_rx_action+0xe0/0x28c)
      [  239.860945] [<8073ce1c>] (net_rx_action) from [<80324868>] (__do_softirq+0xe4/0x228)
      [  239.871269] [<80324868>] (__do_softirq) from [<80324c48>] (irq_exit+0x98/0x108)
      [  239.879080] [<80324c48>] (irq_exit) from [<8035c59c>] (__handle_domain_irq+0x90/0xb4)
      [  239.886114] [<8035c59c>] (__handle_domain_irq) from [<8030137c>] (gic_handle_irq+0x50/0x94)
      [  239.894100] [<8030137c>] (gic_handle_irq) from [<803024c0>] (__irq_svc+0x40/0x74)
      Signed-off-by: default avatarSeevalamuthu Mariappan <seevalam@codeaurora.org>
      Link: https://lore.kernel.org/r/1616163532-3881-1-git-send-email-seevalam@codeaurora.orgSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      dd0b4553
  3. 07 Apr, 2021 9 commits
    • Anirudh Rayabharam's avatar
      net: hso: fix null-ptr-deref during tty device unregistration · 8a12f883
      Anirudh Rayabharam authored
      Multiple ttys try to claim the same the minor number causing a double
      unregistration of the same device. The first unregistration succeeds
      but the next one results in a null-ptr-deref.
      
      The get_free_serial_index() function returns an available minor number
      but doesn't assign it immediately. The assignment is done by the caller
      later. But before this assignment, calls to get_free_serial_index()
      would return the same minor number.
      
      Fix this by modifying get_free_serial_index to assign the minor number
      immediately after one is found to be and rename it to obtain_minor()
      to better reflect what it does. Similary, rename set_serial_by_index()
      to release_minor() and modify it to free up the minor number of the
      given hso_serial. Every obtain_minor() should have corresponding
      release_minor() call.
      
      Fixes: 72dc1c09 ("HSO: add option hso driver")
      Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
      Tested-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarAnirudh Rayabharam <mail@anirudhrb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a12f883
    • David S. Miller's avatar
      Merge tag 'ieee802154-for-davem-2021-04-07' of... · 5d1dbacd
      David S. Miller authored
      Merge tag 'ieee802154-for-davem-2021-04-07' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan
      
      Stefan Schmidt says:
      
      ====================
      pull-request: ieee802154 for net 2021-04-07
      
      An update from ieee802154 for your *net* tree.
      
      Most of these are coming from the flood of syzkaller reports
      lately got for the ieee802154 subsystem. There are likely to
      come more for this, but this is a good batch to get out for now.
      
      Alexander Aring created a patchset to avoid llsec handling on a
      monitor interface, which we do not support.
      Alex Shi removed a unused macro.
      Pavel Skripkin fixed another protection fault found by syzkaller.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5d1dbacd
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2021-04-07' of... · 107adc69
      David S. Miller authored
      Merge tag 'wireless-drivers-2021-04-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.12
      
      Third, and last, set of fixes for v5.12. Small fixes, iwlwifi having
      most of them. brcmfmac regression caused by cfg80211 changes is the
      most important here.
      
      iwlwifi
      
      * fix a lockdep warning
      
      * fix regulatory feature detection in certain firmware versions
      
      * new hardware support
      
      * fix lockdep warning
      
      * mvm: fix beacon protection checks
      
      mt76
      
      * mt7921: fix airtime reporting
      
      brcmfmac
      
      * fix a deadlock regression
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      107adc69
    • David S. Miller's avatar
      Merge branch 'ethtool-link_mode' · 3cf14828
      David S. Miller authored
      Danielle Ratson says:
      
      ====================
      Fix link_mode derived params functionality
      
      Currently, link_mode parameter derives 3 other link parameters, speed,
      lanes and duplex, and the derived information is sent to user space.
      
      Few bugs were found in that functionality.
      First, some drivers clear the 'ethtool_link_ksettings' struct in their
      get_link_ksettings() callback and cause receiving wrong link mode
      information in user space. And also, some drivers can report random
      values in the 'link_mode' field and cause general protection fault.
      
      Second, the link parameters are only derived in netlink path so in ioctl
      path, we don't any reasonable values.
      
      Third, setting 'speed 10000 lanes 1' fails since the lanes parameter
      wasn't set for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT.
      
      Patch #1 solves the first two problems by removing link_mode parameter
      and deriving the link parameters in driver instead of ethtool.
      Patch #2 solves the third one, by setting the lanes parameter for the
      link_mode.
      
      v3:
      	* Remove the link_mode parameter in the first patch to solve
      	  both two issues from patch#1 and patch#2.
      	* Add the second patch to solve the third issue.
      
      v2:
      	* Add patch #2.
      	* Introduce 'cap_link_mode_supported' instead of adding a
      	  validity field to 'ethtool_link_ksettings' struct in patch #1.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3cf14828
    • Danielle Ratson's avatar
      ethtool: Add lanes parameter for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT · fde32dbe
      Danielle Ratson authored
      Lanes field is missing for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT
      link mode and it causes a failure when trying to set
      'speed 10000 lanes 1' on Spectrum-2 machines when autoneg is set to on.
      
      Add the lanes parameter for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT
      link mode.
      
      Fixes: c8907043 ("ethtool: Get link mode in use instead of speed and duplex parameters")
      Signed-off-by: default avatarDanielle Ratson <danieller@nvidia.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fde32dbe
    • Danielle Ratson's avatar
      ethtool: Remove link_mode param and derive link params from driver · a975d7d8
      Danielle Ratson authored
      Some drivers clear the 'ethtool_link_ksettings' struct in their
      get_link_ksettings() callback, before populating it with actual values.
      Such drivers will set the new 'link_mode' field to zero, resulting in
      user space receiving wrong link mode information given that zero is a
      valid value for the field.
      
      Another problem is that some drivers (notably tun) can report random
      values in the 'link_mode' field. This can result in a general protection
      fault when the field is used as an index to the 'link_mode_params' array
      [1].
      
      This happens because such drivers implement their set_link_ksettings()
      callback by simply overwriting their private copy of
      'ethtool_link_ksettings' struct with the one they get from the stack,
      which is not always properly initialized.
      
      Fix these problems by removing 'link_mode' from 'ethtool_link_ksettings'
      and instead have drivers call ethtool_params_from_link_mode() with the
      current link mode. The function will derive the link parameters (e.g.,
      speed) from the link mode and fill them in the 'ethtool_link_ksettings'
      struct.
      
      v3:
      	* Remove link_mode parameter and derive the link parameters in
      	  the driver instead of passing link_mode parameter to ethtool
      	  and derive it there.
      
      v2:
      	* Introduce 'cap_link_mode_supported' instead of adding a
      	  validity field to 'ethtool_link_ksettings' struct.
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc00f14cc32c: 0000 [#1] PREEMPT SMP KASAN
      KASAN: probably user-memory-access in range [0x000000078a661960-0x000000078a661967]
      CPU: 0 PID: 8452 Comm: syz-executor360 Not tainted 5.11.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__ethtool_get_link_ksettings+0x1a3/0x3a0 net/ethtool/ioctl.c:446
      Code: b7 3e fa 83 fd ff 0f 84 30 01 00 00 e8 16 b0 3e fa 48 8d 3c ed 60 d5 69 8a 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03
      +38 d0 7c 08 84 d2 0f 85 b9
      RSP: 0018:ffffc900019df7a0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff888026136008 RCX: 0000000000000000
      RDX: 00000000f14cc32c RSI: ffffffff873439ca RDI: 000000078a661960
      RBP: 00000000ffff8880 R08: 00000000ffffffff R09: ffff88802613606f
      R10: ffffffff873439bc R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88802613606c R14: ffff888011d0c210 R15: ffff888011d0c210
      FS:  0000000000749300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004b60f0 CR3: 00000000185c2000 CR4: 00000000001506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       linkinfo_prepare_data+0xfd/0x280 net/ethtool/linkinfo.c:37
       ethnl_default_notify+0x1dc/0x630 net/ethtool/netlink.c:586
       ethtool_notify+0xbd/0x1f0 net/ethtool/netlink.c:656
       ethtool_set_link_ksettings+0x277/0x330 net/ethtool/ioctl.c:620
       dev_ethtool+0x2b35/0x45d0 net/ethtool/ioctl.c:2842
       dev_ioctl+0x463/0xb70 net/core/dev_ioctl.c:440
       sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
       sock_ioctl+0x477/0x6a0 net/socket.c:1177
       vfs_ioctl fs/ioctl.c:48 [inline]
       __do_sys_ioctl fs/ioctl.c:753 [inline]
       __se_sys_ioctl fs/ioctl.c:739 [inline]
       __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c8907043 ("ethtool: Get link mode in use instead of speed and duplex parameters")
      Signed-off-by: default avatarDanielle Ratson <danieller@nvidia.com>
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a975d7d8
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2021-04-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · bb58023b
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2021-04-06
      
      This series provides some fixes to mlx5 driver.
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb58023b
    • Zheng Yongjun's avatar
      net: tipc: Fix spelling errors in net/tipc module · a79ace4b
      Zheng Yongjun authored
      These patches fix a series of spelling errors in net/tipc module.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a79ace4b
    • Kurt Kanzenbach's avatar
      net: hsr: Reset MAC header for Tx path · 9d680392
      Kurt Kanzenbach authored
      Reset MAC header in HSR Tx path. This is needed, because direct packet
      transmission, e.g. by specifying PACKET_QDISC_BYPASS does not reset the MAC
      header.
      
      This has been observed using the following setup:
      
      |$ ip link add name hsr0 type hsr slave1 lan0 slave2 lan1 supervision 45 version 1
      |$ ifconfig hsr0 up
      |$ ./test hsr0
      
      The test binary is using mmap'ed sockets and is specifying the
      PACKET_QDISC_BYPASS socket option.
      
      This patch resolves the following warning on a non-patched kernel:
      
      |[  112.725394] ------------[ cut here ]------------
      |[  112.731418] WARNING: CPU: 1 PID: 257 at net/hsr/hsr_forward.c:560 hsr_forward_skb+0x484/0x568
      |[  112.739962] net/hsr/hsr_forward.c:560: Malformed frame (port_src hsr0)
      
      The warning can be safely removed, because the other call sites of
      hsr_forward_skb() make sure that the skb is prepared correctly.
      
      Fixes: d346a3fa ("packet: introduce PACKET_QDISC_BYPASS socket option")
      Signed-off-by: Kurt Kanzenbach's avatarKurt Kanzenbach <kurt@linutronix.de>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d680392