1. 05 Sep, 2021 12 commits
  2. 04 Sep, 2021 5 commits
  3. 03 Sep, 2021 15 commits
  4. 02 Sep, 2021 8 commits
    • Rafał Miłecki's avatar
      net: dsa: b53: Set correct number of ports in the DSA struct · d12e1c46
      Rafał Miłecki authored
      Setting DSA_MAX_PORTS caused DSA to call b53 callbacks (e.g.
      b53_disable_port() during dsa_register_switch()) for invalid
      (non-existent) ports. That made b53 modify unrelated registers and is
      one of reasons for a broken BCM5301x support.
      
      This problem exists for years but DSA_MAX_PORTS usage has changed few
      times. It seems the most accurate to reference commit dropping
      dsa_switch_alloc() in the Fixes tag.
      
      Fixes: 7e99e347 ("net: dsa: remove dsa_switch_alloc helper")
      Signed-off-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d12e1c46
    • Rafał Miłecki's avatar
      net: dsa: b53: Fix calculating number of switch ports · cdb067d3
      Rafał Miłecki authored
      It isn't true that CPU port is always the last one. Switches BCM5301x
      have 9 ports (port 6 being inactive) and they use port 5 as CPU by
      default (depending on design some other may be CPU ports too).
      
      A more reliable way of determining number of ports is to check for the
      last set bit in the "enabled_ports" bitfield.
      
      This fixes b53 internal state, it will allow providing accurate info to
      the DSA and is required to fix BCM5301x support.
      
      Fixes: 967dd82f ("net: dsa: b53: Add support for Broadcom RoboSwitch")
      Signed-off-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cdb067d3
    • Daniele Palmas's avatar
      net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 · aabbdc67
      Daniele Palmas authored
      Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit LN920
      0x1061 composition in order to avoid bind error.
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aabbdc67
    • Ziyang Xuan's avatar
      net: hso: add failure handler for add_net_device · ecdc28de
      Ziyang Xuan authored
      If the network devices connected to the system beyond
      HSO_MAX_NET_DEVICES. add_net_device() in hso_create_net_device()
      will be failed for the network_table is full. It will lead to
      business failure which rely on network_table, for example,
      hso_suspend() and hso_resume(). It will also lead to memory leak
      because resource release process can not search the hso_device
      object from network_table in hso_free_interface().
      
      Add failure handler for add_net_device() in hso_create_net_device()
      to solve the above problems.
      
      Fixes: 72dc1c09 ("HSO: add option hso driver")
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ecdc28de
    • Tetsuo Handa's avatar
      flow: fix object-size-mismatch warning in flowi{4,6}_to_flowi_common() · b9edbfe1
      Tetsuo Handa authored
      Commit 3df98d79 ("lsm,selinux: pass flowi_common instead of flowi
      to the LSM hooks") introduced flowi{4,6}_to_flowi_common() functions which
      cause UBSAN warning when building with LLVM 11.0.1 on Ubuntu 21.04.
      
       ================================================================================
       UBSAN: object-size-mismatch in ./include/net/flow.h:197:33
       member access within address ffffc9000109fbd8 with insufficient space
       for an object of type 'struct flowi'
       CPU: 2 PID: 7410 Comm: systemd-resolve Not tainted 5.14.0 #51
       Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
       Call Trace:
        dump_stack_lvl+0x103/0x171
        ubsan_type_mismatch_common+0x1de/0x390
        __ubsan_handle_type_mismatch_v1+0x41/0x50
        udp_sendmsg+0xda2/0x1300
        ? ip_skb_dst_mtu+0x1f0/0x1f0
        ? sock_rps_record_flow+0xe/0x200
        ? inet_send_prepare+0x2d/0x90
        sock_sendmsg+0x49/0x80
        ____sys_sendmsg+0x269/0x370
        __sys_sendmsg+0x15e/0x1d0
        ? syscall_enter_from_user_mode+0xf0/0x1b0
        do_syscall_64+0x3d/0xb0
        entry_SYSCALL_64_after_hwframe+0x44/0xae
       RIP: 0033:0x7f7081a50497
       Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
       RSP: 002b:00007ffc153870f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f7081a50497
       RDX: 0000000000000000 RSI: 00007ffc15387140 RDI: 000000000000000c
       RBP: 00007ffc15387140 R08: 0000563f29a5e4fc R09: 000000000000cd28
       R10: 0000563f29a68a30 R11: 0000000000000246 R12: 000000000000000c
       R13: 0000000000000001 R14: 0000563f29a68a30 R15: 0000563f29a5e50c
       ================================================================================
      
      I don't think we need to call flowi{4,6}_to_flowi() from these functions
      because the first member of "struct flowi4" and "struct flowi6" is
      
        struct flowi_common __fl_common;
      
      while the first member of "struct flowi" is
      
        union {
          struct flowi_common __fl_common;
          struct flowi4       ip4;
          struct flowi6       ip6;
          struct flowidn      dn;
        } u;
      
      which should point to the same address without access to "struct flowi".
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9edbfe1
    • Ryoga Saito's avatar
      Set fc_nlinfo in nh_create_ipv4, nh_create_ipv6 · 9aca491e
      Ryoga Saito authored
      This patch fixes kernel NULL pointer dereference when creating nexthop
      which is bound with SRv6 decapsulation. In the creation of nexthop,
      __seg6_end_dt_vrf_build is called. __seg6_end_dt_vrf_build expects
      fc_lninfo in fib6_config is set correctly, but it isn't set in
      nh_create_ipv6, which causes kernel crash.
      
      Here is steps to reproduce kernel crash:
      
      1. modprobe vrf
      2. ip -6 nexthop add encap seg6local action End.DT4 vrftable 1 dev eth0
      
      We got the following message:
      
      [  901.370336] BUG: kernel NULL pointer dereference, address: 0000000000000ba0
      [  901.371658] #PF: supervisor read access in kernel mode
      [  901.372672] #PF: error_code(0x0000) - not-present page
      [  901.373672] PGD 0 P4D 0
      [  901.374248] Oops: 0000 [#1] SMP PTI
      [  901.374944] CPU: 0 PID: 8593 Comm: ip Not tainted 5.14-051400-generic #202108310811-Ubuntu
      [  901.376404] Hardware name: Red Hat KVM, BIOS 1.11.1-4.module_el8.2.0+320+13f867d7 04/01/2014
      [  901.377907] RIP: 0010:vrf_ifindex_lookup_by_table_id+0x19/0x90 [vrf]
      [  901.379182] Code: c1 e9 72 ff ff ff e8 96 49 01 c2 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 89 f5 41 54 53 8b 05 47 4c 00 00 <48> 8b 97 a0 0b 00 00 48 8b 1c c2 e8 57 27 53 c1 4c 8d a3 88 00 00
      [  901.382652] RSP: 0018:ffffbf2d02043590 EFLAGS: 00010282
      [  901.383746] RAX: 000000000000000b RBX: ffff990808255e70 RCX: ffffbf2d02043aa8
      [  901.385436] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000000
      [  901.386924] RBP: ffffbf2d020435b0 R08: 00000000000000c0 R09: ffff990808255e40
      [  901.388537] R10: ffffffff83b08c90 R11: 0000000000000009 R12: 0000000000000000
      [  901.389937] R13: 0000000000000001 R14: 0000000000000000 R15: 000000000000000b
      [  901.391226] FS:  00007fe49381f740(0000) GS:ffff99087dc00000(0000) knlGS:0000000000000000
      [  901.392737] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  901.393803] CR2: 0000000000000ba0 CR3: 000000000e3e8003 CR4: 0000000000770ef0
      [  901.395122] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  901.396496] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  901.397833] PKRU: 55555554
      [  901.398578] Call Trace:
      [  901.399144]  l3mdev_ifindex_lookup_by_table_id+0x3b/0x70
      [  901.400179]  __seg6_end_dt_vrf_build+0x34/0xd0
      [  901.401067]  seg6_end_dt4_build+0x16/0x20
      [  901.401904]  seg6_local_build_state+0x271/0x430
      [  901.402797]  lwtunnel_build_state+0x81/0x130
      [  901.403645]  fib_nh_common_init+0x82/0x100
      [  901.404465]  ? sock_def_readable+0x4b/0x80
      [  901.405285]  fib6_nh_init+0x115/0x7c0
      [  901.406033]  nh_create_ipv6.isra.0+0xe1/0x140
      [  901.406932]  rtm_new_nexthop+0x3b7/0xeb0
      [  901.407828]  rtnetlink_rcv_msg+0x152/0x3a0
      [  901.408663]  ? rtnl_calcit.isra.0+0x130/0x130
      [  901.409535]  netlink_rcv_skb+0x55/0x100
      [  901.410319]  rtnetlink_rcv+0x15/0x20
      [  901.411026]  netlink_unicast+0x1a8/0x250
      [  901.411813]  netlink_sendmsg+0x238/0x470
      [  901.412602]  ? _copy_from_user+0x2b/0x60
      [  901.413394]  sock_sendmsg+0x65/0x70
      [  901.414112]  ____sys_sendmsg+0x218/0x290
      [  901.414929]  ? copy_msghdr_from_user+0x5c/0x90
      [  901.415814]  ___sys_sendmsg+0x81/0xc0
      [  901.416559]  ? fsnotify_destroy_marks+0x27/0xf0
      [  901.417447]  ? call_rcu+0xa4/0x230
      [  901.418153]  ? kmem_cache_free+0x23f/0x410
      [  901.418972]  ? dentry_free+0x37/0x70
      [  901.419705]  ? mntput_no_expire+0x4c/0x260
      [  901.420574]  __sys_sendmsg+0x62/0xb0
      [  901.421297]  __x64_sys_sendmsg+0x1f/0x30
      [  901.422057]  do_syscall_64+0x5c/0xc0
      [  901.422756]  ? syscall_exit_to_user_mode+0x27/0x50
      [  901.423675]  ? __x64_sys_close+0x12/0x40
      [  901.424462]  ? do_syscall_64+0x69/0xc0
      [  901.425219]  ? irqentry_exit_to_user_mode+0x9/0x20
      [  901.426149]  ? irqentry_exit+0x19/0x30
      [  901.426901]  ? exc_page_fault+0x89/0x160
      [  901.427709]  ? asm_exc_page_fault+0x8/0x30
      [  901.428536]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [  901.429514] RIP: 0033:0x7fe493945747
      [  901.430248] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
      [  901.433549] RSP: 002b:00007ffe9932cf68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  901.434981] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe493945747
      [  901.436303] RDX: 0000000000000000 RSI: 00007ffe9932cfe0 RDI: 0000000000000003
      [  901.437607] RBP: 00000000613053f7 R08: 0000000000000001 R09: 00007ffe9932d07c
      [  901.438990] R10: 000055f4a903a010 R11: 0000000000000246 R12: 0000000000000001
      [  901.440340] R13: 0000000000000001 R14: 000055f4a802b163 R15: 000055f4a8042020
      [  901.441630] Modules linked in: vrf nls_utf8 isofs nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common isst_if_mbox_msr isst_if_common nfit rapl input_leds joydev serio_raw qemu_fw_cfg mac_hid sch_fq_codel drm virtio_rng ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd virtio_net net_failover cryptd psmouse virtio_blk failover i2c_piix4 pata_acpi floppy
      [  901.450808] CR2: 0000000000000ba0
      [  901.451514] ---[ end trace c27b934b99ade304 ]---
      [  901.452403] RIP: 0010:vrf_ifindex_lookup_by_table_id+0x19/0x90 [vrf]
      [  901.453626] Code: c1 e9 72 ff ff ff e8 96 49 01 c2 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 89 f5 41 54 53 8b 05 47 4c 00 00 <48> 8b 97 a0 0b 00 00 48 8b 1c c2 e8 57 27 53 c1 4c 8d a3 88 00 00
      [  901.456910] RSP: 0018:ffffbf2d02043590 EFLAGS: 00010282
      [  901.457912] RAX: 000000000000000b RBX: ffff990808255e70 RCX: ffffbf2d02043aa8
      [  901.459238] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000000
      [  901.460552] RBP: ffffbf2d020435b0 R08: 00000000000000c0 R09: ffff990808255e40
      [  901.461882] R10: ffffffff83b08c90 R11: 0000000000000009 R12: 0000000000000000
      [  901.463208] R13: 0000000000000001 R14: 0000000000000000 R15: 000000000000000b
      [  901.464529] FS:  00007fe49381f740(0000) GS:ffff99087dc00000(0000) knlGS:0000000000000000
      [  901.466058] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  901.467189] CR2: 0000000000000ba0 CR3: 000000000e3e8003 CR4: 0000000000770ef0
      [  901.468515] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  901.469858] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  901.471139] PKRU: 55555554
      Signed-off-by: default avatarRyoga Saito <contact@proelbtn.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9aca491e
    • Dan Carpenter's avatar
      net: qrtr: revert check in qrtr_endpoint_post() · d2cabd2d
      Dan Carpenter authored
      I tried to make this check stricter as a hardenning measure but it broke
      audo and wifi on these devices so revert it.
      
      Fixes: aaa8e492 ("net: qrtr: make checks in qrtr_endpoint_post() stricter")
      Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Tested-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2cabd2d
    • Jan Hoffmann's avatar
      net: dsa: lantiq_gswip: fix maximum frame length · 552799f8
      Jan Hoffmann authored
      Currently, outgoing packets larger than 1496 bytes are dropped when
      tagged VLAN is used on a switch port.
      
      Add the frame check sequence length to the value of the register
      GSWIP_MAC_FLEN to fix this. This matches the lantiq_ppa vendor driver,
      which uses a value consisting of 1518 bytes for the MAC frame, plus the
      lengths of special tag and VLAN tags.
      
      Fixes: 14fceff4 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJan Hoffmann <jan@3e8.eu>
      Acked-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      552799f8