1. 07 Jan, 2022 10 commits
    • Moshe Shemesh's avatar
      net/mlx5: Set command entry semaphore up once got index free · 8e715cd6
      Moshe Shemesh authored
      Avoid a race where command work handler may fail to allocate command
      entry index, by holding the command semaphore down till command entry
      index is being freed.
      
      Fixes: 410bd754 ("net/mlx5: Add retry mechanism to the command entry index allocation")
      Signed-off-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Reviewed-by: default avatarEran Ben Elisha <eranbe@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8e715cd6
    • Maor Dickman's avatar
      net/mlx5e: Sync VXLAN udp ports during uplink representor profile change · 07f6dc40
      Maor Dickman authored
      Currently during NIC profile disablement all VXLAN udp ports offloaded to the
      HW are flushed and during its enablement the driver send notification to
      the stack to inform the core that the entire UDP tunnel port state has been
      lost, uplink representor doesn't have the same behavior which can cause
      VXLAN udp ports offload to be in bad state while moving between modes while
      VXLAN interface exist.
      
      Fixed by aligning the uplink representor profile behavior to the NIC behavior.
      
      Fixes: 84db6612 ("net/mlx5e: Move set vxlan nic info to profile init")
      Signed-off-by: default avatarMaor Dickman <maord@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      07f6dc40
    • Shay Drory's avatar
      net/mlx5: Fix access to sf_dev_table on allocation failure · a1c7c49c
      Shay Drory authored
      Even when SF devices are supported, the SF device table allocation
      can still fail.
      In such case mlx5_sf_dev_supported still reports true, but SF device
      table is invalid. This can result in NULL table access.
      
      Hence, fix it by adding NULL table check.
      
      Fixes: 1958fc2f ("net/mlx5: SF, Add auxiliary device driver")
      Signed-off-by: default avatarShay Drory <shayd@nvidia.com>
      Reviewed-by: default avatarParav Pandit <parav@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      a1c7c49c
    • Paul Blakey's avatar
      net/mlx5e: Fix matching on modified inner ip_ecn bits · b6dfff21
      Paul Blakey authored
      Tunnel device follows RFC 6040, and during decapsulation inner
      ip_ecn might change depending on inner and outer ip_ecn as follows:
      
       +---------+----------------------------------------+
       |Arriving |         Arriving Outer Header          |
       |   Inner +---------+---------+---------+----------+
       |  Header | Not-ECT | ECT(0)  | ECT(1)  |   CE     |
       +---------+---------+---------+---------+----------+
       | Not-ECT | Not-ECT | Not-ECT | Not-ECT | <drop>   |
       |  ECT(0) |  ECT(0) | ECT(0)  | ECT(1)  |   CE*    |
       |  ECT(1) |  ECT(1) | ECT(1)  | ECT(1)* |   CE*    |
       |    CE   |   CE    |  CE     | CE      |   CE     |
       +---------+---------+---------+---------+----------+
      
      Cells marked above are changed from original inner packet ip_ecn value.
      
      Tc then matches on the modified inner ip_ecn, but hw offload which
      matches the inner ip_ecn value before decap, will fail.
      
      Fix that by mapping all the cases of outer and inner ip_ecn matching,
      and only supporting cases where we know inner wouldn't be changed by
      decap, or in the outer ip_ecn=CE case, inner ip_ecn didn't matter.
      
      Fixes: bcef735c ("net/mlx5e: Offload TC matching on tos/ttl for ip tunnels")
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Reviewed-by: default avatarOz Shlomo <ozsh@nvidia.com>
      Reviewed-by: default avatarEli Cohen <elic@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      b6dfff21
    • Aya Levin's avatar
      Revert "net/mlx5e: Block offload of outer header csum for GRE tunnel" · 01c3fd11
      Aya Levin authored
      This reverts commit 54e1217b.
      
      Although the NIC doesn't support offload of outer header CSUM, using
      gso_partial_features allows offloading the tunnel's segmentation. The
      driver relies on the stack CSUM calculation of the outer header. For
      this, NETIF_F_GSO_GRE_CSUM must be a member of the device's features.
      
      Fixes: 54e1217b ("net/mlx5e: Block offload of outer header csum for GRE tunnel")
      Signed-off-by: default avatarAya Levin <ayal@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      01c3fd11
    • Aya Levin's avatar
      Revert "net/mlx5e: Block offload of outer header csum for UDP tunnels" · 64050cda
      Aya Levin authored
      This reverts commit 6d6727dd.
      
      Although the NIC doesn't support offload of outer header CSUM, using
      gso_partial_features allows offloading the tunnel's segmentation. The
      driver relies on the stack CSUM calculation of the outer header. For
      this, NETIF_F_GSO_UDP_TUNNEL_CSUM must be a member of the device's
      features.
      
      Fixes: 6d6727dd ("net/mlx5e: Block offload of outer header csum for UDP tunnels")
      Signed-off-by: default avatarAya Levin <ayal@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      64050cda
    • Maor Dickman's avatar
      net/mlx5e: Don't block routes with nexthop objects in SW · 9e72a55a
      Maor Dickman authored
      Routes with nexthop objects is currently not supported by multipath offload
      and any attempts to use it is blocked, however this also block adding SW
      routes with nexthop.
      
      Resolve this by returning NOTIFY_DONE instead of an error which will allow such
      a route to be created in SW but not offloaded.
      
      This fix also solve an issue which block adding such routes on different devices
      due to missing check if the route FIB device is one of multipath devices.
      
      Fixes: 6a87afc0 ("mlx5: Fail attempts to use routes with nexthop objects")
      Signed-off-by: default avatarMaor Dickman <maord@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      9e72a55a
    • Maor Dickman's avatar
      net/mlx5e: Fix wrong usage of fib_info_nh when routes with nexthop objects are used · 885751eb
      Maor Dickman authored
      Creating routes with nexthop objects while in switchdev mode leads to access to
      un-allocated memory and trigger bellow call trace due to hitting WARN_ON.
      This is caused due to illegal usage of fib_info_nh in TC tunnel FIB event handling to
      resolve the FIB device while fib_info built in with nexthop.
      
      Fixed by ignoring attempts to use nexthop objects with routes until support can be
      properly added.
      
      WARNING: CPU: 1 PID: 1724 at include/net/nexthop.h:468 mlx5e_tc_tun_fib_event+0x448/0x570 [mlx5_core]
      CPU: 1 PID: 1724 Comm: ip Not tainted 5.15.0_for_upstream_min_debug_2021_11_09_02_04 #1
      RIP: 0010:mlx5e_tc_tun_fib_event+0x448/0x570 [mlx5_core]
      RSP: 0018:ffff8881349f7910 EFLAGS: 00010202
      RAX: ffff8881492f1980 RBX: ffff8881349f79e8 RCX: 0000000000000000
      RDX: ffff8881349f79e8 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffff8881349f7950 R08: 00000000000000fe R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811e9d0000
      R13: ffff88810eb62000 R14: ffff888106710268 R15: 0000000000000018
      FS:  00007f1d5ca6e800(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007ffedba44ff8 CR3: 0000000129808004 CR4: 0000000000370ea0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       atomic_notifier_call_chain+0x42/0x60
       call_fib_notifiers+0x21/0x40
       fib_table_insert+0x479/0x6d0
       ? try_charge_memcg+0x480/0x6d0
       inet_rtm_newroute+0x65/0xb0
       rtnetlink_rcv_msg+0x2af/0x360
       ? page_add_file_rmap+0x13/0x130
       ? do_set_pte+0xcd/0x120
       ? rtnl_calcit.isra.0+0x120/0x120
       netlink_rcv_skb+0x4e/0xf0
       netlink_unicast+0x1ee/0x2b0
       netlink_sendmsg+0x22e/0x460
       sock_sendmsg+0x33/0x40
       ____sys_sendmsg+0x1d1/0x1f0
       ___sys_sendmsg+0xab/0xf0
       ? __mod_memcg_lruvec_state+0x40/0x60
       ? __mod_lruvec_page_state+0x95/0xd0
       ? page_add_new_anon_rmap+0x4e/0xf0
       ? __handle_mm_fault+0xec6/0x1470
       __sys_sendmsg+0x51/0x90
       ? internal_get_user_pages_fast+0x480/0xa10
       do_syscall_64+0x3d/0x90
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 8914add2 ("net/mlx5e: Handle FIB events to update tunnel endpoint device")
      Signed-off-by: default avatarMaor Dickman <maord@nvidia.com>
      Reviewed-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      885751eb
    • Dima Chumak's avatar
      net/mlx5e: Fix nullptr on deleting mirroring rule · de31854e
      Dima Chumak authored
      Deleting a Tc rule with multiple outputs, one of which is internal port,
      like this one:
      
        tc filter del dev enp8s0f0_0 ingress protocol ip pref 5 flower \
            dst_mac 0c:42:a1:d1:d0:88 \
            src_mac e4:ea:09:08:00:02 \
            action tunnel_key  set \
                src_ip 0.0.0.0 \
                dst_ip 7.7.7.8 \
                id 8 \
                dst_port 4789 \
            action mirred egress mirror dev vxlan_sys_4789 pipe \
            action mirred egress redirect dev enp8s0f0_1
      
      Triggers a call trace:
      
        BUG: kernel NULL pointer dereference, address: 0000000000000230
        RIP: 0010:del_sw_hw_rule+0x2b/0x1f0 [mlx5_core]
        Call Trace:
         tree_remove_node+0x16/0x30 [mlx5_core]
         mlx5_del_flow_rules+0x51/0x160 [mlx5_core]
         __mlx5_eswitch_del_rule+0x4b/0x170 [mlx5_core]
         mlx5e_tc_del_fdb_flow+0x295/0x550 [mlx5_core]
         mlx5e_flow_put+0x1f/0x70 [mlx5_core]
         mlx5e_delete_flower+0x286/0x390 [mlx5_core]
         tc_setup_cb_destroy+0xac/0x170
         fl_hw_destroy_filter+0x94/0xc0 [cls_flower]
         __fl_delete+0x15e/0x170 [cls_flower]
         fl_delete+0x36/0x80 [cls_flower]
         tc_del_tfilter+0x3a6/0x6e0
         rtnetlink_rcv_msg+0xe5/0x360
         ? rtnl_calcit.isra.0+0x110/0x110
         netlink_rcv_skb+0x46/0x110
         netlink_unicast+0x16b/0x200
         netlink_sendmsg+0x202/0x3d0
         sock_sendmsg+0x33/0x40
         ____sys_sendmsg+0x1c3/0x200
         ? copy_msghdr_from_user+0xd6/0x150
         ___sys_sendmsg+0x88/0xd0
         ? ___sys_recvmsg+0x88/0xc0
         ? do_futex+0x10c/0x460
         __sys_sendmsg+0x59/0xa0
         do_syscall_64+0x48/0x140
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fix by disabling offloading for flows matching
      esw_is_chain_src_port_rewrite() which have more than one output.
      
      Fixes: 10742efc ("net/mlx5e: VF tunnel TX traffic offloading")
      Signed-off-by: default avatarDima Chumak <dchumak@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      de31854e
    • Aya Levin's avatar
      net/mlx5e: Fix page DMA map/unmap attributes · 0b7cfa40
      Aya Levin authored
      Driver initiates DMA sync, hence it may skip CPU sync. Add
      DMA_ATTR_SKIP_CPU_SYNC as input attribute both to dma_map_page and
      dma_unmap_page to avoid redundant sync with the CPU.
      When forcing the device to work with SWIOTLB, the extra sync might cause
      data corruption. The driver unmaps the whole page while the hardware
      used just a part of the bounce buffer. So syncing overrides the entire
      page with bounce buffer that only partially contains real data.
      
      Fixes: bc77b240 ("net/mlx5e: Add fragmented memory support for RX multi packet WQE")
      Fixes: db05815b ("net/mlx5e: Add XSK zero-copy support")
      Signed-off-by: default avatarAya Levin <ayal@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      0b7cfa40
  2. 06 Jan, 2022 6 commits
    • Wen Gu's avatar
      net/smc: Reset conn->lgr when link group registration fails · 36595d8a
      Wen Gu authored
      SMC connections might fail to be registered in a link group due to
      unable to find a usable link during its creation. As a result,
      smc_conn_create() will return a failure and most resources related
      to the connection won't be applied or initialized, such as
      conn->abort_work or conn->lnk.
      
      If smc_conn_free() is invoked later, it will try to access the
      uninitialized resources related to the connection, thus causing
      a warning or crash.
      
      This patch tries to fix this by resetting conn->lgr to NULL if an
      abnormal exit occurs in smc_lgr_register_conn(), thus avoiding the
      access to uninitialized resources in smc_conn_free().
      
      Meanwhile, the new created link group should be terminated if smc
      connections can't be registered in it. So smc_lgr_cleanup_early() is
      modified to take care of link group only and invoked to terminate
      unusable link group by smc_conn_create(). The call to smc_conn_free()
      is moved out from smc_lgr_cleanup_early() to smc_conn_abort().
      
      Fixes: 56bc3b20 ("net/smc: assign link to a new connection")
      Suggested-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarWen Gu <guwen@linux.alibaba.com>
      Acked-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      36595d8a
    • Jiasheng Jiang's avatar
      fsl/fman: Check for null pointer after calling devm_ioremap · d5a73ec9
      Jiasheng Jiang authored
      As the possible failure of the allocation, the devm_ioremap() may return
      NULL pointer.
      Take tgec_initialization() as an example.
      If allocation fails, the params->base_addr will be NULL pointer and will
      be assigned to tgec->regs in tgec_config().
      Then it will cause the dereference of NULL pointer in set_mac_address(),
      which is called by tgec_init().
      Therefore, it should be better to add the sanity check after the calling
      of the devm_ioremap().
      
      Fixes: 39339616 ("fsl/fman: Add FMan MAC driver")
      Signed-off-by: default avatarJiasheng Jiang <jiasheng@iscas.ac.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d5a73ec9
    • Dan Carpenter's avatar
      rocker: fix a sleeping in atomic bug · 43d01212
      Dan Carpenter authored
      This code is holding the &ofdpa->flow_tbl_lock spinlock so it is not
      allowed to sleep.  That means we have to pass the OFDPA_OP_FLAG_NOWAIT
      flag to ofdpa_flow_tbl_del().
      
      Fixes: 936bd486 ("rocker: use FIB notifications instead of switchdev calls")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43d01212
    • Eric Dumazet's avatar
      ppp: ensure minimum packet size in ppp_write() · 44073187
      Eric Dumazet authored
      It seems pretty clear ppp layer assumed user space
      would always be kind to provide enough data
      in their write() to a ppp device.
      
      This patch makes sure user provides at least
      2 bytes.
      
      It adds PPP_PROTO_LEN macro that could replace
      in net-next many occurrences of hard-coded 2 value.
      
      I replaced only one occurrence to ease backports
      to stable kernels.
      
      The bug manifests in the following report:
      
      BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
       ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
       __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640
       ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661
       ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513
       do_iter_write+0xb0c/0x1500 fs/read_write.c:853
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x645/0xe00 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:524 [inline]
       slab_alloc_node mm/slub.c:3251 [inline]
       __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
       kmalloc_reserve net/core/skbuff.c:354 [inline]
       __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
       alloc_skb include/linux/skbuff.h:1126 [inline]
       ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501
       do_iter_write+0xb0c/0x1500 fs/read_write.c:853
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x645/0xe00 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: linux-ppp@vger.kernel.org
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44073187
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · c4251db3
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2022-01-06
      
      1) Fix xfrm policy lookups for ipv6 gre packets by initializing
         fl6_gre_key properly. From Ghalem Boudour.
      
      2) Fix the dflt policy check on forwarding when there is no
         policy configured. The check was done for the wrong direction.
         From Nicolas Dichtel.
      
      3) Use the correct 'struct xfrm_user_offload' when calculating
         netlink message lenghts in xfrm_sa_len(). From Eric Dumazet.
      
      4) Tread inserting xfrm interface id 0 as an error.
         From Antony Antony.
      
      5) Fail if xfrm state or policy is inserted with XFRMA_IF_ID 0,
         xfrm interfaces with id 0 are not allowed.
         From Antony Antony.
      
      6) Fix inner_ipproto setting in the sec_path for tunnel mode.
         From  Raed Salem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4251db3
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-5.16-20220105' of... · 502a2ce9
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-5.16-20220105' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2022-01-05
      
      It consists of 2 patches, both by me. The first one fixes the use of
      an uninitialized variable in the gs_usb driver the other one a
      skb_over_panic in the ISOTP stack in case of reception of too large
      ISOTP messages.
      
      * tag 'linux-can-fixes-for-5.16-20220105' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: isotp: convert struct tpcon::{idx,len} to unsigned int
        can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
      ====================
      
      Link: https://lore.kernel.org/r/20220105205443.1274709-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      502a2ce9
  3. 05 Jan, 2022 10 commits
  4. 04 Jan, 2022 14 commits
    • Karen Sornek's avatar
      iavf: Fix limit of total number of queues to active queues of VF · b712941c
      Karen Sornek authored
      In the absence of this validation, if the user requests to
      configure queues more than the enabled queues, it results in
      sending the requested number of queues to the kernel stack
      (due to the asynchronous nature of VF response), in which
      case the stack might pick a queue to transmit that is not
      enabled and result in Tx hang. Fix this bug by
      limiting the total number of queues allocated for VF to
      active queues of VF.
      
      Fixes: d5b33d02 ("i40evf: add ndo_setup_tc callback to i40evf")
      Signed-off-by: default avatarAshwin Vijayavel <ashwin.vijayavel@intel.com>
      Signed-off-by: default avatarKaren Sornek <karen.sornek@intel.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      b712941c
    • Jedrzej Jagielski's avatar
      i40e: Fix incorrect netdev's real number of RX/TX queues · e738451d
      Jedrzej Jagielski authored
      There was a wrong queues representation in sysfs during
      driver's reinitialization in case of online cpus number is
      less than combined queues. It was caused by stopped
      NetworkManager, which is responsible for calling vsi_open
      function during driver's initialization.
      In specific situation (ex. 12 cpus online) there were 16 queues
      in /sys/class/net/<iface>/queues. In case of modifying queues with
      value higher, than number of online cpus, then it caused write
      errors and other errors.
      Add updating of sysfs's queues representation during driver
      initialization.
      
      Fixes: 41c445ff ("i40e: main driver core")
      Signed-off-by: default avatarLukasz Cieplicki <lukaszx.cieplicki@intel.com>
      Signed-off-by: default avatarJedrzej Jagielski <jedrzej.jagielski@intel.com>
      Tested-by: default avatarGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      e738451d
    • Mateusz Palczewski's avatar
      i40e: Fix for displaying message regarding NVM version · 40feded8
      Mateusz Palczewski authored
      When loading the i40e driver, it prints a message like: 'The driver for the
      device detected a newer version of the NVM image v1.x than expected v1.y.
      Please install the most recent version of the network driver.' This is
      misleading as the driver is working as expected.
      
      Fix that by removing the second part of message and changing it from
      dev_info to dev_dbg.
      
      Fixes: 4fb29bdd ("i40e: The driver now prints the API version in error message")
      Signed-off-by: default avatarMateusz Palczewski <mateusz.palczewski@intel.com>
      Tested-by: default avatarGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      40feded8
    • Di Zhu's avatar
      i40e: fix use-after-free in i40e_sync_filters_subtask() · 3116f59c
      Di Zhu authored
      Using ifconfig command to delete the ipv6 address will cause
      the i40e network card driver to delete its internal mac_filter and
      i40e_service_task kernel thread will concurrently access the mac_filter.
      These two processes are not protected by lock
      so causing the following use-after-free problems.
      
       print_address_description+0x70/0x360
       ? vprintk_func+0x5e/0xf0
       kasan_report+0x1b2/0x330
       i40e_sync_vsi_filters+0x4f0/0x1850 [i40e]
       i40e_sync_filters_subtask+0xe3/0x130 [i40e]
       i40e_service_task+0x195/0x24c0 [i40e]
       process_one_work+0x3f5/0x7d0
       worker_thread+0x61/0x6c0
       ? process_one_work+0x7d0/0x7d0
       kthread+0x1c3/0x1f0
       ? kthread_park+0xc0/0xc0
       ret_from_fork+0x35/0x40
      
      Allocated by task 2279810:
       kasan_kmalloc+0xa0/0xd0
       kmem_cache_alloc_trace+0xf3/0x1e0
       i40e_add_filter+0x127/0x2b0 [i40e]
       i40e_add_mac_filter+0x156/0x190 [i40e]
       i40e_addr_sync+0x2d/0x40 [i40e]
       __hw_addr_sync_dev+0x154/0x210
       i40e_set_rx_mode+0x6d/0xf0 [i40e]
       __dev_set_rx_mode+0xfb/0x1f0
       __dev_mc_add+0x6c/0x90
       igmp6_group_added+0x214/0x230
       __ipv6_dev_mc_inc+0x338/0x4f0
       addrconf_join_solict.part.7+0xa2/0xd0
       addrconf_dad_work+0x500/0x980
       process_one_work+0x3f5/0x7d0
       worker_thread+0x61/0x6c0
       kthread+0x1c3/0x1f0
       ret_from_fork+0x35/0x40
      
      Freed by task 2547073:
       __kasan_slab_free+0x130/0x180
       kfree+0x90/0x1b0
       __i40e_del_filter+0xa3/0xf0 [i40e]
       i40e_del_mac_filter+0xf3/0x130 [i40e]
       i40e_addr_unsync+0x85/0xa0 [i40e]
       __hw_addr_sync_dev+0x9d/0x210
       i40e_set_rx_mode+0x6d/0xf0 [i40e]
       __dev_set_rx_mode+0xfb/0x1f0
       __dev_mc_del+0x69/0x80
       igmp6_group_dropped+0x279/0x510
       __ipv6_dev_mc_dec+0x174/0x220
       addrconf_leave_solict.part.8+0xa2/0xd0
       __ipv6_ifa_notify+0x4cd/0x570
       ipv6_ifa_notify+0x58/0x80
       ipv6_del_addr+0x259/0x4a0
       inet6_addr_del+0x188/0x260
       addrconf_del_ifaddr+0xcc/0x130
       inet6_ioctl+0x152/0x190
       sock_do_ioctl+0xd8/0x2b0
       sock_ioctl+0x2e5/0x4c0
       do_vfs_ioctl+0x14e/0xa80
       ksys_ioctl+0x7c/0xa0
       __x64_sys_ioctl+0x42/0x50
       do_syscall_64+0x98/0x2c0
       entry_SYSCALL_64_after_hwframe+0x65/0xca
      
      Fixes: 41c445ff ("i40e: main driver core")
      Signed-off-by: default avatarDi Zhu <zhudi2@huawei.com>
      Signed-off-by: default avatarRui Zhang <zhangrui182@huawei.com>
      Tested-by: default avatarGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      3116f59c
    • Mateusz Palczewski's avatar
      i40e: Fix to not show opcode msg on unsuccessful VF MAC change · 01cbf508
      Mateusz Palczewski authored
      Hide i40e opcode information sent during response to VF in case when
      untrusted VF tried to change MAC on the VF interface.
      
      This is implemented by adding an additional parameter 'hide' to the
      response sent to VF function that hides the display of error
      information, but forwards the error code to VF.
      
      Previously it was not possible to send response with some error code
      to VF without displaying opcode information.
      
      Fixes: 5c3c48ac ("i40e: implement virtual device interface")
      Signed-off-by: default avatarGrzegorz Szczurek <grzegorzx.szczurek@intel.com>
      Signed-off-by: default avatarMateusz Palczewski <mateusz.palczewski@intel.com>
      Reviewed-by: default avatarPaul M Stillwell Jr <paul.m.stillwell.jr@intel.com>
      Reviewed-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Tested-by: default avatarTony Brelinski <tony.brelinski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      01cbf508
    • Pavel Skripkin's avatar
      ieee802154: atusb: fix uninit value in atusb_set_extended_addr · 754e4382
      Pavel Skripkin authored
      Alexander reported a use of uninitialized value in
      atusb_set_extended_addr(), that is caused by reading 0 bytes via
      usb_control_msg().
      
      Fix it by validating if the number of bytes transferred is actually
      correct, since usb_control_msg() may read less bytes, than was requested
      by caller.
      
      Fail log:
      
      BUG: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
      BUG: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
      BUG: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
      Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd
       ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
       atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
       atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
       usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396
      
      Fixes: 7490b008 ("ieee802154: add support for atusb transceiver")
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Acked-by: default avatarAlexander Aring <aahringo@redhat.com>
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Link: https://lore.kernel.org/r/20220104182806.7188-1-paskripkin@gmail.comSigned-off-by: default avatarStefan Schmidt <stefan@datenfreihafen.org>
      754e4382
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-net-2022-01-04' of... · 6f89ecf1
      Jakub Kicinski authored
      Merge tag 'mac80211-for-net-2022-01-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Two more changes:
       - mac80211: initialize a variable to avoid using it uninitialized
       - mac80211 mesh: put some data structures into the container to
         fix bugs with and not have to deal with allocation failures
      
      * tag 'mac80211-for-net-2022-01-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211:
        mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
        mac80211: initialize variable have_higher_than_11mbit
      ====================
      
      Link: https://lore.kernel.org/r/20220104144449.64937-1-johannes@sipsolutions.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6f89ecf1
    • Pavel Skripkin's avatar
      mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh · 8b5cb7e4
      Pavel Skripkin authored
      Syzbot hit NULL deref in rhashtable_free_and_destroy(). The problem was
      in mesh_paths and mpp_paths being NULL.
      
      mesh_pathtbl_init() could fail in case of memory allocation failure, but
      nobody cared, since ieee80211_mesh_init_sdata() returns void. It led to
      leaving 2 pointers as NULL. Syzbot has found null deref on exit path,
      but it could happen anywhere else, because code assumes these pointers are
      valid.
      
      Since all ieee80211_*_setup_sdata functions are void and do not fail,
      let's embedd mesh_paths and mpp_paths into parent struct to avoid
      adding error handling on higher levels and follow the pattern of others
      setup_sdata functions
      
      Fixes: 60854fd9 ("mac80211: mesh: convert path table to rhashtable")
      Reported-and-tested-by: syzbot+860268315ba86ea6b96b@syzkaller.appspotmail.com
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Link: https://lore.kernel.org/r/20211230195547.23977-1-paskripkin@gmail.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      8b5cb7e4
    • Tom Rix's avatar
      mac80211: initialize variable have_higher_than_11mbit · 68a18ad7
      Tom Rix authored
      Clang static analysis reports this warnings
      
      mlme.c:5332:7: warning: Branch condition evaluates to a
        garbage value
          have_higher_than_11mbit)
          ^~~~~~~~~~~~~~~~~~~~~~~
      
      have_higher_than_11mbit is only set to true some of the time in
      ieee80211_get_rates() but is checked all of the time.  So
      have_higher_than_11mbit needs to be initialized to false.
      
      Fixes: 5d6a1b06 ("mac80211: set basic rates earlier")
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Link: https://lore.kernel.org/r/20211223162848.3243702-1-trix@redhat.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      68a18ad7
    • Eric Dumazet's avatar
      sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc · 7d18a078
      Eric Dumazet authored
      tx_queue_len can be set to ~0U, we need to be more
      careful about overflows.
      
      __fls(0) is undefined, as this report shows:
      
      UBSAN: shift-out-of-bounds in net/sched/sch_qfq.c:1430:24
      shift exponent 51770272 is too large for 32-bit type 'int'
      CPU: 0 PID: 25574 Comm: syz-executor.0 Not tainted 5.16.0-rc7-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0x201/0x2d8 lib/dump_stack.c:106
       ubsan_epilogue lib/ubsan.c:151 [inline]
       __ubsan_handle_shift_out_of_bounds+0x494/0x530 lib/ubsan.c:330
       qfq_init_qdisc+0x43f/0x450 net/sched/sch_qfq.c:1430
       qdisc_create+0x895/0x1430 net/sched/sch_api.c:1253
       tc_modify_qdisc+0x9d9/0x1e20 net/sched/sch_api.c:1660
       rtnetlink_rcv_msg+0x934/0xe60 net/core/rtnetlink.c:5571
       netlink_rcv_skb+0x200/0x470 net/netlink/af_netlink.c:2496
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x814/0x9f0 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0xaea/0xe60 net/netlink/af_netlink.c:1921
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       ____sys_sendmsg+0x5b9/0x910 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       __sys_sendmsg+0x280/0x370 net/socket.c:2492
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 462dbc91 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d18a078
    • Christoph Hellwig's avatar
      netrom: fix copying in user data in nr_setsockopt · 3087a6f3
      Christoph Hellwig authored
      This code used to copy in an unsigned long worth of data before
      the sockptr_t conversion, so restore that.
      
      Fixes: a7b75c5a ("net: pass a sockptr_t into ->setsockopt")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3087a6f3
    • David S. Miller's avatar
      Merge branch 'srv6-traceroute' · d2d9a6d0
      David S. Miller authored
      Andrew Lunn says:
      
      ====================
      Fix traceroute in the presence of SRv6
      
      When using SRv6 the destination IP address in the IPv6 header is not
      always the true destination, it can be a router along the path that
      SRv6 is using.
      
      When ICMP reports an error, e.g, time exceeded, which is what
      traceroute uses, it included the packet which invoked the error into
      the ICMP message body. Upon receiving such an ICMP packet, the
      invoking packet is examined and an attempt is made to find the socket
      which sent the packet, so the error can be reported. Lookup is
      performed using the source and destination address. If the
      intermediary router IP address from the IP header is used, the lookup
      fails. It is necessary to dig into the header and find the true
      destination address in the Segment Router header, SRH.
      
      v2:
      Play games with the skb->network_header rather than clone the skb
      v3:
      Move helpers into seg6.c
      v4:
      Move short helper into header file.
      Rework getting SRH destination address
      v5:
      Fix comment to describe function, not caller
      
      Patch 1 exports a helper which can find the SRH in a packet
      Patch 2 does the actual examination of the invoking packet
      Patch 3 makes use of the results when trying to find the socket.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2d9a6d0
    • Andrew Lunn's avatar
      udp6: Use Segment Routing Header for dest address if present · 222a011e
      Andrew Lunn authored
      When finding the socket to report an error on, if the invoking packet
      is using Segment Routing, the IPv6 destination address is that of an
      intermediate router, not the end destination. Extract the ultimate
      destination address from the segment address.
      
      This change allows traceroute to function in the presence of Segment
      Routing.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      222a011e
    • Andrew Lunn's avatar
      icmp: ICMPV6: Examine invoking packet for Segment Route Headers. · e4129440
      Andrew Lunn authored
      RFC8754 says:
      
      ICMP error packets generated within the SR domain are sent to source
      nodes within the SR domain.  The invoking packet in the ICMP error
      message may contain an SRH.  Since the destination address of a packet
      with an SRH changes as each segment is processed, it may not be the
      destination used by the socket or application that generated the
      invoking packet.
      
      For the source of an invoking packet to process the ICMP error
      message, the ultimate destination address of the IPv6 header may be
      required.  The following logic is used to determine the destination
      address for use by protocol-error handlers.
      
      *  Walk all extension headers of the invoking IPv6 packet to the
         routing extension header preceding the upper-layer header.
      
         -  If routing header is type 4 Segment Routing Header (SRH)
      
            o  The SID at Segment List[0] may be used as the destination
               address of the invoking packet.
      
      Mangle the skb so the network header points to the invoking packet
      inside the ICMP packet. The seg6 helpers can then be used on the skb
      to find any segment routing headers. If found, mark this fact in the
      IPv6 control block of the skb, and store the offset into the packet of
      the SRH. Then restore the skb back to its old state.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e4129440