1. 24 Apr, 2024 7 commits
    • Nathan Chancellor's avatar
      Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() · 9bf4e919
      Nathan Chancellor authored
      After an innocuous optimization change in LLVM main (19.0.0), x86_64
      allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to
      build due to the checks in check_copy_size():
      
        In file included from net/bluetooth/sco.c:27:
        In file included from include/linux/module.h:13:
        In file included from include/linux/stat.h:19:
        In file included from include/linux/time.h:60:
        In file included from include/linux/time32.h:13:
        In file included from include/linux/timex.h:67:
        In file included from arch/x86/include/asm/timex.h:6:
        In file included from arch/x86/include/asm/tsc.h:10:
        In file included from arch/x86/include/asm/msr.h:15:
        In file included from include/linux/percpu.h:7:
        In file included from include/linux/smp.h:118:
        include/linux/thread_info.h:244:4: error: call to '__bad_copy_from'
        declared with 'error' attribute: copy source size is too small
          244 |                         __bad_copy_from();
              |                         ^
      
      The same exact error occurs in l2cap_sock.c. The copy_to_user()
      statements that are failing come from l2cap_sock_getsockopt_old() and
      sco_sock_getsockopt_old(). This does not occur with GCC with or without
      KCSAN or Clang without KCSAN enabled.
      
      len is defined as an 'int' because it is assigned from
      '__user int *optlen'. However, it is clamped against the result of
      sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit
      platforms). This is done with min_t() because min() requires compatible
      types, which results in both len and the result of sizeof() being casted
      to 'unsigned int', meaning len changes signs and the result of sizeof()
      is truncated. From there, len is passed to copy_to_user(), which has a
      third parameter type of 'unsigned long', so it is widened and changes
      signs again. This excessive casting in combination with the KCSAN
      instrumentation causes LLVM to fail to eliminate the __bad_copy_from()
      call, failing the build.
      
      The official recommendation from LLVM developers is to consistently use
      long types for all size variables to avoid the unnecessary casting in
      the first place. Change the type of len to size_t in both
      l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears
      up the error while allowing min_t() to be replaced with min(), resulting
      in simpler code with no casts and fewer implicit conversions. While len
      is a different type than optlen now, it should result in no functional
      change because the result of sizeof() will clamp all values of optlen in
      the same manner as before.
      
      Cc: stable@vger.kernel.org
      Closes: https://github.com/ClangBuiltLinux/linux/issues/2007
      Link: https://github.com/llvm/llvm-project/issues/85647Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarJustin Stitt <justinstitt@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      9bf4e919
    • Daniel Golle's avatar
      net: phy: mediatek-ge-soc: follow netdev LED trigger semantics · 5b5f724b
      Daniel Golle authored
      Only blink if the link is up on a LED which is programmed to also
      indicate link-status.
      
      Otherwise, if both LEDs are in use to indicate different speeds, the
      resulting blinking being inverted on LEDs which aren't switched on at
      a specific speed is quite counter-intuitive.
      
      Also make sure that state left behind by reset or the bootloader is
      recognized correctly including the half-duplex and full-duplex bits as
      well as the (unsupported by Linux netdev trigger semantics) link-down
      bit.
      
      Fixes: c66937b0 ("net: phy: mediatek-ge-soc: support PHY LEDs")
      Signed-off-by: default avatarDaniel Golle <daniel@makrotopia.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b5f724b
    • Hyunwoo Kim's avatar
      net: gtp: Fix Use-After-Free in gtp_dellink · f2a90410
      Hyunwoo Kim authored
      Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
      of gtp_dellink, is not part of the RCU read critical section, it
      is possible that the RCU grace period will pass during the traversal and
      the key will be free.
      
      To prevent this, it should be changed to hlist_for_each_entry_safe.
      
      Fixes: 94dc550a ("gtp: fix an use-after-free in ipv4_pdp_find()")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2a90410
    • Hyunwoo Kim's avatar
      tcp: Fix Use-After-Free in tcp_ao_connect_init · 80e679b3
      Hyunwoo Kim authored
      Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
      of tcp_ao_connect_init, is not part of the RCU read critical section, it
      is possible that the RCU grace period will pass during the traversal and
      the key will be free.
      
      To prevent this, it should be changed to hlist_for_each_entry_safe.
      
      Fixes: 7c2ffaf2 ("net/tcp: Calculate TCP-AO traffic keys")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarDmitry Safonov <0x7f454c46@gmail.com>
      Link: https://lore.kernel.org/r/ZiYu9NJ/ClR8uSkH@v4bel-B760M-AORUS-ELITE-AXSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      80e679b3
    • Eric Dumazet's avatar
      net: usb: ax88179_178a: stop lying about skb->truesize · 4ce62d5b
      Eric Dumazet authored
      Some usb drivers try to set small skb->truesize and break
      core networking stacks.
      
      In this patch, I removed one of the skb->truesize overide.
      
      I also replaced one skb_clone() by an allocation of a fresh
      and small skb, to get minimally sized skbs, like we did
      in commit 1e2c6117 ("net: cdc_ncm: reduce skb truesize
      in rx path")
      
      Fixes: f8ebb3ac ("net: usb: ax88179_178a: Fix packet receiving")
      Reported-by: default avatarshironeko <shironeko@tesaguri.club>
      Closes: https://lore.kernel.org/netdev/c110f41a0d2776b525930f213ca9715c@tesaguri.club/Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jose Alonso <joalonsof@gmail.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240421193828.1966195-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4ce62d5b
    • Eric Dumazet's avatar
      ipv4: check for NULL idev in ip_route_use_hint() · 58a4c9b1
      Eric Dumazet authored
      syzbot was able to trigger a NULL deref in fib_validate_source()
      in an old tree [1].
      
      It appears the bug exists in latest trees.
      
      All calls to __in_dev_get_rcu() must be checked for a NULL result.
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
       RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
      Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
      RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
      RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
      RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
      R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
      FS:  00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
        ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
        ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
        ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
        ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
        __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
        __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
        __netif_receive_skb_list net/core/dev.c:5672 [inline]
        netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
        netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
        xdp_recv_frames net/bpf/test_run.c:257 [inline]
        xdp_test_run_batch net/bpf/test_run.c:335 [inline]
        bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
        bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
        bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
        __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
        __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
        __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
        __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199
      
      Fixes: 02b24941 ("ipv4: use dst hint for ipv4 list receive")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240421184326.1704930-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      58a4c9b1
    • Eric Dumazet's avatar
      net: fix sk_memory_allocated_{add|sub} vs softirqs · 3584718c
      Eric Dumazet authored
      Jonathan Heathcote reported a regression caused by blamed commit
      on aarch64 architecture.
      
      x86 happens to have irq-safe __this_cpu_add_return()
      and __this_cpu_sub(), but this is not generic.
      
      I think my confusion came from "struct sock" argument,
      because these helpers are called with a locked socket.
      But the memory accounting is per-proto (and per-cpu after
      the blamed commit). We might cleanup these helpers later
      to directly accept a "struct proto *proto" argument.
      
      Switch to this_cpu_add_return() and this_cpu_xchg()
      operations, and get rid of preempt_disable()/preempt_enable() pairs.
      
      Fast path becomes a bit faster as a result :)
      
      Many thanks to Jonathan Heathcote for his awesome report and
      investigations.
      
      Fixes: 3cd3399d ("net: implement per-cpu reserves for memory_allocated")
      Reported-by: default avatarJonathan Heathcote <jonathan.heathcote@bbc.co.uk>
      Closes: https://lore.kernel.org/netdev/VI1PR01MB42407D7947B2EA448F1E04EFD10D2@VI1PR01MB4240.eurprd01.prod.exchangelabs.com/Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Reviewed-by: default avatarShakeel Butt <shakeel.butt@linux.dev>
      Link: https://lore.kernel.org/r/20240421175248.1692552-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3584718c
  2. 23 Apr, 2024 2 commits
    • Jakub Kicinski's avatar
      tools: ynl: don't ignore errors in NLMSG_DONE messages · a44f2eb1
      Jakub Kicinski authored
      NLMSG_DONE contains an error code, it has to be extracted.
      Prior to this change all dumps will end in success,
      and in case of failure the result is silently truncated.
      
      Fixes: e4b48ed4 ("tools: ynl: add a completely generic client")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarDonald Hunter <donald.hunter@gmail.com>
      Link: https://lore.kernel.org/r/20240420020827.3288615-1-kuba@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a44f2eb1
    • Duoming Zhou's avatar
      ax25: Fix netdev refcount issue · 467324bc
      Duoming Zhou authored
      The dev_tracker is added to ax25_cb in ax25_bind(). When the
      ax25 device is detaching, the dev_tracker of ax25_cb should be
      deallocated in ax25_kill_by_device() instead of the dev_tracker
      of ax25_dev. The log reported by ref_tracker is shown below:
      
      [   80.884935] ref_tracker: reference already released.
      [   80.885150] ref_tracker: allocated in:
      [   80.885349]  ax25_dev_device_up+0x105/0x540
      [   80.885730]  ax25_device_event+0xa4/0x420
      [   80.885730]  notifier_call_chain+0xc9/0x1e0
      [   80.885730]  __dev_notify_flags+0x138/0x280
      [   80.885730]  dev_change_flags+0xd7/0x180
      [   80.885730]  dev_ifsioc+0x6a9/0xa30
      [   80.885730]  dev_ioctl+0x4d8/0xd90
      [   80.885730]  sock_do_ioctl+0x1c2/0x2d0
      [   80.885730]  sock_ioctl+0x38b/0x4f0
      [   80.885730]  __se_sys_ioctl+0xad/0xf0
      [   80.885730]  do_syscall_64+0xc4/0x1b0
      [   80.885730]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
      [   80.885730] ref_tracker: freed in:
      [   80.885730]  ax25_device_event+0x272/0x420
      [   80.885730]  notifier_call_chain+0xc9/0x1e0
      [   80.885730]  dev_close_many+0x272/0x370
      [   80.885730]  unregister_netdevice_many_notify+0x3b5/0x1180
      [   80.885730]  unregister_netdev+0xcf/0x120
      [   80.885730]  sixpack_close+0x11f/0x1b0
      [   80.885730]  tty_ldisc_kill+0xcb/0x190
      [   80.885730]  tty_ldisc_hangup+0x338/0x3d0
      [   80.885730]  __tty_hangup+0x504/0x740
      [   80.885730]  tty_release+0x46e/0xd80
      [   80.885730]  __fput+0x37f/0x770
      [   80.885730]  __x64_sys_close+0x7b/0xb0
      [   80.885730]  do_syscall_64+0xc4/0x1b0
      [   80.885730]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
      [   80.893739] ------------[ cut here ]------------
      [   80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0
      [   80.894297] Modules linked in:
      [   80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd9 #11
      [   80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4
      [   80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0
      [   80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9
      [   80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286
      [   80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000
      [   80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518
      [   80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a
      [   80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4
      [   80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518
      [   80.898279] FS:  00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
      [   80.899436] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0
      ...
      [   80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at
      [   80.935774]      ax25_bind+0x424/0x4e0
      [   80.935774]      __sys_bind+0x1d9/0x270
      [   80.935774]      __x64_sys_bind+0x75/0x80
      [   80.935774]      do_syscall_64+0xc4/0x1b0
      [   80.935774]      entry_SYSCALL_64_after_hwframe+0x67/0x6f
      
      Change ax25_dev->dev_tracker to the dev_tracker of ax25_cb
      in order to mitigate the bug.
      
      Fixes: feef318c ("ax25: fix UAF bugs of net_device caused by rebinding operation")
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Link: https://lore.kernel.org/r/20240419020456.29826-1-duoming@zju.edu.cnSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      467324bc
  3. 22 Apr, 2024 11 commits
    • Paul Geurts's avatar
      NFC: trf7970a: disable all regulators on removal · 6bea4f03
      Paul Geurts authored
      During module probe, regulator 'vin' and 'vdd-io' are used and enabled,
      but the vdd-io regulator overwrites the 'vin' regulator pointer. During
      remove, only the vdd-io is disabled, as the vin regulator pointer is not
      available anymore. When regulator_put() is called during resource
      cleanup a kernel warning is given, as the regulator is still enabled.
      
      Store the two regulators in separate pointers and disable both the
      regulators on module remove.
      
      Fixes: 49d22c70 ("NFC: trf7970a: Add device tree option of 1.8 Volt IO voltage")
      Signed-off-by: default avatarPaul Geurts <paul_geurts@live.nl>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Link: https://lore.kernel.org/r/DB7PR09MB26847A4EBF88D9EDFEB1DA0F950E2@DB7PR09MB2684.eurprd09.prod.outlook.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6bea4f03
    • David Christensen's avatar
      MAINTAINERS: eth: mark IBM eHEA as an Orphan · 97ec32b5
      David Christensen authored
      Current maintainer Douglas Miller has left IBM and no replacement has
      been assigned for the driver. The eHEA hardware was last used on
      IBM POWER7 systems, the last of which reached end-of-support at the
      end of 2020.
      Signed-off-by: default avatarDavid Christensen <drc@linux.ibm.com>
      Reviewed-by: default avatarPradeep Satyanarayana <pradeeps@linux.ibm.com>
      Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
      Link: https://lore.kernel.org/r/20240418195517.528577-1-drc@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      97ec32b5
    • Matthias Schiffer's avatar
      net: dsa: mv88e6xx: fix supported_interfaces setup in mv88e6250_phylink_get_caps() · a4e38990
      Matthias Schiffer authored
      With the recent PHYLINK changes requiring supported_interfaces to be set,
      MV88E6250 family switches like the 88E6020 fail to probe - cmode is
      never initialized on these devices, so mv88e6250_phylink_get_caps() does
      not set any supported_interfaces flags.
      
      Instead of a cmode, on 88E6250 we have a read-only port mode value that
      encodes similar information. There is no reason to bother mapping port
      mode to the cmodes of other switch models; instead we introduce a
      mv88e6250_setup_supported_interfaces() that is called directly from
      mv88e6250_phylink_get_caps().
      
      Fixes: de5c9bf4 ("net: phylink: require supported_interfaces to be filled")
      Signed-off-by: default avatarMatthias Schiffer <matthias.schiffer@ew.tq-group.com>
      Link: https://lore.kernel.org/r/20240417103737.166651-1-matthias.schiffer@ew.tq-group.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a4e38990
    • David S. Miller's avatar
      Merge branch 'bnxt_en-aer-fixes' · 9e91bf75
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: AER fixes
      
      This patchset fixes issues in the AER recovery logic.  The first patch
      refactors the code to make a shutdown function available for AER fatal
      errors.  The second patch fixes the AER fatal recovery logic.  The
      third patch fixes the health register logic to fix AER recovery failure
      for the new P7 chips.
      ====================
      Signed-off-by: default avatarArınç ÜNAL <arinc.unal@arinc9.com>
      9e91bf75
    • Michael Chan's avatar
      bnxt_en: Fix error recovery for 5760X (P7) chips · 41e54045
      Michael Chan authored
      During error recovery, such as AER fatal error slot reset, we call
      bnxt_try_map_fw_health_reg() to try to get access to the health
      register to determine the firmware state.  Fix
      bnxt_try_map_fw_health_reg() to recognize the P7 chip correctly
      and set up the health register.
      
      This fixes this type of AER slot reset failure:
      
      bnxt_en 0000:04:00.0: AER: PCIe Bus Error: severity=Uncorrectable (Fatal), type=Inaccessible, (Unregistered Agent ID)
      bnxt_en 0000:04:00.0 enp4s0f0np0: PCI I/O error detected
      bnxt_en 0000:04:00.0 bnxt_re0: Handle device suspend call
      bnxt_en 0000:04:00.1 enp4s0f1np1: PCI I/O error detected
      bnxt_en 0000:04:00.1 bnxt_re1: Handle device suspend call
      pcieport 0000:00:02.0: AER: Root Port link has been reset (0)
      bnxt_en 0000:04:00.0 enp4s0f0np0: PCI Slot Reset
      bnxt_en 0000:04:00.0: enabling device (0000 -> 0002)
      bnxt_en 0000:04:00.0: Firmware not ready
      bnxt_en 0000:04:00.1 enp4s0f1np1: PCI Slot Reset
      bnxt_en 0000:04:00.1: enabling device (0000 -> 0002)
      bnxt_en 0000:04:00.1: Firmware not ready
      pcieport 0000:00:02.0: AER: device recovery failed
      
      Fixes: a432a45b ("bnxt_en: Define basic P7 macros")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41e54045
    • Vikas Gupta's avatar
      bnxt_en: Fix the PCI-AER routines · a1acdc22
      Vikas Gupta authored
      We do not support two simultaneous recoveries so check for reset
      flag, BNXT_STATE_IN_FW_RESET, and do not proceed with AER further.
      When the pci channel state is pci_channel_io_frozen, the PCIe link
      can not be trusted so we disable the traffic immediately and stop
      BAR access by calling bnxt_fw_fatal_close().  BAR access after
      AER fatal error can cause an NMI.
      
      Fixes: f75d9a0a ("bnxt_en: Re-write PCI BARs after PCI fatal error.")
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1acdc22
    • Vikas Gupta's avatar
      bnxt_en: refactor reset close code · 7474b1c8
      Vikas Gupta authored
      Introduce bnxt_fw_fatal_close() API which can be used
      to stop data path and disable device when firmware
      is in fatal state.
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7474b1c8
    • Hangbin Liu's avatar
      bridge/br_netlink.c: no need to return void function · 4fd1edcd
      Hangbin Liu authored
      br_info_notify is a void function. There is no need to return.
      
      Fixes: b6d0425b ("bridge: cfm: Netlink Notifications.")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4fd1edcd
    • Alex Elder's avatar
      mailmap: add entries for Alex Elder · 70dcdf5f
      Alex Elder authored
      Define my kernel.org address to be the canonical one, and add mailmap
      entries for the various addresses (including typos) that have been
      used over the years.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70dcdf5f
    • Eric Dumazet's avatar
      icmp: prevent possible NULL dereferences from icmp_build_probe() · c58e88d4
      Eric Dumazet authored
      First problem is a double call to __in_dev_get_rcu(), because
      the second one could return NULL.
      
      if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)
      
      Second problem is a read from dev->ip6_ptr with no NULL check:
      
      if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))
      
      Use the correct RCU API to fix these.
      
      v2: add missing include <net/addrconf.h>
      
      Fixes: d329ea5b ("icmp: add response to RFC 8335 PROBE messages")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Andreas Roeseler <andreas.a.roeseler@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c58e88d4
    • Daniele Palmas's avatar
      net: usb: qmi_wwan: add Telit FN920C04 compositions · 0b8fe5bd
      Daniele Palmas authored
      Add the following Telit FN920C04 compositions:
      
      0x10a0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag)
      T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#=  5 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=10a0 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN920
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      
      0x10a4: rmnet + tty (AT) + tty (AT) + tty (diag)
      T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=10a4 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN920
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      
      0x10a9: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb
      T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#=  9 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=10a9 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN920
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:  If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b8fe5bd
  4. 20 Apr, 2024 6 commits
  5. 19 Apr, 2024 2 commits
    • David Bauer's avatar
      vxlan: drop packets from invalid src-address · f58f45c1
      David Bauer authored
      The VXLAN driver currently does not check if the inner layer2
      source-address is valid.
      
      In case source-address snooping/learning is enabled, a entry in the FDB
      for the invalid address is created with the layer3 address of the tunnel
      endpoint.
      
      If the frame happens to have a non-unicast address set, all this
      non-unicast traffic is subsequently not flooded to the tunnel network
      but sent to the learnt host in the FDB. To make matters worse, this FDB
      entry does not expire.
      
      Apply the same filtering for packets as it is done for bridges. This not
      only drops these invalid packets but avoids them from being learnt into
      the FDB.
      
      Fixes: d342894c ("vxlan: virtual extensible lan")
      Suggested-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid Bauer <mail@david-bauer.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f58f45c1
    • Duanqiang Wen's avatar
      net: libwx: fix alloc msix vectors failed · 69197dfc
      Duanqiang Wen authored
      driver needs queue msix vectors and one misc irq vector,
      but only queue vectors need irq affinity.
      when num_online_cpus is less than chip max msix vectors,
      driver will acquire (num_online_cpus + 1) vecotrs, and
      call pci_alloc_irq_vectors_affinity functions with affinity
      params without setting pre_vectors or post_vectors, it will
      cause return error code -ENOSPC.
      Misc irq vector is vector 0, driver need to set affinity params
      .pre_vectors = 1.
      
      Fixes: 3f703186 ("net: libwx: Add irq flow functions")
      Signed-off-by: default avatarDuanqiang Wen <duanqiangwen@net-swift.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69197dfc
  6. 18 Apr, 2024 12 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 7586c850
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "A little calmer than usual, probably just the timing of sub-tree PRs.
      
        Including fixes from netfilter.
      
        Current release - regressions:
      
         - inet: bring NLM_DONE out to a separate recv() again, fix user space
           which assumes multiple recv()s will happen and gets blocked forever
      
         - drv: mlx5:
             - restore mistakenly dropped parts in register devlink flow
             - use channel mdev reference instead of global mdev instance for
               coalescing
             - acquire RTNL lock before RQs/SQs activation/deactivation
      
        Previous releases - regressions:
      
         - net: change maximum number of UDP segments to 128, fix virtio
           compatibility with Windows peers
      
         - usb: ax88179_178a: avoid writing the mac address before first
           reading
      
        Previous releases - always broken:
      
         - sched: fix mirred deadlock on device recursion
      
         - netfilter:
             - br_netfilter: skip conntrack input hook for promisc packets
             - fixes removal of duplicate elements in the pipapo set backend
             - various fixes for abort paths and error handling
      
         - af_unix: don't peek OOB data without MSG_OOB
      
         - drv: flower: fix fragment flags handling in multiple drivers
      
         - drv: ravb: fix jumbo frames and packet stats accounting
      
        Misc:
      
         - kselftest_harness: fix Clang warning about zero-length format
      
         - tun: limit printing rate when illegal packet received by tun dev"
      
      * tag 'net-6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (46 commits)
        net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them
        net: usb: ax88179_178a: avoid writing the mac address before first reading
        net: ravb: Fix RX byte accounting for jumbo packets
        net: ravb: Fix GbEth jumbo packet RX checksum handling
        net: ravb: Allow RX loop to move past DMA mapping errors
        net: ravb: Count packets instead of descriptors in R-Car RX path
        net: ethernet: mtk_eth_soc: fix WED + wifi reset
        net:usb:qmi_wwan: support Rolling modules
        selftests: kselftest_harness: fix Clang warning about zero-length format
        net/sched: Fix mirred deadlock on device recursion
        netfilter: nf_tables: fix memleak in map from abort path
        netfilter: nf_tables: restore set elements when delete set fails
        netfilter: nf_tables: missing iterator type in lookup walk
        s390/ism: Properly fix receive message buffer allocation
        net: dsa: mt7530: fix port mirroring for MT7988 SoC switch
        net: dsa: mt7530: fix mirroring frames received on local port
        tun: limit printing rate when illegal packet received by tun dev
        ice: Fix checking for unsupported keys on non-tunnel device
        ice: tc: allow zero flags in parsing tc flower
        ice: tc: check src_vsi in case of traffic from VF
        ...
      7586c850
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 360a348f
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - use -ENOTSUPP consistently in Intel GPIO drivers
      
       - don't include dt-bindings headers in gpio-swnode code
      
       - add missing of device table to gpio-lpc32xx and fix autoloading
      
      * tag 'gpio-fixes-for-v6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpiolib: swnode: Remove wrong header inclusion
        gpio: lpc32xx: fix module autoloading
        gpio: crystalcove: Use -ENOTSUPP consistently
        gpio: wcove: Use -ENOTSUPP consistently
      360a348f
    • Siddharth Vadapalli's avatar
      net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them · c24cd679
      Siddharth Vadapalli authored
      The TX and RX DMA Channels used by the driver to exchange data with CPSW
      are not guaranteed to be in a clean state during driver initialization.
      The Bootloader could have used the same DMA Channels without cleaning them
      up in the event of failure. Thus, reset and disable the DMA Channels to
      ensure that they are in a clean state before using them.
      
      Fixes: 93a76530 ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
      Reported-by: default avatarSchuyler Patton <spatton@ti.com>
      Signed-off-by: default avatarSiddharth Vadapalli <s-vadapalli@ti.com>
      Reviewed-by: default avatarRoger Quadros <rogerq@kernel.org>
      Link: https://lore.kernel.org/r/20240417095425.2253876-1-s-vadapalli@ti.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c24cd679
    • Jose Ignacio Tornos Martinez's avatar
      net: usb: ax88179_178a: avoid writing the mac address before first reading · 56f78615
      Jose Ignacio Tornos Martinez authored
      After the commit d2689b6a ("net: usb: ax88179_178a: avoid two
      consecutive device resets"), reset operation, in which the default mac
      address from the device is read, is not executed from bind operation and
      the random address, that is pregenerated just in case, is direclty written
      the first time in the device, so the default one from the device is not
      even read. This writing is not dangerous because is volatile and the
      default mac address is not missed.
      
      In order to avoid this and keep the simplification to have only one
      reset and reduce the delays, restore the reset from bind operation and
      remove the reset that is commanded from open operation. The behavior is
      the same but everything is ready for usbnet_probe.
      
      Tested with ASIX AX88179 USB Gigabit Ethernet devices.
      Restore the old behavior for the rest of possible devices because I don't
      have the hardware to test.
      
      cc: stable@vger.kernel.org # 6.6+
      Fixes: d2689b6a ("net: usb: ax88179_178a: avoid two consecutive device resets")
      Reported-by: default avatarJarkko Palviainen <jarkko.palviainen@gmail.com>
      Signed-off-by: default avatarJose Ignacio Tornos Martinez <jtornosm@redhat.com>
      Link: https://lore.kernel.org/r/20240417085524.219532-1-jtornosm@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      56f78615
    • Linus Torvalds's avatar
      Merge tag 'random-6.9-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · e4add020
      Linus Torvalds authored
      Pull random number generator fixes from Jason Donenfeld:
      
       - The input subsystem contributes entropy in some places where a
         spinlock is held, but the entropy accounting code only handled
         callers being in an interrupt or non-atomic process context, but not
         atomic process context. We fix this by removing an optimization and
         just calling queue_work() unconditionally.
      
       - Greg accidently sent up a patch not intended for his tree and that
         had been nack'd, so that's now reverted.
      
      * tag 'random-6.9-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        Revert "vmgenid: emit uevent when VMGENID updates"
        random: handle creditable entropy from atomic process context
      e4add020
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.9-3' of... · c2d88559
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Ilpo Järvinen:
      
       - amd/pmf: Add SPS notifications quirk (+ quirk support)
      
       - amd/pmf: Lower Smart PC check message severity
      
       - x86/ISST: New HW support
      
       - x86/intel-uncore-freq: Bump minor version to avoid "unsupported" message
      
       - amd/pmc: New BIOS version still needs Spurious IRQ1 quirk
      
      * tag 'platform-drivers-x86-v6.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86/amd/pmc: Extend Framework 13 quirk to more BIOSes
        platform/x86/intel-uncore-freq: Increase minor number support
        platform/x86: ISST: Add Granite Rapids-D to HPM CPU list
        platform/x86/amd: pmf: Add quirk for ROG Zephyrus G14
        platform/x86/amd: pmf: Add infrastructure for quirking supported funcs
        platform/x86/amd: pmf: Decrease error message to debug
      c2d88559
    • Jason A. Donenfeld's avatar
      Revert "vmgenid: emit uevent when VMGENID updates" · 3aadf100
      Jason A. Donenfeld authored
      This reverts commit ad6bcdad. I had
      nak'd it, and Greg said on the thread that it links that he wasn't going
      to take it either, especially since it's not his code or his tree, but
      then, seemingly accidentally, it got pushed up some months later, in
      what looks like a mistake, with no further discussion in the linked
      thread. So revert it, since it's clearly not intended.
      
      Fixes: ad6bcdad ("vmgenid: emit uevent when VMGENID updates")
      Cc: stable@vger.kernel.org
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20230531095119.11202-2-bchalios@amazon.esSigned-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      3aadf100
    • Paolo Abeni's avatar
      Merge tag 'nf-24-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · ac1a21db
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      Patch #1 amends a missing spot where the set iterator type is unset.
      	 This is fixing a issue in the previous pull request.
      
      Patch #2 fixes the delete set command abort path by restoring state
               of the elements. Reverse logic for the activate (abort) case
      	 otherwise element state is not restored, this requires to move
      	 the check for active/inactive elements to the set iterator
      	 callback. From the deactivate path, toggle the next generation
      	 bit and from the activate (abort) path, clear the next generation
      	 bitmask.
      
      Patch #3 skips elements already restored by delete set command from the
      	 abort path in case there is a previous delete element command in
      	 the batch. Check for the next generation bit just like it is done
      	 via set iteration to restore maps.
      
      netfilter pull request 24-04-18
      
      * tag 'nf-24-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: fix memleak in map from abort path
        netfilter: nf_tables: restore set elements when delete set fails
        netfilter: nf_tables: missing iterator type in lookup walk
      ====================
      
      Link: https://lore.kernel.org/r/20240418010948.3332346-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ac1a21db
    • Paolo Abeni's avatar
      Merge branch 'ravb-ethernet-driver-bugfixes' · d10a7f55
      Paolo Abeni authored
      Paul Barker says:
      
      ====================
      ravb Ethernet driver bugfixes
      
      These patches fix bugs found during recent work on the ravb driver.
      
      Patches 1 & 2 affect the R-Car code paths so have been tested on an
      R-Car M3N Salvator-XS board - this is the only R-Car board I currently
      have access to.
      
      Patches 2, 3 & 4 affect the GbEth code paths so have been tested on
      RZ/G2L and RZ/G2UL SMARC EVK boards.
      
      Changes v2->v3:
        * Incorporate feedback from Niklas and add Reviewed-by tag to patch
          "net: ravb: Count packets instead of descriptors in R-Car RX path".
      Changes v1->v2:
        * Fixed typos in commit message of patch
          "net: ravb: Allow RX loop to move past DMA mapping errors".
        * Added Sergey's Reviewed-by tags.
        * Expanded Cc list as Patchwork complained that I had missed people.
        * Trimmed the call trace in accordance with the docs [1] in patch
          "net: ravb: Fix GbEth jumbo packet RX checksum handling".
      
      [1]: https://docs.kernel.org/process/submitting-patches.html#backtraces-in-commit-messages
      ====================
      
      Link: https://lore.kernel.org/r/20240416120254.2620-1-paul.barker.ct@bp.renesas.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d10a7f55
    • Paul Barker's avatar
      net: ravb: Fix RX byte accounting for jumbo packets · 2e36c9fb
      Paul Barker authored
      The RX byte accounting for jumbo packets was changed to fix a potential
      use-after-free bug. However, that fix used the wrong variable and so
      only accounted for the number of bytes in the final descriptor, not the
      number of bytes in the whole packet.
      
      To fix this, we can simply update our stats with the correct number of
      bytes before calling napi_gro_receive().
      
      Also rename pkt_len to desc_len in ravb_rx_gbeth() to avoid any future
      confusion. The variable name pkt_len is correct in ravb_rx_rcar() as
      that function does not handle packets spanning multiple descriptors.
      
      Fixes: 5a5a3e56 ("ravb: Fix potential use-after-free in ravb_rx_gbeth()")
      Signed-off-by: default avatarPaul Barker <paul.barker.ct@bp.renesas.com>
      Reviewed-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      2e36c9fb
    • Paul Barker's avatar
      net: ravb: Fix GbEth jumbo packet RX checksum handling · c7c44950
      Paul Barker authored
      Sending a 7kB ping packet to the RZ/G2L in v6.9-rc2 causes the following
      backtrace:
      
      	WARNING: CPU: 0 PID: 0 at include/linux/skbuff.h:3127 skb_trim+0x30/0x38
      	Hardware name: Renesas SMARC EVK based on r9a07g044l2 (DT)
      	pc : skb_trim+0x30/0x38
      	lr : ravb_rx_csum_gbeth+0x40/0x90
      	Call trace:
      	 skb_trim+0x30/0x38
      	 ravb_rx_gbeth+0x56c/0x5cc
      	 ravb_poll+0xa0/0x204
      	 __napi_poll+0x38/0x17c
      
      This is caused by ravb_rx_gbeth() calling ravb_rx_csum_gbeth() with the
      wrong skb for a packet which spans multiple descriptors. To fix this,
      use the correct skb.
      
      Fixes: c2da9408 ("ravb: Add Rx checksum offload support for GbEth")
      Signed-off-by: default avatarPaul Barker <paul.barker.ct@bp.renesas.com>
      Reviewed-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c7c44950
    • Paul Barker's avatar
      net: ravb: Allow RX loop to move past DMA mapping errors · a892493a
      Paul Barker authored
      The RX loops in ravb_rx_gbeth() and ravb_rx_rcar() skip to the next loop
      iteration if a zero-length descriptor is seen (indicating a DMA mapping
      error). However, the current RX descriptor index `priv->cur_rx[q]` was
      incremented at the end of the loop and so would not be incremented when
      we skip to the next loop iteration. This would cause the loop to keep
      seeing the same zero-length descriptor instead of moving on to the next
      descriptor.
      
      As the loop counter `i` still increments, the loop would eventually
      terminate so there is no risk of being stuck here forever - but we
      should still fix this to avoid wasting cycles.
      
      To fix this, the RX descriptor index is incremented at the top of the
      loop, in the for statement itself. The assignments of `entry` and `desc`
      are brought into the loop to avoid the need for duplication.
      
      Fixes: d8b48911 ("ravb: fix ring memory allocation")
      Signed-off-by: default avatarPaul Barker <paul.barker.ct@bp.renesas.com>
      Reviewed-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a892493a