1. 29 Jul, 2024 3 commits
  2. 27 Jul, 2024 3 commits
  3. 26 Jul, 2024 16 commits
    • Bluetooth: hci_event: Fix setting DISCOVERY_FINDING for passive scanning · df3d6a3e
      Luiz Augusto von Dentz authored
      DISCOVERY_FINDING shall only be set for active scanning as passive
      scanning is not meant to generate MGMT Device Found events causing
      discovering state to go out of sync since userspace would believe it
      is discovering when in fact it is just passive scanning.
      
      Cc: stable@vger.kernel.org
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=219088
      Fixes: 2e2515c1 ("Bluetooth: hci_event: Set DISCOVERY_FINDING on SCAN_ENABLED")
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btmtk: remove #ifdef around declarations · 7a8c6fb2
      Arnd Bergmann authored
      The caller of these functions in btusb.c is guarded with an
      if(IS_ENABLED()) style check, so dead code is left out, but the
      declarations are still needed at compile time:
      
      drivers/bluetooth/btusb.c: In function 'btusb_mtk_reset':
      drivers/bluetooth/btusb.c:2705:15: error: implicit declaration of function 'btmtk_usb_subsys_reset' [-Wimplicit-function-declaration]
       2705 |         err = btmtk_usb_subsys_reset(hdev, btmtk_data->dev_id);
            |               ^~~~~~~~~~~~~~~~~~~~~~
      drivers/bluetooth/btusb.c: In function 'btusb_send_frame_mtk':
      drivers/bluetooth/btusb.c:2720:23: error: implicit declaration of function 'alloc_mtk_intr_urb' [-Wimplicit-function-declaration]
       2720 |                 urb = alloc_mtk_intr_urb(hdev, skb, btusb_tx_complete);
            |                       ^~~~~~~~~~~~~~~~~~
      drivers/bluetooth/btusb.c:2720:21: error: assignment to 'struct urb *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
       2720 |                 urb = alloc_mtk_intr_urb(hdev, skb, btusb_tx_complete);
            |                     ^
      
      Fixes: f0c83a23 ("Bluetooth: btmtk: Fix btmtk.c undefined reference build error")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btmtk: Fix btmtk.c undefined reference build error harder · 61f7a8f9
      Arnd Bergmann authored
      The previous fix was incomplete as the link failure still persists
      with CONFIG_USB=m when the sdio or serial wrappers for btmtk.c
      are built-in:
      
      btmtk.c:(.text+0x468): undefined reference to `usb_alloc_urb'
      btmtk.c:(.text+0x488): undefined reference to `usb_free_urb'
      btmtk.c:(.text+0x500): undefined reference to `usb_anchor_urb'
      btmtk.c:(.text+0x50a): undefined reference to `usb_submit_urb'
      btmtk.c:(.text+0x92c): undefined reference to `usb_control_msg'
      btmtk.c:(.text+0xa92): undefined reference to `usb_unanchor_urb'
      btmtk.c:(.text+0x11e4): undefined reference to `usb_set_interface'
      btmtk.c:(.text+0x120a): undefined reference to `usb_kill_anchored_urbs'
      
      Disallow this configuration.
      
      Fixes: f0c83a23 ("Bluetooth: btmtk: Fix btmtk.c undefined reference build error")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btmtk: Fix btmtk.c undefined reference build error · f0c83a23
      Chris Lu authored
      MediaTek moved some USB interface related functions to btmtk.c, which
      may cause the build to fail if the BT USB Kconfig wasn't enabled.
      Fix the undefined references by adding a config check.
      
      btmtk.c:(.text+0x89c): undefined reference to `usb_alloc_urb'
      btmtk.c:(.text+0x8e3): undefined reference to `usb_free_urb'
      btmtk.c:(.text+0x956): undefined reference to `usb_free_urb'
      btmtk.c:(.text+0xa0e): undefined reference to `usb_anchor_urb'
      btmtk.c:(.text+0xb43): undefined reference to `usb_autopm_get_interface'
      btmtk.c:(.text+0xb7e): undefined reference to `usb_autopm_put_interface'
      btmtk.c:(.text+0xf70): undefined reference to `usb_disable_autosuspend'
      btmtk.c:(.text+0x133a): undefined reference to `usb_control_msg'
      
      Fixes: d019930b ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
      Reported-by: kernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202407091928.AH0aGZnx-lkp@intel.com/
      Signed-off-by: Chris Lu <chris.lu@mediatek.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: hci_sync: Fix suspending with wrong filter policy · 96b82af3
      Luiz Augusto von Dentz authored
      When suspending the scan filter policy cannot be 0x00 (no acceptlist)
      since that means the host has to process every advertisement report
      waking up the system, so this attempts to check if hdev is marked as
      suspended and if the resulting filter policy would be 0x00 (no
      acceptlist) then skip passive scanning if there are no devices in the
      acceptlist otherwise reset the filter policy to 0x01 so the acceptlist
      is used since the devices programmed there can still wake up the system.
      
      Fixes: 182ee45d ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btmtk: Fix kernel crash when entering btmtk_usb_suspend · d09009bc
      Chris Lu authored
      If MediaTek's Bluetooth setup is unsuccessful, a NULL pointer issue
      occurs when the system is suspended and the anchored kill function
      is called. To avoid this, add protection to prevent executing the
      anchored kill function if the setup is unsuccessful.
      
      [    6.922106] Hardware name: Acer Tomato (rev2) board (DT)
      [    6.922114] Workqueue: pm pm_runtime_work
      [    6.922132] pstate: 804000c9
      (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      [    6.922147] pc : usb_kill_anchored_urbs+0x6c/0x1e0
      [    6.922164] lr : usb_kill_anchored_urbs+0x48/0x1e0
      [    6.922181] sp : ffff800080903b60
      [    6.922187] x29: ffff800080903b60
      x28: ffff2c7b85c32b80 x27: ffff2c7bbb370930
      [    6.922211] x26: 00000000000f4240
      x25: 00000000ffffffff x24: ffffd49ece2dcb48
      [    6.922255] x20: ffffffffffffffd8
      x19: 0000000000000000 x18: 0000000000000006
      [    6.922276] x17: 6531656337386238
      x16: 3632373862333863 x15: ffff800080903480
      [    6.922297] x14: 0000000000000000
      x13: 303278302f303178 x12: ffffd49ecf090e30
      [    6.922318] x11: 0000000000000001
      x10: 0000000000000001 x9 : ffffd49ecd2c5bb4
      [    6.922339] x8 : c0000000ffffdfff
      x7 : ffffd49ecefe0db8 x6 : 00000000000affa8
      [    6.922360] x5 : ffff2c7bbb35dd48
      x4 : 0000000000000000 x3 : 0000000000000000
      [    6.922379] x2 : 0000000000000000
      x1 : 0000000000000003 x0 : ffffffffffffffd8
      [    6.922400] Call trace:
      [    6.922405]  usb_kill_anchored_urbs+0x6c/0x1e0
      [    6.922422]  btmtk_usb_suspend+0x20/0x38
      [btmtk 5f200a97badbdfda4266773fee49acfc8e0224d5]
      [    6.922444]  btusb_suspend+0xd0/0x210
      [btusb 0bfbf19a87ff406c83b87268b87ce1e80e9a829b]
      [    6.922469]  usb_suspend_both+0x90/0x288
      [    6.922487]  usb_runtime_suspend+0x3c/0xa8
      [    6.922507]  __rpm_callback+0x50/0x1f0
      [    6.922523]  rpm_callback+0x70/0x88
      [    6.922538]  rpm_suspend+0xe4/0x5a0
      [    6.922553]  pm_runtime_work+0xd4/0xe0
      [    6.922569]  process_one_work+0x18c/0x440
      [    6.922588]  worker_thread+0x314/0x428
      [    6.922606]  kthread+0x128/0x138
      [    6.922621]  ret_from_fork+0x10/0x20
      [    6.922644] Code: f100a274 54000520 d503201f d100a260 (b8370000)
      [    6.922654] ---[ end trace 0000000000000000 ]---
      
      Fixes: ceac1cb0 ("Bluetooth: btusb: mediatek: add ISO data transmission functions")
      Signed-off-by: Chris Lu <chris.lu@mediatek.com>
      Reported-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> #KernelCI
      Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btintel: Fail setup on error · e22a3a9d
      Kiran K authored
      Do not attempt to send any hci command to controller if *setup* function
      fails.
      
      Fixes: af395330 ("Bluetooth: btintel: Add Intel devcoredump support")
      Signed-off-by: Kiran K <kiran.k@intel.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • net: phy: realtek: add support for RTL8366S Gigabit PHY · 225990c4
      Mark Mentovai authored
      The PHY built in to the Realtek RTL8366S switch controller was
      previously supported by genphy_driver. This PHY does not implement MMD
      operations. Since commit 9b01c885 ("net: phy: c22: migrate to
      genphy_c45_write_eee_adv()"), MMD register reads have been made during
      phy_probe to determine EEE support. For genphy_driver, these reads are
      transformed into 802.3 annex 22D clause 45-over-clause 22
      mmd_phy_indirect operations that perform MII register writes to
      MII_MMD_CTRL and MII_MMD_DATA. This overwrites those two MII registers,
      which on this PHY are reserved and have another function, rendering the
      PHY unusable while so configured.
      
      Proper support for this PHY is restored by providing a phy_driver that
      declares MMD operations as unsupported by using the helper functions
      provided for that purpose, while remaining otherwise identical to
      genphy_driver.
      
      Fixes: 9b01c885 ("net: phy: c22: migrate to genphy_c45_write_eee_adv()")
      Reported-by: Russell Senior <russell@personaltelco.net>
      Closes: https://github.com/openwrt/openwrt/issues/15981
      Link: https://github.com/openwrt/openwrt/issues/15739
      Signed-off-by: Mark Mentovai <mark@mentovai.com>
      Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • wifi: ath12k: fix soft lockup on suspend · a47f3320
      Johan Hovold authored
      The ext interrupts are enabled when the firmware has been started, but
      this may never happen, for example, if the board configuration file is
      missing.
      
      When the system is later suspended, the driver unconditionally tries to
      disable interrupts, which results in an irq disable imbalance and causes
      the driver to spin indefinitely in napi_synchronize().
      
      Make sure that the interrupts have been enabled before attempting to
      disable them.
      
      Fixes: d8899132 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
      Cc: stable@vger.kernel.org	# 6.3
      Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
      Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
      Link: https://patch.msgid.link/20240709073132.9168-1-johan+linaro@kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • wifi: mt76: mt7921: fix null pointer access in mt792x_mac_link_bss_remove · 6557a28f
      Sean Wang authored
      Fix null pointer access in mt792x_mac_link_bss_remove.
      
      To prevent null pointer access, we should assign the vif to bss_conf in
      mt7921_add_interface. This ensures that subsequent operations on the BSS
      can properly reference the correct vif.
      
      [  T843] Call Trace:
      [  T843]  <TASK>
      [  T843]  ? __die+0x1e/0x60
      [  T843]  ? page_fault_oops+0x157/0x450
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? search_bpf_extables+0x5a/0x80
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? exc_page_fault+0x2bb/0x670
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? lock_timer_base+0x71/0x90
      [  T843]  ? asm_exc_page_fault+0x26/0x30
      [  T843]  ? mt792x_mac_link_bss_remove+0x24/0x110 [mt792x_lib]
      [  T843]  ? mt792x_remove_interface+0x6e/0x90 [mt792x_lib]
      [  T843]  ? ieee80211_do_stop+0x507/0x7e0 [mac80211]
      [  T843]  ? ieee80211_stop+0x53/0x190 [mac80211]
      [  T843]  ? __dev_close_many+0xa5/0x120
      [  T843]  ? __dev_change_flags+0x18c/0x220
      [  T843]  ? dev_change_flags+0x21/0x60
      [  T843]  ? do_setlink+0xdf9/0x11d0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? security_sock_rcv_skb+0x33/0x50
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? __nla_validate_parse+0x61/0xd10
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? genl_done+0x53/0x80
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? netlink_dump+0x357/0x410
      [  T843]  ? __rtnl_newlink+0x5d6/0x980
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? genl_family_rcv_msg_dumpit+0xdf/0xf0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? __kmalloc_cache_noprof+0x44/0x210
      [  T843]  ? rtnl_newlink+0x42/0x60
      [  T843]  ? rtnetlink_rcv_msg+0x152/0x3f0
      [  T843]  ? mptcp_pm_nl_dump_addr+0x180/0x180
      [  T843]  ? rtnl_calcit.isra.0+0x130/0x130
      [  T843]  ? netlink_rcv_skb+0x56/0x100
      [  T843]  ? netlink_unicast+0x199/0x290
      [  T843]  ? netlink_sendmsg+0x21d/0x490
      [  T843]  ? __sock_sendmsg+0x78/0x80
      [  T843]  ? ____sys_sendmsg+0x23f/0x2e0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? copy_msghdr_from_user+0x68/0xa0
      [  T843]  ? ___sys_sendmsg+0x81/0xd0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? crng_fast_key_erasure+0xbc/0xf0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? get_random_bytes_user+0x126/0x140
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? __fdget+0xb1/0xe0
      [  T843]  ? __sys_sendmsg+0x56/0xa0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? do_syscall_64+0x5f/0x170
      [  T843]  ? entry_SYSCALL_64_after_hwframe+0x55/0x5d
      [  T843]  </TASK>
      
      Fixes: 1541d63c ("wifi: mt76: mt7925: add mt7925_mac_link_bss_remove to remove per-link BSS")
      Reported-by: Bert Karwatzki <spasswolf@web.de>
      Closes: https://lore.kernel.org/linux-wireless/2fee61f8c903d02a900ca3188c3742c7effd102e.camel@web.de/#b
      Signed-off-by: Sean Wang <sean.wang@mediatek.com>
      Tested-by: Bert Karwatzki <spasswolf@web.de>
      Link: https://patch.msgid.link/20240718234633.12737-1-sean.wang@kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • wifi: ath12k: fix reusing outside iterator in ath12k_wow_vif_set_wakeups() · 189d7aae
      Baochen Qiang authored
      Smatch throws below warning:
      
      	drivers/net/wireless/ath/ath12k/wow.c:434 ath12k_wow_vif_set_wakeups()
      	warn: reusing outside iterator: 'i'
      
      	drivers/net/wireless/ath/ath12k/wow.c
      	    411         default:
      	    412                 break;
      	    413         }
      	    414
      	    415         for (i = 0; i < wowlan->n_patterns; i++) {
      	                            ^^^^^^^^^^^^^^^^^^^^^^
      	Here we loop until ->n_patterns
      
      	    416                 const struct cfg80211_pkt_pattern *eth_pattern = &patterns[i];
      	    417                 struct ath12k_pkt_pattern new_pattern = {};
      	    418
      	    419                 if (WARN_ON(eth_pattern->pattern_len > WOW_MAX_PATTERN_SIZE))
      	    420                         return -EINVAL;
      	    421
      	    422                 if (ar->ab->wow.wmi_conf_rx_decap_mode ==
      	    423                     ATH12K_HW_TXRX_NATIVE_WIFI) {
      	    424                         ath12k_wow_convert_8023_to_80211(ar, eth_pattern,
      	    425                                                          &new_pattern);
      	    426
      	    427                         if (WARN_ON(new_pattern.pattern_len > WOW_MAX_PATTERN_SIZE))
      	    428                                 return -EINVAL;
      	    429                 } else {
      	    430                         memcpy(new_pattern.pattern, eth_pattern->pattern,
      	    431                                eth_pattern->pattern_len);
      	    432
      	    433                         /* convert bitmask to bytemask */
      	--> 434                         for (i = 0; i < eth_pattern->pattern_len; i++)
      	    435                                 if (eth_pattern->mask[i / 8] & BIT(i % 8))
      	    436                                         new_pattern.bytemask[i] = 0xff;
      
      	This loop re-uses i and the loop ends with i == eth_pattern->pattern_len.
      	This looks like a bug.
      
      Change to use a new iterator 'j' for the inner loop to fix it.
      
      Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
      
      Fixes: 4a3c212e ("wifi: ath12k: add basic WoW functionalities")
      Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
      Closes: https://lore.kernel.org/all/d4975b95-9c43-45af-a0ab-80253f18c7f2@stanley.mountain/
      Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
      Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
      Link: https://patch.msgid.link/20240722033332.6273-1-quic_bqiang@quicinc.com
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • wifi: cfg80211: correct S1G beacon length calculation · 6873cc44
      Johannes Berg authored
      The minimum header length calculation (equivalent to the start
      of the elements) for the S1G long beacon erroneously required
      only up to the start of u.s1g_beacon rather than the start of
      u.s1g_beacon.variable. Fix that, and also shuffle the branches
      around a bit to not assign useless values that are overwritten
      later.
      
      Reported-by: syzbot+0f3afa93b91202f21939@syzkaller.appspotmail.com
      Fixes: 9eaffe50 ("cfg80211: convert S1G beacon to scan results")
      Link: https://patch.msgid.link/20240724132912.9662972db7c1.I8779675b5bbda4994cc66f876b6b87a2361c3c0b@changeid
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • wifi: cfg80211: fix reporting failed MLO links status with cfg80211_connect_done · baeaabf9
      Veerendranath Jakkam authored
      Individual MLO links connection status is not copied to
      EVENT_CONNECT_RESULT data while processing the connect response
      information in cfg80211_connect_done(). Due to this failed links
      are wrongly indicated with success status in EVENT_CONNECT_RESULT.
      
      To fix this, copy the individual MLO links status to the
      EVENT_CONNECT_RESULT data.
      
      Fixes: 53ad07e9 ("wifi: cfg80211: support reporting failed links")
      Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
      Reviewed-by: Carlos Llamas <cmllamas@google.com>
      Link: https://patch.msgid.link/20240724125327.3495874-1-quic_vjakkam@quicinc.com
      [commit message editorial changes]
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • wifi: mac80211: use monitor sdata with driver only if desired · 8f4fa087
      Johannes Berg authored
      In commit 0d9c2bee ("wifi: mac80211: fix monitor channel
      with chanctx emulation") I changed mac80211 to always have an
      internal monitor_sdata to have something to have the chanctx
      bound to.
      
      However, if the driver didn't also have the WANT_MONITOR flag
      this would cause mac80211 to allocate it without telling the
      driver (which was intentional) but also use it for later APIs
      to the driver without it ever having known about it which was
      _not_ intentional.
      
      Check through the code and only use the monitor_sdata in the
      relevant places (TX, MU-MIMO follow settings, TX power, and
      interface iteration) when the WANT_MONITOR flag is set.
      
      Cc: stable@vger.kernel.org
      Fixes: 0d9c2bee ("wifi: mac80211: fix monitor channel with chanctx emulation")
      Reported-by: ZeroBeat <ZeroBeat@gmx.de>
      Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219086
      Tested-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Link: https://patch.msgid.link/20240725184836.25d334157a8e.I02574086da2c5cf0e18264ce5807db6f14ffd9c0@changeid
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • sched: act_ct: take care of padding in struct zones_ht_key · 2191a54f
      Eric Dumazet authored
      Blamed commit increased lookup key size from 2 bytes to 16 bytes,
      because zones_ht_key got a struct net pointer.
      
      Make sure rhashtable_lookup() is not using the padding bytes
      which are not initialized.
      
       BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
       BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
       BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
       BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
       BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
        rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
        __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
        rhashtable_lookup include/linux/rhashtable.h:646 [inline]
        rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
        tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
        tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
        tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
        tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
        tcf_action_add net/sched/act_api.c:2061 [inline]
        tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
        rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
        netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
        rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
        netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
        netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
        netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:745
        ____sys_sendmsg+0x877/0xb60 net/socket.c:2597
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
        __sys_sendmsg net/socket.c:2680 [inline]
        __do_sys_sendmsg net/socket.c:2689 [inline]
        __se_sys_sendmsg net/socket.c:2687 [inline]
        __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
        x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Local variable key created at:
        tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
        tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
      
      Fixes: 88c67aeb ("sched: act_ct: add netns into the key of tcf_ct_flow_table")
      Reported-by: syzbot+1b5e4e187cc586d05ea0@syzkaller.appspotmail.com
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Xin Long <lucien.xin@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Reviewed-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: usb: sr9700: fix uninitialized variable use in sr_mdio_read · 08f3a5c3
      Ma Ke authored
      It could lead to an error because the variable res is not updated if
      the call to sr_share_read_word returns an error. In this particular case
      error code was returned and res stayed uninitialized. Same issue also
      applies to sr_read_reg.
      
      This can be avoided by checking the return value of sr_share_read_word
      and sr_read_reg, and propagating the error if the read operation failed.
      
      Found by code review.
      
      Cc: stable@vger.kernel.org
      Fixes: c9b37458 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
      Signed-off-by: Ma Ke <make24@iscas.ac.cn>
      Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 25 Jul, 2024 18 commits
    • Merge branch 'ethtool-rss-small-fixes-to-spec-and-get' · 07c10cff
      Jakub Kicinski authored
      Jakub Kicinski says:
      
      ====================
      ethtool: rss: small fixes to spec and GET
      
      Two small fixes to the ethtool RSS_GET over Netlink.
      Spec is a bit inaccurate and responses miss an identifier.
      ====================
      
      Link: https://patch.msgid.link/20240724234249.2621109-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ethtool: rss: echo the context number back · f96aae91
      Jakub Kicinski authored
      The response to a GET request in Netlink should fully identify
      the queried object. RSS_GET accepts context id as an input,
      so it must echo that attribute back to the response.
      
      After (assuming context 1 has been created):
      
        $ ./cli.py --spec netlink/specs/ethtool.yaml \
                   --do rss-get \
      	     --json '{"header": {"dev-index": 2}, "context": 1}'
        {'context': 1,
         'header': {'dev-index': 2, 'dev-name': 'eth0'},
        [...]
      
      Fixes: 7112a046 ("ethtool: add netlink based get rss support")
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Reviewed-by: Joe Damato <jdamato@fastly.com>
      Link: https://patch.msgid.link/20240724234249.2621109-3-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • netlink: specs: correct the spec of ethtool · a40c7a24
      Jakub Kicinski authored
      The spec for Ethtool is a bit inaccurate. We don't currently
      support dump. Context is only accepted as input and not echoed
      to output (which is a separate bug).
      
      Fixes: a353318e ("tools: ynl: populate most of the ethtool spec")
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Reviewed-by: Joe Damato <jdamato@fastly.com>
      Link: https://patch.msgid.link/20240724234249.2621109-2-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bnxt_en: Fix RSS logic in __bnxt_reserve_rings() · 98ba1d93
      Pavan Chebbi authored
      In __bnxt_reserve_rings(), the existing code unconditionally sets the
      default RSS indirection table to default if netif_is_rxfh_configured()
      returns false.  This used to be correct before we added RSS contexts
      support.  For example, if the user is changing the number of ethtool
      channels, we will enter this path to reserve the new number of rings.
      We will then set the RSS indirection table to default to cover the new
      number of rings if netif_is_rxfh_configured() is false.
      
      Now, with RSS contexts support, if the user has added or deleted RSS
      contexts, we may now enter this path to reserve the new number of VNICs.
      However, netif_is_rxfh_configured() will not return the correct state if
      we are still in the middle of set_rxfh().  So the existing code may
      set the indirection table of the default RSS context to default by
      mistake.
      
      Fix it to check if the reservation of the RX rings is changing.  Only
      check netif_is_rxfh_configured() if it is changing.  RX rings will not
      change in the middle of set_rxfh() and this will fix the issue.
      
      Fixes: b3d0083c ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()")
      Reported-and-tested-by: Jakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/20240625010210.2002310-1-kuba@kernel.org
      Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
      Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Link: https://patch.msgid.link/20240724222106.147744-1-michael.chan@broadcom.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'net-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1722389b
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf and netfilter.
      
        A lot of networking people were at a conference last week, busy
        catching COVID, so relatively short PR.
      
        Current release - regressions:
      
         - tcp: process the 3rd ACK with sk_socket for TFO and MPTCP
      
        Current release - new code bugs:
      
         - l2tp: protect session IDR and tunnel session list with one lock,
           make sure the state is coherent to avoid a warning
      
         - eth: bnxt_en: update xdp_rxq_info in queue restart logic
      
         - eth: airoha: fix location of the MBI_RX_AGE_SEL_MASK field
      
        Previous releases - regressions:
      
         - xsk: require XDP_UMEM_TX_METADATA_LEN to actuate tx_metadata_len,
           the field reuses previously un-validated pad
      
        Previous releases - always broken:
      
         - tap/tun: drop short frames to prevent crashes later in the stack
      
         - eth: ice: add a per-VF limit on number of FDIR filters
      
         - af_unix: disable MSG_OOB handling for sockets in sockmap/sockhash"
      
      * tag 'net-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (34 commits)
        tun: add missing verification for short frame
        tap: add missing verification for short frame
        mISDN: Fix a use after free in hfcmulti_tx()
        gve: Fix an edge case for TSO skb validity check
        bnxt_en: update xdp_rxq_info in queue restart logic
        tcp: process the 3rd ACK with sk_socket for TFO/MPTCP
        selftests/bpf: Add XDP_UMEM_TX_METADATA_LEN to XSK TX metadata test
        xsk: Require XDP_UMEM_TX_METADATA_LEN to actuate tx_metadata_len
        bpf: Fix a segment issue when downgrading gso_size
        net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling
        MAINTAINERS: make Breno the netconsole maintainer
        MAINTAINERS: Update bonding entry
        net: nexthop: Initialize all fields in dumped nexthops
        net: stmmac: Correct byte order of perfect_match
        selftests: forwarding: skip if kernel not support setting bridge fdb learning limit
        tipc: Return non-zero value from tipc_udp_addr2str() on error
        netfilter: nft_set_pipapo_avx2: disable softinterrupts
        ice: Fix recipe read procedure
        ice: Add a per-VF limit on number of FDIR filters
        net: bonding: correctly annotate RCU in bond_should_notify_peers()
        ...
      1722389b
    • Linus Torvalds's avatar
      Merge tag 'printk-for-6.11-trivial' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux · 8bf10009
      Linus Torvalds authored
      Pull printk updates from Petr Mladek:
      
       - trivial printk changes
      
      The bigger "real" printk work is still being discussed.
      
      * tag 'printk-for-6.11-trivial' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux:
        vsprintf: add missing MODULE_DESCRIPTION() macro
        printk: Rename console_replay_all() and update context
      8bf10009
    • Linus Torvalds's avatar
      Merge tag 'constfy-sysctl-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl · b4856250
      Linus Torvalds authored
      Pull sysctl constification from Joel Granados:
       "Treewide constification of the ctl_table argument of proc_handlers
        using a coccinelle script and some manual code formatting fixups.
      
        This is a prerequisite to moving the static ctl_table structs into
        read-only data section which will ensure that proc_handler function
        pointers cannot be modified"
      
      * tag 'constfy-sysctl-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl:
        sysctl: treewide: constify the ctl_table argument of proc_handlers
      b4856250
    • Linus Torvalds's avatar
      Merge tag 'efi-fixes-for-v6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi · bba959f4
      Linus Torvalds authored
      Pull EFI fixes from Ard Biesheuvel:
      
       - Wipe screen_info after allocating it from the heap - used by arm32
         and EFI zboot, other EFI architectures allocate it statically
      
       - Revert to allocating boot_params from the heap on x86 when entering
         via the native PE entrypoint, to work around a regression on older
         Dell hardware
      
      * tag 'efi-fixes-for-v6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
        x86/efistub: Revert to heap allocated boot_params for PE entrypoint
        efi/libstub: Zero initialize heap allocated struct screen_info
      bba959f4
    • Linus Torvalds's avatar
      Merge tag 'kgdb-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/danielt/linux · 9b219936
      Linus Torvalds authored
      Pull kgdb updates from Daniel Thompson:
       "Three small changes this cycle:
      
         - Clean up an architecture abstraction that is no longer needed
           because all the architectures have converged.
      
         - Actually use the prompt argument to kdb_position_cursor() instead
           of ignoring it (functionally this fix is a nop but that was due to
           luck rather than good judgement)
      
         - Fix a -Wformat-security warning"
      
      * tag 'kgdb-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/danielt/linux:
        kdb: Get rid of redundant kdb_curr_task()
        kdb: Use the passed prompt in kdb_position_cursor()
        kdb: address -Wformat-security warnings
      9b219936
    • Linus Torvalds's avatar
      Merge tag 'mips_6.11_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 28e7241c
      Linus Torvalds authored
      Pull MIPS updates from Thomas Bogendoerfer:
      
       - Use improved timer sync for Loongson64
      
       - Fix address of GCR_ACCESS register
      
       - Add missing MODULE_DESCRIPTION
      
      * tag 'mips_6.11_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        mips: sibyte: add missing MODULE_DESCRIPTION() macro
        MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
        MIPS: Loongson64: Switch to SYNC_R4K
      28e7241c
    • Linus Torvalds's avatar
      Merge tag 'parisc-for-6.11-rc1' of... · f6464295
      Linus Torvalds authored
      Merge tag 'parisc-for-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
      
      Pull parisc updates from Helge Deller:
       "The gettimeofday() and clock_gettime() syscalls are now available as
        vDSO functions, and Dave added a patch which allows to use NVMe cards
        in the PCI slots as fast and easy alternative to SCSI discs.
      
        Summary:
      
         - add gettimeofday() and clock_gettime() vDSO functions
      
         - enable PCI_MSI_ARCH_FALLBACKS to allow PCI to PCIe bridge adaptor
           with PCIe NVME card to function in parisc machines
      
         - allow users to reduce kernel unaligned runtime warnings
      
         - minor code cleanups"
      
      * tag 'parisc-for-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Add support for CONFIG_SYSCTL_ARCH_UNALIGN_NO_WARN
        parisc: Use max() to calculate parisc_tlb_flush_threshold
        parisc: Fix warning at drivers/pci/msi/msi.h:121
        parisc: Add 64-bit gettimeofday() and clock_gettime() vDSO functions
        parisc: Add 32-bit gettimeofday() and clock_gettime() vDSO functions
        parisc: Clean up unistd.h file
      f6464295
    • Linus Torvalds's avatar
      Merge tag 'uml-for-linus-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux · f9bcc61a
      Linus Torvalds authored
      Pull UML updates from Richard Weinberger:
      
       - Support for preemption
      
       - i386 Rust support
      
       - Huge cleanup by Benjamin Berg
      
       - UBSAN support
      
       - Removal of dead code
      
      * tag 'uml-for-linus-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux: (41 commits)
        um: vector: always reset vp->opened
        um: vector: remove vp->lock
        um: register power-off handler
        um: line: always fill *error_out in setup_one_line()
        um: remove pcap driver from documentation
        um: Enable preemption in UML
        um: refactor TLB update handling
        um: simplify and consolidate TLB updates
        um: remove force_flush_all from fork_handler
        um: Do not flush MM in flush_thread
        um: Delay flushing syscalls until the thread is restarted
        um: remove copy_context_skas0
        um: remove LDT support
        um: compress memory related stub syscalls while adding them
        um: Rework syscall handling
        um: Add generic stub_syscall6 function
        um: Create signal stack memory assignment in stub_data
        um: Remove stub-data.h include from common-offsets.h
        um: time-travel: fix signal blocking race/hang
        um: time-travel: remove time_exit()
        ...
      f9bcc61a
    • Linus Torvalds's avatar
      Merge tag 'driver-core-6.11-rc1' of... · c2a96b7f
      Linus Torvalds authored
      Merge tag 'driver-core-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core updates from Greg KH:
       "Here is the big set of driver core changes for 6.11-rc1.
      
        Lots of stuff in here, with not a huge diffstat, but apis are evolving
        which required lots of files to be touched. Highlights of the changes
        in here are:
      
         - platform remove callback api final fixups (Uwe took many releases
           to get here, finally!)
      
         - Rust bindings for basic firmware apis and initial driver-core
           interactions.
      
           It's not all that useful for a "write a whole driver in rust" type
           of thing, but the firmware bindings do help out the phy rust
           drivers, and the driver core bindings give a solid base on which
           others can start their work.
      
           There is still a long way to go here before we have a multitude of
           rust drivers being added, but it's a great first step.
      
         - driver core const api changes.
      
           This reached across all bus types, and there are some fix-ups for
           some not-common bus types that linux-next and 0-day testing shook
           out.
      
           This work is being done to help make the rust bindings more safe,
           as well as the C code, moving toward the end-goal of allowing us to
           put driver structures into read-only memory. We aren't there yet,
           but are getting closer.
      
         - minor devres cleanups and fixes found by code inspection
      
         - arch_topology minor changes
      
         - other minor driver core cleanups
      
        All of these have been in linux-next for a very long time with no
        reported problems"
      
      * tag 'driver-core-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (55 commits)
        ARM: sa1100: make match function take a const pointer
        sysfs/cpu: Make crash_hotplug attribute world-readable
        dio: Have dio_bus_match() callback take a const *
        zorro: make match function take a const pointer
        driver core: module: make module_[add|remove]_driver take a const *
        driver core: make driver_find_device() take a const *
        driver core: make driver_[create|remove]_file take a const *
        firmware_loader: fix soundness issue in `request_internal`
        firmware_loader: annotate doctests as `no_run`
        devres: Correct code style for functions that return a pointer type
        devres: Initialize an uninitialized struct member
        devres: Fix memory leakage caused by driver API devm_free_percpu()
        devres: Fix devm_krealloc() wasting memory
        driver core: platform: Switch to use kmemdup_array()
        driver core: have match() callback in struct bus_type take a const *
        MAINTAINERS: add Rust device abstractions to DRIVER CORE
        device: rust: improve safety comments
        MAINTAINERS: add Danilo as FIRMWARE LOADER maintainer
        MAINTAINERS: add Rust FW abstractions to FIRMWARE LOADER
        firmware: rust: improve safety comments
        ...
      c2a96b7f
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-6.11-rc1' of git://www.linux-watchdog.org/linux-watchdog · b2eed733
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - make watchdog_class const
      
       - rework of the rzg2l_wdt driver
      
       - other small fixes and improvements
      
      * tag 'linux-watchdog-6.11-rc1' of git://www.linux-watchdog.org/linux-watchdog:
        dt-bindings: watchdog: dlg,da9062-watchdog: Drop blank space
        watchdog: rzn1: Convert comma to semicolon
        watchdog: lenovo_se10_wdt: Convert comma to semicolon
        dt-bindings: watchdog: renesas,wdt: Document RZ/G3S support
        watchdog: rzg2l_wdt: Add suspend/resume support
        watchdog: rzg2l_wdt: Rely on the reset driver for doing proper reset
        watchdog: rzg2l_wdt: Remove comparison with zero
        watchdog: rzg2l_wdt: Remove reset de-assert from probe
        watchdog: rzg2l_wdt: Check return status of pm_runtime_put()
        watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get()
        watchdog: rzg2l_wdt: Make the driver depend on PM
        watchdog: rzg2l_wdt: Restrict the driver to ARCH_RZG2L and ARCH_R9A09G011
        watchdog: imx7ulp_wdt: keep already running watchdog enabled
        watchdog: starfive: Add missing clk_disable_unprepare()
        watchdog: Make watchdog_class const
      b2eed733
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-6.11-2024-07-24' of git://git.infradead.org/users/hch/dma-mapping · 9cf601e8
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
      
       - fix the order of actions in dmam_free_coherent (Lance Richardson)
      
      * tag 'dma-mapping-6.11-2024-07-24' of git://git.infradead.org/users/hch/dma-mapping:
        dma: fix call order in dmam_free_coherent
      9cf601e8
    • Jakub Kicinski's avatar
      Merge branch 'tap-tun-harden-by-dropping-short-frame' · af65ea42
      Jakub Kicinski authored
      Dongli Zhang says:
      
      ====================
      tap/tun: harden by dropping short frame
      
      This is to harden all of tap/tun to avoid any short frame smaller than the
      Ethernet header (ETH_HLEN).
      
      While the xen-netback already rejects short frame smaller than ETH_HLEN ...
      
      static void xenvif_tx_build_gops(struct xenvif_queue *queue,
                                       int budget,
                                       unsigned *copy_ops,
                                       unsigned *map_ops)
      {
      ... ...
                      if (unlikely(txreq.size < ETH_HLEN)) {
                              netdev_dbg(queue->vif->dev,
                                         "Bad packet size: %d\n", txreq.size);
                              xenvif_tx_err(queue, &txreq, extra_count, idx);
                              break;
                      }
      
      ... the short frame may not be dropped by vhost-net/tap/tun.
      
      This fixes CVE-2024-41090 and CVE-2024-41091.
      ====================
      
      Link: https://patch.msgid.link/20240724170452.16837-1-dongli.zhang@oracle.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      af65ea42
    • Dongli Zhang's avatar
      tun: add missing verification for short frame · 04958480
      Dongli Zhang authored
      The cited commit missed to check against the validity of the frame length
      in the tun_xdp_one() path, which could cause a corrupted skb to be sent
      downstack. Even before the skb is transmitted, the
      tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
      can be less than ETH_HLEN. Once transmitted, this could either cause
      out-of-bound access beyond the actual length, or confuse the underlayer
      with incorrect or inconsistent header length in the skb metadata.
      
      In the alternative path, tun_get_user() already prohibits short frame which
      has the length less than Ethernet header size from being transmitted for
      IFF_TAP.
      
      This is to drop any frame shorter than the Ethernet header size just like
      how tun_get_user() does.
      
      CVE: CVE-2024-41091
      Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
      Fixes: 043d222f ("tuntap: accept an array of XDP buffs through sendmsg()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
      Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Paolo Abeni <pabeni@redhat.com>
      Reviewed-by: Jason Wang <jasowang@redhat.com>
      Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      04958480
    • Si-Wei Liu's avatar
      tap: add missing verification for short frame · ed7f2afd
      Si-Wei Liu authored
      The cited commit missed to check against the validity of the frame length
      in the tap_get_user_xdp() path, which could cause a corrupted skb to be
      sent downstack. Even before the skb is transmitted, the
      tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
      than ETH_HLEN. Once transmitted, this could either cause out-of-bound
      access beyond the actual length, or confuse the underlayer with incorrect
      or inconsistent header length in the skb metadata.
      
      In the alternative path, tap_get_user() already prohibits short frame which
      has the length less than Ethernet header size from being transmitted.
      
      This is to drop any frame shorter than the Ethernet header size just like
      how tap_get_user() does.
      
      CVE: CVE-2024-41090
      Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
      Fixes: 0efac277 ("tap: accept an array of XDP buffs through sendmsg()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
      Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Paolo Abeni <pabeni@redhat.com>
      Reviewed-by: Jason Wang <jasowang@redhat.com>
      Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      ed7f2afd
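
The length check that the tun and tap commit messages above describe, modeled in userspace C as an added example (it is not the kernel patch or the authors' code): no header byte is read until the frame is known to hold at least ETH_HLEN bytes. `frame_desc`, `parse_frame`, `process_batch`, the drop-and-continue batch policy and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14 /* Ethernet header: 6 dst + 6 src + 2 EtherType */

struct frame_desc {          /* hypothetical: one untrusted buffer of a batch */
    const uint8_t *data;
    size_t len;
};

struct parsed_frame {
    uint8_t dst[6], src[6];
    uint16_t ethertype;      /* host byte order */
    size_t payload_len;
};

/* Returns 0 on success, -1 if the frame is too short to hold a header. */
static int parse_frame(const struct frame_desc *d, struct parsed_frame *out)
{
    /* Check before any header byte is read. Without it, the reads below
     * run past the buffer and len - ETH_HLEN wraps to a huge size_t. */
    if (d->data == NULL || d->len < ETH_HLEN)
        return -1;
    memcpy(out->dst, d->data, 6);
    memcpy(out->src, d->data + 6, 6);
    out->ethertype = (uint16_t)((d->data[12] << 8) | d->data[13]);
    out->payload_len = d->len - ETH_HLEN;
    return 0;
}

/* Parse a batch; short frames are dropped and counted, the rest continue. */
static size_t process_batch(const struct frame_desc *batch, size_t n,
                            struct parsed_frame *out, size_t *dropped)
{
    size_t accepted = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_frame(&batch[i], &out[accepted]) == 0)
            accepted++;
        else
            (*dropped)++;
    }
    return accepted;
}

/* Constructed sample input: an IPv4 frame, a header-only frame, two runts. */
static const uint8_t full_frame[18] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x00, 1,2,3,4 };
static const struct frame_desc sample_batch[] = {
    { full_frame, 18 }, { full_frame, ETH_HLEN },
    { full_frame, ETH_HLEN - 1 }, { full_frame, 0 },
};
static struct parsed_frame demo_out[4];
static size_t demo_dropped;

static size_t run_demo(void) { return process_batch(sample_batch, 4, demo_out, &demo_dropped); }
int main(void) { return run_demo() == 2 ? 0 : 1; }
```

A frame of exactly ETH_HLEN bytes is accepted with an empty payload; only lengths below the header size are dropped.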