1. 03 Jul, 2023 11 commits
    • Subash Abhinov Kasiviswanathan's avatar
      Documentation: ABI: sysfs-class-net-qmi: pass_through contact update · acd97558
      Subash Abhinov Kasiviswanathan authored
      Switch to the quicinc.com id.
      
      Fixes: bd1af6b5 ("Documentation: ABI: sysfs-class-net-qmi: document pass-through file")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acd97558
    • Eric Dumazet's avatar
      tcp: annotate data races in __tcp_oow_rate_limited() · 998127cd
      Eric Dumazet authored
      request sockets are lockless, __tcp_oow_rate_limited() could be called
      on the same object from different cpus. This is harmless.
      
      Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report.
      
      Fixes: 4ce7e93c ("tcp: rate limit ACK sent by SYN_RECV request sockets")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      998127cd
    • David S. Miller's avatar
      Merge branch 'wireguard-fixes' · c94683ed
      David S. Miller authored
      Jason A. Donenfeld says:
      
      ====================
      wireguard fixes for 6.4.2/6.5-rc1
      
      Sorry to send these patches during the merge window, but they're net
      fixes, not netdev enhancements, and while I'd ordinarily wait anyway,
      I just got a first bug report for one of these fixes, which I originally
      had thought was mostly unlikely. So please apply the following three
      patches to net:
      
      1) Make proper use of nr_cpu_ids with cpumask_next(), rather than
         awkwardly using modulo, to handle dynamic CPU topology changes.
         Linus noticed this a while ago and pointed it out, and today a user
         actually got hit by it.
      
      2) Respect persistent keepalive and other staged packets when setting
         the private key after the interface is already up.
      
      3) Use timer_delete_sync() instead of del_timer_sync(), per the
         documentation.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c94683ed
    • Jason A. Donenfeld's avatar
      wireguard: timers: move to using timer_delete_sync · 326534e8
      Jason A. Donenfeld authored
      The documentation says that del_timer_sync is obsolete, and code should
      use the equivalent timer_delete_sync instead, so switch to it.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      326534e8
    • Jason A. Donenfeld's avatar
      wireguard: netlink: send staged packets when setting initial private key · f58d0a9b
      Jason A. Donenfeld authored
      Packets bound for peers can queue up prior to the device private key
      being set. For example, if persistent keepalive is set, a packet is
      queued up to be sent as soon as the device comes up. However, if the
      private key hasn't been set yet, the handshake message never sends, and
      no timer is armed to retry, since that would be pointless.
      
      But, if a user later sets a private key, the expectation is that those
      queued packets, such as a persistent keepalive, are actually sent. So
      adjust the configuration logic to account for this edge case, and add a
      test case to make sure this works.
      
      Maxim noticed this with a wg-quick(8) config to the tune of:
      
          [Interface]
          PostUp = wg set %i private-key somefile
      
          [Peer]
          PublicKey = ...
          Endpoint = ...
          PersistentKeepalive = 25
      
      Here, the private key gets set after the device comes up using a PostUp
      script, triggering the bug.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarMaxim Cournoyer <maxim.cournoyer@gmail.com>
      Tested-by: default avatarMaxim Cournoyer <maxim.cournoyer@gmail.com>
      Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f58d0a9b
    • Jason A. Donenfeld's avatar
      wireguard: queueing: use saner cpu selection wrapping · 7387943f
      Jason A. Donenfeld authored
      Using `% nr_cpumask_bits` is slow and complicated, and not totally
      robust toward dynamic changes to CPU topologies. Rather than storing the
      next CPU in the round-robin, just store the last one, and also return
      that value. This simplifies the loop drastically into a much more common
      pattern.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Tested-by: default avatarManuel Leiner <manuel.leiner@gmx.de>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7387943f
    • J.J. Martzki's avatar
      samples: pktgen: fix append mode failed issue · a27ac539
      J.J. Martzki authored
      Each sample script sources functions.sh before parameters.sh
      which makes $APPEND undefined when trapping EXIT no matter in
      append mode or not. Due to this when sample scripts finished
      they always do "pgctrl reset" which resets pktgen config.
      
      So move trap to each script after sourcing parameters.sh
      and trap EXIT explicitly.
      Signed-off-by: default avatarJ.J. Martzki <mars14850@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a27ac539
    • Daniel Díaz's avatar
      selftests/net: Add xt_policy config for xfrm_policy test · f56d1eea
      Daniel Díaz authored
      When running Kselftests with the current selftests/net/config
      the following problem can be seen with the net:xfrm_policy.sh
      selftest:
      
        # selftests: net: xfrm_policy.sh
        [   41.076721] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
        [   41.094787] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
        [   41.107635] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
        # modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.1.36
        # iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
        # Perhaps iptables or your kernel needs to be upgraded.
        # modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.1.36
        # iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
        # Perhaps iptables or your kernel needs to be upgraded.
        # SKIP: Could not insert iptables rule
        ok 1 selftests: net: xfrm_policy.sh # SKIP
      
      This is because IPsec "policy" match support is not available
      to the kernel.
      
      This patch adds CONFIG_NETFILTER_XT_MATCH_POLICY as a module
      to the selftests/net/config file, so that `make
      kselftest-merge` can take this into consideration.
      Signed-off-by: default avatarDaniel Díaz <daniel.diaz@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f56d1eea
    • Eric Dumazet's avatar
      net: fix net_dev_start_xmit trace event vs skb_transport_offset() · f88fcb1d
      Eric Dumazet authored
      After blamed commit, we must be more careful about using
      skb_transport_offset(), as reminded us by syzbot:
      
      WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline]
      WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14
      Modules linked in:
      CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
      Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
      RIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline]
      RIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline]
      RIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14
      Code: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd <0f> 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff
      RSP: 0018:ffffc900002bf700 EFLAGS: 00010293
      RAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280
      RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
      RBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e
      R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67
      R13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000
      FS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0
      Call Trace:
      <TASK>
      [<ffffffff84715e35>] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline]
      [<ffffffff84715e35>] xmit_one net/core/dev.c:3643 [inline]
      [<ffffffff84715e35>] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660
      [<ffffffff8471a232>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
      [<ffffffff85416493>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
      [<ffffffff85416493>] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108
      [<ffffffff85416744>] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127
      [<ffffffff853bc52a>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
      [<ffffffff853bc52a>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]
      [<ffffffff853bc52a>] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701
      [<ffffffff8151023c>] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289
      [<ffffffff81511938>] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436
      
      Fixes: 66e4c8d9 ("net: warn if transport header was not set")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f88fcb1d
    • Vladimir Oltean's avatar
      net: dsa: tag_sja1105: fix source port decoding in vlan_filtering=0 bridge mode · a398b9ea
      Vladimir Oltean authored
      There was a regression introduced by the blamed commit, where pinging to
      a VLAN-unaware bridge would fail with the repeated message "Couldn't
      decode source port" coming from the tagging protocol driver.
      
      When receiving packets with a bridge_vid as determined by
      dsa_tag_8021q_bridge_join(), dsa_8021q_rcv() will decode:
      - source_port = 0 (which isn't really valid, more like "don't know")
      - switch_id = 0 (which isn't really valid, more like "don't know")
      - vbid = value in range 1-7
      
      Since the blamed patch has reversed the order of the checks, we are now
      going to believe that source_port != -1 and switch_id != -1, so they're
      valid, but they aren't.
      
      The minimal solution to the problem is to only populate source_port and
      switch_id with what dsa_8021q_rcv() came up with, if the vbid is zero,
      i.e. the source port information is trustworthy.
      
      Fixes: c1ae02d8 ("net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a398b9ea
    • Vladimir Oltean's avatar
      net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode · 6ca3c005
      Vladimir Oltean authored
      According to the synchronization rules for .ndo_get_stats() as seen in
      Documentation/networking/netdevices.rst, acquiring a plain spin_lock()
      should not be illegal, but the bridge driver implementation makes it so.
      
      After running these commands, I am being faced with the following
      lockdep splat:
      
      $ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up
      $ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up
      $ ip link set macsec0 master br0 && ip link set macsec0 up
      
        ========================================================
        WARNING: possible irq lock inversion dependency detected
        6.4.0-04295-g31b577b4bd4a #603 Not tainted
        --------------------------------------------------------
        swapper/1/0 just changed the state of lock:
        ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198
        but this lock took another, SOFTIRQ-unsafe lock in the past:
         (&ocelot->stats_lock){+.+.}-{3:3}
      
        and interrupts could create inverse lock ordering between them.
      
        other info that might help us debug this:
        Chain exists of:
          &br->lock --> &br->hash_lock --> &ocelot->stats_lock
      
         Possible interrupt unsafe locking scenario:
      
               CPU0                    CPU1
               ----                    ----
          lock(&ocelot->stats_lock);
                                       local_irq_disable();
                                       lock(&br->lock);
                                       lock(&br->hash_lock);
          <Interrupt>
            lock(&br->lock);
      
         *** DEADLOCK ***
      
      (details about the 3 locks skipped)
      
      swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this
      only matters to the extent that its .ndo_get_stats64() method calls
      spin_lock(&ocelot->stats_lock).
      
      Documentation/locking/lockdep-design.rst says:
      
      | A lock is irq-safe means it was ever used in an irq context, while a lock
      | is irq-unsafe means it was ever acquired with irq enabled.
      
      (...)
      
      | Furthermore, the following usage based lock dependencies are not allowed
      | between any two lock-classes::
      |
      |    <hardirq-safe>   ->  <hardirq-unsafe>
      |    <softirq-safe>   ->  <softirq-unsafe>
      
      Lockdep marks br->hash_lock as softirq-safe, because it is sometimes
      taken in softirq context (for example br_fdb_update() which runs in
      NET_RX softirq), and when it's not in softirq context it blocks softirqs
      by using spin_lock_bh().
      
      Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never
      blocks softirqs from running, and it is never taken from softirq
      context. So it can always be interrupted by softirqs.
      
      There is a call path through which a function that holds br->hash_lock:
      fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock:
      ocelot_port_get_stats64(). This can be seen below:
      
      ocelot_port_get_stats64+0x3c/0x1e0
      felix_get_stats64+0x20/0x38
      dsa_slave_get_stats64+0x3c/0x60
      dev_get_stats+0x74/0x2c8
      rtnl_fill_stats+0x4c/0x150
      rtnl_fill_ifinfo+0x5cc/0x7b8
      rtmsg_ifinfo_build_skb+0xe4/0x150
      rtmsg_ifinfo+0x5c/0xb0
      __dev_notify_flags+0x58/0x200
      __dev_set_promiscuity+0xa0/0x1f8
      dev_set_promiscuity+0x30/0x70
      macsec_dev_change_rx_flags+0x68/0x88
      __dev_set_promiscuity+0x1a8/0x1f8
      __dev_set_rx_mode+0x74/0xa8
      dev_uc_add+0x74/0xa0
      fdb_add_hw_addr+0x68/0xd8
      fdb_add_local+0xc4/0x110
      br_fdb_add_local+0x54/0x88
      br_add_if+0x338/0x4a0
      br_add_slave+0x20/0x38
      do_setlink+0x3a4/0xcb8
      rtnl_newlink+0x758/0x9d0
      rtnetlink_rcv_msg+0x2f0/0x550
      netlink_rcv_skb+0x128/0x148
      rtnetlink_rcv+0x24/0x38
      
      the plain English explanation for it is:
      
      The macsec0 bridge port is created without p->flags & BR_PROMISC,
      because it is what br_manage_promisc() decides for a VLAN filtering
      bridge with a single auto port.
      
      As part of the br_add_if() procedure, br_fdb_add_local() is called for
      the MAC address of the device, and this results in a call to
      dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken.
      
      Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up
      calling __dev_set_promiscuity() for macsec0, which is propagated by its
      implementation, macsec_dev_change_rx_flags(), to the lower device: swp0.
      This triggers the call path:
      
      dev_set_promiscuity(swp0)
      -> rtmsg_ifinfo()
         -> dev_get_stats()
            -> ocelot_port_get_stats64()
      
      with a calling context that lockdep doesn't like (br->hash_lock held).
      
      Normally we don't see this, because even though many drivers that can be
      bridge ports don't support IFF_UNICAST_FLT, we need a driver that
      
      (a) doesn't support IFF_UNICAST_FLT, *and*
      (b) it forwards the IFF_PROMISC flag to another driver, and
      (c) *that* driver implements ndo_get_stats64() using a softirq-unsafe
          spinlock.
      
      Condition (b) is necessary because the first __dev_set_rx_mode() calls
      __dev_set_promiscuity() with "bool notify=false", and thus, the
      rtmsg_ifinfo() code path won't be entered.
      
      The same criteria also hold true for DSA switches which don't report
      IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its
      ndo_get_stats64() method, the same lockdep splat can be seen.
      
      I think the deadlock possibility is real, even though I didn't reproduce
      it, and I'm thinking of the following situation to support that claim:
      
      fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally
      disabled and br->hash_lock held, and may end up attempting to acquire
      ocelot->stats_lock.
      
      In parallel, ocelot->stats_lock is currently held by a thread B (say,
      ocelot_check_stats_work()), which is interrupted while holding it by a
      softirq which attempts to lock br->hash_lock.
      
      Thread B cannot make progress because br->hash_lock is held by A. Whereas
      thread A cannot make progress because ocelot->stats_lock is held by B.
      
      When taking the issue at face value, the bridge can avoid that problem
      by simply making the ports promiscuous from a code path with a saner
      calling context (br->hash_lock not held). A bridge port without
      IFF_UNICAST_FLT is going to become promiscuous as soon as we call
      dev_uc_add() on it (which we do unconditionally), so why not be
      preemptive and make it promiscuous right from the beginning, so as to
      not be taken by surprise.
      
      With this, we've broken the links between code that holds br->hash_lock
      or br->lock and code that calls into the ndo_change_rx_flags() or
      ndo_get_stats64() ops of the bridge port.
      
      Fixes: 2796d0c6 ("bridge: Automatically manage port promiscuous mode.")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ca3c005
  2. 02 Jul, 2023 6 commits
  3. 01 Jul, 2023 3 commits
  4. 30 Jun, 2023 2 commits
  5. 29 Jun, 2023 18 commits
    • Nick Child's avatar
      ibmvnic: Do not reset dql stats on NON_FATAL err · 48538ccb
      Nick Child authored
      All ibmvnic resets, make a call to netdev_tx_reset_queue() when
      re-opening the device. netdev_tx_reset_queue() resets the num_queued
      and num_completed byte counters. These stats are used in Byte Queue
      Limit (BQL) algorithms. The difference between these two stats tracks
      the number of bytes currently sitting on the physical NIC. ibmvnic
      increases the number of queued bytes though calls to
      netdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports
      that it is done transmitting bytes, the ibmvnic device increases the
      number of completed bytes through calls to netdev_tx_completed_queue().
      It is important to note that the driver batches its transmit calls and
      num_queued is increased every time that an skb is added to the next
      batch, not necessarily when the batch is sent to VIOS for transmission.
      
      Unlike other reset types, a NON FATAL reset will not flush the sub crq
      tx buffers. Therefore, it is possible for the batched skb array to be
      partially full. So if there is call to netdev_tx_reset_queue() when
      re-opening the device, the value of num_queued (0) would not account
      for the skb's that are currently batched. Eventually, when the batch
      is sent to VIOS, the call to netdev_tx_completed_queue() would increase
      num_completed to a value greater than the num_queued. This causes a
      BUG_ON crash:
      
      ibmvnic 30000002: Firmware reports error, cause: adapter problem.
      Starting recovery...
      ibmvnic 30000002: tx error 600
      ibmvnic 30000002: tx error 600
      ibmvnic 30000002: tx error 600
      ibmvnic 30000002: tx error 600
      ------------[ cut here ]------------
      kernel BUG at lib/dynamic_queue_limits.c:27!
      Oops: Exception in kernel mode, sig: 5
      [....]
      NIP dql_completed+0x28/0x1c0
      LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]
      Call Trace:
      ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)
      ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]
      __handle_irq_event_percpu+0x98/0x270
      ---[ end trace ]---
      
      Therefore, do not reset the dql stats when performing a NON_FATAL reset.
      
      Fixes: 0d973388 ("ibmvnic: Introduce xmit_more support using batched subCRQ hcalls")
      Signed-off-by: default avatarNick Child <nnac123@linux.ibm.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      48538ccb
    • Martin Habets's avatar
      sfc: support for devlink port requires MAE access · 915057ae
      Martin Habets authored
      On systems without MAE permission efx->mae is not initialised,
      and trying to lookup an mport results in a NULL pointer
      dereference.
      
      Fixes: 25414b2a ("sfc: add devlink port support for ef100")
      Signed-off-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      915057ae
    • Jakub Kicinski's avatar
      Merge branch 'bluetooth-fixes-from-next' · 56f66ce1
      Jakub Kicinski authored
      Cherry-pick what looks like safe fixes from the bluetooth
      net-next PR. The other changes will have to wait for 6.6
      
      Link: https://lore.kernel.org/all/20230627191004.2586540-1-luiz.dentz@gmail.com/Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      56f66ce1
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_event: Fix parsing of CIS Established Event · 2be22f19
      Luiz Augusto von Dentz authored
      The ISO Interval on CIS Established Event uses 1.25 ms slots:
      
          BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
          page 2304:
      
            Time = N * 1.25 ms
      
      In addition to that this always update the QoS settings based on CIS
      Established Event.
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2be22f19
    • Jiapeng Chong's avatar
      Bluetooth: hci_conn: Use kmemdup() to replace kzalloc + memcpy · 5b6d345d
      Jiapeng Chong authored
      Use kmemdup rather than duplicating its implementation.
      
      ./net/bluetooth/hci_conn.c:1880:7-14: WARNING opportunity for kmemdup.
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5597Signed-off-by: default avatarJiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5b6d345d
    • Matthew Anderson's avatar
      Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally · fa01eba1
      Matthew Anderson authored
      Adding the device ID from the Asus Ally gets the bluetooth working
      on the device.
      Signed-off-by: default avatarMatthew Anderson <ruinairas1992@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa01eba1
    • Ivan Orlov's avatar
      Bluetooth: hci_sysfs: make bt_class a static const structure · d40d6f52
      Ivan Orlov authored
      Now that the driver core allows for struct class to be in read-only
      memory, move the bt_class structure to be declared at build time
      placing it into read-only memory, instead of having to be dynamically
      allocated at load time.
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
      Cc: linux-bluetooth@vger.kernel.org
      Suggested-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarIvan Orlov <ivan.orlov0322@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d40d6f52
    • Luiz Augusto von Dentz's avatar
      Bluetooth: ISO: Rework sync_interval to be sync_factor · 14f0dcec
      Luiz Augusto von Dentz authored
      This rework sync_interval to be sync_factor as having sync_interval in
      the order of seconds is sometimes not disarable.
      
      Wit sync_factor the application can tell how many SDU intervals it wants
      to send an announcement with PA, the EA interval is set to 2 times that
      so a factor of 24 of BIG SDU interval of 10ms would look like the
      following:
      
      < HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) plen 25
              Handle: 0x01
              Properties: 0x0000
              Min advertising interval: 480.000 msec (0x0300)
              Max advertising interval: 480.000 msec (0x0300)
              Channel map: 37, 38, 39 (0x07)
              Own address type: Random (0x01)
              Peer address type: Public (0x00)
              Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
              Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
              TX power: Host has no preference (0x7f)
              Primary PHY: LE 1M (0x01)
              Secondary max skip: 0x00
              Secondary PHY: LE 2M (0x02)
              SID: 0x00
              Scan request notifications: Disabled (0x00)
      < HCI Command: LE Set Periodic Advertising Parameters (0x08|0x003e) plen 7
              Handle: 1
              Min interval: 240.00 msec (0x00c0)
              Max interval: 240.00 msec (0x00c0)
              Properties: 0x0000
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      14f0dcec
    • Luiz Augusto von Dentz's avatar
      Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable · 73f55453
      Luiz Augusto von Dentz authored
      When receiving a scan response there is no way to know if the remote
      device is connectable or not, so when it cannot be merged don't
      make any assumption and instead just mark it with a new flag defined as
      MGMT_DEV_FOUND_SCAN_RSP so userspace can tell it is a standalone
      SCAN_RSP.
      
      Link: https://lore.kernel.org/linux-bluetooth/CABBYNZ+CYMsDSPTxBn09Js3BcdC-x7vZFfyLJ3ppZGGwJKmUTw@mail.gmail.com/
      Fixes: c70a7e4c ("Bluetooth: Add support for Not Connectable flag for Device Found events")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      73f55453
    • Pauli Virtanen's avatar
      Bluetooth: hci_event: fix Set CIG Parameters error status handling · db9cbcad
      Pauli Virtanen authored
      If the event has error status, return right error code and don't show
      incorrect "response malformed" messages.
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      db9cbcad
    • Pauli Virtanen's avatar
      Bluetooth: ISO: use hci_sync for setting CIG parameters · 6b9545dc
      Pauli Virtanen authored
      When reconfiguring CIG after disconnection of the last CIS, LE Remove
      CIG shall be sent before LE Set CIG Parameters.  Otherwise, it fails
      because CIG is in the inactive state and not configurable (Core v5.3
      Vol 6 Part B Sec. 4.5.14.3). This ordering is currently wrong under
      suitable timing conditions, because LE Remove CIG is sent via the
      hci_sync queue and may be delayed, but Set CIG Parameters is via
      hci_send_cmd.
      
      Make the ordering well-defined by sending also Set CIG Parameters via
      hci_sync.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6b9545dc
    • Johan Hovold's avatar
      Bluetooth: hci_bcm: do not mark valid bd_addr as invalid · 56b7f325
      Johan Hovold authored
      A recent commit restored the original (and still documented) semantics
      for the HCI_QUIRK_USE_BDADDR_PROPERTY quirk so that the device address
      is considered invalid unless an address is provided by firmware.
      
      This specifically means that this flag must only be set for devices with
      invalid addresses, but the Broadcom driver has so far been setting this
      flag unconditionally.
      
      Fortunately the driver already checks for invalid addresses during setup
      and sets the HCI_QUIRK_INVALID_BDADDR flag. Use this flag to indicate
      when the address can be overridden by firmware (long term, this should
      probably just always be allowed).
      
      Fixes: 6945795b ("Bluetooth: fix use-bdaddr-property quirk")
      Reported-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Link: https://lore.kernel.org/lkml/ecef83c8-497f-4011-607b-a63c24764867@samsung.comSigned-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Tested-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      56b7f325
    • Sungwoo Kim's avatar
      Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb · 1728137b
      Sungwoo Kim authored
      l2cap_sock_release(sk) frees sk. However, sk's children are still alive
      and point to the already free'd sk's address.
      To fix this, l2cap_sock_release(sk) also cleans sk's children.
      
      ==================================================================
      BUG: KASAN: use-after-free in l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650
      Read of size 8 at addr ffff888104617aa8 by task kworker/u3:0/276
      
      CPU: 0 PID: 276 Comm: kworker/u3:0 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #59
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
      Workqueue: hci2 hci_rx_work
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0x72/0x95 lib/dump_stack.c:106
       print_address_description mm/kasan/report.c:306 [inline]
       print_report+0x175/0x478 mm/kasan/report.c:417
       kasan_report+0xb1/0x130 mm/kasan/report.c:517
       l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650
       l2cap_chan_ready+0x10e/0x1e0 net/bluetooth/l2cap_core.c:1386
       l2cap_config_req+0x753/0x9f0 net/bluetooth/l2cap_core.c:4480
       l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5739 [inline]
       l2cap_sig_channel net/bluetooth/l2cap_core.c:6509 [inline]
       l2cap_recv_frame+0xe2e/0x43c0 net/bluetooth/l2cap_core.c:7788
       l2cap_recv_acldata+0x6ed/0x7e0 net/bluetooth/l2cap_core.c:8506
       hci_acldata_packet net/bluetooth/hci_core.c:3813 [inline]
       hci_rx_work+0x66e/0xbc0 net/bluetooth/hci_core.c:4048
       process_one_work+0x4ea/0x8e0 kernel/workqueue.c:2289
       worker_thread+0x364/0x8e0 kernel/workqueue.c:2436
       kthread+0x1b9/0x200 kernel/kthread.c:376
       ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
       </TASK>
      
      Allocated by task 288:
       kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       ____kasan_kmalloc mm/kasan/common.c:374 [inline]
       __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:383
       kasan_kmalloc include/linux/kasan.h:211 [inline]
       __do_kmalloc_node mm/slab_common.c:968 [inline]
       __kmalloc+0x5a/0x140 mm/slab_common.c:981
       kmalloc include/linux/slab.h:584 [inline]
       sk_prot_alloc+0x113/0x1f0 net/core/sock.c:2040
       sk_alloc+0x36/0x3c0 net/core/sock.c:2093
       l2cap_sock_alloc.constprop.0+0x39/0x1c0 net/bluetooth/l2cap_sock.c:1852
       l2cap_sock_create+0x10d/0x220 net/bluetooth/l2cap_sock.c:1898
       bt_sock_create+0x183/0x290 net/bluetooth/af_bluetooth.c:132
       __sock_create+0x226/0x380 net/socket.c:1518
       sock_create net/socket.c:1569 [inline]
       __sys_socket_create net/socket.c:1606 [inline]
       __sys_socket_create net/socket.c:1591 [inline]
       __sys_socket+0x112/0x200 net/socket.c:1639
       __do_sys_socket net/socket.c:1652 [inline]
       __se_sys_socket net/socket.c:1650 [inline]
       __x64_sys_socket+0x40/0x50 net/socket.c:1650
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      Freed by task 288:
       kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:523
       ____kasan_slab_free mm/kasan/common.c:236 [inline]
       ____kasan_slab_free mm/kasan/common.c:200 [inline]
       __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244
       kasan_slab_free include/linux/kasan.h:177 [inline]
       slab_free_hook mm/slub.c:1781 [inline]
       slab_free_freelist_hook mm/slub.c:1807 [inline]
       slab_free mm/slub.c:3787 [inline]
       __kmem_cache_free+0x88/0x1f0 mm/slub.c:3800
       sk_prot_free net/core/sock.c:2076 [inline]
       __sk_destruct+0x347/0x430 net/core/sock.c:2168
       sk_destruct+0x9c/0xb0 net/core/sock.c:2183
       __sk_free+0x82/0x220 net/core/sock.c:2194
       sk_free+0x7c/0xa0 net/core/sock.c:2205
       sock_put include/net/sock.h:1991 [inline]
       l2cap_sock_kill+0x256/0x2b0 net/bluetooth/l2cap_sock.c:1257
       l2cap_sock_release+0x1a7/0x220 net/bluetooth/l2cap_sock.c:1428
       __sock_release+0x80/0x150 net/socket.c:650
       sock_close+0x19/0x30 net/socket.c:1368
       __fput+0x17a/0x5c0 fs/file_table.c:320
       task_work_run+0x132/0x1c0 kernel/task_work.c:179
       resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
       exit_to_user_mode_prepare+0x113/0x120 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:296
       do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      The buggy address belongs to the object at ffff888104617800
       which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 680 bytes inside of
       1024-byte region [ffff888104617800, ffff888104617c00)
      
      The buggy address belongs to the physical page:
      page:00000000dbca6a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104614000 pfn:0x104614
      head:00000000dbca6a80 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
      flags: 0x200000000010200(slab|head|node=0|zone=2)
      raw: 0200000000010200 ffff888100041dc0 ffffea0004212c10 ffffea0004234b10
      raw: ffff888104614000 0000000000080002 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff888104617980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff888104617a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff888104617a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
       ffff888104617b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff888104617b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Ack: This bug is found by FuzzBT with a modified Syzkaller. Other
      contributors are Ruoyu Wu and Hui Peng.
      Signed-off-by: default avatarSungwoo Kim <iam@sung-woo.kim>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1728137b
    • Johan Hovold's avatar
      Bluetooth: fix use-bdaddr-property quirk · 6945795b
      Johan Hovold authored
      Devices that lack persistent storage for the device address can indicate
      this by setting the HCI_QUIRK_INVALID_BDADDR which causes the controller
      to be marked as unconfigured until user space has set a valid address.
      
      The related HCI_QUIRK_USE_BDADDR_PROPERTY was later added to similarly
      indicate that the device lacks a valid address but that one may be
      specified in the devicetree.
      
      As is clear from commit 7a0e5b15 ("Bluetooth: Add quirk for reading
      BD_ADDR from fwnode property") that added and documented this quirk and
      commits like de79a9df ("Bluetooth: btqcomsmd: use
      HCI_QUIRK_USE_BDADDR_PROPERTY"), the device address of controllers with
      this flag should be treated as invalid until user space has had a chance
      to configure the controller in case the devicetree property is missing.
      
      As it does not make sense to allow controllers with invalid addresses,
      restore the original semantics, which also makes sure that the
      implementation is consistent (e.g. get_missing_options() indicates that
      the address must be set) and matches the documentation (including
      comments in the code, such as, "In case any of them is set, the
      controller has to start up as unconfigured.").
      
      Fixes: e668eb1e ("Bluetooth: hci_core: Don't stop BT if the BD address missing in dts")
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6945795b
    • Johan Hovold's avatar
      Bluetooth: fix invalid-bdaddr quirk for non-persistent setup · 0cb73658
      Johan Hovold authored
      Devices that lack persistent storage for the device address can indicate
      this by setting the HCI_QUIRK_INVALID_BDADDR which causes the controller
      to be marked as unconfigured until user space has set a valid address.
      
      Once configured, the device address must be set on every setup for
      controllers with HCI_QUIRK_NON_PERSISTENT_SETUP to avoid marking the
      controller as unconfigured and requiring the address to be set again.
      
      Fixes: 740011cf ("Bluetooth: Add new quirk for non-persistent setup settings")
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0cb73658
    • Zhengping Jiang's avatar
      Bluetooth: L2CAP: Fix use-after-free · f752a0b3
      Zhengping Jiang authored
      Fix potential use-after-free in l2cap_le_command_rej.
      Signed-off-by: default avatarZhengping Jiang <jiangzp@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f752a0b3
    • Min-Hua Chen's avatar
      Bluetooth: btqca: use le32_to_cpu for ver.soc_id · 8153b738
      Min-Hua Chen authored
      Use le32_to_cpu for ver.soc_id to fix the following
      sparse warning.
      
      drivers/bluetooth/btqca.c:640:24: sparse: warning: restricted
      __le32 degrades to integer
      Signed-off-by: default avatarMin-Hua Chen <minhuadotchen@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8153b738
    • Dan Gora's avatar
      Bluetooth: btusb: Add device 6655:8771 to device tables · 022b6101
      Dan Gora authored
      This device is an Inspire branded BT 5.1 USB dongle with a
      Realtek RTL8761BU chip using the "Best Buy China" vendor ID.
      
      The device table is as follows:
      
      T:  Bus=01 Lev=01 Prnt=02 Port=09 Cnt=01 Dev#=  7 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=6655 ProdID=8771 Rev=02.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00E04C239987
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      Signed-off-by: default avatarDan Gora <dan.gora@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      022b6101