1. 13 Dec, 2021 9 commits
    • Dan Carpenter's avatar
      iavf: missing unlocks in iavf_watchdog_task() · bc2f39a6
      Dan Carpenter authored
      This code was re-organized and there some unlocks missing now.
      
      Fixes: 898ef1cb ("iavf: Combine init and watchdog state machines")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      bc2f39a6
    • David Wu's avatar
      net: stmmac: Add GFP_DMA32 for rx buffers if no 64 capability · 884d2b84
      David Wu authored
      Use page_pool_alloc_pages instead of page_pool_dev_alloc_pages, which
      can give the gfp parameter, in the case of not supporting 64-bit width,
      using 32-bit address memory can reduce a copy from swiotlb.
      Signed-off-by: default avatarDavid Wu <david.wu@rock-chips.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      884d2b84
    • Russell King (Oracle)'s avatar
      net: phy: add a note about refcounting · d33dae51
      Russell King (Oracle) authored
      Recently, a patch has been submitted to "fix" the refcounting for a DT
      node in of_mdiobus_link_mdiodev(). This is not a leaked refcount. The
      refcount is passed to the new device.
      
      Sadly, coccicheck identifies this location as a leaked refcount, which
      means we're likely to keep getting patches to "fix" this. However,
      fixing this will cause breakage. Add a comment to state that the lack
      of of_node_put() here is intentional.
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d33dae51
    • Wang Qing's avatar
      net: ethernet: ti: add missing of_node_put before return · be565ec7
      Wang Qing authored
      Fix following coccicheck warning:
      WARNING: Function "for_each_child_of_node"
      should have of_node_put() before return.
      
      Early exits from for_each_child_of_node should decrement the
      node reference counter.
      Signed-off-by: default avatarWang Qing <wangqing@vivo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be565ec7
    • Hangbin Liu's avatar
      selftest/net/forwarding: declare NETIFS p9 p10 · 71da1aec
      Hangbin Liu authored
      The recent GRE selftests defined NUM_NETIFS=10. If the users copy
      forwarding.config.sample to forwarding.config directly, they will get
      error "Command line is not complete" when run the GRE tests, because
      create_netif_veth() failed with no interface name defined.
      
      Fix it by extending the NETIFS with p9 and p10.
      
      Fixes: 2800f248 ("selftests: forwarding: Test multipath hashing on inner IP pkts for GRE tunnel")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71da1aec
    • Marek Behún's avatar
      net: dsa: mv88e6xxx: Unforce speed & duplex in mac_link_down() · 9d591fc0
      Marek Behún authored
      Commit 64d47d50 ("net: dsa: mv88e6xxx: configure interface settings
      in mac_config") removed forcing of speed and duplex from
      mv88e6xxx_mac_config(), where the link is forced down, and left it only
      in mv88e6xxx_mac_link_up(), by which time link is unforced.
      
      It seems that (at least on 88E6190) when changing cmode to 2500base-x,
      if the link is not forced down, but the speed or duplex are still
      forced, the forcing of new settings for speed & duplex doesn't take in
      mv88e6xxx_mac_link_up().
      
      Fix this by unforcing speed & duplex in mv88e6xxx_mac_link_down().
      
      Fixes: 64d47d50 ("net: dsa: mv88e6xxx: configure interface settings in mac_config")
      Signed-off-by: default avatarMarek Behún <kabel@kernel.org>
      Reviewed-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d591fc0
    • Willem de Bruijn's avatar
      selftests/net: toeplitz: fix udp option · a8d13611
      Willem de Bruijn authored
      Tiny fix. Option -u ("use udp") does not take an argument.
      
      It can cause the next argument to silently be ignored.
      
      Fixes: 5ebfb4cc ("selftests/net: toeplitz test")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8d13611
    • Miaoqian Lin's avatar
      net: bcmgenet: Fix NULL vs IS_ERR() checking · ab8eb798
      Miaoqian Lin authored
      The phy_attach() function does not return NULL. It returns error pointers.
      Signed-off-by: default avatarMiaoqian Lin <linmq006@gmail.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab8eb798
    • Davide Caratti's avatar
      net/sched: sch_ets: don't remove idle classes from the round-robin list · c062f2a0
      Davide Caratti authored
      Shuang reported that the following script:
      
       1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7
       2) mausezahn ddd0  -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &
       3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3
      
      crashes systematically when line 2) is commented:
      
       list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100)
       ------------[ cut here ]------------
       kernel BUG at lib/list_debug.c:47!
       invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
       CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478
       Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
       RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
       Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
       RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
       RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
       RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
       RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
       R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
       R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
       FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0
       Call Trace:
        <TASK>
        ets_qdisc_change+0x58b/0xa70 [sch_ets]
        tc_modify_qdisc+0x323/0x880
        rtnetlink_rcv_msg+0x169/0x4a0
        netlink_rcv_skb+0x50/0x100
        netlink_unicast+0x1a5/0x280
        netlink_sendmsg+0x257/0x4d0
        sock_sendmsg+0x5b/0x60
        ____sys_sendmsg+0x1f2/0x260
        ___sys_sendmsg+0x7c/0xc0
        __sys_sendmsg+0x57/0xa0
        do_syscall_64+0x3a/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae
       RIP: 0033:0x7efdc8031338
       Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
       RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338
       RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003
       RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940
       R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001
       R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000
        </TASK>
       Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]
       ---[ end trace f35878d1912655c2 ]---
       RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
       Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
       RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
       RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
       RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
       RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
       R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
       R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
       FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0
       Kernel panic - not syncing: Fatal exception in interrupt
       Kernel Offset: 0x4e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      we can remove 'q->classes[i].alist' only if DRR class 'i' was part of the
      active list. In the ETS scheduler DRR classes belong to that list only if
      the queue length is greater than zero: we need to test for non-zero value
      of 'q->classes[i].qdisc->q.qlen' before removing from the list, similarly
      to what has been done elsewhere in the ETS code.
      
      Fixes: de6d2592 ("net/sched: sch_ets: don't peek at classes beyond 'nbands'")
      Reported-by: default avatarShuang Li <shuali@redhat.com>
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c062f2a0
  2. 12 Dec, 2021 7 commits
  3. 11 Dec, 2021 4 commits
    • Filip Pokryvka's avatar
      netdevsim: don't overwrite read only ethtool parms · ee60e626
      Filip Pokryvka authored
      Ethtool ring feature has _max_pending attributes read-only.
      Set only read-write attributes in nsim_set_ringparam.
      
      This patch is useful, if netdevsim device is set-up using NetworkManager,
      because NetworkManager sends 0 as MAX values, as it is pointless to
      retrieve them in extra call, because they should be read-only. Then,
      the device is left in incosistent state (value > MAX).
      
      Fixes: a7fc6db0 ("netdevsim: support ethtool ring and coalesce settings")
      Signed-off-by: default avatarFilip Pokryvka <fpokryvk@redhat.com>
      Link: https://lore.kernel.org/r/20211210175032.411872-1-fpokryvk@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ee60e626
    • Daniele Palmas's avatar
      net: usb: qmi_wwan: add Telit 0x1070 composition · 94f2a444
      Daniele Palmas authored
      Add the following Telit FN990 composition:
      
      0x1070: tty, adb, rmnet, tty, tty, tty, tty
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Link: https://lore.kernel.org/r/20211210095722.22269-1-dnlplm@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      94f2a444
    • Eric Dumazet's avatar
      inet_diag: fix kernel-infoleak for UDP sockets · 71ddeac8
      Eric Dumazet authored
      KMSAN reported a kernel-infoleak [1], that can exploited
      by unpriv users.
      
      After analysis it turned out UDP was not initializing
      r->idiag_expires. Other users of inet_sk_diag_fill()
      might make the same mistake in the future, so fix this
      in inet_sk_diag_fill().
      
      [1]
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       copyout lib/iov_iter.c:156 [inline]
       _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
       copy_to_iter include/linux/uio.h:155 [inline]
       simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
       __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
       skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
       skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
       netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
       sock_recvmsg_nosec net/socket.c:944 [inline]
       sock_recvmsg net/socket.c:962 [inline]
       sock_read_iter+0x5a9/0x630 net/socket.c:1035
       call_read_iter include/linux/fs.h:2156 [inline]
       new_sync_read fs/read_write.c:400 [inline]
       vfs_read+0x1631/0x1980 fs/read_write.c:481
       ksys_read+0x28c/0x520 fs/read_write.c:619
       __do_sys_read fs/read_write.c:629 [inline]
       __se_sys_read fs/read_write.c:627 [inline]
       __x64_sys_read+0xdb/0x120 fs/read_write.c:627
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:524 [inline]
       slab_alloc_node mm/slub.c:3251 [inline]
       __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
       kmalloc_reserve net/core/skbuff.c:354 [inline]
       __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
       alloc_skb include/linux/skbuff.h:1126 [inline]
       netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
       __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
       netlink_dump_start include/linux/netlink.h:254 [inline]
       inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
       sock_diag_rcv_msg+0x24a/0x620
       netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
       sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       sock_write_iter+0x594/0x690 net/socket.c:1057
       do_iter_readv_writev+0xa7f/0xc70
       do_iter_write+0x52c/0x1500 fs/read_write.c:851
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x63f/0xe30 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Bytes 68-71 of 312 are uninitialized
      Memory access of size 312 starts at ffff88812ab54000
      Data copied to user address 0000000020001440
      
      CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 3c4d05c8 ("inet_diag: Introduce the inet socket dumping routine")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20211209185058.53917-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      71ddeac8
    • Hangyu Hua's avatar
      phonet: refcount leak in pep_sock_accep · bcd0f933
      Hangyu Hua authored
      sock_hold(sk) is invoked in pep_sock_accept(), but __sock_put(sk) is not
      invoked in subsequent failure branches(pep_accept_conn() != 0).
      Signed-off-by: default avatarHangyu Hua <hbh25y@gmail.com>
      Link: https://lore.kernel.org/r/20211209082839.33985-1-hbh25y@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      bcd0f933
  4. 10 Dec, 2021 2 commits
    • Eric Dumazet's avatar
      sch_cake: do not call cake_destroy() from cake_init() · ab443c53
      Eric Dumazet authored
      qdiscs are not supposed to call their own destroy() method
      from init(), because core stack already does that.
      
      syzbot was able to trigger use after free:
      
      DEBUG_LOCKS_WARN_ON(lock->magic != lock)
      WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]
      WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
      Modules linked in:
      CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]
      RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
      Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8
      RSP: 0018:ffffc9000627f290 EFLAGS: 00010282
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44
      RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000
      R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000
      FS:  0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0
      Call Trace:
       <TASK>
       tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810
       tcf_block_put_ext net/sched/cls_api.c:1381 [inline]
       tcf_block_put_ext net/sched/cls_api.c:1376 [inline]
       tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394
       cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695
       qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293
       tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
       rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
       netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:724
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7f1bb06badb9
      Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.
      RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9
      RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
      R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688
      R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2
       </TASK>
      
      Fixes: 046f6fd5 ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Link: https://lore.kernel.org/r/20211210142046.698336-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ab443c53
    • Jie2x Zhou's avatar
      selftests: net: Correct ping6 expected rc from 2 to 1 · 92816e26
      Jie2x Zhou authored
      ./fcnal-test.sh -v -t ipv6_ping
      TEST: ping out, VRF bind - ns-B IPv6 LLA                                      [FAIL]
      TEST: ping out, VRF bind - multicast IP                                       [FAIL]
      
      ping6 is failing as it should.
      COMMAND: ip netns exec ns-A /bin/ping6 -c1 -w1 fe80::7c4c:bcff:fe66:a63a%red
      strace of ping6 shows it is failing with '1',
      so change the expected rc from 2 to 1.
      
      Fixes: c0644e71 ("selftests: Add ipv6 ping tests to fcnal-test")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Suggested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarJie2x Zhou <jie2x.zhou@intel.com>
      Link: https://lore.kernel.org/r/20211209020230.37270-1-jie2x.zhou@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      92816e26
  5. 09 Dec, 2021 18 commits
    • Linus Torvalds's avatar
      Merge tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · ded746bf
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, can and netfilter.
      
        Current release - regressions:
      
         - bpf, sockmap: re-evaluate proto ops when psock is removed from
           sockmap
      
        Current release - new code bugs:
      
         - bpf: fix bpf_check_mod_kfunc_call for built-in modules
      
         - ice: fixes for TC classifier offloads
      
         - vrf: don't run conntrack on vrf with !dflt qdisc
      
        Previous releases - regressions:
      
         - bpf: fix the off-by-two error in range markings
      
         - seg6: fix the iif in the IPv6 socket control block
      
         - devlink: fix netns refcount leak in devlink_nl_cmd_reload()
      
         - dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
      
         - dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
      
        Previous releases - always broken:
      
         - ethtool: do not perform operations on net devices being
           unregistered
      
         - udp: use datalen to cap max gso segments
      
         - ice: fix races in stats collection
      
         - fec: only clear interrupt of handling queue in fec_enet_rx_queue()
      
         - m_can: pci: fix incorrect reference clock rate
      
         - m_can: disable and ignore ELO interrupt
      
         - mvpp2: fix XDP rx queues registering
      
        Misc:
      
         - treewide: add missing includes masked by cgroup -> bpf.h
           dependency"
      
      * tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (82 commits)
        net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
        net: wwan: iosm: fixes unable to send AT command during mbim tx
        net: wwan: iosm: fixes net interface nonfunctional after fw flash
        net: wwan: iosm: fixes unnecessary doorbell send
        net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering
        MAINTAINERS: s390/net: remove myself as maintainer
        net/sched: fq_pie: prevent dismantle issue
        net: mana: Fix memory leak in mana_hwc_create_wq
        seg6: fix the iif in the IPv6 socket control block
        nfp: Fix memory leak in nfp_cpp_area_cache_add()
        nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
        nfc: fix segfault in nfc_genl_dump_devices_done
        udp: using datalen to cap max gso segments
        net: dsa: mv88e6xxx: error handling for serdes_power functions
        can: kvaser_usb: get CAN clock frequency from device
        can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
        net: mvpp2: fix XDP rx queues registering
        vmxnet3: fix minimum vectors alloc issue
        net, neigh: clear whole pneigh_entry at alloc time
        net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
        ...
      ded746bf
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 27698cd2
      Linus Torvalds authored
      Pull mtd fixes from Miquel Raynal:
       "MTD fixes:
      
         - dataflash: Add device-tree SPI IDs to avoid new warnings
      
        Raw NAND fixes:
      
         - Fix nand_choose_best_timings() on unsupported interface
      
         - Fix nand_erase_op delay (wrong unit)
      
         - fsmc:
            - Fix timing computation
            - Take instruction delay into account
      
         - denali:
            - Add the dependency on HAS_IOMEM to silence robots"
      
      * tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: dataflash: Add device-tree SPI IDs
        mtd: rawnand: fsmc: Fix timing computation
        mtd: rawnand: fsmc: Take instruction delay into account
        mtd: rawnand: Fix nand_choose_best_timings() on unsupported interface
        mtd: rawnand: Fix nand_erase_op delay
        mtd: rawnand: denali: Add the dependency on HAS_IOMEM
      27698cd2
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 03090cc7
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fixes for various drivers which assume that a HID device is on USB
         transport, but that might not necessarily be the case, as the device
         can be faked by uhid. (Greg, Benjamin Tissoires)
      
       - fix for spurious wakeups on certain Lenovo notebooks (Thomas
         Weißschuh)
      
       - a few other device-specific quirks
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: Ignore battery for Elan touchscreen on Asus UX550VE
        HID: intel-ish-hid: ipc: only enable IRQ wakeup when requested
        HID: google: add eel USB id
        HID: add USB_HID dependancy to hid-prodikeys
        HID: add USB_HID dependancy to hid-chicony
        HID: bigbenff: prevent null pointer dereference
        HID: sony: fix error path in probe
        HID: add USB_HID dependancy on some USB HID drivers
        HID: check for valid USB device for many HID drivers
        HID: wacom: fix problems when device is not a valid USB device
        HID: add hid_is_usb() function to make it simpler for USB detection
        HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
      03090cc7
    • Linus Torvalds's avatar
      Merge tag 'netfs-fixes-20211207' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 2990c89d
      Linus Torvalds authored
      Pull netfslib fixes from David Howells:
      
       - Fix a lockdep warning and potential deadlock. This is takes the
         simple approach of offloading the write-to-cache done from within a
         network filesystem read to a worker thread to avoid taking the
         sb_writer lock from the cache backing filesystem whilst holding the
         mmap lock on an inode from the network filesystem.
      
         Jan Kara posits a scenario whereby this can cause deadlock[1], though
         it's quite complex and I think requires someone in userspace to
         actually do I/O on the cache files. Matthew Wilcox isn't so certain,
         though[2].
      
         An alternative way to fix this, suggested by Darrick Wong, might be
         to allow cachefiles to prevent userspace from performing I/O upon the
         file - something like an exclusive open - but that's beyond the scope
         of a fix here if we do want to make such a facility in the future.
      
       - In some of the error handling paths where netfs_ops->cleanup() is
         called, the arguments are transposed[3]. gcc doesn't complain because
         one of the parameters is void* and one of the values is void*.
      
      Link: https://lore.kernel.org/r/20210922110420.GA21576@quack2.suse.cz/ [1]
      Link: https://lore.kernel.org/r/Ya9eDiFCE2fO7K/S@casper.infradead.org/ [2]
      Link: https://lore.kernel.org/r/20211207031449.100510-1-jefflexu@linux.alibaba.com/ [3]
      
      * tag 'netfs-fixes-20211207' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        netfs: fix parameter of cleanup()
        netfs: Fix lockdep warning from taking sb_writers whilst holding mmap_lock
      2990c89d
    • Sasha Levin's avatar
      tools/lib/lockdep: drop leftover liblockdep headers · 3a49cc22
      Sasha Levin authored
      Clean up remaining headers that are specific to liblockdep but lived in
      the shared header directory.  These are all unused after the liblockdep
      code was removed in commit 7246f4dc ("tools/lib/lockdep: drop
      liblockdep").
      
      Note that there are still headers that were originally created for
      liblockdep, that still have liblockdep references, but they are used by
      other tools/ code at this point.
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3a49cc22
    • Russell King (Oracle)'s avatar
      net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports · 04ec4e62
      Russell King (Oracle) authored
      Martyn Welch reports that his CPU port is unable to link where it has
      been necessary to use one of the switch ports with an internal PHY for
      the CPU port. The reason behind this is the port control register is
      left forcing the link down, preventing traffic flow.
      
      This occurs because during initialisation, phylink expects the link to
      be down, and DSA forces the link down by synthesising a call to the
      DSA drivers phylink_mac_link_down() method, but we don't touch the
      forced-link state when we later reconfigure the port.
      
      Resolve this by also unforcing the link state when we are operating in
      PHY mode and the PPU is set to poll the PHY to retrieve link status
      information.
      Reported-by: default avatarMartyn Welch <martyn.welch@collabora.com>
      Tested-by: default avatarMartyn Welch <martyn.welch@collabora.com>
      Fixes: 3be98b2d ("net: dsa: Down cpu/dsa ports phylink will control")
      Cc: <stable@vger.kernel.org> # 5.7: 2b29cb9e: net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Link: https://lore.kernel.org/r/E1mvFhP-00F8Zb-Ul@rmk-PC.armlinux.org.ukSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      04ec4e62
    • Jakub Kicinski's avatar
      Merge branch 'net-wwan-iosm-bug-fixes' · 19961780
      Jakub Kicinski authored
      M Chetan Kumar says:
      
      ====================
      net: wwan: iosm: bug fixes
      
      This patch series brings in IOSM driver bug fixes. Patch details are
      explained below.
      
      PATCH1: stop sending unnecessary doorbell in IP tx flow.
      PATCH2: Restore the IP channel configuration after fw flash.
      PATCH3: Removed the unnecessary check around control port TX transfer.
      ====================
      
      Link: https://lore.kernel.org/r/20211209101629.2940877-1-m.chetan.kumar@linux.intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      19961780
    • M Chetan Kumar's avatar
      net: wwan: iosm: fixes unable to send AT command during mbim tx · 383451ce
      M Chetan Kumar authored
      ev_cdev_write_pending flag is preventing a TX message post for
      AT port while MBIM transfer is ongoing.
      
      Removed the unnecessary check around control port TX transfer.
      Signed-off-by: default avatarM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      383451ce
    • M Chetan Kumar's avatar
      net: wwan: iosm: fixes net interface nonfunctional after fw flash · 07d3f274
      M Chetan Kumar authored
      Devlink initialization flow was overwriting the IP traffic
      channel configuration. This was causing wwan0 network interface
      to be unusable after fw flash.
      
      When device boots to fully functional mode restore the IP channel
      configuration.
      Signed-off-by: default avatarM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      07d3f274
    • M Chetan Kumar's avatar
      net: wwan: iosm: fixes unnecessary doorbell send · 373f121a
      M Chetan Kumar authored
      In TX packet accumulation flow transport layer is
      giving a doorbell to device even though there is
      no pending control TX transfer that needs immediate
      attention.
      
      Introduced a new hpda_ctrl_pending variable to keep
      track of pending control TX transfer. If there is a
      pending control TX transfer which needs an immediate
      attention only then give a doorbell to device.
      Signed-off-by: default avatarM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      373f121a
    • José Expósito's avatar
      net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering · e8b1d769
      José Expósito authored
      Avoid a memory leak if there is not a CPU port defined.
      
      Fixes: 8d5f7954 ("net: dsa: felix: break at first CPU port during init and teardown")
      Addresses-Coverity-ID: 1492897 ("Resource leak")
      Addresses-Coverity-ID: 1492899 ("Resource leak")
      Signed-off-by: default avatarJosé Expósito <jose.exposito89@gmail.com>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20211209110538.11585-1-jose.exposito89@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e8b1d769
    • Julian Wiedmann's avatar
      MAINTAINERS: s390/net: remove myself as maintainer · 37ad4e2a
      Julian Wiedmann authored
      I won't have access to the relevant HW and docs much longer.
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Link: https://lore.kernel.org/r/20211209153546.1152921-1-jwi@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      37ad4e2a
    • Eric Dumazet's avatar
      net/sched: fq_pie: prevent dismantle issue · 61c24026
      Eric Dumazet authored
      For some reason, fq_pie_destroy() did not copy
      working code from pie_destroy() and other qdiscs,
      thus causing elusive bug.
      
      Before calling del_timer_sync(&q->adapt_timer),
      we need to ensure timer will not rearm itself.
      
      rcu: INFO: rcu_preempt self-detected stall on CPU
      rcu:    0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579
              (t=10501 jiffies g=13085 q=3989)
      NMI backtrace for cpu 0
      CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
       nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
       nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
       trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
       rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343
       print_cpu_stall kernel/rcu/tree_stall.h:627 [inline]
       check_cpu_stall kernel/rcu/tree_stall.h:711 [inline]
       rcu_pending kernel/rcu/tree.c:3878 [inline]
       rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597
       update_process_times+0x16d/0x200 kernel/time/timer.c:1785
       tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226
       tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428
       __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
       __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749
       hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
       local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]
       __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103
       sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097
       </IRQ>
       <TASK>
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
      RIP: 0010:write_comp_data kernel/kcov.c:221 [inline]
      RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273
      Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 <e8> 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00
      RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246
      RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000
      RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003
      RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000
       pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418
       fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383
       call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
       expire_timers kernel/time/timer.c:1466 [inline]
       __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
       __run_timers kernel/time/timer.c:1715 [inline]
       run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
       __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
       run_ksoftirqd kernel/softirq.c:921 [inline]
       run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
       smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
       kthread+0x405/0x4f0 kernel/kthread.c:327
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
       </TASK>
      
      Fixes: ec97ecf1 ("net: sched: add Flow Queue PIE packet scheduler")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Mohit P. Tahiliani <tahiliani@nitk.edu.in>
      Cc: Sachin D. Patil <sdp.sachin@gmail.com>
      Cc: V. Saicharan <vsaicharan1998@gmail.com>
      Cc: Mohit Bhasi <mohitbhasi1998@gmail.com>
      Cc: Leslie Monis <lesliemonis@gmail.com>
      Cc: Gautam Ramakrishnan <gautamramk@gmail.com>
      Link: https://lore.kernel.org/r/20211209084937.3500020-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      61c24026
    • José Expósito's avatar
      net: mana: Fix memory leak in mana_hwc_create_wq · 9acfc57f
      José Expósito authored
      If allocating the DMA buffer fails, mana_hwc_destroy_wq was called
      without previously storing the pointer to the queue.
      
      In order to avoid leaking the pointer to the queue, store it as soon as
      it is allocated.
      
      Addresses-Coverity-ID: 1484720 ("Resource leak")
      Signed-off-by: default avatarJosé Expósito <jose.exposito89@gmail.com>
      Reviewed-by: default avatarDexuan Cui <decui@microsoft.com>
      Link: https://lore.kernel.org/r/20211208223723.18520-1-jose.exposito89@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9acfc57f
    • Andrea Mayer's avatar
      seg6: fix the iif in the IPv6 socket control block · ae68d933
      Andrea Mayer authored
      When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving
      interface index into the IPv4 socket control block (v5.16-rc4,
      net/ipv4/ip_input.c line 510):
      
          IPCB(skb)->iif = skb->skb_iif;
      
      If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH
      header, the seg6_do_srh_encap(...) performs the required encapsulation.
      In this case, the seg6_do_srh_encap function clears the IPv6 socket control
      block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):
      
          memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
      
      The memset(...) was introduced in commit ef489749 ("ipv6: sr: clear
      IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29).
      
      Since the IPv6 socket control block and the IPv4 socket control block share
      the same memory area (skb->cb), the receiving interface index info is lost
      (IP6CB(skb)->iif is set to zero).
      
      As a side effect, that condition triggers a NULL pointer dereference if
      commit 0857d6f8 ("ipv6: When forwarding count rx stats on the orig
      netdev") is applied.
      
      To fix that issue, we set the IP6CB(skb)->iif with the index of the
      receiving interface once again.
      
      Fixes: ef489749 ("ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation")
      Signed-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20211208195409.12169-1-andrea.mayer@uniroma2.itSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ae68d933
    • Jianglei Nie's avatar
      nfp: Fix memory leak in nfp_cpp_area_cache_add() · c56c9630
      Jianglei Nie authored
      In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a
      CPP area structure. But in line 807 (#2), when the cache is allocated
      failed, this CPP area structure is not freed, which will result in
      memory leak.
      
      We can fix it by freeing the CPP area when the cache is allocated
      failed (#2).
      
      792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)
      793 {
      794 	struct nfp_cpp_area_cache *cache;
      795 	struct nfp_cpp_area *area;
      
      800	area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),
      801 				  0, size);
      	// #1: allocates and initializes
      
      802 	if (!area)
      803 		return -ENOMEM;
      
      805 	cache = kzalloc(sizeof(*cache), GFP_KERNEL);
      806 	if (!cache)
      807 		return -ENOMEM; // #2: missing free
      
      817	return 0;
      818 }
      
      Fixes: 4cb584e0 ("nfp: add CPP access core")
      Signed-off-by: default avatarJianglei Nie <niejianglei2021@163.com>
      Acked-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20211209061511.122535-1-niejianglei2021@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c56c9630
    • Krzysztof Kozlowski's avatar
      nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done · 4cd8371a
      Krzysztof Kozlowski authored
      The done() netlink callback nfc_genl_dump_ses_done() should check if
      received argument is non-NULL, because its allocation could fail earlier
      in dumpit() (nfc_genl_dump_ses()).
      
      Fixes: ac22ac46 ("NFC: Add a GET_SE netlink API")
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Link: https://lore.kernel.org/r/20211209081307.57337-1-krzysztof.kozlowski@canonical.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4cd8371a
    • Tadeusz Struk's avatar
      nfc: fix segfault in nfc_genl_dump_devices_done · fd79a0cb
      Tadeusz Struk authored
      When kmalloc in nfc_genl_dump_devices() fails then
      nfc_genl_dump_devices_done() segfaults as below
      
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65-dirty #5
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014
      Workqueue: events netlink_sock_destruct_work
      RIP: 0010:klist_iter_exit+0x26/0x80
      Call Trace:
      <TASK>
      class_dev_iter_exit+0x15/0x20
      nfc_genl_dump_devices_done+0x3b/0x50
      genl_lock_done+0x84/0xd0
      netlink_sock_destruct+0x8f/0x270
      __sk_destruct+0x64/0x3b0
      sk_destruct+0xa8/0xd0
      __sk_free+0x2e8/0x3d0
      sk_free+0x51/0x90
      netlink_sock_destruct_work+0x1c/0x20
      process_one_work+0x411/0x710
      worker_thread+0x6fd/0xa80
      
      Link: https://syzkaller.appspot.com/bug?id=fc0fa5a53db9edd261d56e74325419faf18bd0df
      Reported-by: syzbot+f9f76f4a0766420b4a02@syzkaller.appspotmail.com
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@linaro.org>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Link: https://lore.kernel.org/r/20211208182742.340542-1-tadeusz.struk@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fd79a0cb