1. 17 Jan, 2024 5 commits
  2. 16 Jan, 2024 7 commits
  3. 14 Jan, 2024 5 commits
    • Nikita Yushchenko's avatar
      net: ravb: Fix dma_addr_t truncation in error case · e327b237
      Nikita Yushchenko authored
      In ravb_start_xmit(), ravb driver uses u32 variable to store result of
      dma_map_single() call. Since ravb hardware has 32-bit address fields in
      descriptors, this works properly when mapping is successful - it is
      platform's job to provide mapping addresses that fit into hardware
      limitations.
      
      However, in failure case dma_map_single() returns DMA_MAPPING_ERROR
      constant that is 64-bit when dma_addr_t is 64-bit. Storing this constant
      in u32 leads to truncation, and further call to dma_mapping_error()
      fails to notice the error.
      
      Fix that by storing result of dma_map_single() in a dma_addr_t
      variable.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: default avatarNikita Yushchenko <nikita.yoush@cogentembedded.com>
      Reviewed-by: default avatarNiklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
      Reviewed-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e327b237
    • Marcin Wojtas's avatar
      MAINTAINERS: eth: mvneta: update entry · c061be1b
      Marcin Wojtas authored
      Add myself as driver maintainer and restore the maintained status.
      While at it, update the file field to cover mvneta_bm part of the driver.
      Signed-off-by: default avatarMarcin Wojtas <marcin.s.wojtas@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c061be1b
    • David S. Miller's avatar
      Merge branch 'tls-splice-hint-fixes' · 5ef7f6b3
      David S. Miller authored
      John Fastabend says:
      
      ====================
      tls fixes for SPLICE with more hint
      
      Syzbot found a splat where it tried to splice data over a tls socket
      with the more hint and sending greater than the number of frags that
      fit in a msg scatterlist. This resulted in an error where we do not
      correctly send the data when the msg sg is full. The more flag being
      just a hint not a strict contract. This then results in the syzbot
      warning on the next send.
      
      Edward generated an initial patch for this which checked for a full
      msg on entry to the sendmsg hook.  This fixed the WARNING, but didn't
      fully resolve the issue because the full msg_pl scatterlist was never
      sent resulting in a stuck socket. In this series instead avoid the
      situation by forcing the send on the splice that fills the scatterlist.
      
      Also in original thread I mentioned it didn't seem to be enough to
      simply fix the send on full sg problem. That was incorrect and was
      really a bug in my test program that was hanging the test program.
      I had setup a repair socket and wasn't handling it correctly so my
      tester got stuck.
      
      Thanks. Please review. Fix in patch 1 and test in patch 2.
      
      v2: use SPLICE_F_ flag names instead of cryptic 0xe
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ef7f6b3
    • John Fastabend's avatar
      net: tls, add test to capture error on large splice · 034ea130
      John Fastabend authored
      syzbot found an error with how splice() is handled with a msg greater
      than 32. This was fixed in previous patch, but lets add a test for
      it to ensure it continues to work.
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      034ea130
    • John Fastabend's avatar
      net: tls, fix WARNIING in __sk_msg_free · dc9dfc8d
      John Fastabend authored
      A splice with MSG_SPLICE_PAGES will cause tls code to use the
      tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
      provided pages from the msg into the msg_pl. This will loop over the
      msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
      can also set the MORE flag to hint stack to delay sending until receiving
      more pages and ideally a full buffer.
      
      If the user adds more pages to the msg than can fit in the msg_pl
      scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send
      the buffer anyways.
      
      What actually happens though is we abort the msg to msg_pl scatterlist
      setup and then because we forget to set 'full record' indicating we
      can no longer consume data without a send we fallthrough to the 'continue'
      path which will check if msg_data_left(msg) has more bytes to send and
      then attempts to fit them in the already full msg_pl. Then next
      iteration of sender doing send will encounter a full msg_pl and throw
      the warning in the syzbot report.
      
      To fix simply check if we have a full_record in splice code path and
      if not send the msg regardless of MORE flag.
      
      Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
      Reported-by: default avatarEdward Adam Davis <eadavis@qq.com>
      Fixes: fe1e81d4 ("tls/sw: Support MSG_SPLICE_PAGES")
      Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc9dfc8d
  4. 13 Jan, 2024 12 commits
    • Marc Kleine-Budde's avatar
      net: netdev_queue: netdev_txq_completed_mb(): fix wake condition · 894d7508
      Marc Kleine-Budde authored
      netif_txq_try_stop() uses "get_desc >= start_thrs" as the check for
      the call to netif_tx_start_queue().
      
      Use ">=" i netdev_txq_completed_mb(), too.
      
      Fixes: c91c46de ("net: provide macros for commonly copied lockless queue stop/wake code")
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Acked-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      894d7508
    • Eric Dumazet's avatar
      net: add more sanity check in virtio_net_hdr_to_skb() · 9181d6f8
      Eric Dumazet authored
      syzbot/KMSAN reports access to uninitialized data from gso_features_check() [1]
      
      The repro use af_packet, injecting a gso packet and hdrlen == 0.
      
      We could fix the issue making gso_features_check() more careful
      while dealing with NETIF_F_TSO_MANGLEID in fast path.
      
      Or we can make sure virtio_net_hdr_to_skb() pulls minimal network and
      transport headers as intended.
      
      Note that for GSO packets coming from untrusted sources, SKB_GSO_DODGY
      bit forces a proper header validation (and pull) before the packet can
      hit any device ndo_start_xmit(), thus we do not need a precise disection
      at virtio_net_hdr_to_skb() stage.
      
      [1]
      BUG: KMSAN: uninit-value in skb_gso_segment include/net/gso.h:83 [inline]
      BUG: KMSAN: uninit-value in validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629
       skb_gso_segment include/net/gso.h:83 [inline]
       validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629
       __dev_queue_xmit+0x1eac/0x5130 net/core/dev.c:4341
       dev_queue_xmit include/linux/netdevice.h:3134 [inline]
       packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
       packet_snd net/packet/af_packet.c:3087 [inline]
       packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg net/socket.c:745 [inline]
       ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
       ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
       __sys_sendmsg net/socket.c:2667 [inline]
       __do_sys_sendmsg net/socket.c:2676 [inline]
       __se_sys_sendmsg net/socket.c:2674 [inline]
       __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Uninit was created at:
       slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
       slab_alloc_node mm/slub.c:3478 [inline]
       kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
       kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
       __alloc_skb+0x318/0x740 net/core/skbuff.c:651
       alloc_skb include/linux/skbuff.h:1286 [inline]
       alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
       sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
       packet_alloc_skb net/packet/af_packet.c:2936 [inline]
       packet_snd net/packet/af_packet.c:3030 [inline]
       packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg net/socket.c:745 [inline]
       ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
       ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
       __sys_sendmsg net/socket.c:2667 [inline]
       __do_sys_sendmsg net/socket.c:2676 [inline]
       __se_sys_sendmsg net/socket.c:2674 [inline]
       __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      CPU: 0 PID: 5025 Comm: syz-executor279 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e6 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
      
      Reported-by: syzbot+7f4d0ea3df4d4fa9a65f@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/netdev/0000000000005abd7b060eb160cd@google.com/
      Fixes: 9274124f ("net: stricter validation of untrusted gso packets")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9181d6f8
    • Jiri Pirko's avatar
      net: sched: track device in tcf_block_get/put_ext() only for clsact binder types · e18405d0
      Jiri Pirko authored
      Clsact/ingress qdisc is not the only one using shared block,
      red is also using it. The device tracking was originally introduced
      by commit 913b47d3 ("net/sched: Introduce tc block netdev
      tracking infra") for clsact/ingress only. Commit 94e2557d ("net:
      sched: move block device tracking into tcf_block_get/put_ext()")
      mistakenly enabled that for red as well.
      
      Fix that by adding a check for the binder type being clsact when adding
      device to the block->ports xarray.
      Reported-by: default avatarIdo Schimmel <idosch@idosch.org>
      Closes: https://lore.kernel.org/all/ZZ6JE0odnu1lLPtu@shredder/
      Fixes: 94e2557d ("net: sched: move block device tracking into tcf_block_get/put_ext()")
      Signed-off-by: default avatarJiri Pirko <jiri@nvidia.com>
      Tested-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Tested-by: default avatarVictor Nogueira <victor@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e18405d0
    • Eric Dumazet's avatar
      udp: annotate data-races around up->pending · 482521d8
      Eric Dumazet authored
      up->pending can be read without holding the socket lock,
      as pointed out by syzbot [1]
      
      Add READ_ONCE() in lockless contexts, and WRITE_ONCE()
      on write side.
      
      [1]
      BUG: KCSAN: data-race in udpv6_sendmsg / udpv6_sendmsg
      
      write to 0xffff88814e5eadf0 of 4 bytes by task 15547 on cpu 1:
       udpv6_sendmsg+0x1405/0x1530 net/ipv6/udp.c:1596
       inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg net/socket.c:745 [inline]
       __sys_sendto+0x257/0x310 net/socket.c:2192
       __do_sys_sendto net/socket.c:2204 [inline]
       __se_sys_sendto net/socket.c:2200 [inline]
       __x64_sys_sendto+0x78/0x90 net/socket.c:2200
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      read to 0xffff88814e5eadf0 of 4 bytes by task 15551 on cpu 0:
       udpv6_sendmsg+0x22c/0x1530 net/ipv6/udp.c:1373
       inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg net/socket.c:745 [inline]
       ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2586
       ___sys_sendmsg net/socket.c:2640 [inline]
       __sys_sendmmsg+0x269/0x500 net/socket.c:2726
       __do_sys_sendmmsg net/socket.c:2755 [inline]
       __se_sys_sendmmsg net/socket.c:2752 [inline]
       __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2752
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      value changed: 0x00000000 -> 0x0000000a
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 15551 Comm: syz-executor.1 Tainted: G        W          6.7.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzbot+8d482d0e407f665d9d10@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/netdev/0000000000009e46c3060ebcdffd@google.com/Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      482521d8
    • Sneh Shah's avatar
      net: stmmac: Fix ethool link settings ops for integrated PCS · 08300ada
      Sneh Shah authored
      Currently get/set_link_ksettings ethtool ops are dependent on PCS.
      When PCS is integrated, it will not have separate link config.
      Bypass configuring and checking PCS for integrated PCS.
      
      Fixes: aa571b62 ("net: stmmac: add new switch to struct plat_stmmacenet_data")
      Tested-by: Andrew Halaney <ahalaney@redhat.com> # sa8775p-ride
      Signed-off-by: default avatarSneh Shah <quic_snehshah@quicinc.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      08300ada
    • Jakub Kicinski's avatar
      Merge branch 'mptcp-better-validation-of-mptcpopt_mp_join-option' · 68d27bad
      Jakub Kicinski authored
      Eric Dumazet says:
      
      ====================
      mptcp: better validation of MPTCPOPT_MP_JOIN option
      
      Based on a syzbot report (see 4th patch in the series).
      
      We need to be more explicit about which one of the
      following flag is set by mptcp_parse_option():
      
      - OPTION_MPTCP_MPJ_SYN
      - OPTION_MPTCP_MPJ_SYNACK
      - OPTION_MPTCP_MPJ_ACK
      
      Then select the appropriate values instead of OPTIONS_MPTCP_MPJ
      
      Paolo suggested to do the same for OPTIONS_MPTCP_MPC (5th patch)
      ====================
      
      Link: https://lore.kernel.org/r/20240111194917.4044654-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      68d27bad
    • Eric Dumazet's avatar
      mptcp: refine opt_mp_capable determination · 724b00c1
      Eric Dumazet authored
      OPTIONS_MPTCP_MPC is a combination of three flags.
      
      It would be better to be strict about testing what
      flag is expected, at least for code readability.
      
      mptcp_parse_option() already makes the distinction.
      
      - subflow_check_req() should use OPTION_MPTCP_MPC_SYN.
      
      - mptcp_subflow_init_cookie_req() should use OPTION_MPTCP_MPC_ACK.
      
      - subflow_finish_connect() should use OPTION_MPTCP_MPC_SYNACK
      
      - subflow_syn_recv_sock should use OPTION_MPTCP_MPC_ACK
      Suggested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Fixes: 74c7dfbe ("mptcp: consolidate in_opt sub-options fields in a bitmask")
      Link: https://lore.kernel.org/r/20240111194917.4044654-6-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      724b00c1
    • Eric Dumazet's avatar
      mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() · 66ff70df
      Eric Dumazet authored
      syzbot reported that subflow_check_req() was using uninitialized data in
      subflow_check_req() [1]
      
      This is because mp_opt.token is only set when OPTION_MPTCP_MPJ_SYN is also set.
      
      While we are are it, fix mptcp_subflow_init_cookie_req()
      to test for OPTION_MPTCP_MPJ_ACK.
      
      [1]
      
      BUG: KMSAN: uninit-value in subflow_token_join_request net/mptcp/subflow.c:91 [inline]
       BUG: KMSAN: uninit-value in subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209
        subflow_token_join_request net/mptcp/subflow.c:91 [inline]
        subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209
        subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367
        tcp_conn_request+0x153a/0x4240 net/ipv4/tcp_input.c:7164
       subflow_v6_conn_request+0x3ee/0x510
        tcp_rcv_state_process+0x2e1/0x4ac0 net/ipv4/tcp_input.c:6659
        tcp_v6_do_rcv+0x11bf/0x1fe0 net/ipv6/tcp_ipv6.c:1669
        tcp_v6_rcv+0x480b/0x4fb0 net/ipv6/tcp_ipv6.c:1900
        ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
        ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
        NF_HOOK include/linux/netfilter.h:314 [inline]
        ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
        dst_input include/net/dst.h:461 [inline]
        ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
        NF_HOOK include/linux/netfilter.h:314 [inline]
        ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
        __netif_receive_skb_one_core net/core/dev.c:5532 [inline]
        __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
        netif_receive_skb_internal net/core/dev.c:5732 [inline]
        netif_receive_skb+0x58/0x660 net/core/dev.c:5791
        tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
        tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
        tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
        call_write_iter include/linux/fs.h:2020 [inline]
        new_sync_write fs/read_write.c:491 [inline]
        vfs_write+0x8ef/0x1490 fs/read_write.c:584
        ksys_write+0x20f/0x4c0 fs/read_write.c:637
        __do_sys_write fs/read_write.c:649 [inline]
        __se_sys_write fs/read_write.c:646 [inline]
        __x64_sys_write+0x93/0xd0 fs/read_write.c:646
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Local variable mp_opt created at:
        subflow_check_req+0x6d/0x15d0 net/mptcp/subflow.c:145
        subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367
      
      CPU: 1 PID: 5924 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00055-g5eff55d7 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Peter Krystad <peter.krystad@linux.intel.com>
      Cc: Matthieu Baerts <matttbe@kernel.org>
      Cc: Mat Martineau <martineau@kernel.org>
      Cc: Geliang Tang <geliang.tang@linux.dev>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Link: https://lore.kernel.org/r/20240111194917.4044654-5-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      66ff70df
    • Eric Dumazet's avatar
      mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() · be1d9d9d
      Eric Dumazet authored
      subflow_finish_connect() uses four fields (backup, join_id, thmac, none)
      that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set
      in mptcp_parse_option()
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Peter Krystad <peter.krystad@linux.intel.com>
      Cc: Matthieu Baerts <matttbe@kernel.org>
      Cc: Mat Martineau <martineau@kernel.org>
      Cc: Geliang Tang <geliang.tang@linux.dev>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      be1d9d9d
    • Eric Dumazet's avatar
      mptcp: strict validation before using mp_opt->hmac · c1665273
      Eric Dumazet authored
      mp_opt->hmac contains uninitialized data unless OPTION_MPTCP_MPJ_ACK
      was set in mptcp_parse_option().
      
      We must refine the condition before we call subflow_hmac_valid().
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Peter Krystad <peter.krystad@linux.intel.com>
      Cc: Matthieu Baerts <matttbe@kernel.org>
      Cc: Mat Martineau <martineau@kernel.org>
      Cc: Geliang Tang <geliang.tang@linux.dev>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Link: https://lore.kernel.org/r/20240111194917.4044654-3-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c1665273
    • Eric Dumazet's avatar
      mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN · 89e23277
      Eric Dumazet authored
      mptcp_parse_option() currently sets OPTIONS_MPTCP_MPJ, for the three
      possible cases handled for MPTCPOPT_MP_JOIN option.
      
      OPTIONS_MPTCP_MPJ is the combination of three flags:
      - OPTION_MPTCP_MPJ_SYN
      - OPTION_MPTCP_MPJ_SYNACK
      - OPTION_MPTCP_MPJ_ACK
      
      This is a problem, because backup, join_id, token, nonce and/or hmac fields
      could be left uninitialized in some cases.
      
      Distinguish the three cases, as following patches will need this step.
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Peter Krystad <peter.krystad@linux.intel.com>
      Cc: Matthieu Baerts <matttbe@kernel.org>
      Cc: Mat Martineau <martineau@kernel.org>
      Cc: Geliang Tang <geliang.tang@linux.dev>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Link: https://lore.kernel.org/r/20240111194917.4044654-2-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      89e23277
    • Dmitry Antipov's avatar
      net: liquidio: fix clang-specific W=1 build warnings · cbdd50ec
      Dmitry Antipov authored
      When compiling with clang-18 and W=1, I've noticed the following
      warnings:
      
      drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c:1493:16: warning: cast
      from 'void (*)(struct octeon_device *, struct octeon_mbox_cmd *, void *)' to
      'octeon_mbox_callback_t' (aka 'void (*)(void *, void *, void *)') converts to
      incompatible function type [-Wcast-function-type-strict]
       1493 |         mbox_cmd.fn = (octeon_mbox_callback_t)cn23xx_get_vf_stats_callback;
            |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      and:
      
      drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c:432:16: warning: cast
      from 'void (*)(struct octeon_device *, struct octeon_mbox_cmd *, void *)' to
      'octeon_mbox_callback_t' (aka 'void (*)(void *, void *, void *)') converts to
      incompatible function type [-Wcast-function-type-strict]
        432 |         mbox_cmd.fn = (octeon_mbox_callback_t)octeon_pfvf_hs_callback;
            |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Fix both of the above by adjusting 'octeon_mbox_callback_t' to match actual
      callback definitions (at the cost of adding an extra forward declaration).
      Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240111162432.124014-1-dmantipov@yandex.ruSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cbdd50ec
  5. 12 Jan, 2024 11 commits