1. 27 May, 2021 1 commit
    • Linus Torvalds's avatar
      Merge tag 'net-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · d7c5303f
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.13-rc4, including fixes from bpf, netfilter,
        can and wireless trees. Notably including fixes for the recently
        announced "FragAttacks" WiFi vulnerabilities. Rather large batch,
        touching some core parts of the stack, too, but nothing hair-raising.
      
        Current release - regressions:
      
         - tipc: make node link identity publish thread safe
      
         - dsa: felix: re-enable TAS guard band mode
      
         - stmmac: correct clocks enabled in stmmac_vlan_rx_kill_vid()
      
         - stmmac: fix system hang if change mac address after interface
           ifdown
      
        Current release - new code bugs:
      
         - mptcp: avoid OOB access in setsockopt()
      
         - bpf: Fix nested bpf_bprintf_prepare with more per-cpu buffers
      
         - ethtool: stats: fix a copy-paste error - init correct array size
      
        Previous releases - regressions:
      
         - sched: fix packet stuck problem for lockless qdisc
      
         - net: really orphan skbs tied to closing sk
      
         - mlx4: fix EEPROM dump support
      
         - bpf: fix alu32 const subreg bound tracking on bitwise operations
      
         - bpf: fix mask direction swap upon off reg sign change
      
         - bpf, offload: reorder offload callback 'prepare' in verifier
      
         - stmmac: Fix MAC WoL not working if PHY does not support WoL
      
         - packetmmap: fix only tx timestamp on request
      
         - tipc: skb_linearize the head skb when reassembling msgs
      
        Previous releases - always broken:
      
         - mac80211: address recent "FragAttacks" vulnerabilities
      
         - mac80211: do not accept/forward invalid EAPOL frames
      
         - mptcp: avoid potential error message floods
      
         - bpf, ringbuf: deny reserve of buffers larger than ringbuf to
           prevent out of buffer writes
      
         - bpf: forbid trampoline attach for functions with variable arguments
      
         - bpf: add deny list of functions to prevent inf recursion of tracing
           programs
      
         - tls splice: check SPLICE_F_NONBLOCK instead of MSG_DONTWAIT
      
         - can: isotp: prevent race between isotp_bind() and
           isotp_setsockopt()
      
         - netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check,
           fallback to non-AVX2 version
      
        Misc:
      
         - bpf: add kconfig knob for disabling unpriv bpf by default"
      
      * tag 'net-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (172 commits)
        net: phy: Document phydev::dev_flags bits allocation
        mptcp: validate 'id' when stopping the ADD_ADDR retransmit timer
        mptcp: avoid error message on infinite mapping
        mptcp: drop unconditional pr_warn on bad opt
        mptcp: avoid OOB access in setsockopt()
        nfp: update maintainer and mailing list addresses
        net: mvpp2: add buffer header handling in RX
        bnx2x: Fix missing error code in bnx2x_iov_init_one()
        net: zero-initialize tc skb extension on allocation
        net: hns: Fix kernel-doc
        sctp: fix the proc_handler for sysctl encap_port
        sctp: add the missing setting for asoc encap_port
        bpf, selftests: Adjust few selftest result_unpriv outcomes
        bpf: No need to simulate speculative domain for immediates
        bpf: Fix mask direction swap upon off reg sign change
        bpf: Wrap aux data inside bpf_sanitize_info container
        bpf: Fix BPF_LSM kconfig symbol dependency
        selftests/bpf: Add test for l3 use of bpf_redirect_peer
        bpftool: Add sock_release help info for cgroup attach/prog load command
        net: dsa: microchip: enable phy errata workaround on 9567
        ...
      d7c5303f
  2. 26 May, 2021 2 commits
  3. 25 May, 2021 26 commits
  4. 24 May, 2021 11 commits
    • George McCollister's avatar
      net: dsa: microchip: enable phy errata workaround on 9567 · 8c42a497
      George McCollister authored
      Also enable phy errata workaround on 9567 since has the same errata as
      the 9477 according to the manufacture's documentation.
      Signed-off-by: default avatarGeorge McCollister <george.mccollister@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c42a497
    • Pavel Skripkin's avatar
      net: usb: fix memory leak in smsc75xx_bind · 46a8b29c
      Pavel Skripkin authored
      Syzbot reported memory leak in smsc75xx_bind().
      The problem was is non-freed memory in case of
      errors after memory allocation.
      
      backtrace:
        [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
        [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
        [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
        [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
      
      Fixes: d0cad871 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
      Cc: stable@kernel.vger.org
      Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46a8b29c
    • George McCollister's avatar
      net: hsr: fix mac_len checks · 48b491a5
      George McCollister authored
      Commit 2e9f6093 ("net: hsr: check skb can contain struct hsr_ethhdr
      in fill_frame_info") added the following which resulted in -EINVAL
      always being returned:
      	if (skb->mac_len < sizeof(struct hsr_ethhdr))
      		return -EINVAL;
      
      mac_len was not being set correctly so this check completely broke
      HSR/PRP since it was always 14, not 20.
      
      Set mac_len correctly and modify the mac_len checks to test in the
      correct places since sometimes it is legitimately 14.
      
      Fixes: 2e9f6093 ("net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info")
      Signed-off-by: default avatarGeorge McCollister <george.mccollister@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      48b491a5
    • Saubhik Mukherjee's avatar
      net: appletalk: cops: Fix data race in cops_probe1 · a4dd4fc6
      Saubhik Mukherjee authored
      In cops_probe1(), there is a write to dev->base_addr after requesting an
      interrupt line and registering the interrupt handler cops_interrupt().
      The handler might be called in parallel to handle an interrupt.
      cops_interrupt() tries to read dev->base_addr leading to a potential
      data race. So write to dev->base_addr before calling request_irq().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarSaubhik Mukherjee <saubhik.mukherjee@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4dd4fc6
    • David S. Miller's avatar
      Merge branch 'sja1105-fixes' · 93c5d741
      David S. Miller authored
      Vladimir Oltean says:
      
      ====================
      Fixes for SJA1105 DSA driver
      
      This series contains some minor fixes in the sja1105 driver:
      - improved error handling in the probe path
      - rejecting an invalid phy-mode specified in the device tree
      - register access fix for SJA1105P/Q/R/S for the virtual links through
        the dynamic reconfiguration interface
      - handling 2 bridge VLANs where the second is supposed to overwrite the
        first
      - making sure that the lack of a pvid results in the actual dropping of
        untagged traffic
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93c5d741
    • Vladimir Oltean's avatar
      net: dsa: sja1105: update existing VLANs from the bridge VLAN list · b38e659d
      Vladimir Oltean authored
      When running this sequence of operations:
      
      ip link add br0 type bridge vlan_filtering 1
      ip link set swp4 master br0
      bridge vlan add dev swp4 vid 1
      
      We observe the traffic sent on swp4 is still untagged, even though the
      bridge has overwritten the existing VLAN entry:
      
      port    vlan ids
      swp4     1 PVID
      
      br0      1 PVID Egress Untagged
      
      This happens because we didn't consider that the 'bridge vlan add'
      command just overwrites VLANs like it's nothing. We treat the 'vid 1
      pvid untagged' and the 'vid 1' as two separate VLANs, and the first
      still has precedence when calling sja1105_build_vlan_table. Obviously
      there is a disagreement regarding semantics, and we end up doing
      something unexpected from the PoV of the bridge.
      
      Let's actually consider an "existing VLAN" to be one which is on the
      same port, and has the same VLAN ID, as one we already have, and update
      it if it has different flags than we do.
      
      The first blamed commit is the one introducing the bug, the second one
      is the latest on top of which the bugfix still applies.
      
      Fixes: ec5ae610 ("net: dsa: sja1105: save/restore VLANs using a delta commit method")
      Fixes: 5899ee36 ("net: dsa: tag_8021q: add a context structure")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b38e659d
    • Vladimir Oltean's avatar
      net: dsa: sja1105: use 4095 as the private VLAN for untagged traffic · ed040abc
      Vladimir Oltean authored
      One thing became visible when writing the blamed commit, and that was
      that STP and PTP frames injected by net/dsa/tag_sja1105.c using the
      deferred xmit mechanism are always classified to the pvid of the CPU
      port, regardless of whatever VLAN there might be in these packets.
      
      So a decision needed to be taken regarding the mechanism through which
      we should ensure that delivery of STP and PTP traffic is possible when
      we are in a VLAN awareness mode that involves tag_8021q. This is because
      tag_8021q is not concerned with managing the pvid of the CPU port, since
      as far as tag_8021q is concerned, no traffic should be sent as untagged
      from the CPU port. So we end up not actually having a pvid on the CPU
      port if we only listen to tag_8021q, and unless we do something about it.
      
      The decision taken at the time was to keep VLAN 1 in the list of
      priv->dsa_8021q_vlans, and make it a pvid of the CPU port. This ensures
      that STP and PTP frames can always be sent to the outside world.
      
      However there is a problem. If we do the following while we are in
      the best_effort_vlan_filtering=true mode:
      
      ip link add br0 type bridge vlan_filtering 1
      ip link set swp2 master br0
      bridge vlan del dev swp2 vid 1
      
      Then untagged and pvid-tagged frames should be dropped. But we observe
      that they aren't, and this is because of the precaution we took that VID
      1 is always installed on all ports.
      
      So clearly VLAN 1 is not good for this purpose. What about VLAN 0?
      Well, VLAN 0 is managed by the 8021q module, and that module wants to
      ensure that 802.1p tagged frames are always received by a port, and are
      always transmitted as VLAN-tagged (with VLAN ID 0). Whereas we want our
      STP and PTP frames to be untagged if the stack sent them as untagged -
      we don't want the driver to just decide out of the blue that it adds
      VID 0 to some packets.
      
      So what to do?
      
      Well, there is one other VLAN that is reserved, and that is 4095:
      $ ip link add link swp2 name swp2.4095 type vlan id 4095
      Error: 8021q: Invalid VLAN id.
      $ bridge vlan add dev swp2 vid 4095
      Error: bridge: Vlan id is invalid.
      
      After we made this change, VLAN 1 is indeed forwarded and/or dropped
      according to the bridge VLAN table, there are no further alterations
      done by the sja1105 driver.
      
      Fixes: ec5ae610 ("net: dsa: sja1105: save/restore VLANs using a delta commit method")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ed040abc
    • Vladimir Oltean's avatar
      net: dsa: sja1105: error out on unsupported PHY mode · 6729188d
      Vladimir Oltean authored
      The driver continues probing when a port is configured for an
      unsupported PHY interface type, instead it should stop.
      
      Fixes: 8aa9ebcc ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6729188d
    • Vladimir Oltean's avatar
      net: dsa: sja1105: add error handling in sja1105_setup() · cec279a8
      Vladimir Oltean authored
      If any of sja1105_static_config_load(), sja1105_clocking_setup() or
      sja1105_devlink_setup() fails, we can't just return in the middle of
      sja1105_setup() or memory will leak. Add a cleanup path.
      
      Fixes: 0a7bdbc2 ("net: dsa: sja1105: move devlink param code to sja1105_devlink.c")
      Fixes: 8aa9ebcc ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cec279a8
    • Vladimir Oltean's avatar
      net: dsa: sja1105: call dsa_unregister_switch when allocating memory fails · dc596e3f
      Vladimir Oltean authored
      Unlike other drivers which pretty much end their .probe() execution with
      dsa_register_switch(), the sja1105 does some extra stuff. When that
      fails with -ENOMEM, the driver is quick to return that, forgetting to
      call dsa_unregister_switch(). Not critical, but a bug nonetheless.
      
      Fixes: 4d752508 ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc")
      Fixes: a68578c2 ("net: dsa: Make deferred_xmit private to sja1105")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc596e3f
    • Vladimir Oltean's avatar
      net: dsa: sja1105: fix VL lookup command packing for P/Q/R/S · ba61cf16
      Vladimir Oltean authored
      At the beginning of the sja1105_dynamic_config.c file there is a diagram
      of the dynamic config interface layout:
      
       packed_buf
      
       |
       V
       +-----------------------------------------+------------------+
       |              ENTRY BUFFER               |  COMMAND BUFFER  |
       +-----------------------------------------+------------------+
      
       <----------------------- packed_size ------------------------>
      
      So in order to pack/unpack the command bits into the buffer,
      sja1105_vl_lookup_cmd_packing must first advance the buffer pointer by
      the length of the entry. This is similar to what the other *cmd_packing
      functions do.
      
      This bug exists because the command packing function for P/Q/R/S was
      copied from the E/T generation, and on E/T, the command was actually
      embedded within the entry buffer itself.
      
      Fixes: 94f94d4a ("net: dsa: sja1105: add static tables for virtual links")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba61cf16