1. 25 Apr, 2019 11 commits
    • Aditya Pakki's avatar
      rsi: Fix NULL pointer dereference in kmalloc · d5414c23
      Aditya Pakki authored
      kmalloc can fail in rsi_register_rates_channels but memcpy still attempts
      to write to channels. The patch replaces these calls with kmemdup and
      passes the error upstream.
      Signed-off-by: default avatarAditya Pakki <pakki001@umn.edu>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      d5414c23
    • Tomislav Požega's avatar
      rt2x00: code-style fix in rt2800usb.c · 9490c560
      Tomislav Požega authored
      Remove space leftovers.
      Signed-off-by: default avatarTomislav Požega <pozega.tomislav@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      9490c560
    • Stanislaw Gruszka's avatar
      rt2x00: do not print error when queue is full · 61a4e5ff
      Stanislaw Gruszka authored
      For unknown reasons printk() on some context can cause CPU hung on
      embedded MT7620 AP/router MIPS platforms. What can result on wifi
      disconnects.
      
      This patch move queue full messages to debug level what is consistent
      with other mac80211 drivers which drop packet silently if tx queue is
      full. This make MT7620 OpenWRT routers more stable, what was reported
      by various users.
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      61a4e5ff
    • Stanislaw Gruszka's avatar
      rt2x00: check number of EPROTO errors · e383c704
      Stanislaw Gruszka authored
      Some USB host devices/drivers on some conditions can always return
      EPROTO error on submitted URBs. That can cause infinity loop in the
      rt2x00 driver.
      
      Since we can have single EPROTO errors we can not mark as device as
      removed to avoid infinity loop. However we can count consecutive
      EPROTO errors and mark device as removed if get lot of it.
      I choose number 10 as threshold.
      Reported-and-tested-by: default avatarRandy Oostdyk <linux-kernel@oostdyk.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      e383c704
    • Stanislaw Gruszka's avatar
      rt2x00: use ratelimited variants dev_warn/dev_err · bb3b18c9
      Stanislaw Gruszka authored
      As reported by Randy we can overwhelm logs on some USB error conditions.
      To avoid that use dev_warn_ratelimited() and dev_err_ratelimitd().
      Reported-and-tested-by: default avatarRandy Oostdyk <linux-kernel@oostdyk.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      bb3b18c9
    • Kangjie Lu's avatar
      net: cw1200: fix a NULL pointer dereference · 0ed2a005
      Kangjie Lu authored
      In case create_singlethread_workqueue fails, the fix free the
      hardware and returns NULL to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      0ed2a005
    • YueHaibing's avatar
      ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit · b2c01aab
      YueHaibing authored
      Syzkaller report this:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
      Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
      RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
      RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
      RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
      R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
      R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
      FS:  00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       sysfs_remove_file include/linux/sysfs.h:519 [inline]
       driver_remove_file+0x40/0x50 drivers/base/driver.c:122
       pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
       pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
       ssb_modexit+0xa/0x1b [ssb]
       __do_sys_delete_module kernel/module.c:1018 [inline]
       __se_sys_delete_module kernel/module.c:961 [inline]
       __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
      RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
      R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
      Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
       [last unloaded: 3c59x]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      ---[ end trace 3913cbf8011e1c05 ]---
      
      In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
      however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
      unconditionally, which may tigger a NULL pointer dereference issue as above.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Fixes: 399500da ("ssb: pick PCMCIA host code support from b43 driver")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      b2c01aab
    • YueHaibing's avatar
      ray_cs: use remove_proc_subtree to simplify procfs code · 3b6edcb3
      YueHaibing authored
      Use remove_proc_subtree to remove the whole subtree
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      3b6edcb3
    • YueHaibing's avatar
      ray_cs: Check return value of pcmcia_register_driver · 444efbde
      YueHaibing authored
      init_ray_cs does not check value of pcmcia_register_driver,
      if it fails, there maybe cause a NULL pointer dereference in
      exit_ray_cs.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      444efbde
    • Gustavo A. R. Silva's avatar
      rndis_wlan: use struct_size() helper · d442af2e
      Gustavo A. R. Silva authored
      Make use of the struct_size() helper instead of an open-coded version
      in order to avoid any potential type mistakes, in particular in the
      context in which this code is being used.
      
      So, replace code of the following form:
      
      sizeof(*pmkids) + max_pmkids * sizeof(pmkids->bssid_info[0])
      
      with:
      
      struct_size(pmkids, bssid_info, num_pmkids)
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      d442af2e
    • Kalle Valo's avatar
      Merge tag 'iwlwifi-next-for-kalle-2019-04-18-2' of... · b99561c5
      Kalle Valo authored
      Merge tag 'iwlwifi-next-for-kalle-2019-04-18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
      
      Third batch of patches intended for v5.2
      
      * Bump the 20000-series FW API version supported;
      * Work on the new debugging infra continues;
      * One clean-up to prevent a bogus warning with clang;
      * A small cleanup in the PCI ID list;
      * Work on new hardware continues;
      * RTT confidence indication support for FTM;
      * An improvement in HE rate-scaling;
      b99561c5
  2. 19 Apr, 2019 24 commits
  3. 18 Apr, 2019 5 commits
    • Stephen Suryaputra's avatar
      ipv6: Add rate limit mask for ICMPv6 messages · 0bc19985
      Stephen Suryaputra authored
      To make ICMPv6 closer to ICMPv4, add ratemask parameter. Since the ICMP
      message types use larger numeric values, a simple bitmask doesn't fit.
      I use large bitmap. The input and output are the in form of list of
      ranges. Set the default to rate limit all error messages but Packet Too
      Big. For Packet Too Big, use ratemask instead of hard-coded.
      
      There are functions where icmpv6_xrlim_allow() and icmpv6_global_allow()
      aren't called. This patch only adds them to icmpv6_echo_reply().
      
      Rate limiting error messages is mandated by RFC 4443 but RFC 4890 says
      that it is also acceptable to rate limit informational messages. Thus,
      I removed the current hard-coded behavior of icmpv6_mask_allow() that
      doesn't rate limit informational messages.
      
      v2: Add dummy function proc_do_large_bitmap() if CONFIG_PROC_SYSCTL
          isn't defined, expand the description in ip-sysctl.txt and remove
          unnecessary conditional before kfree().
      v3: Inline the bitmap instead of dynamically allocated. Still is a
          pointer to it is needed because of the way proc_do_large_bitmap work.
      Signed-off-by: default avatarStephen Suryaputra <ssuryaextr@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0bc19985
    • Heiner Kallweit's avatar
      net: phy: remove dead code from phy_sanitize_settings · 4cf2d206
      Heiner Kallweit authored
      phy_sanitize_settings() is called from phy_start_aneg() only, and only
      if phydev->autoneg isn't set. Therefore the removed code does nothing.
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4cf2d206
    • Heiner Kallweit's avatar
      net: phy: don't set autoneg if it's not supported · 5e42574b
      Heiner Kallweit authored
      In phy_device_create() we set phydev->autoneg = 1. This isn't changed
      even if the PHY doesn't support autoneg. This seems to affect very
      few PHY's, and they disable phydev->autoneg in their config_init
      callback. So it's more of an improvement, therefore net-next.
      The patch also wouldn't apply to older kernel versions because the
      link mode bitmaps have been introduced recently.
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5e42574b
    • David S. Miller's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue · 16111991
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      100GbE Intel Wired LAN Driver Updates 2019-04-18
      
      This series contains updates to the ice driver only.
      
      Anirudh fixes up code comments which had typos.  Added support for DCB
      into the ice driver, which required a bit of refactoring of the existing
      code.  Also fixed a potential race condition between closing and opening
      the VSI for a MIB change event, so resolved this by grabbing the
      rtnl_lock prior to closing.  Added support to process LLDP MIB change
      notifications.  Added support for reporting DCB stats via ethtool.
      
      Brett updates the calculation to increment ITR to use a direct
      calculation instead of using estimations.  This provides a more accurate
      value.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16111991
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-next-for-davem-2019-04-18' of... · f9a904ef
      David S. Miller authored
      Merge tag 'wireless-drivers-next-for-davem-2019-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
      
      Kalle Valo says:
      
      ====================
      wireless-drivers-next patches for 5.2
      
      Nothing really special standing out this time, iwlwifi being the most
      active driver.
      
      Major changes:
      
      iwlwifi
      
      * send NO_DATA events so they can be captured in radiotap
      
      * support for multiple BSSID
      
      * support for some new FW API versions
      
      * support new hardware
      
      * debugfs cleanups by Greg-KH
      
      qtnfmac
      
      * allow each MAC to specify its own regulatory rules
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9a904ef