1. 05 1月, 2022 3 次提交
    • M
      i40e: Fix for displaying message regarding NVM version · 40feded8
      Mateusz Palczewski 提交于
      When loading the i40e driver, it prints a message like: 'The driver for the
      device detected a newer version of the NVM image v1.x than expected v1.y.
      Please install the most recent version of the network driver.' This is
      misleading as the driver is working as expected.
      
      Fix that by removing the second part of message and changing it from
      dev_info to dev_dbg.
      
      Fixes: 4fb29bdd ("i40e: The driver now prints the API version in error message")
      Signed-off-by: NMateusz Palczewski <mateusz.palczewski@intel.com>
      Tested-by: NGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      40feded8
    • D
      i40e: fix use-after-free in i40e_sync_filters_subtask() · 3116f59c
      Di Zhu 提交于
      Using ifconfig command to delete the ipv6 address will cause
      the i40e network card driver to delete its internal mac_filter and
      i40e_service_task kernel thread will concurrently access the mac_filter.
      These two processes are not protected by lock
      so causing the following use-after-free problems.
      
       print_address_description+0x70/0x360
       ? vprintk_func+0x5e/0xf0
       kasan_report+0x1b2/0x330
       i40e_sync_vsi_filters+0x4f0/0x1850 [i40e]
       i40e_sync_filters_subtask+0xe3/0x130 [i40e]
       i40e_service_task+0x195/0x24c0 [i40e]
       process_one_work+0x3f5/0x7d0
       worker_thread+0x61/0x6c0
       ? process_one_work+0x7d0/0x7d0
       kthread+0x1c3/0x1f0
       ? kthread_park+0xc0/0xc0
       ret_from_fork+0x35/0x40
      
      Allocated by task 2279810:
       kasan_kmalloc+0xa0/0xd0
       kmem_cache_alloc_trace+0xf3/0x1e0
       i40e_add_filter+0x127/0x2b0 [i40e]
       i40e_add_mac_filter+0x156/0x190 [i40e]
       i40e_addr_sync+0x2d/0x40 [i40e]
       __hw_addr_sync_dev+0x154/0x210
       i40e_set_rx_mode+0x6d/0xf0 [i40e]
       __dev_set_rx_mode+0xfb/0x1f0
       __dev_mc_add+0x6c/0x90
       igmp6_group_added+0x214/0x230
       __ipv6_dev_mc_inc+0x338/0x4f0
       addrconf_join_solict.part.7+0xa2/0xd0
       addrconf_dad_work+0x500/0x980
       process_one_work+0x3f5/0x7d0
       worker_thread+0x61/0x6c0
       kthread+0x1c3/0x1f0
       ret_from_fork+0x35/0x40
      
      Freed by task 2547073:
       __kasan_slab_free+0x130/0x180
       kfree+0x90/0x1b0
       __i40e_del_filter+0xa3/0xf0 [i40e]
       i40e_del_mac_filter+0xf3/0x130 [i40e]
       i40e_addr_unsync+0x85/0xa0 [i40e]
       __hw_addr_sync_dev+0x9d/0x210
       i40e_set_rx_mode+0x6d/0xf0 [i40e]
       __dev_set_rx_mode+0xfb/0x1f0
       __dev_mc_del+0x69/0x80
       igmp6_group_dropped+0x279/0x510
       __ipv6_dev_mc_dec+0x174/0x220
       addrconf_leave_solict.part.8+0xa2/0xd0
       __ipv6_ifa_notify+0x4cd/0x570
       ipv6_ifa_notify+0x58/0x80
       ipv6_del_addr+0x259/0x4a0
       inet6_addr_del+0x188/0x260
       addrconf_del_ifaddr+0xcc/0x130
       inet6_ioctl+0x152/0x190
       sock_do_ioctl+0xd8/0x2b0
       sock_ioctl+0x2e5/0x4c0
       do_vfs_ioctl+0x14e/0xa80
       ksys_ioctl+0x7c/0xa0
       __x64_sys_ioctl+0x42/0x50
       do_syscall_64+0x98/0x2c0
       entry_SYSCALL_64_after_hwframe+0x65/0xca
      
      Fixes: 41c445ff ("i40e: main driver core")
      Signed-off-by: NDi Zhu <zhudi2@huawei.com>
      Signed-off-by: NRui Zhang <zhangrui182@huawei.com>
      Tested-by: NGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      3116f59c
    • M
      i40e: Fix to not show opcode msg on unsuccessful VF MAC change · 01cbf508
      Mateusz Palczewski 提交于
      Hide i40e opcode information sent during response to VF in case when
      untrusted VF tried to change MAC on the VF interface.
      
      This is implemented by adding an additional parameter 'hide' to the
      response sent to VF function that hides the display of error
      information, but forwards the error code to VF.
      
      Previously it was not possible to send response with some error code
      to VF without displaying opcode information.
      
      Fixes: 5c3c48ac ("i40e: implement virtual device interface")
      Signed-off-by: NGrzegorz Szczurek <grzegorzx.szczurek@intel.com>
      Signed-off-by: NMateusz Palczewski <mateusz.palczewski@intel.com>
      Reviewed-by: NPaul M Stillwell Jr <paul.m.stillwell.jr@intel.com>
      Reviewed-by: NAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Tested-by: NTony Brelinski <tony.brelinski@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      01cbf508
  2. 04 1月, 2022 13 次提交
  3. 03 1月, 2022 2 次提交
    • M
      net/fsl: Remove leftover definition in xgmac_mdio · 1ef5e1d0
      Markus Koch 提交于
      commit 26eee021 ("net/fsl: fix a bug in xgmac_mdio") fixed a bug in
      the QorIQ mdio driver but left the (now unused) incorrect bit definition
      for MDIO_DATA_BSY in the code. This commit removes it.
      Signed-off-by: NMarkus Koch <markus@notsyncing.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ef5e1d0
    • T
      rndis_host: support Hytera digital radios · 29262e1f
      Thomas Toye 提交于
      Hytera makes a range of digital (DMR) radios. These radios can be
      programmed to a allow a computer to control them over Ethernet over USB,
      either using NCM or RNDIS.
      
      This commit adds support for RNDIS for Hytera radios. I tested with a
      Hytera PD785 and a Hytera MD785G. When these radios are programmed to
      set up a Radio to PC Network using RNDIS, an USB interface will be added
      with class 2 (Communications), subclass 2 (Abstract Modem Control) and
      an interface protocol of 255 ("vendor specific" - lsusb even hints "MSFT
      RNDIS?").
      
      This patch is similar to the solution of this StackOverflow user, but
      that only works for the Hytera MD785:
      https://stackoverflow.com/a/53550858
      
      To use the "Radio to PC Network" functionality of Hytera DMR radios, the
      radios need to be programmed correctly in CPS (Hytera's Customer
      Programming Software). "Forward to PC" should be checked in "Network"
      (under "General Setting" in "Conventional") and the "USB Network
      Communication Protocol" should be set to RNDIS.
      Signed-off-by: NThomas Toye <thomas@toye.io>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      29262e1f
  4. 02 1月, 2022 7 次提交
  5. 01 1月, 2022 3 次提交
    • H
      net ticp:fix a kernel-infoleak in __tipc_sendmsg() · d6d86830
      Haimin Zhang 提交于
      struct tipc_socket_addr.ref has a 4-byte hole,and __tipc_getname() currently
      copying it to user space,causing kernel-infoleak.
      
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] lib/usercopy.c:33
      BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 lib/usercopy.c:33
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       instrument_copy_to_user include/linux/instrumented.h:121 [inline] lib/usercopy.c:33
       _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 lib/usercopy.c:33
       copy_to_user include/linux/uaccess.h:209 [inline]
       copy_to_user include/linux/uaccess.h:209 [inline] net/socket.c:287
       move_addr_to_user+0x3f6/0x600 net/socket.c:287 net/socket.c:287
       __sys_getpeername+0x470/0x6b0 net/socket.c:1987 net/socket.c:1987
       __do_sys_getpeername net/socket.c:1997 [inline]
       __se_sys_getpeername net/socket.c:1994 [inline]
       __do_sys_getpeername net/socket.c:1997 [inline] net/socket.c:1994
       __se_sys_getpeername net/socket.c:1994 [inline] net/socket.c:1994
       __x64_sys_getpeername+0xda/0x120 net/socket.c:1994 net/socket.c:1994
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_x64 arch/x86/entry/common.c:51 [inline] arch/x86/entry/common.c:82
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was stored to memory at:
       tipc_getname+0x575/0x5e0 net/tipc/socket.c:757 net/tipc/socket.c:757
       __sys_getpeername+0x3b3/0x6b0 net/socket.c:1984 net/socket.c:1984
       __do_sys_getpeername net/socket.c:1997 [inline]
       __se_sys_getpeername net/socket.c:1994 [inline]
       __do_sys_getpeername net/socket.c:1997 [inline] net/socket.c:1994
       __se_sys_getpeername net/socket.c:1994 [inline] net/socket.c:1994
       __x64_sys_getpeername+0xda/0x120 net/socket.c:1994 net/socket.c:1994
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_x64 arch/x86/entry/common.c:51 [inline] arch/x86/entry/common.c:82
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was stored to memory at:
       msg_set_word net/tipc/msg.h:212 [inline]
       msg_set_destport net/tipc/msg.h:619 [inline]
       msg_set_word net/tipc/msg.h:212 [inline] net/tipc/socket.c:1486
       msg_set_destport net/tipc/msg.h:619 [inline] net/tipc/socket.c:1486
       __tipc_sendmsg+0x44fa/0x5890 net/tipc/socket.c:1486 net/tipc/socket.c:1486
       tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1402 net/tipc/socket.c:1402
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       sock_sendmsg_nosec net/socket.c:704 [inline] net/socket.c:2409
       sock_sendmsg net/socket.c:724 [inline] net/socket.c:2409
       ____sys_sendmsg+0xe11/0x12c0 net/socket.c:2409 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       ___sys_sendmsg net/socket.c:2463 [inline] net/socket.c:2492
       __sys_sendmsg+0x704/0x840 net/socket.c:2492 net/socket.c:2492
       __do_sys_sendmsg net/socket.c:2501 [inline]
       __se_sys_sendmsg net/socket.c:2499 [inline]
       __do_sys_sendmsg net/socket.c:2501 [inline] net/socket.c:2499
       __se_sys_sendmsg net/socket.c:2499 [inline] net/socket.c:2499
       __x64_sys_sendmsg+0xe2/0x120 net/socket.c:2499 net/socket.c:2499
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_x64 arch/x86/entry/common.c:51 [inline] arch/x86/entry/common.c:82
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Local variable skaddr created at:
       __tipc_sendmsg+0x2d0/0x5890 net/tipc/socket.c:1419 net/tipc/socket.c:1419
       tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1402 net/tipc/socket.c:1402
      
      Bytes 4-7 of 16 are uninitialized
      Memory access of size 16 starts at ffff888113753e00
      Data copied to user address 0000000020000280
      
      Reported-by: syzbot+cdbd40e0c3ca02cae3b7@syzkaller.appspotmail.com
      Signed-off-by: NHaimin Zhang <tcs_kernel@tencent.com>
      Acked-by: NJon Maloy <jmaloy@redhat.com>
      Link: https://lore.kernel.org/r/1640918123-14547-1-git-send-email-tcs.kernel@gmail.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      d6d86830
    • J
      selftests: net: udpgro_fwd.sh: explicitly checking the available ping feature · 5e75d0b2
      Jianguo Wu 提交于
      As Paolo pointed out, the result of ping IPv6 address depends on
      the running distro. So explicitly checking the available ping feature,
      as e.g. do the bareudp.sh self-tests.
      
      Fixes: 8b3170e0 ("selftests: net: using ping6 for IPv6 in udpgro_fwd.sh")
      Signed-off-by: NJianguo Wu <wujianguo@chinatelecom.cn>
      Link: https://lore.kernel.org/r/825ee22b-4245-dbf7-d2f7-a230770d6e21@163.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      5e75d0b2
    • J
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 0f1fe7b8
      Jakub Kicinski 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-12-31
      
      We've added 2 non-merge commits during the last 14 day(s) which contain
      a total of 2 files changed, 3 insertions(+), 3 deletions(-).
      
      The main changes are:
      
      1) Revert of an earlier attempt to fix xsk's poll() behavior where it
         turned out that the fix for a rare problem made it much worse in
         general, from Magnus Karlsson. (Fyi, Magnus mentioned that a proper
         fix is coming early next year, so the revert is mainly to avoid
         slipping the behavior into 5.16.)
      
      2) Minor misc spell fix in BPF selftests, from Colin Ian King.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, selftests: Fix spelling mistake "tained" -> "tainted"
        Revert "xsk: Do not sleep in poll() when need_wakeup set"
      ====================
      
      Link: https://lore.kernel.org/r/20211231160050.16105-1-daniel@iogearbox.netSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      0f1fe7b8
  6. 31 12月, 2021 9 次提交
    • D
      Merge branch 'mpr-len-checks' · 4760abaa
      David S. Miller 提交于
      David Ahern says:
      
      ====================
      net: Length checks for attributes within multipath routes
      
      Add length checks for attributes within a multipath route (attributes
      within RTA_MULTIPATH). Motivated by the syzbot report in patch 1 and
      then expanded to other attributes as noted by Ido.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4760abaa
    • D
      lwtunnel: Validate RTA_ENCAP_TYPE attribute length · 8bda81a4
      David Ahern 提交于
      lwtunnel_valid_encap_type_attr is used to validate encap attributes
      within a multipath route. Add length validation checking to the type.
      
      lwtunnel_valid_encap_type_attr is called converting attributes to
      fib{6,}_config struct which means it is used before fib_get_nhs,
      ip6_route_multipath_add, and ip6_route_multipath_del - other
      locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
      attribute.
      
      Fixes: 9ed59592 ("lwtunnel: fix autoload of lwt modules")
      Signed-off-by: NDavid Ahern <dsahern@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8bda81a4
    • D
      ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route · 1ff15a71
      David Ahern 提交于
      Make sure RTA_GATEWAY for IPv6 multipath route has enough bytes to hold
      an IPv6 address.
      
      Fixes: 6b9ea5a6 ("ipv6: fix multipath route replace error recovery")
      Signed-off-by: NDavid Ahern <dsahern@kernel.org>
      Cc: Roopa Prabhu <roopa@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ff15a71
    • D
      ipv6: Check attribute length for RTA_GATEWAY in multipath route · 4619bcf9
      David Ahern 提交于
      Commit referenced in the Fixes tag used nla_memcpy for RTA_GATEWAY as
      does the current nla_get_in6_addr. nla_memcpy protects against accessing
      memory greater than what is in the attribute, but there is no check
      requiring the attribute to have an IPv6 address. Add it.
      
      Fixes: 51ebd318 ("ipv6: add support of equal cost multipath (ECMP)")
      Signed-off-by: NDavid Ahern <dsahern@kernel.org>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4619bcf9
    • D
      ipv4: Check attribute length for RTA_FLOW in multipath route · 664b9c4b
      David Ahern 提交于
      Make sure RTA_FLOW is at least 4B before using.
      
      Fixes: 4e902c57 ("[IPv4]: FIB configuration using struct fib_config")
      Signed-off-by: NDavid Ahern <dsahern@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      664b9c4b
    • D
      ipv4: Check attribute length for RTA_GATEWAY in multipath route · 7a3429ba
      David Ahern 提交于
      syzbot reported uninit-value:
      ============================================================
        BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
        net/ipv4/fib_semantics.c:708
         fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
         fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
         fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
         inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
      
      Add helper to validate RTA_GATEWAY length before using the attribute.
      
      Fixes: 4e902c57 ("[IPv4]: FIB configuration using struct fib_config")
      Reported-by: syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com
      Signed-off-by: NDavid Ahern <dsahern@kernel.org>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7a3429ba
    • L
      Merge tag 'net-5.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 74c78b42
      Linus Torvalds 提交于
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from.. Santa?
      
        No regressions on our radar at this point. The igc problem fixed here
        was the last one I was tracking but it was broken in previous
        releases, anyway. Mostly driver fixes and a couple of largish SMC
        fixes.
      
        Current release - regressions:
      
         - xsk: initialise xskb free_list_node, fixup for a -rc7 fix
      
        Current release - new code bugs:
      
         - mlx5: handful of minor fixes:
      
         - use first online CPU instead of hard coded CPU
      
         - fix some error handling paths in 'mlx5e_tc_add_fdb_flow()'
      
         - fix skb memory leak when TC classifier action offloads are disabled
      
         - fix memory leak with rules with internal OvS port
      
        Previous releases - regressions:
      
         - igc: do not enable crosstimestamping for i225-V models
      
        Previous releases - always broken:
      
         - udp: use datalen to cap ipv6 udp max gso segments
      
         - fix use-after-free in tw_timer_handler due to early free of stats
      
         - smc: fix kernel panic caused by race of smc_sock
      
         - smc: don't send CDC/LLC message if link not ready, avoid timeouts
      
         - sctp: use call_rcu to free endpoint, avoid UAF in sock diag
      
         - bridge: mcast: add and enforce query interval minimum
      
         - usb: pegasus: do not drop long Ethernet frames
      
         - mlx5e: fix ICOSQ recovery flow for XSK
      
         - nfc: uapi: use kernel size_t to fix user-space builds"
      
      * tag 'net-5.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (47 commits)
        fsl/fman: Fix missing put_device() call in fman_port_probe
        selftests: net: using ping6 for IPv6 in udpgro_fwd.sh
        Documentation: fix outdated interpretation of ip_no_pmtu_disc
        net/ncsi: check for error return from call to nla_put_u32
        net: bridge: mcast: fix br_multicast_ctx_vlan_global_disabled helper
        net: fix use-after-free in tw_timer_handler
        selftests: net: Fix a typo in udpgro_fwd.sh
        selftests/net: udpgso_bench_tx: fix dst ip argument
        net: bridge: mcast: add and enforce startup query interval minimum
        net: bridge: mcast: add and enforce query interval minimum
        ipv6: raw: check passed optlen before reading
        xsk: Initialise xskb free_list_node
        net/mlx5e: Fix wrong features assignment in case of error
        net/mlx5e: TC, Fix memory leak with rules with internal port
        ionic: Initialize the 'lif->dbid_inuse' bitmap
        igc: Fix TX timestamp support for non-MSI-X platforms
        igc: Do not enable crosstimestamping for i225-V models
        net/smc: fix kernel panic caused by race of smc_sock
        net/smc: don't send CDC/LLC message if link not ready
        NFC: st21nfca: Fix memory leak in device probe and remove
        ...
      74c78b42
    • L
      Merge tag 'char-misc-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 9bad743e
      Linus Torvalds 提交于
      Pull char/misc fixes from Greg KH:
       "Here are two misc driver fixes for 5.16-final:
      
         - binder accounting fix to resolve reported problem
      
         - nitro_enclaves fix for mmap assert warning output
      
        Both of these have been for over a week with no reported issues"
      
      * tag 'char-misc-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert
        binder: fix async_free_space accounting for empty parcels
      9bad743e
    • L
      Merge tag 'usb-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 2d40060b
      Linus Torvalds 提交于
      Pull USB fixes from Greg KH:
       "Here are some small USB driver fixes for 5.16 to resolve some reported
        problems:
      
         - mtu3 driver fixes
      
         - typec ucsi driver fix
      
         - xhci driver quirk added
      
         - usb gadget f_fs fix for reported crash
      
        All of these have been in linux-next for a while with no reported
        problems"
      
      * tag 'usb-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: ucsi: Only check the contract if there is a connection
        xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
        usb: mtu3: set interval of FS intr and isoc endpoint
        usb: mtu3: fix list_head check warning
        usb: mtu3: add memory barrier before set GPD's HWO
        usb: mtu3: fix interval value for intr and isoc
        usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
      2d40060b
  7. 30 12月, 2021 3 次提交