1. 17 5月, 2023 14 次提交
    • M
      net: wwan: iosm: fix NULL pointer dereference when removing device · 60829145
      M Chetan Kumar 提交于
      In suspend and resume cycle, the removal and rescan of device ends
      up in NULL pointer dereference.
      
      During driver initialization, if the ipc_imem_wwan_channel_init()
      fails to get the valid device capabilities it returns an error and
      further no resource (wwan struct) will be allocated. Now in this
      situation if driver removal procedure is initiated it would result
      in NULL pointer exception since unallocated wwan struct is dereferenced
      inside ipc_wwan_deinit().
      
      ipc_imem_run_state_worker() to handle the called functions return value
      and to release the resource in failure case. It also reports the link
      down event in failure cases. The user space application can handle this
      event to do a device reset for restoring the device communication.
      
      Fixes: 3670970d ("net: iosm: shared memory IPC interface")
      Reported-by: NSamuel Wein PhD <sam@samwein.com>
      Closes: https://lore.kernel.org/netdev/20230427140819.1310f4bd@kernel.org/T/Signed-off-by: NM Chetan Kumar <m.chetan.kumar@linux.intel.com>
      Reviewed-by: NSimon Horman <simon.horman@corigine.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      60829145
    • E
      vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() · dacab578
      Eric Dumazet 提交于
      syzbot triggered the following splat [1], sending an empty message
      through pppoe_sendmsg().
      
      When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
      does not push extra bytes for the VLAN header, because vlan is offloaded.
      
      Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
      before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).
      
      We need to swap the two conditions.
      
      [1]
      BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
      vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
      __netdev_start_xmit include/linux/netdevice.h:4883 [inline]
      netdev_start_xmit include/linux/netdevice.h:4897 [inline]
      xmit_one net/core/dev.c:3580 [inline]
      dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
      __dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
      dev_queue_xmit include/linux/netdevice.h:3053 [inline]
      pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
      sock_sendmsg_nosec net/socket.c:724 [inline]
      sock_sendmsg net/socket.c:747 [inline]
      ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
      ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
      __sys_sendmmsg+0x411/0xa50 net/socket.c:2641
      __do_sys_sendmmsg net/socket.c:2670 [inline]
      __se_sys_sendmmsg net/socket.c:2667 [inline]
      __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Uninit was created at:
      slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
      slab_alloc_node mm/slub.c:3452 [inline]
      kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
      kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
      __alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
      alloc_skb include/linux/skbuff.h:1277 [inline]
      sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
      pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
      sock_sendmsg_nosec net/socket.c:724 [inline]
      sock_sendmsg net/socket.c:747 [inline]
      ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
      ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
      __sys_sendmmsg+0x411/0xa50 net/socket.c:2641
      __do_sys_sendmmsg net/socket.c:2670 [inline]
      __se_sys_sendmmsg net/socket.c:2667 [inline]
      __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dacab578
    • N
      mailmap: add entries for Nikolay Aleksandrov · 66353baf
      Nikolay Aleksandrov 提交于
      Turns out I missed a few patches due to use of old addresses by
      senders. Add a mailmap entry with my old addresses.
      Signed-off-by: NNikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      66353baf
    • A
      igb: fix bit_shift to be in [1..8] range · 60d75865
      Aleksandr Loktionov 提交于
      In igb_hash_mc_addr() the expression:
              "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]"
      shift by more than 7 bits always yields zero, so hash becomes not so different.
      Add initialization with bit_shift = 1 and add a loop condition to ensure
      bit_shift will be always in [1..8] range.
      
      Fixes: 9d5c8243 ("igb: PCI-Express 82575 Gigabit Ethernet driver")
      Signed-off-by: NAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      60d75865
    • D
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 5ad3bd84
      David S. Miller 提交于
      Tony nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-05-16
      
      This series contains updates to ice and iavf drivers.
      
      Ahmed adds setting of missed condition for statistics which caused
      incorrect reporting of values for ice. For iavf, he removes a call to set
      VLAN offloads during re-initialization which can cause incorrect values
      to be set.
      
      Dawid adds checks to ensure VF is ready to be reset before executing
      commands that will require it to be reset on ice.
      ---
      v2:
      Patch 2
      - Redo commit message
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5ad3bd84
    • M
      net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset · 1323e0c6
      Marco Migliore 提交于
      According to datasheet, the command opcode must be specified
      into bits [14:12] of the Extended Port Control register (EPC).
      
      Fixes: de776d0d ("net: dsa: mv88e6xxx: add support for mv88e6393x family")
      Signed-off-by: NMarco Migliore <m.migliore@tiesse.com>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1323e0c6
    • C
      cassini: Fix a memory leak in the error handling path of cas_init_one() · 412cd77a
      Christophe JAILLET 提交于
      cas_saturn_firmware_init() allocates some memory using vmalloc(). This
      memory is freed in the .remove() function but not it the error handling
      path of the probe.
      
      Add the missing vfree() to avoid a memory leak, should an error occur.
      
      Fixes: fcaa4066 ("cassini: use request_firmware")
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: NPavan Chebbi <pavan.chebbi@broadcom.com>
      Reviewed-by: NSimon Horman <simon.horman@corigine.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      412cd77a
    • K
      tun: Fix memory leak for detached NAPI queue. · 82b2bc27
      Kuniyuki Iwashima 提交于
      syzkaller reported [0] memory leaks of sk and skb related to the TUN
      device with no repro, but we can reproduce it easily with:
      
        struct ifreq ifr = {}
        int fd_tun, fd_tmp;
        char buf[4] = {};
      
        fd_tun = openat(AT_FDCWD, "/dev/net/tun", O_WRONLY, 0);
        ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE;
        ioctl(fd_tun, TUNSETIFF, &ifr);
      
        ifr.ifr_flags = IFF_DETACH_QUEUE;
        ioctl(fd_tun, TUNSETQUEUE, &ifr);
      
        fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0);
        ifr.ifr_flags = IFF_UP;
        ioctl(fd_tmp, SIOCSIFFLAGS, &ifr);
      
        write(fd_tun, buf, sizeof(buf));
        close(fd_tun);
      
      If we enable NAPI and multi-queue on a TUN device, we can put skb into
      tfile->sk.sk_write_queue after the queue is detached.  We should prevent
      it by checking tfile->detached before queuing skb.
      
      Note this must be done under tfile->sk.sk_write_queue.lock because write()
      and ioctl(IFF_DETACH_QUEUE) can run concurrently.  Otherwise, there would
      be a small race window:
      
        write()                             ioctl(IFF_DETACH_QUEUE)
        `- tun_get_user                     `- __tun_detach
           |- if (tfile->detached)             |- tun_disable_queue
           |  `-> false                        |  `- tfile->detached = tun
           |                                   `- tun_queue_purge
           |- spin_lock_bh(&queue->lock)
           `- __skb_queue_tail(queue, skb)
      
      Another solution is to call tun_queue_purge() when closing and
      reattaching the detached queue, but it could paper over another
      problems.  Also, we do the same kind of test for IFF_NAPI_FRAGS.
      
      [0]:
      unreferenced object 0xffff88801edbc800 (size 2048):
        comm "syz-executor.1", pid 33269, jiffies 4295743834 (age 18.756s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
        backtrace:
          [<000000008c16ea3d>] __do_kmalloc_node mm/slab_common.c:965 [inline]
          [<000000008c16ea3d>] __kmalloc+0x4a/0x130 mm/slab_common.c:979
          [<000000003addde56>] kmalloc include/linux/slab.h:563 [inline]
          [<000000003addde56>] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035
          [<000000003e20621f>] sk_alloc+0x36/0x2f0 net/core/sock.c:2088
          [<0000000028e43843>] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438
          [<000000001b0f1f28>] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165
          [<000000004376f706>] chrdev_open+0x111/0x300 fs/char_dev.c:414
          [<00000000614d379f>] do_dentry_open+0x2f9/0x750 fs/open.c:920
          [<000000008eb24774>] do_open fs/namei.c:3636 [inline]
          [<000000008eb24774>] path_openat+0x143f/0x1a30 fs/namei.c:3791
          [<00000000955077b5>] do_filp_open+0xce/0x1c0 fs/namei.c:3818
          [<00000000b78973b0>] do_sys_openat2+0xf0/0x260 fs/open.c:1356
          [<00000000057be699>] do_sys_open fs/open.c:1372 [inline]
          [<00000000057be699>] __do_sys_openat fs/open.c:1388 [inline]
          [<00000000057be699>] __se_sys_openat fs/open.c:1383 [inline]
          [<00000000057be699>] __x64_sys_openat+0x83/0xf0 fs/open.c:1383
          [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80
          [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      unreferenced object 0xffff88802f671700 (size 240):
        comm "syz-executor.1", pid 33269, jiffies 4295743854 (age 18.736s)
        hex dump (first 32 bytes):
          68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff  h.......h.......
          00 c0 7b 2f 80 88 ff ff 00 c8 db 1e 80 88 ff ff  ..{/............
        backtrace:
          [<00000000e9d9fdb6>] __alloc_skb+0x223/0x250 net/core/skbuff.c:644
          [<000000002c3e4e0b>] alloc_skb include/linux/skbuff.h:1288 [inline]
          [<000000002c3e4e0b>] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378
          [<00000000825f98d7>] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729
          [<00000000e9eb3df3>] tun_alloc_skb drivers/net/tun.c:1529 [inline]
          [<00000000e9eb3df3>] tun_get_user+0x5e1/0x1f90 drivers/net/tun.c:1841
          [<0000000053096912>] tun_chr_write_iter+0xac/0x120 drivers/net/tun.c:2035
          [<00000000b9282ae0>] call_write_iter include/linux/fs.h:1868 [inline]
          [<00000000b9282ae0>] new_sync_write fs/read_write.c:491 [inline]
          [<00000000b9282ae0>] vfs_write+0x40f/0x530 fs/read_write.c:584
          [<00000000524566e4>] ksys_write+0xa1/0x170 fs/read_write.c:637
          [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80
          [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      Fixes: cde8b15f ("tuntap: add ioctl to attach or detach a file form tuntap device")
      Reported-by: Nsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: NKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      82b2bc27
    • J
      Merge tag 'ipsec-2023-05-16' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 6ad85ed0
      Jakub Kicinski 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2023-05-16
      
      1) Don't check the policy default if we have an allow
         policy. Fix from Sabrina Dubroca.
      
      2) Fix netdevice refount usage on offload.
         From Leon Romanovsky.
      
      3) Use netdev_put instead of dev_puti to correctly release
         the netdev on failure in xfrm_dev_policy_add.
         From Leon Romanovsky.
      
      4) Revert "Fix XFRM-I support for nested ESP tunnels"
         This broke Netfilter policy matching.
         From Martin Willi.
      
      5) Reject optional tunnel/BEET mode templates in outbound policies
         on netlink and pfkey sockets. From Tobias Brunner.
      
      6) Check if_id in inbound policy/secpath match to make
         it symetric to the outbound codepath.
         From Benedict Wong.
      
      * tag 'ipsec-2023-05-16' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
        xfrm: Check if_id in inbound policy/secpath match
        af_key: Reject optional tunnel/BEET mode templates in outbound policies
        xfrm: Reject optional tunnel/BEET mode templates in outbound policies
        Revert "Fix XFRM-I support for nested ESP tunnels"
        xfrm: Fix leak of dev tracker
        xfrm: release all offloaded policy memory
        xfrm: don't check the default policy if the policy allows the packet
      ====================
      
      Link: https://lore.kernel.org/r/20230516052405.2677554-1-steffen.klassert@secunet.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      6ad85ed0
    • J
      Merge tag 'linux-can-fixes-for-6.4-20230515' of... · 47d55c62
      Jakub Kicinski 提交于
      Merge tag 'linux-can-fixes-for-6.4-20230515' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2023-05-15
      
      The first 2 patches are by Oliver Hartkopp and allow the
      MSG_CMSG_COMPAT flag for isotp and j1939.
      
      The next patch is by Oliver Hartkopp, too and adds missing CAN XL
      support in can_put_echo_skb().
      
      Geert Uytterhoeven's patch let's the bxcan driver depend on
      ARCH_STM32.
      
      The last 5 patches are from Dario Binacchi and also affect the bxcan
      driver. The bxcan driver hit mainline with v6.4-rc1 and was originally
      written for IP cores containing 2 CAN interfaces with shared
      resources. Dario's series updates the DT bindings and driver to
      support IP cores with a single CAN interface instance as well as
      adding the bxcan to the stm32f746's device tree.
      
      * tag 'linux-can-fixes-for-6.4-20230515' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        ARM: dts: stm32: add CAN support on stm32f746
        can: bxcan: add support for single peripheral configuration
        ARM: dts: stm32: add pin map for CAN controller on stm32f7
        ARM: dts: stm32f429: put can2 in secondary mode
        dt-bindings: net: can: add "st,can-secondary" property
        can: CAN_BXCAN should depend on ARCH_STM32
        can: dev: fix missing CAN XL support in can_put_echo_skb()
        can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
        can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
      ====================
      
      Link: https://lore.kernel.org/r/20230515204722.1000957-1-mkl@pengutronix.deSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      47d55c62
    • I
      devlink: Fix crash with CONFIG_NET_NS=n · d6352dae
      Ido Schimmel 提交于
      '__net_initdata' becomes a no-op with CONFIG_NET_NS=y, but when this
      option is disabled it becomes '__initdata', which means the data can be
      freed after the initialization phase. This annotation is obviously
      incorrect for the devlink net device notifier block which is still
      registered after the initialization phase [1].
      
      Fix this crash by removing the '__net_initdata' annotation.
      
      [1]
      general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] PREEMPT SMP
      CPU: 3 PID: 117 Comm: (udev-worker) Not tainted 6.4.0-rc1-custom-gdf0acdc5 #64
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
      RIP: 0010:notifier_call_chain+0x58/0xc0
      [...]
      Call Trace:
       <TASK>
       dev_set_mac_address+0x85/0x120
       dev_set_mac_address_user+0x30/0x50
       do_setlink+0x219/0x1270
       rtnl_setlink+0xf7/0x1a0
       rtnetlink_rcv_msg+0x142/0x390
       netlink_rcv_skb+0x58/0x100
       netlink_unicast+0x188/0x270
       netlink_sendmsg+0x214/0x470
       __sys_sendto+0x12f/0x1a0
       __x64_sys_sendto+0x24/0x30
       do_syscall_64+0x38/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: e93c9378 ("devlink: change per-devlink netdev notifier to static one")
      Reported-by: NMarek Szyprowski <m.szyprowski@samsung.com>
      Closes: https://lore.kernel.org/netdev/600ddf9e-589a-2aa0-7b69-a438f833ca10@samsung.com/Tested-by: NMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: NIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: NJiri Pirko <jiri@nvidia.com>
      Reviewed-by: NSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230515162925.1144416-1-idosch@nvidia.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      d6352dae
    • A
      iavf: send VLAN offloading caps once after VFR · 7dcbdf29
      Ahmed Zaki 提交于
      When the user disables rxvlan offloading and then changes the number of
      channels, all VLAN ports are unable to receive traffic.
      
      Changing the number of channels triggers a VFR reset. During re-init, when
      VIRTCHNL_OP_GET_OFFLOAD_VLAN_V2_CAPS is received, we do:
      1 - set the IAVF_FLAG_SETUP_NETDEV_FEATURES flag
      2 - call
          iavf_set_vlan_offload_features(adapter, 0, netdev->features);
      
      The second step sends to the PF the __default__ features, in this case
      aq_required |= IAVF_FLAG_AQ_ENABLE_CTAG_VLAN_STRIPPING
      
      While the first step forces the watchdog task to call
      netdev_update_features() ->  iavf_set_features() ->
      iavf_set_vlan_offload_features(adapter, netdev->features, features).
      Since the user disabled the "rxvlan", this sets:
      aq_required |= IAVF_FLAG_AQ_DISABLE_CTAG_VLAN_STRIPPING
      
      When we start processing the AQ commands, both flags are enabled. Since we
      process DISABLE_XTAG first then ENABLE_XTAG, this results in the PF
      enabling the rxvlan offload. This breaks all communications on the VLAN
      net devices.
      
      Fix by removing the call to iavf_set_vlan_offload_features() (second
      step). Calling netdev_update_features() from watchdog task is enough for
      both init and reset paths.
      
      Fixes: 7598f4b4 ("iavf: Move netdev_update_features() into watchdog task")
      Signed-off-by: NAhmed Zaki <ahmed.zaki@intel.com>
      Tested-by: NRafal Romanowski <rafal.romanowski@intel.com>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      7dcbdf29
    • D
      ice: Fix ice VF reset during iavf initialization · 7255355a
      Dawid Wesierski 提交于
      Fix the current implementation that causes ice_trigger_vf_reset()
      to start resetting the VF even when the VF-NIC is still initializing.
      
      When we reset NIC with ice driver it can interfere with
      iavf-vf initialization e.g. during consecutive resets induced by ice
      
      iavf                ice
        |                  |
        |<-----------------|
        |            ice resets vf
       iavf                |
       reset               |
       start               |
        |<-----------------|
        |             ice resets vf
        |             causing iavf
        |             initialization
        |             error
        |                  |
       iavf
       reset
       end
      
      This leads to a series of -53 errors
      (failed to init adminq) from the IAVF.
      
      Change the state of the vf_state field to be not active when the IAVF
      is still initializing. Make sure to wait until receiving the message on
      the message box to ensure that the vf is ready and initializded.
      
      In simple terms we use the ACTIVE flag to make sure that the ice
      driver knows if the iavf is ready for another reset
      
        iavf                  ice
          |                    |
          |                    |
          |<------------- ice resets vf
        iavf           vf_state != ACTIVE
        reset                  |
        start                  |
          |                    |
          |                    |
        iavf                   |
        reset-------> vf_state == ACTIVE
        end              ice resets vf
          |                    |
          |                    |
      
      Fixes: c54d209c ("ice: Wait for VF to be reset/ready before configuration")
      Signed-off-by: NDawid Wesierski <dawidx.wesierski@intel.com>
      Signed-off-by: NKamil Maziarz <kamil.maziarz@intel.com>
      Acked-by: NJacob Keller <Jacob.e.keller@intel.com>
      Tested-by: NRafal Romanowski <rafal.romanowski@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      7255355a
    • A
      ice: Fix stats after PF reset · ab7470bc
      Ahmed Zaki 提交于
      After a core PF reset, the VFs were showing wrong Rx/Tx stats. This is a
      regression in commit 6624e780 ("ice: split ice_vsi_setup into smaller
      functions") caused by missing to set "stat_offsets_loaded = false" in the
      ice_vsi_rebuild() path.
      
      Fixes: 6624e780 ("ice: split ice_vsi_setup into smaller functions")
      Signed-off-by: NAhmed Zaki <ahmed.zaki@intel.com>
      Reviewed-by: NAlexander Lobakin <aleksander.lobakin@intel.com>
      Tested-by: NRafal Romanowski <rafal.romanowski@intel.com>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      ab7470bc
  2. 16 5月, 2023 11 次提交
  3. 15 5月, 2023 9 次提交
    • R
      net: phylink: fix ksettings_set() ethtool call · df0acdc5
      Russell King (Oracle) 提交于
      While testing a Fiberstore SFP-10G-T module (which uses 10GBASE-R with
      rate adaption) in a Clearfog platform (which can't do that) it was
      found that the PHYs advertisement was not limited according to the
      hosts capabilities when using ethtool to change it.
      
      Fix this by ensuring that we mask the advertisement with the computed
      support mask as the very first thing we do.
      
      Fixes: cbc1bb1e ("net: phylink: simplify phy case for ksettings_set method")
      Signed-off-by: NRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df0acdc5
    • D
      Merge branch 'tipc-fixes' · d1b2777d
      David S. Miller 提交于
      Xin Long says:
      
      ====================
      tipc: fix the mtu update in link mtu negotiation
      
      This patchset fixes a crash caused by a too small MTU carried in the
      activate msg. Note that as such malicious packet does not exist in
      the normal env, the fix won't break any application
      
      The 1st patch introduces a function to calculate the minimum MTU for
      the bearer, and the 2nd patch fixes the crash with this helper. While
      at it, the 3rd patch fixes the udp bearer mtu update by netlink with
      this helper.
      ====================
      Reviewed-by: NTung Nguyen <tung.q.nguyen@dektech.com.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d1b2777d
    • X
      tipc: check the bearer min mtu properly when setting it by netlink · 35a089b5
      Xin Long 提交于
      Checking the bearer min mtu with tipc_udp_mtu_bad() only works for
      IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the
      min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU
      for min mtu, which works for both IPv4 and IPv6 UDP bearer.
      
      Note that tipc_udp_mtu_bad() is still used to check media min mtu
      in __tipc_nl_media_set(), as m->mtu currently is only used by the
      IPv4 UDP bearer as its default mtu value.
      
      Fixes: 682cd3cf ("tipc: confgiure and apply UDP bearer MTU on running links")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NJon Maloy <jmaloy@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      35a089b5
    • X
      tipc: do not update mtu if msg_max is too small in mtu negotiation · 56077b56
      Xin Long 提交于
      When doing link mtu negotiation, a malicious peer may send Activate msg
      with a very small mtu, e.g. 4 in Shuang's testing, without checking for
      the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
      n->links[bearer_id].mtu is set to 4294967228, which is a overflow of
      '4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().
      
      With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:
      
       tipc: Too large msg, purging xmit list 1 5 0 40 4!
       tipc: Too large msg, purging xmit list 1 15 0 60 4!
      
      And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
      named_distribute(), and when purging it in tipc_link_xmit(), a crash
      was even caused:
      
        general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
        CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
        RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
        Call Trace:
         <IRQ>
         skb_release_data+0xf9/0x1d0
         kfree_skb_reason+0x40/0x100
         tipc_link_xmit+0x57a/0x740 [tipc]
         tipc_node_xmit+0x16c/0x5c0 [tipc]
         tipc_named_node_up+0x27f/0x2c0 [tipc]
         tipc_node_write_unlock+0x149/0x170 [tipc]
         tipc_rcv+0x608/0x740 [tipc]
         tipc_udp_recv+0xdc/0x1f0 [tipc]
         udp_queue_rcv_one_skb+0x33e/0x620
         udp_unicast_rcv_skb.isra.72+0x75/0x90
         __udp4_lib_rcv+0x56d/0xc20
         ip_protocol_deliver_rcu+0x100/0x2d0
      
      This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
      and not updating mtu if it is too small.
      
      Fixes: ed193ece ("tipc: simplify link mtu negotiation")
      Reported-by: NShuang Li <shuali@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NJon Maloy <jmaloy@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      56077b56
    • X
      tipc: add tipc_bearer_min_mtu to calculate min mtu · 3ae6d66b
      Xin Long 提交于
      As different media may requires different min mtu, and even the
      same media with different net family requires different min mtu,
      add tipc_bearer_min_mtu() to calculate min mtu accordingly.
      
      This API will be used to check the new mtu when doing the link
      mtu negotiation in the next patch.
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NJon Maloy <jmaloy@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3ae6d66b
    • R
      net: mdio: i2c: fix rollball accessors · b48a1864
      Russell King (Oracle) 提交于
      Commit 87e3bee0 ("net: mdio: i2c: Separate C22 and C45 transactions")
      separated the non-rollball bus accessors, but left the rollball
      accessors as is. As rollball accessors are clause 45, this results
      in the rollball protocol being completely non-functional. Fix this.
      
      Fixes: 87e3bee0 ("net: mdio: i2c: Separate C22 and C45 transactions")
      Signed-off-by: NRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b48a1864
    • F
      virtio_net: Fix error unwinding of XDP initialization · 5306623a
      Feng Liu 提交于
      When initializing XDP in virtnet_open(), some rq xdp initialization
      may hit an error causing net device open failed. However, previous
      rqs have already initialized XDP and enabled NAPI, which is not the
      expected behavior. Need to roll back the previous rq initialization
      to avoid leaks in error unwinding of init code.
      
      Also extract helper functions of disable and enable queue pairs.
      Use newly introduced disable helper function in error unwinding and
      virtnet_close. Use enable helper function in virtnet_open.
      
      Fixes: 754b8a21 ("virtio_net: setup xdp_rxq_info")
      Signed-off-by: NFeng Liu <feliu@nvidia.com>
      Reviewed-by: NJiri Pirko <jiri@nvidia.com>
      Reviewed-by: NWilliam Tu <witu@nvidia.com>
      Acked-by: NMichael S. Tsirkin <mst@redhat.com>
      Acked-by: NJason Wang <jasowang@redhat.com>
      Reviewed-by: NXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5306623a
    • S
      net: fec: remove the xdp_return_frame when lack of tx BDs · 6ead9c98
      Shenwei Wang 提交于
      In the implementation, the sent_frame count does not increment when
      transmit errors occur. Therefore, bq_xmit_all() will take care of
      returning the XDP frames.
      
      Fixes: 26312c68 ("net: fec: correct the counting of XDP sent frames")
      Signed-off-by: NShenwei Wang <shenwei.wang@nxp.com>
      Reviewed-by: NHoratiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6ead9c98
    • D
      net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() · c83b4938
      Dong Chenchen 提交于
      As the call trace shows, skb_panic was caused by wrong skb->mac_header
      in nsh_gso_segment():
      
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
      CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
      RIP: 0010:skb_panic+0xda/0xe0
      call Trace:
       skb_push+0x91/0xa0
       nsh_gso_segment+0x4f3/0x570
       skb_mac_gso_segment+0x19e/0x270
       __skb_gso_segment+0x1e8/0x3c0
       validate_xmit_skb+0x452/0x890
       validate_xmit_skb_list+0x99/0xd0
       sch_direct_xmit+0x294/0x7c0
       __dev_queue_xmit+0x16f0/0x1d70
       packet_xmit+0x185/0x210
       packet_snd+0xc15/0x1170
       packet_sendmsg+0x7b/0xa0
       sock_sendmsg+0x14f/0x160
      
      The root cause is:
      nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
      in skb_gso_error_unwind() if inner-layer protocol gso fails.
      However, skb->network_header may be reset by inner-layer protocol
      gso function e.g. mpls_gso_segment. skb->mac_header reset by the
      inaccurate network_header will be larger than skb headroom.
      
      nsh_gso_segment
          nhoff = skb->network_header - skb->mac_header;
          __skb_pull(skb,nsh_len)
          skb_mac_gso_segment
              mpls_gso_segment
                  skb_reset_network_header(skb);//skb->network_header+=nsh_len
                  return -EINVAL;
          skb_gso_error_unwind
              skb_push(skb, nsh_len);
              skb->mac_header = skb->network_header - nhoff;
              // skb->mac_header > skb->headroom, cause skb_push panic
      
      Use correct mac_offset to restore mac_header and get rid of nhoff.
      
      Fixes: c411ed85 ("nsh: add GSO support")
      Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
      Suggested-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c83b4938
  4. 14 5月, 2023 6 次提交