1. 16 May, 2023 8 commits
  2. 15 May, 2023 9 commits
    • net: phylink: fix ksettings_set() ethtool call · df0acdc5
      Russell King (Oracle) committed
      While testing a Fiberstore SFP-10G-T module (which uses 10GBASE-R with
      rate adaption) in a Clearfog platform (which can't do that) it was
      found that the PHY's advertisement was not limited according to the
      host's capabilities when using ethtool to change it.
      
      Fix this by ensuring that we mask the advertisement with the computed
      support mask as the very first thing we do.
      
      Fixes: cbc1bb1e ("net: phylink: simplify phy case for ksettings_set method")
      Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'tipc-fixes' · d1b2777d
      David S. Miller committed
      Xin Long says:
      
      ====================
      tipc: fix the mtu update in link mtu negotiation
      
      This patchset fixes a crash caused by a too small MTU carried in the
      activate msg. Note that as such a malicious packet does not exist in
      the normal env, the fix won't break any application.
      
      The 1st patch introduces a function to calculate the minimum MTU for
      the bearer, and the 2nd patch fixes the crash with this helper. While
      at it, the 3rd patch fixes the udp bearer mtu update by netlink with
      this helper.
      ====================
      Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: check the bearer min mtu properly when setting it by netlink · 35a089b5
      Xin Long committed
      Checking the bearer min mtu with tipc_udp_mtu_bad() only works for
      IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the
      min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU
      for min mtu, which works for both IPv4 and IPv6 UDP bearer.
      
      Note that tipc_udp_mtu_bad() is still used to check media min mtu
      in __tipc_nl_media_set(), as m->mtu currently is only used by the
      IPv4 UDP bearer as its default mtu value.
      
      Fixes: 682cd3cf ("tipc: confgiure and apply UDP bearer MTU on running links")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: do not update mtu if msg_max is too small in mtu negotiation · 56077b56
      Xin Long committed
      When doing link mtu negotiation, a malicious peer may send Activate msg
      with a very small mtu, e.g. 4 in Shuang's testing, without checking for
      the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
      n->links[bearer_id].mtu is set to 4294967228, which is an overflow of
      '4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().
      
      With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:
      
       tipc: Too large msg, purging xmit list 1 5 0 40 4!
       tipc: Too large msg, purging xmit list 1 15 0 60 4!
      
      And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
      named_distribute(), and when purging it in tipc_link_xmit(), a crash
      was even caused:
      
        general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
        CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
        RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
        Call Trace:
         <IRQ>
         skb_release_data+0xf9/0x1d0
         kfree_skb_reason+0x40/0x100
         tipc_link_xmit+0x57a/0x740 [tipc]
         tipc_node_xmit+0x16c/0x5c0 [tipc]
         tipc_named_node_up+0x27f/0x2c0 [tipc]
         tipc_node_write_unlock+0x149/0x170 [tipc]
         tipc_rcv+0x608/0x740 [tipc]
         tipc_udp_recv+0xdc/0x1f0 [tipc]
         udp_queue_rcv_one_skb+0x33e/0x620
         udp_unicast_rcv_skb.isra.72+0x75/0x90
         __udp4_lib_rcv+0x56d/0xc20
         ip_protocol_deliver_rcu+0x100/0x2d0
      
      This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
      and not updating mtu if it is too small.
      
      Fixes: ed193ece ("tipc: simplify link mtu negotiation")
      Reported-by: Shuang Li <shuali@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
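
The wraparound described in the commit message above, modelled in user-space C as an added example (not code from the kernel or from the patch). `MSG_OVERHEAD`, the function names and the sample values 1500 and 128 are assumptions; 72 is the combined overhead implied by the message's own figures (4 - 72 wraps to 4294967228).

```c
#include <stdint.h>
#include <stdio.h>

/* Combined INT_H_SIZE + EMSG_OVERHEAD. 72 is inferred from the commit
 * message: 4 - 72 wraps to 4294967228 in 32-bit unsigned arithmetic. */
#define MSG_OVERHEAD 72u

/* Model of tipc_link_mss(): unsigned subtraction, wraps if mtu < overhead. */
static uint32_t link_mss(uint32_t mtu)
{
    return mtu - MSG_OVERHEAD;
}

/* Pre-fix behaviour (simplified): take any smaller MTU the peer announces. */
static uint32_t negotiate_unchecked(uint32_t link_mtu, uint32_t peer_mtu)
{
    return peer_mtu < link_mtu ? peer_mtu : link_mtu;
}

/* Post-fix behaviour (simplified): a peer MTU below the bearer minimum
 * leaves the link MTU unchanged. */
static uint32_t negotiate_checked(uint32_t link_mtu, uint32_t peer_mtu,
                                  uint32_t bearer_min_mtu)
{
    if (peer_mtu < bearer_min_mtu)
        return link_mtu;
    return peer_mtu < link_mtu ? peer_mtu : link_mtu;
}

int main(void)
{
    const uint32_t cur = 1500;     /* constructed sample link MTU */
    const uint32_t min_mtu = 128;  /* constructed bearer minimum, above the overhead */
    const uint32_t peer = 4;       /* peer MTU quoted in the commit message */

    uint32_t bad = negotiate_unchecked(cur, peer);
    uint32_t ok = negotiate_checked(cur, peer, min_mtu);

    printf("unchecked: mtu=%u mss=%u\n", (unsigned)bad, (unsigned)link_mss(bad));
    printf("checked:   mtu=%u mss=%u\n", (unsigned)ok, (unsigned)link_mss(ok));
    return 0;
}
```

The check only protects the subtraction if the minimum it enforces is larger than the overhead subtracted afterwards.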
    • tipc: add tipc_bearer_min_mtu to calculate min mtu · 3ae6d66b
      Xin Long committed
      As different media may require different min mtu, and even the
      same media with different net family requires different min mtu,
      add tipc_bearer_min_mtu() to calculate min mtu accordingly.
      
      This API will be used to check the new mtu when doing the link
      mtu negotiation in the next patch.
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mdio: i2c: fix rollball accessors · b48a1864
      Russell King (Oracle) committed
      Commit 87e3bee0 ("net: mdio: i2c: Separate C22 and C45 transactions")
      separated the non-rollball bus accessors, but left the rollball
      accessors as is. As rollball accessors are clause 45, this results
      in the rollball protocol being completely non-functional. Fix this.
      
      Fixes: 87e3bee0 ("net: mdio: i2c: Separate C22 and C45 transactions")
      Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • virtio_net: Fix error unwinding of XDP initialization · 5306623a
      Feng Liu committed
      When initializing XDP in virtnet_open(), some rq xdp initialization
      may hit an error causing net device open to fail. However, previous
      rqs have already initialized XDP and enabled NAPI, which is not the
      expected behavior. Need to roll back the previous rq initialization
      to avoid leaks in error unwinding of init code.
      
      Also extract helper functions of disable and enable queue pairs.
      Use newly introduced disable helper function in error unwinding and
      virtnet_close. Use enable helper function in virtnet_open.
      
      Fixes: 754b8a21 ("virtio_net: setup xdp_rxq_info")
      Signed-off-by: Feng Liu <feliu@nvidia.com>
      Reviewed-by: Jiri Pirko <jiri@nvidia.com>
      Reviewed-by: William Tu <witu@nvidia.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Acked-by: Jason Wang <jasowang@redhat.com>
      Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: fec: remove the xdp_return_frame when lack of tx BDs · 6ead9c98
      Shenwei Wang committed
      In the implementation, the sent_frame count does not increment when
      transmit errors occur. Therefore, bq_xmit_all() will take care of
      returning the XDP frames.
      
      Fixes: 26312c68 ("net: fec: correct the counting of XDP sent frames")
      Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
      Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() · c83b4938
      Dong Chenchen committed
      As the call trace shows, skb_panic was caused by wrong skb->mac_header
      in nsh_gso_segment():
      
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
      CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
      RIP: 0010:skb_panic+0xda/0xe0
      call Trace:
       skb_push+0x91/0xa0
       nsh_gso_segment+0x4f3/0x570
       skb_mac_gso_segment+0x19e/0x270
       __skb_gso_segment+0x1e8/0x3c0
       validate_xmit_skb+0x452/0x890
       validate_xmit_skb_list+0x99/0xd0
       sch_direct_xmit+0x294/0x7c0
       __dev_queue_xmit+0x16f0/0x1d70
       packet_xmit+0x185/0x210
       packet_snd+0xc15/0x1170
       packet_sendmsg+0x7b/0xa0
       sock_sendmsg+0x14f/0x160
      
      The root cause is:
      nsh_gso_segment() uses skb->network_header - nhoff to reset mac_header
      in skb_gso_error_unwind() if inner-layer protocol gso fails.
      However, skb->network_header may be reset by inner-layer protocol
      gso function e.g. mpls_gso_segment. skb->mac_header reset by the
      inaccurate network_header will be larger than skb headroom.
      
      nsh_gso_segment
          nhoff = skb->network_header - skb->mac_header;
          __skb_pull(skb,nsh_len)
          skb_mac_gso_segment
              mpls_gso_segment
                  skb_reset_network_header(skb);//skb->network_header+=nsh_len
                  return -EINVAL;
          skb_gso_error_unwind
              skb_push(skb, nsh_len);
              skb->mac_header = skb->network_header - nhoff;
              // skb->mac_header > skb->headroom, cause skb_push panic
      
      Use correct mac_offset to restore mac_header and get rid of nhoff.
      
      Fixes: c411ed85 ("nsh: add GSO support")
      Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
      Suggested-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 14 May, 2023 9 commits
  4. 13 May, 2023 1 commit
  5. 12 May, 2023 13 commits