1. 05 6月, 2021 8 次提交
  2. 04 6月, 2021 22 次提交
    • D
      Merge tag 'for-net-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 579028de
      David S. Miller 提交于
      bluetooth pull request for net:
      
       - Fixes UAF and CVE-2021-3564
       - Fix VIRTIO_ID_BT to use an unassigned ID
       - Fix firmware loading on some Intel Controllers
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      579028de
    • X
      virtio-net: fix for skb_over_panic inside big mode · 1a802423
      Xuan Zhuo 提交于
      In virtio-net's large packet mode, there is a hole in the space behind
      buf.
      
          hdr_padded_len - hdr_len
      
      We must take this into account when calculating tailroom.
      
      [   44.544385] skb_put.cold (net/core/skbuff.c:5254 (discriminator 1) net/core/skbuff.c:5252 (discriminator 1))
      [   44.544864] page_to_skb (drivers/net/virtio_net.c:485) [   44.545361] receive_buf (drivers/net/virtio_net.c:849 drivers/net/virtio_net.c:1131)
      [   44.545870] ? netif_receive_skb_list_internal (net/core/dev.c:5714)
      [   44.546628] ? dev_gro_receive (net/core/dev.c:6103)
      [   44.547135] ? napi_complete_done (./include/linux/list.h:35 net/core/dev.c:5867 net/core/dev.c:5862 net/core/dev.c:6565)
      [   44.547672] virtnet_poll (drivers/net/virtio_net.c:1427 drivers/net/virtio_net.c:1525)
      [   44.548251] __napi_poll (net/core/dev.c:6985)
      [   44.548744] net_rx_action (net/core/dev.c:7054 net/core/dev.c:7139)
      [   44.549264] __do_softirq (./arch/x86/include/asm/jump_label.h:19 ./include/linux/jump_label.h:200 ./include/trace/events/irq.h:142 kernel/softirq.c:560)
      [   44.549762] irq_exit_rcu (kernel/softirq.c:433 kernel/softirq.c:637 kernel/softirq.c:649)
      [   44.551384] common_interrupt (arch/x86/kernel/irq.c:240 (discriminator 13))
      [   44.551991] ? asm_common_interrupt (./arch/x86/include/asm/idtentry.h:638)
      [   44.552654] asm_common_interrupt (./arch/x86/include/asm/idtentry.h:638)
      
      Fixes: fb32856b ("virtio-net: page_to_skb() use build_skb when there's sufficient tailroom")
      Signed-off-by: NXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Reported-by: NCorentin Noël <corentin.noel@collabora.com>
      Tested-by: NCorentin Noël <corentin.noel@collabora.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a802423
    • D
      Merge tag 'ieee802154-for-davem-2021-06-03' of... · e31d57ca
      David S. Miller 提交于
      Merge tag 'ieee802154-for-davem-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan
      
      Stefan Schmidt says:
      
      ====================
      An update from ieee802154 for your *net* tree.
      
      This time we have fixes for the ieee802154 netlink code, as well as a driver
      fix. Zhen Lei, Wei Yongjun and Yang Li each had  a patch to cleanup some return
      code handling ensuring we actually get a real error code when things fails.
      
      Dan Robertson fixed a potential null dereference in our netlink handling.
      
      Andy Shevchenko removed of_match_ptr()usage in the mrf24j40 driver.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e31d57ca
    • C
      ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions · 821bbf79
      Coco Li 提交于
      Reported by syzbot:
      HEAD commit:    90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..
      git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
      dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7
      compiler:       Debian clang version 11.0.1-2
      
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
      BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
      Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760
      
      CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x202/0x31e lib/dump_stack.c:120
       print_address_description+0x5f/0x3b0 mm/kasan/report.c:232
       __kasan_report mm/kasan/report.c:399 [inline]
       kasan_report+0x15c/0x200 mm/kasan/report.c:416
       fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
       fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
       fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536
       fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174
       rcu_do_batch kernel/rcu/tree.c:2559 [inline]
       rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794
       __do_softirq+0x372/0x7a6 kernel/softirq.c:345
       invoke_softirq kernel/softirq.c:221 [inline]
       __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422
       irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
       sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
       </IRQ>
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
      RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515
      Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d
      RSP: 0018:ffffc90009e06560 EFLAGS: 00000206
      RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1
      R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000
      R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4
       rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267
       rcu_read_lock include/linux/rcupdate.h:656 [inline]
       ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231
       ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212
       ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379
       ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982
       ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238
       ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638
       ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848
       ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900
       ext4_append+0x1a4/0x360 fs/ext4/namei.c:67
       ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768
       ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814
       vfs_mkdir+0x45b/0x640 fs/namei.c:3819
       ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]
       ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146
       ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193
       ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788
       ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355
       ovl_get_workdir fs/overlayfs/super.c:1492 [inline]
       ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035
       mount_nodev+0x52/0xe0 fs/super.c:1413
       legacy_get_tree+0xea/0x180 fs/fs_context.c:592
       vfs_get_tree+0x86/0x270 fs/super.c:1497
       do_new_mount fs/namespace.c:2903 [inline]
       path_mount+0x196f/0x2be0 fs/namespace.c:3233
       do_mount fs/namespace.c:3246 [inline]
       __do_sys_mount fs/namespace.c:3454 [inline]
       __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x4665f9
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f68f2b87188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
      RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
      RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 000000000040000a
      RBP: 00000000004bfbb9 R08: 0000000020000100 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
      R13: 00007ffe19002dff R14: 00007f68f2b87300 R15: 0000000000022000
      
      Allocated by task 17768:
       kasan_save_stack mm/kasan/common.c:38 [inline]
       kasan_set_track mm/kasan/common.c:46 [inline]
       set_alloc_info mm/kasan/common.c:427 [inline]
       ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
       kasan_kmalloc include/linux/kasan.h:233 [inline]
       __kmalloc+0xb4/0x380 mm/slub.c:4055
       kmalloc include/linux/slab.h:559 [inline]
       kzalloc include/linux/slab.h:684 [inline]
       fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154
       ip6_route_info_create+0x55d/0x1a10 net/ipv6/route.c:3638
       ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
       inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
       rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
       netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
       netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
       netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
       netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
       sock_sendmsg_nosec net/socket.c:654 [inline]
       sock_sendmsg net/socket.c:674 [inline]
       ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
       ___sys_sendmsg net/socket.c:2404 [inline]
       __sys_sendmsg+0x319/0x400 net/socket.c:2433
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Last potentially related work creation:
       kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
       kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
       __call_rcu kernel/rcu/tree.c:3039 [inline]
       call_rcu+0x1b1/0xa30 kernel/rcu/tree.c:3114
       fib6_info_release include/net/ip6_fib.h:337 [inline]
       ip6_route_info_create+0x10c4/0x1a10 net/ipv6/route.c:3718
       ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
       inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
       rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
       netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
       netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
       netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
       netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
       sock_sendmsg_nosec net/socket.c:654 [inline]
       sock_sendmsg net/socket.c:674 [inline]
       ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
       ___sys_sendmsg net/socket.c:2404 [inline]
       __sys_sendmsg+0x319/0x400 net/socket.c:2433
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Second to last potentially related work creation:
       kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
       kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
       insert_work+0x54/0x400 kernel/workqueue.c:1331
       __queue_work+0x981/0xcc0 kernel/workqueue.c:1497
       queue_work_on+0x111/0x200 kernel/workqueue.c:1524
       queue_work include/linux/workqueue.h:507 [inline]
       call_usermodehelper_exec+0x283/0x470 kernel/umh.c:433
       kobject_uevent_env+0x1349/0x1730 lib/kobject_uevent.c:617
       kvm_uevent_notify_change+0x309/0x3b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4809
       kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:877 [inline]
       kvm_put_kvm+0x9c/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:920
       kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3120
       __fput+0x352/0x7b0 fs/file_table.c:280
       task_work_run+0x146/0x1c0 kernel/task_work.c:140
       tracehook_notify_resume include/linux/tracehook.h:189 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
       exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208
       __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
       syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      The buggy address belongs to the object at ffff8880145c7800
       which belongs to the cache kmalloc-192 of size 192
      The buggy address is located 56 bytes to the right of
       192-byte region [ffff8880145c7800, ffff8880145c78c0)
      The buggy address belongs to the page:
      page:ffffea00005171c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c7
      flags: 0xfff00000000200(slab)
      raw: 00fff00000000200 ffffea00006474c0 0000000200000002 ffff888010c41a00
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8880145c7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
       ffff8880145c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff8880145c7880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
                                                                      ^
       ffff8880145c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880145c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      ==================================================================
      
      In the ip6_route_info_create function, in the case that the nh pointer
      is not NULL, the fib6_nh in fib6_info has not been allocated.
      Therefore, when trying to free fib6_info in this error case using
      fib6_info_release, the function will call fib6_info_destroy_rcu,
      which it will access fib6_nh_release(f6i->fib6_nh);
      However, f6i->fib6_nh doesn't have any refcount yet given the lack of allocation
      causing the reported memory issue above.
      Therefore, releasing the empty pointer directly instead would be the solution.
      
      Fixes: f88d8ea6 ("ipv6: Plumb support for nexthop object in a fib6_info")
      Fixes: 706ec919 ("ipv6: Fix nexthop refcnt leak when creating ipv6 route info")
      Signed-off-by: NCoco Li <lixiaoyan@google.com>
      Cc: David Ahern <dsahern@kernel.org>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Reviewed-by: NDavid Ahern <dsahern@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      821bbf79
    • D
      Merge tag 'wireless-drivers-2021-06-03' of... · 5e7a2c64
      David S. Miller 提交于
      Merge tag 'wireless-drivers-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.13
      
      We have only mt76 fixes this time, most important being the fix for
      A-MSDU injection attacks.
      
      mt76
      
      * mitigate A-MSDU injection attacks (CVE-2020-24588)
      
      * fix possible array out of bound access in mt7921_mcu_tx_rate_report
      
      * various aggregation and HE setting fixes
      
      * suspend/resume fix for pci devices
      
      * mt7615: fix crash when runtime-pm is not supported
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5e7a2c64
    • Z
      fib: Return the correct errno code · 59607863
      Zheng Yongjun 提交于
      When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
      Signed-off-by: NZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      59607863
    • Z
      net: Return the correct errno code · 49251cd0
      Zheng Yongjun 提交于
      When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
      Signed-off-by: NZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      49251cd0
    • Z
      net/x25: Return the correct errno code · d7736958
      Zheng Yongjun 提交于
      When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
      Signed-off-by: NZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7736958
    • R
      cxgb4: fix regression with HASH tc prio value update · a27fb314
      Rahul Lakkireddy 提交于
      commit db43b30c ("cxgb4: add ethtool n-tuple filter deletion")
      has moved searching for next highest priority HASH filter rule to
      cxgb4_flow_rule_destroy(), which searches the rhashtable before the
      the rule is removed from it and hence always finds at least 1 entry.
      Fix by removing the rule from rhashtable first before calling
      cxgb4_flow_rule_destroy() and hence avoid fetching stale info.
      
      Fixes: db43b30c ("cxgb4: add ethtool n-tuple filter deletion")
      Signed-off-by: NRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a27fb314
    • D
      Merge branch 'caif-fixes' · e0310182
      David S. Miller 提交于
      Pavel Skripkin says:
      
      ====================
      This patch series fix 2 memory leaks in caif
      interface.
      
      Syzbot reported memory leak in cfserl_create().
      The problem was in cfcnfg_add_phy_layer() function.
      This function accepts struct cflayer *link_support and
      assign it to corresponting structures, but it can fail
      in some cases.
      
      These cases must be handled to prevent leaking allocated
      struct cflayer *link_support pointer, because if error accured
      before assigning link_support pointer to somewhere, this pointer
      must be freed.
      
      Fail log:
      
      [   49.051872][ T7010] caif:cfcnfg_add_phy_layer(): Too many CAIF Link Layers (max 6)
      [   49.110236][ T7042] caif:cfcnfg_add_phy_layer(): Too many CAIF Link Layers (max 6)
      [   49.134936][ T7045] caif:cfcnfg_add_phy_layer(): Too many CAIF Link Layers (max 6)
      [   49.163083][ T7043] caif:cfcnfg_add_phy_layer(): Too many CAIF Link Layers (max 6)
      [   55.248950][ T6994] kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
      
      int cfcnfg_add_phy_layer(..., struct cflayer *link_support, ...)
      {
      ...
      	/* CAIF protocol allow maximum 6 link-layers */
      	for (i = 0; i < 7; i++) {
      		phyid = (dev->ifindex + i) & 0x7;
      		if (phyid == 0)
      			continue;
      		if (cfcnfg_get_phyinfo_rcu(cnfg, phyid) == NULL)
      			goto got_phyid;
      	}
      	pr_warn("Too many CAIF Link Layers (max 6)\n");
      	goto out;
      ...
      	if (link_support != NULL) {
      		link_support->id = phyid;
      		layer_set_dn(frml, link_support);
      		layer_set_up(link_support, frml);
      		layer_set_dn(link_support, phy_layer);
      		layer_set_up(phy_layer, link_support);
      	}
      ...
      }
      
      As you can see, if cfcnfg_add_phy_layer fails before layer_set_*,
      link_support becomes leaked.
      
      So, in this series, I made cfcnfg_add_phy_layer()
      return an int and added error handling code to prevent
      leaking link_support pointer in caif_device_notify()
      and cfusbl_device_notify() functions.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e0310182
    • P
      net: caif: fix memory leak in cfusbl_device_notify · 7f5d8666
      Pavel Skripkin 提交于
      In case of caif_enroll_dev() fail, allocated
      link_support won't be assigned to the corresponding
      structure. So simply free allocated pointer in case
      of error.
      
      Fixes: 7ad65bf6 ("caif: Add support for CAIF over CDC NCM USB interface")
      Cc: stable@vger.kernel.org
      Signed-off-by: NPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7f5d8666
    • P
      net: caif: fix memory leak in caif_device_notify · b53558a9
      Pavel Skripkin 提交于
      In case of caif_enroll_dev() fail, allocated
      link_support won't be assigned to the corresponding
      structure. So simply free allocated pointer in case
      of error
      
      Fixes: 7c18d220 ("caif: Restructure how link caif link layer enroll")
      Cc: stable@vger.kernel.org
      Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com
      Signed-off-by: NPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b53558a9
    • P
      net: caif: add proper error handling · a2805dca
      Pavel Skripkin 提交于
      caif_enroll_dev() can fail in some cases. Ingnoring
      these cases can lead to memory leak due to not assigning
      link_support pointer to anywhere.
      
      Fixes: 7c18d220 ("caif: Restructure how link caif link layer enroll")
      Cc: stable@vger.kernel.org
      Signed-off-by: NPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a2805dca
    • P
      net: caif: added cfserl_release function · bce130e7
      Pavel Skripkin 提交于
      Added cfserl_release() function.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bce130e7
    • D
      Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 4189777c
      David S. Miller 提交于
      Tony Nguyen says:
      
      ====================
      This series contains updates to igb, igc, ixgbe, ixgbevf, i40e and ice
      drivers.
      
      Kurt Kanzenbach fixes XDP for igb when PTP is enabled by pulling the
      timestamp and adjusting appropriate values prior to XDP operations.
      
      Magnus adds missing exception tracing for XDP on igb, igc, ixgbe,
      ixgbevf, i40e and ice drivers.
      
      Maciej adds tracking of AF_XDP zero copy enabled queues to resolve an
      issue with copy mode Tx for the ice driver.
      
      Note: Patch 7 will conflict when merged with net-next. Please carry
      these changes forward. IGC_XDP_TX and IGC_XDP_REDIRECT will need to be
      changed to return to conform with the net-next changes. Let me know if
      you have issues.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4189777c
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 86b84066
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-06-02
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 2 non-merge commits during the last 7 day(s) which contain
      a total of 4 files changed, 19 insertions(+), 24 deletions(-).
      
      The main changes are:
      
      1) Fix pahole BTF generation when ccache is used, from Javier Martinez Canillas.
      
      2) Fix BPF lockdown hooks in bpf_probe_read_kernel{,_str}() helpers which caused
         a deadlock from bcc programs, triggered OOM killer from audit side and didn't
         work generally with SELinux policy rules due to pointing to wrong task struct,
         from Daniel Borkmann.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      86b84066
    • P
      net: kcm: fix memory leak in kcm_sendmsg · c47cc304
      Pavel Skripkin 提交于
      Syzbot reported memory leak in kcm_sendmsg()[1].
      The problem was in non-freed frag_list in case of error.
      
      In the while loop:
      
      	if (head == skb)
      		skb_shinfo(head)->frag_list = tskb;
      	else
      		skb->next = tskb;
      
      frag_list filled with skbs, but nothing was freeing them.
      
      backtrace:
        [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198
        [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline]
        [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1]
        [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline]
        [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672
      
      Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Cc: stable@vger.kernel.org
      Signed-off-by: NPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c47cc304
    • L
      Bluetooth: btusb: Fix failing to init controllers with operation firmware · 1f14a620
      Luiz Augusto von Dentz 提交于
      Some firmware when operation don't may have broken versions leading to
      error like the following:
      
      [    6.176482] Bluetooth: hci0: Firmware revision 0.0 build 121 week 7 2021
      [    6.177906] bluetooth hci0: Direct firmware load for intel/ibt-20-0-0.sfi failed with error -2
      [    6.177910] Bluetooth: hci0: Failed to load Intel firmware file intel/ibt-20-0-0.sfi (-2)
      
      Since we load the firmware file just to check if its version had changed
      comparing to the one already loaded we can just skip since the firmware
      is already operation.
      
      Fixes: ac056546 ("Bluetooth: btintel: Check firmware version before
      download")
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      1f14a620
    • M
      Bluetooth: Fix VIRTIO_ID_BT assigned number · a83d9585
      Marcel Holtmann 提交于
      It turned out that the VIRTIO_ID_* are not assigned in the virtio_ids.h
      file in the upstream kernel. Picking the next free one was wrong and
      there is a process that has been followed now.
      
      See https://github.com/oasis-tcs/virtio-spec/issues/108 for details.
      
      Fixes: afd2daa2 ("Bluetooth: Add support for virtio transport driver")
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      a83d9585
    • Z
      sit: set name of device back to struct parms · 261ba78c
      zhang kai 提交于
      addrconf_set_sit_dstaddr will use parms->name.
      Signed-off-by: Nzhang kai <zhangkaiheb@126.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      261ba78c
    • J
      rtnetlink: Fix missing error code in rtnl_bridge_notify() · a8db57c1
      Jiapeng Chong 提交于
      The error code is missing in this code scenario, add the error code
      '-EINVAL' to the return value 'err'.
      
      Eliminate the follow smatch warning:
      
      net/core/rtnetlink.c:4834 rtnl_bridge_notify() warn: missing error code
      'err'.
      Reported-by: NAbaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: NJiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a8db57c1
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 59717f39
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Do not allow to add conntrack helper extension for confirmed
         conntracks in the nf_tables ct expectation support.
      
      2) Fix bogus EBUSY in nfnetlink_cthelper when NFCTH_PRIV_DATA_LEN
         is passed on userspace helper updates.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      59717f39
  3. 03 6月, 2021 10 次提交