* [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level
@ 2022-10-09 22:25 Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 02/23] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
` (21 more replies)
0 siblings, 22 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Wright Feng, Chi-hsien Lin, Ahmad Fatoum, Alvin Šipraga,
Kalle Valo, Sasha Levin, aspriel, franky.lin, hante.meuleman,
davem, edumazet, kuba, pabeni, linux-wireless,
brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev
From: Wright Feng <wright.feng@cypress.com>
[ Upstream commit aa666b68e73fc06d83c070d96180b9010cf5a960 ]
The variable i is changed when setting random MAC address and causes
invalid address access when printing the value of pi->reqs[i]->reqid.
We replace reqs index with ri to fix the issue.
[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ 136.737365] Mem abort info:
[ 136.740172] ESR = 0x96000004
[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
[ 136.749294] SET = 0, FnV = 0
[ 136.752481] EA = 0, S1PTW = 0
[ 136.755635] Data abort info:
[ 136.758514] ISV = 0, ISS = 0x00000004
[ 136.762487] CM = 0, WnR = 0
[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[ 136.772265] [0000000000000000] pgd=0000000000000000
[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[ 136.828162] sp : ffff00000e9a3880
[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400
[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
[ 136.863343] x17: 0000000000000000 x16: 0000000000000000
[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
[ 136.873966] x13: 0000000000003135 x12: 0000000000000000
[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888
[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008
[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
[ 136.911146] Call trace:
[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[ 136.937298] genl_rcv_msg+0x358/0x3f4
[ 136.940960] netlink_rcv_skb+0xb4/0x118
[ 136.944795] genl_rcv+0x34/0x48
[ 136.947935] netlink_unicast+0x264/0x300
[ 136.951856] netlink_sendmsg+0x2e4/0x33c
[ 136.955781] __sys_sendto+0x120/0x19c
Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
index ffa243e2e2d0..581a23549ee5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
@@ -163,12 +163,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
struct brcmf_pno_macaddr_le pfn_mac;
u8 *mac_addr = NULL;
u8 *mac_mask = NULL;
- int err, i;
+ int err, i, ri;
- for (i = 0; i < pi->n_reqs; i++)
- if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
- mac_addr = pi->reqs[i]->mac_addr;
- mac_mask = pi->reqs[i]->mac_addr_mask;
+ for (ri = 0; ri < pi->n_reqs; ri++)
+ if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+ mac_addr = pi->reqs[ri]->mac_addr;
+ mac_mask = pi->reqs[ri]->mac_addr_mask;
break;
}
@@ -190,7 +190,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
pfn_mac.mac[0] |= 0x02;
brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n",
- pi->reqs[i]->reqid, pfn_mac.mac);
+ pi->reqs[ri]->reqid, pfn_mac.mac);
err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac,
sizeof(pfn_mac));
if (err)
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 02/23] openvswitch: Fix double reporting of drops in dropwatch
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 03/23] openvswitch: Fix overreporting " Sasha Levin
` (20 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Mike Pattrick, David S . Miller, Sasha Levin, pshelar, edumazet,
kuba, pabeni, netdev, dev
From: Mike Pattrick <mkp@redhat.com>
[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ]
Frames sent to userspace can be reported as dropped in
ovs_dp_process_packet, however, if they are dropped in the netlink code
then netlink_attachskb will report the same frame as dropped.
This patch checks for error codes which indicate that the frame has
already been freed.
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 3248cf04d0b3..42616aca0ce4 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -276,10 +276,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key)
upcall.portid = ovs_vport_find_upcall_portid(p, skb);
upcall.mru = OVS_CB(skb)->mru;
error = ovs_dp_upcall(dp, skb, key, &upcall, 0);
- if (unlikely(error))
- kfree_skb(skb);
- else
+ switch (error) {
+ case 0:
+ case -EAGAIN:
+ case -ERESTARTSYS:
+ case -EINTR:
consume_skb(skb);
+ break;
+ default:
+ kfree_skb(skb);
+ break;
+ }
stats_counter = &stats->n_missed;
goto out;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 03/23] openvswitch: Fix overreporting of drops in dropwatch
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 02/23] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 04/23] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
` (19 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Mike Pattrick, David S . Miller, Sasha Levin, pshelar, edumazet,
kuba, pabeni, netdev, dev
From: Mike Pattrick <mkp@redhat.com>
[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ]
Currently queue_userspace_packet will call kfree_skb for all frames,
whether or not an error occurred. This can result in a single dropped
frame being reported as multiple drops in dropwatch. This functions
caller may also call kfree_skb in case of an error. This patch will
consume the skbs instead and allow caller's to use kfree_skb.
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 42616aca0ce4..8319628ab428 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -553,8 +553,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
out:
if (err)
skb_tx_error(skb);
- kfree_skb(user_skb);
- kfree_skb(nskb);
+ consume_skb(user_skb);
+ consume_skb(nskb);
+
return err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 04/23] tcp: annotate data-race around tcp_md5sig_pool_populated
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 02/23] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 03/23] openvswitch: Fix overreporting " Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 05/23] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
` (18 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Eric Dumazet, Abhishek Shah, David S . Miller, Sasha Levin,
yoshfuji, dsahern, kuba, pabeni, netdev
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ]
tcp_md5sig_pool_populated can be read while another thread
changes its value.
The race has no consequence because allocations
are protected with tcp_md5sig_mutex.
This patch adds READ_ONCE() and WRITE_ONCE() to document
the race and silence KCSAN.
Reported-by: Abhishek Shah <abhishek.shah@columbia.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index a0fd9ef2d2c6..875c929b5f08 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3316,12 +3316,16 @@ static void __tcp_alloc_md5sig_pool(void)
* to memory. See smp_rmb() in tcp_get_md5sig_pool()
*/
smp_wmb();
- tcp_md5sig_pool_populated = true;
+ /* Paired with READ_ONCE() from tcp_alloc_md5sig_pool()
+ * and tcp_get_md5sig_pool().
+ */
+ WRITE_ONCE(tcp_md5sig_pool_populated, true);
}
bool tcp_alloc_md5sig_pool(void)
{
- if (unlikely(!tcp_md5sig_pool_populated)) {
+ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
+ if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) {
mutex_lock(&tcp_md5sig_mutex);
if (!tcp_md5sig_pool_populated)
@@ -3329,7 +3333,8 @@ bool tcp_alloc_md5sig_pool(void)
mutex_unlock(&tcp_md5sig_mutex);
}
- return tcp_md5sig_pool_populated;
+ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
+ return READ_ONCE(tcp_md5sig_pool_populated);
}
EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
@@ -3345,7 +3350,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
{
local_bh_disable();
- if (tcp_md5sig_pool_populated) {
+ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
+ if (READ_ONCE(tcp_md5sig_pool_populated)) {
/* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */
smp_rmb();
return this_cpu_ptr(&tcp_md5sig_pool);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 05/23] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (2 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 04/23] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 06/23] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
` (17 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Tetsuo Handa, syzbot, Toke Høiland-Jørgensen,
Kalle Valo, Sasha Levin, kvalo, davem, edumazet, kuba, pabeni,
linux-wireless, netdev
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit b383e8abed41cc6ff1a3b34de75df9397fa4878c ]
syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.
Since bytes accessed by ath9k_htc_rx_msg() is not known until
ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().
We have two choices. One is to workaround by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.
Note that I'm not sure threshold condition is correct, for I can't find
details on possible packet length used by this protocol.
Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
Reported-by: syzbot <syzbot+2ca247c2d60c7023de7f@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++---------
1 file changed, 28 insertions(+), 15 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index e37de14bc502..6d69cf69fd86 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -367,33 +367,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
}
static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
- struct sk_buff *skb)
+ struct sk_buff *skb, u32 len)
{
uint32_t *pattern = (uint32_t *)skb->data;
- switch (*pattern) {
- case 0x33221199:
- {
+ if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) {
struct htc_panic_bad_vaddr *htc_panic;
htc_panic = (struct htc_panic_bad_vaddr *) skb->data;
dev_err(htc_handle->dev, "ath: firmware panic! "
"exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n",
htc_panic->exccause, htc_panic->pc,
htc_panic->badvaddr);
- break;
- }
- case 0x33221299:
- {
+ return;
+ }
+ if (*pattern == 0x33221299) {
struct htc_panic_bad_epid *htc_panic;
htc_panic = (struct htc_panic_bad_epid *) skb->data;
dev_err(htc_handle->dev, "ath: firmware panic! "
"bad epid: 0x%08x\n", htc_panic->epid);
- break;
- }
- default:
- dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
- break;
+ return;
}
+ dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
}
/*
@@ -414,16 +408,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
if (!htc_handle || !skb)
return;
+ /* A valid message requires len >= 8.
+ *
+ * sizeof(struct htc_frame_hdr) == 8
+ * sizeof(struct htc_ready_msg) == 8
+ * sizeof(struct htc_panic_bad_vaddr) == 16
+ * sizeof(struct htc_panic_bad_epid) == 8
+ */
+ if (unlikely(len < sizeof(struct htc_frame_hdr)))
+ goto invalid;
htc_hdr = (struct htc_frame_hdr *) skb->data;
epid = htc_hdr->endpoint_id;
if (epid == 0x99) {
- ath9k_htc_fw_panic_report(htc_handle, skb);
+ ath9k_htc_fw_panic_report(htc_handle, skb, len);
kfree_skb(skb);
return;
}
if (epid < 0 || epid >= ENDPOINT_MAX) {
+invalid:
if (pipe_id != USB_REG_IN_PIPE)
dev_kfree_skb_any(skb);
else
@@ -435,21 +439,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
/* Handle trailer */
if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) {
- if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000)
+ if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) {
/* Move past the Watchdog pattern */
htc_hdr = (struct htc_frame_hdr *)(skb->data + 4);
+ len -= 4;
+ }
}
/* Get the message ID */
+ if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16)))
+ goto invalid;
msg_id = (__be16 *) ((void *) htc_hdr +
sizeof(struct htc_frame_hdr));
/* Now process HTC messages */
switch (be16_to_cpu(*msg_id)) {
case HTC_MSG_READY_ID:
+ if (unlikely(len < sizeof(struct htc_ready_msg)))
+ goto invalid;
htc_process_target_rdy(htc_handle, htc_hdr);
break;
case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID:
+ if (unlikely(len < sizeof(struct htc_frame_hdr) +
+ sizeof(struct htc_conn_svc_rspmsg)))
+ goto invalid;
htc_process_conn_rsp(htc_handle, htc_hdr);
break;
default:
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 06/23] xfrm: Update ipcomp_scratches with NULL when freed
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (3 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 05/23] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 07/23] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
` (16 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Khalid Masum, Herbert Xu, syzbot+5ec9bb042ddfe9644773,
Steffen Klassert, Sasha Levin, davem, edumazet, kuba, pabeni,
netdev
From: Khalid Masum <khalid.masum.92@gmail.com>
[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]
Currently if ipcomp_alloc_scratches() fails to allocate memory
ipcomp_scratches holds obsolete address. So when we try to free the
percpu scratches using ipcomp_free_scratches() it tries to vfree non
existent vm area. Described below:
static void * __percpu *ipcomp_alloc_scratches(void)
{
...
scratches = alloc_percpu(void *);
if (!scratches)
return NULL;
ipcomp_scratches does not know about this allocation failure.
Therefore holding the old obsolete address.
...
}
So when we free,
static void ipcomp_free_scratches(void)
{
...
scratches = ipcomp_scratches;
Assigning obsolete address from ipcomp_scratches
if (!scratches)
return;
for_each_possible_cpu(i)
vfree(*per_cpu_ptr(scratches, i));
Trying to free non existent page, causing warning: trying to vfree
existent vm area.
...
}
Fix this breakage by updating ipcomp_scrtches with NULL when scratches
is freed
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_ipcomp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index a00ec715aa46..32aed1d0f6ee 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -216,6 +216,7 @@ static void ipcomp_free_scratches(void)
vfree(*per_cpu_ptr(scratches, i));
free_percpu(scratches);
+ ipcomp_scratches = NULL;
}
static void * __percpu *ipcomp_alloc_scratches(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 07/23] net: xscale: Fix return type for implementation of ndo_start_xmit
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (4 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 06/23] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 08/23] net: lantiq_etop: " Sasha Levin
` (15 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: GUO Zihua, Jakub Kicinski, Sasha Levin, khalasa, davem, edumazet,
pabeni, netdev
From: GUO Zihua <guozihua@huawei.com>
[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ]
Since Linux now supports CFI, it will be a good idea to fix mismatched
return type for implementation of hooks. Otherwise this might get
cought out by CFI and cause a panic.
eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
change the return type to netdev_tx_t directly.
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
index aee55c03def0..d2aed667c0da 100644
--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
+++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
@@ -835,7 +835,7 @@ static void eth_txdone_irq(void *unused)
}
}
-static int eth_xmit(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct port *port = netdev_priv(dev);
unsigned int txreadyq = port->plat->txreadyq;
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 08/23] net: lantiq_etop: Fix return type for implementation of ndo_start_xmit
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (5 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 07/23] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 09/23] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
` (14 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: GUO Zihua, Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
olek2, rdunlap, yangyingliang, netdev
From: GUO Zihua <guozihua@huawei.com>
[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ]
Since Linux now supports CFI, it will be a good idea to fix mismatched
return type for implementation of hooks. Otherwise this might get
cought out by CFI and cause a panic.
ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
change the return type to netdev_tx_t directly.
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/lantiq_etop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
index afc810069440..c90886d74fde 100644
--- a/drivers/net/ethernet/lantiq_etop.c
+++ b/drivers/net/ethernet/lantiq_etop.c
@@ -464,7 +464,7 @@ ltq_etop_stop(struct net_device *dev)
return 0;
}
-static int
+static netdev_tx_t
ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
{
int queue = skb_get_queue_mapping(skb);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 09/23] net: ftmac100: fix endianness-related issues from 'sparse'
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (6 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 08/23] net: lantiq_etop: " Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 10/23] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Sasha Levin
` (13 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Sergei Antonov, Andrew Lunn, Paolo Abeni, Sasha Levin, davem,
edumazet, kuba, netdev
From: Sergei Antonov <saproj@gmail.com>
[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ]
Sparse found a number of endianness-related issues of these kinds:
.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer
.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types)
.../ftmac100.c:208:23: expected unsigned int rxdes0
.../ftmac100.c:208:23: got restricted __le32 [usertype]
.../ftmac100.c:249:23: warning: invalid assignment: &=
.../ftmac100.c:249:23: left side has type unsigned int
.../ftmac100.c:249:23: right side has type restricted __le32
.../ftmac100.c:527:16: warning: cast to restricted __le32
Change type of some fields from 'unsigned int' to '__le32' to fix it.
Signed-off-by: Sergei Antonov <saproj@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h
index 46a0c47b1ee1..0731d65e856c 100644
--- a/drivers/net/ethernet/faraday/ftmac100.h
+++ b/drivers/net/ethernet/faraday/ftmac100.h
@@ -135,9 +135,9 @@
* Transmit descriptor, aligned to 16 bytes
*/
struct ftmac100_txdes {
- unsigned int txdes0;
- unsigned int txdes1;
- unsigned int txdes2; /* TXBUF_BADR */
+ __le32 txdes0;
+ __le32 txdes1;
+ __le32 txdes2; /* TXBUF_BADR */
unsigned int txdes3; /* not used by HW */
} __attribute__ ((aligned(16)));
@@ -156,9 +156,9 @@ struct ftmac100_txdes {
* Receive descriptor, aligned to 16 bytes
*/
struct ftmac100_rxdes {
- unsigned int rxdes0;
- unsigned int rxdes1;
- unsigned int rxdes2; /* RXBUF_BADR */
+ __le32 rxdes0;
+ __le32 rxdes1;
+ __le32 rxdes2; /* RXBUF_BADR */
unsigned int rxdes3; /* not used by HW */
} __attribute__ ((aligned(16)));
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 10/23] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (7 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 09/23] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 11/23] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
` (12 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Alexander Coffin, Kalle Valo, Sasha Levin, aspriel, franky.lin,
hante.meuleman, davem, edumazet, kuba, pabeni, chi-hsien.lin,
hdegoede, alsi, bigeasy, wsa+renesas, pavel, wright.feng,
linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list,
netdev
From: Alexander Coffin <alex.coffin@matician.com>
[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ]
> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
may be schedule, and then complete before the line
> ndev->stats.tx_bytes += skb->len;
[ 46.912801] ==================================================================
[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
[ 46.935991]
[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1
[ 46.947255] Hardware name: [REDACTED]
[ 46.954568] Call trace:
[ 46.957037] dump_backtrace+0x0/0x2b8
[ 46.960719] show_stack+0x24/0x30
[ 46.964052] dump_stack+0x128/0x194
[ 46.967557] print_address_description.isra.0+0x64/0x380
[ 46.972877] __kasan_report+0x1d4/0x240
[ 46.976723] kasan_report+0xc/0x18
[ 46.980138] __asan_report_load4_noabort+0x18/0x20
[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0
[ 46.994894] sch_direct_xmit+0x198/0xd08
[ 46.998827] __qdisc_run+0x37c/0x1dc0
[ 47.002500] __dev_queue_xmit+0x1528/0x21f8
[ 47.006692] dev_queue_xmit+0x24/0x30
[ 47.010366] neigh_resolve_output+0x37c/0x678
[ 47.014734] ip_finish_output2+0x598/0x2458
[ 47.018927] __ip_finish_output+0x300/0x730
[ 47.023118] ip_output+0x2e0/0x430
[ 47.026530] ip_local_out+0x90/0x140
[ 47.030117] igmpv3_sendpack+0x14c/0x228
[ 47.034049] igmpv3_send_cr+0x384/0x6b8
[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118
[ 47.042262] call_timer_fn+0x1cc/0xbe8
[ 47.046021] __run_timers+0x4d8/0xb28
[ 47.049693] run_timer_softirq+0x24/0x40
[ 47.053626] __do_softirq+0x2c0/0x117c
[ 47.057387] irq_exit+0x2dc/0x388
[ 47.060715] __handle_domain_irq+0xb4/0x158
[ 47.064908] gic_handle_irq+0x58/0xb0
[ 47.068581] el0_irq_naked+0x50/0x5c
[ 47.072162]
[ 47.073665] Allocated by task 328:
[ 47.077083] save_stack+0x24/0xb0
[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0
[ 47.084776] kasan_slab_alloc+0x14/0x20
[ 47.088622] kmem_cache_alloc+0x15c/0x468
[ 47.092643] __alloc_skb+0xa4/0x498
[ 47.096142] igmpv3_newpack+0x158/0xd78
[ 47.099987] add_grhead+0x210/0x288
[ 47.103485] add_grec+0x6b0/0xb70
[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8
[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118
[ 47.115027] call_timer_fn+0x1cc/0xbe8
[ 47.118785] __run_timers+0x4d8/0xb28
[ 47.122457] run_timer_softirq+0x24/0x40
[ 47.126389] __do_softirq+0x2c0/0x117c
[ 47.130142]
[ 47.131643] Freed by task 180:
[ 47.134712] save_stack+0x24/0xb0
[ 47.138041] __kasan_slab_free+0x108/0x180
[ 47.142146] kasan_slab_free+0x10/0x18
[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0
[ 47.150444] kmem_cache_free+0x8c/0x528
[ 47.154292] kfree_skbmem+0x94/0x108
[ 47.157880] consume_skb+0x10c/0x5a8
[ 47.161466] __dev_kfree_skb_any+0x88/0xa0
[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac]
[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
[ 47.197859] process_one_work+0x7fc/0x1a80
[ 47.201965] worker_thread+0x31c/0xc40
[ 47.205726] kthread+0x2d8/0x370
[ 47.208967] ret_from_fork+0x10/0x18
[ 47.212546]
[ 47.214051] The buggy address belongs to the object at ffffff803f588280
[ 47.214051] which belongs to the cache skbuff_head_cache of size 208
[ 47.227086] The buggy address is located 104 bytes inside of
[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350)
[ 47.238814] The buggy address belongs to the page:
[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0
[ 47.255007] flags: 0x10200(slab|head)
[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800
[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000
[ 47.274180] page dumped because: kasan: bad access detected
[ 47.279752]
[ 47.281251] Memory state around the buggy address:
[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.307723] ^
[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.328789] ==================================================================
Signed-off-by: Alexander Coffin <alex.coffin@matician.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 590bef2defb9..9c8102be1d0b 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -200,6 +200,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
struct brcmf_pub *drvr = ifp->drvr;
struct ethhdr *eh;
int head_delta;
+ unsigned int tx_bytes = skb->len;
brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
@@ -254,7 +255,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
ndev->stats.tx_dropped++;
} else {
ndev->stats.tx_packets++;
- ndev->stats.tx_bytes += skb->len;
+ ndev->stats.tx_bytes += tx_bytes;
}
/* Return ok: we always eat the packet */
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 11/23] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (8 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 10/23] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 12/23] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
` (11 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Tetsuo Handa, syzbot, Luiz Augusto von Dentz, Sasha Levin,
marcel, johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
linux-bluetooth, netdev
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ]
syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at
l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent
l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer
which fires before l2cap_chan_del() is called by closing file descriptor
created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP).
l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP)
are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which
clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded.
l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets
CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when
connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds
from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4
seconds from connect() request, for l2cap_conn_start() from
l2cap_info_timeout() callback scheduled by
schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
in l2cap_connect() is calling l2cap_chan_ready().
Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM
mode as soon as l2cap_chan_create() allocates a channel, like I did in
commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at
l2cap_chan_create()").
Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1]
Reported-by: syzbot <syzbot+83672956c7aa6af698b3@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index e45a12378bd1..75a76353525c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -63,6 +63,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
struct sk_buff_head *skbs, u8 event);
+static void l2cap_retrans_timeout(struct work_struct *work);
+static void l2cap_monitor_timeout(struct work_struct *work);
+static void l2cap_ack_timeout(struct work_struct *work);
static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
{
@@ -470,6 +473,9 @@ struct l2cap_chan *l2cap_chan_create(void)
write_unlock(&chan_list_lock);
INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
+ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
+ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
+ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
chan->state = BT_OPEN;
@@ -3154,10 +3160,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan)
chan->rx_state = L2CAP_RX_STATE_RECV;
chan->tx_state = L2CAP_TX_STATE_XMIT;
- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
-
skb_queue_head_init(&chan->srej_q);
err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 12/23] net: davicom: Fix return type of dm9000_start_xmit
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (9 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 11/23] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 13/23] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
` (10 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nathan Huckleberry, Dan Carpenter, llvm, Nathan Chancellor,
Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
ndesaulniers, khalasa, thomas.lendacky, shayagr, wsa+renesas,
dmitry.torokhov, netdev
From: Nathan Huckleberry <nhuck@google.com>
[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ]
The ndo_start_xmit field in net_device_ops is expected to be of type
netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
The mismatched return type breaks forward edge kCFI since the underlying
function definition does not match the function hook definition.
The return type of dm9000_start_xmit should be changed from int to
netdev_tx_t.
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/1703
Cc: llvm@lists.linux.dev
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/davicom/dm9000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
index 8b07890b0b23..833e27ce4a57 100644
--- a/drivers/net/ethernet/davicom/dm9000.c
+++ b/drivers/net/ethernet/davicom/dm9000.c
@@ -1025,7 +1025,7 @@ static void dm9000_send_packet(struct net_device *dev,
* Hardware start transmission.
* Send a packet to media from the upper layer.
*/
-static int
+static netdev_tx_t
dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
unsigned long flags;
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 13/23] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (10 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 12/23] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 14/23] net: korina: Fix return type of korina_send_packet Sasha Levin
` (9 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nathan Huckleberry, Dan Carpenter, llvm, Nathan Chancellor,
Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
ndesaulniers, prabhakar.mahadev-lad.rj, paul, grygorii.strashko,
wsa+renesas, chi.minghao, bigunclemax, linux-omap, netdev
From: Nathan Huckleberry <nhuck@google.com>
[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ]
The ndo_start_xmit field in net_device_ops is expected to be of type
netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
The mismatched return type breaks forward edge kCFI since the underlying
function definition does not match the function hook definition.
The return type of emac_dev_xmit should be changed from int to
netdev_tx_t.
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/1703
Cc: llvm@lists.linux.dev
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/davinci_emac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
index da536385075a..f226e8f84835 100644
--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -955,7 +955,7 @@ static void emac_tx_handler(void *token, int len, int status)
*
* Returns success(NETDEV_TX_OK) or error code (typically out of desc's)
*/
-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
+static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
{
struct device *emac_dev = &ndev->dev;
int ret_code;
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 14/23] net: korina: Fix return type of korina_send_packet
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (11 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 13/23] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 15/23] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
` (8 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nathan Huckleberry, Dan Carpenter, llvm, Nathan Chancellor,
Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
ndesaulniers, thomas.lendacky, petrm, mw, geoff, wsa+renesas,
netdev
From: Nathan Huckleberry <nhuck@google.com>
[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ]
The ndo_start_xmit field in net_device_ops is expected to be of type
netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
The mismatched return type breaks forward edge kCFI since the underlying
function definition does not match the function hook definition.
The return type of korina_send_packet should be changed from int to
netdev_tx_t.
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/1703
Cc: llvm@lists.linux.dev
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/korina.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
index ec1c14e3eace..09e3e516ded3 100644
--- a/drivers/net/ethernet/korina.c
+++ b/drivers/net/ethernet/korina.c
@@ -193,7 +193,8 @@ static void korina_chain_rx(struct korina_private *lp,
}
/* transmit packet */
-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t korina_send_packet(struct sk_buff *skb,
+ struct net_device *dev)
{
struct korina_private *lp = netdev_priv(dev);
unsigned long flags;
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 15/23] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (12 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 14/23] net: korina: Fix return type of korina_send_packet Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 16/23] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
` (7 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Luiz Augusto von Dentz, Hawkins Jiawei, Sasha Levin, marcel,
johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
linux-bluetooth, netdev
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ]
device_add shall not be called multiple times as stated in its
documentation:
'Do not call this routine or device_register() more than once for
any device structure'
Syzkaller reports a bug as follows [1]:
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:33!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[...]
Call Trace:
<TASK>
__list_add include/linux/list.h:69 [inline]
list_add_tail include/linux/list.h:102 [inline]
kobj_kset_join lib/kobject.c:164 [inline]
kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214
kobject_add_varg lib/kobject.c:358 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:410
device_add+0x368/0x1e90 drivers/base/core.c:3452
hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53
hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799
hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110
hci_event_func net/bluetooth/hci_event.c:7440 [inline]
hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495
hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Hawkins Jiawei <yin31149@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sysfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index b568f7c21b30..0c9249339790 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
BT_DBG("conn %p", conn);
+ if (device_is_registered(&conn->dev))
+ return;
+
dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
if (device_add(&conn->dev) < 0) {
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 16/23] can: bcm: check the result of can_send() in bcm_can_tx()
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (13 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 15/23] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 17/23] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
` (6 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Ziyang Xuan, Marc Kleine-Budde, Oliver Hartkopp, Sasha Levin,
davem, edumazet, kuba, pabeni, linux-can, netdev
From: Ziyang Xuan <william.xuanziyang@huawei.com>
[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ]
If can_send() fail, it should not update frames_abs counter
in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx().
Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
Suggested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/bcm.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index b3f3b02ffd42..89b955ef75d1 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -286,6 +286,7 @@ static void bcm_can_tx(struct bcm_op *op)
struct sk_buff *skb;
struct net_device *dev;
struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe;
+ int err;
/* no target device? => exit */
if (!op->ifindex)
@@ -310,11 +311,11 @@ static void bcm_can_tx(struct bcm_op *op)
/* send with loopback */
skb->dev = dev;
can_skb_set_owner(skb, op->sk);
- can_send(skb, 1);
+ err = can_send(skb, 1);
+ if (!err)
+ op->frames_abs++;
- /* update statistics */
op->currframe++;
- op->frames_abs++;
/* reached last frame? */
if (op->currframe >= op->nframes)
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 17/23] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (14 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 16/23] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 18/23] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
` (5 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniel Golle, Serge Vasilugin, Kalle Valo, Sasha Levin, stf_xl,
helmut.schaa, davem, edumazet, kuba, pabeni, linux-wireless,
netdev
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ]
The function rt2800_iq_calibrate is intended for Rt5592 only.
Don't call it for MT7620 which has it's own calibration functions.
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index d2c289446c00..1309c136f7f3 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -3835,7 +3835,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
reg += 2 * rt2x00dev->lna_gain;
rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg);
- rt2800_iq_calibrate(rt2x00dev, rf->channel);
+ if (rt2x00_rt(rt2x00dev, RT5592))
+ rt2800_iq_calibrate(rt2x00dev, rf->channel);
}
bbp = rt2800_bbp_read(rt2x00dev, 4);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 18/23] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (15 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 17/23] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 19/23] wifi: rt2x00: set SoC wmac clock register Sasha Levin
` (4 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniel Golle, Serge Vasilugin, Stanislaw Gruszka, Kalle Valo,
Sasha Levin, helmut.schaa, davem, edumazet, kuba, pabeni,
linux-wireless, netdev
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit eeb50acf15762b61921f9df18663f839f387c054 ]
Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the
vendor driver[1].
[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index 1309c136f7f3..0c90bf0540b9 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -5315,7 +5315,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404);
} else if (rt2x00_rt(rt2x00dev, RT6352)) {
rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401);
- rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000);
+ rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001);
rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000);
rt2800_register_write(rt2x00dev, MIMO_PS_CFG, 0x00000002);
rt2800_register_write(rt2x00dev, TX_PIN_CFG, 0x00150F0F);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 19/23] wifi: rt2x00: set SoC wmac clock register
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (16 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 18/23] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 20/23] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
` (3 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniel Golle, Serge Vasilugin, Stanislaw Gruszka, Kalle Valo,
Sasha Levin, helmut.schaa, davem, edumazet, kuba, pabeni,
linux-wireless, netdev
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit cbde6ed406a51092d9e8a2df058f5f8490f27443 ]
Instead of using the default value 33 (pci), set US_CYC_CNT init based
on Programming guide:
If available, set chipset bus clock with fallback to cpu clock/3.
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/ralink/rt2x00/rt2800lib.c | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index 0c90bf0540b9..57fa472b5c4e 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -5567,6 +5567,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, 125);
rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
+ } else if (rt2x00_is_soc(rt2x00dev)) {
+ struct clk *clk = clk_get_sys("bus", NULL);
+ int rate;
+
+ if (IS_ERR(clk)) {
+ clk = clk_get_sys("cpu", NULL);
+
+ if (IS_ERR(clk)) {
+ rate = 125;
+ } else {
+ rate = clk_get_rate(clk) / 3000000;
+ clk_put(clk);
+ }
+ } else {
+ rate = clk_get_rate(clk) / 1000000;
+ clk_put(clk);
+ }
+
+ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
+ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, rate);
+ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
}
reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 20/23] wifi: rt2x00: correctly set BBP register 86 for MT7620
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (17 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 19/23] wifi: rt2x00: set SoC wmac clock register Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 21/23] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
` (2 subsequent siblings)
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniel Golle, Serge Vasilugin, Stanislaw Gruszka, Kalle Valo,
Sasha Levin, helmut.schaa, davem, edumazet, kuba, pabeni,
linux-wireless, netdev
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit c9aada64fe6493461127f1522d7e2f01792d2424 ]
Instead of 0 set the correct value for BBP register 86 for MT7620.
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index 57fa472b5c4e..155c08dc2e0e 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -3655,7 +3655,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain);
rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain);
rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain);
- rt2800_bbp_write(rt2x00dev, 86, 0);
+ if (rt2x00_rt(rt2x00dev, RT6352))
+ rt2800_bbp_write(rt2x00dev, 86, 0x38);
+ else
+ rt2800_bbp_write(rt2x00dev, 86, 0);
}
if (rf->channel <= 14) {
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 21/23] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (18 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 20/23] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 22/23] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 23/23] r8152: Rate limit overflow messages Sasha Levin
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Liu Jian, Jakub Sitnicki, Daniel Borkmann, John Fastabend,
Eric Dumazet, Sasha Levin, davem, kuba, pabeni, netdev, bpf
From: Liu Jian <liujian56@huawei.com>
[ Upstream commit 3f8ef65af927db247418d4e1db49164d7a158fc5 ]
Fixes the below NULL pointer dereference:
[...]
[ 14.471200] Call Trace:
[ 14.471562] <TASK>
[ 14.471882] lock_acquire+0x245/0x2e0
[ 14.472416] ? remove_wait_queue+0x12/0x50
[ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50
[ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50
[ 14.474318] ? remove_wait_queue+0x12/0x50
[ 14.474907] remove_wait_queue+0x12/0x50
[ 14.475480] sk_stream_wait_memory+0x20d/0x340
[ 14.476127] ? do_wait_intr_irq+0x80/0x80
[ 14.476704] do_tcp_sendpages+0x287/0x600
[ 14.477283] tcp_bpf_push+0xab/0x260
[ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500
[ 14.478461] ? __local_bh_enable_ip+0x77/0xe0
[ 14.479096] tcp_bpf_send_verdict+0x105/0x470
[ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0
[ 14.480311] sock_sendmsg+0x2d/0x40
[ 14.480822] ____sys_sendmsg+0x1b4/0x1c0
[ 14.481390] ? copy_msghdr_from_user+0x62/0x80
[ 14.482048] ___sys_sendmsg+0x78/0xb0
[ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150
[ 14.483215] ? __do_fault+0x2a/0x1a0
[ 14.483738] ? do_fault+0x15e/0x5d0
[ 14.484246] ? __handle_mm_fault+0x56b/0x1040
[ 14.484874] ? lock_is_held_type+0xdf/0x130
[ 14.485474] ? find_held_lock+0x2d/0x90
[ 14.486046] ? __sys_sendmsg+0x41/0x70
[ 14.486587] __sys_sendmsg+0x41/0x70
[ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350
[ 14.487822] do_syscall_64+0x34/0x80
[ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
The test scenario has the following flow:
thread1 thread2
----------- ---------------
tcp_bpf_sendmsg
tcp_bpf_send_verdict
tcp_bpf_sendmsg_redir sock_close
tcp_bpf_push_locked __sock_release
tcp_bpf_push //inet_release
do_tcp_sendpages sock->ops->release
sk_stream_wait_memory // tcp_close
sk_wait_event sk->sk_prot->close
release_sock(__sk);
***
lock_sock(sk);
__tcp_close
sock_orphan(sk)
sk->sk_wq = NULL
release_sock
****
lock_sock(__sk);
remove_wait_queue(sk_sleep(sk), &wait);
sk_sleep(sk)
//NULL pointer dereference
&rcu_dereference_raw(sk->sk_wq)->wait
While waiting for memory in thread1, the socket is released with its wait
queue because thread2 has closed it. This caused by tcp_bpf_send_verdict
didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.
We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory
before accessing the wait queue.
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/stream.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/stream.c b/net/core/stream.c
index cbe52b169070..e5c6c9e5e0aa 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -159,7 +159,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
*timeo_p = current_timeo;
}
out:
- remove_wait_queue(sk_sleep(sk), &wait);
+ if (!sock_flag(sk, SOCK_DEAD))
+ remove_wait_queue(sk_sleep(sk), &wait);
return err;
do_error:
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 22/23] Bluetooth: L2CAP: Fix user-after-free
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (19 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 21/23] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 23/23] r8152: Rate limit overflow messages Sasha Levin
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Luiz Augusto von Dentz, Sungwoo Kim, Sasha Levin, marcel,
johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
linux-bluetooth, netdev
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ]
This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:
Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
*kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 75a76353525c..652c0723051b 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4049,6 +4049,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
}
}
+ chan = l2cap_chan_hold_unless_zero(chan);
+ if (!chan) {
+ err = -EBADSLT;
+ goto unlock;
+ }
+
err = 0;
l2cap_chan_lock(chan);
@@ -4078,6 +4084,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
}
l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
unlock:
mutex_unlock(&conn->chan_lock);
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH AUTOSEL 4.14 23/23] r8152: Rate limit overflow messages
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
` (20 preceding siblings ...)
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 22/23] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
@ 2022-10-09 22:25 ` Sasha Levin
21 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2022-10-09 22:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Andrew Gaul, Andrew Gaul, Jakub Kicinski, Sasha Levin, davem,
edumazet, pabeni, hayeswang, jflf_kernel, aaron.ma, chenhao288,
dober6023, svenva, linux-usb, netdev
From: Andrew Gaul <gaul@gaul.org>
[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ]
My system shows almost 10 million of these messages over a 24-hour
period which pollutes my logs.
Signed-off-by: Andrew Gaul <gaul@google.com>
Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/r8152.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index a5a4fef09b93..1ed358d0da84 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1382,7 +1382,9 @@ static void intr_callback(struct urb *urb)
"Stop submitting intr, status %d\n", status);
return;
case -EOVERFLOW:
- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n");
+ if (net_ratelimit())
+ netif_info(tp, intr, tp->netdev,
+ "intr status -EOVERFLOW\n");
goto resubmit;
/* -EPIPE: should clear the halt */
default:
--
2.35.1
^ permalink raw reply related [flat|nested] 23+ messages in thread
end of thread, other threads:[~2022-10-10 0:34 UTC | newest]
Thread overview: 23+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-09 22:25 [PATCH AUTOSEL 4.14 01/23] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 02/23] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 03/23] openvswitch: Fix overreporting " Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 04/23] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 05/23] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 06/23] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 07/23] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 08/23] net: lantiq_etop: " Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 09/23] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 10/23] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 11/23] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 12/23] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 13/23] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 14/23] net: korina: Fix return type of korina_send_packet Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 15/23] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 16/23] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 17/23] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 18/23] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 19/23] wifi: rt2x00: set SoC wmac clock register Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 20/23] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 21/23] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 22/23] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
2022-10-09 22:25 ` [PATCH AUTOSEL 4.14 23/23] r8152: Rate limit overflow messages Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).