1. 25 Aug, 2019 40 commits
    • Linux 5.2.10 · f7d5b3dc
      Sasha Levin authored
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • netlink: Fix nlmsg_parse as a wrapper for strict message parsing · cabd470b
      David Ahern authored
      [ Upstream commit d00ee64e ]
      
      Eric reported a syzbot warning:
      
      BUG: KMSAN: uninit-value in nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
      CPU: 0 PID: 11812 Comm: syz-executor444 Not tainted 5.3.0-rc3+ #17
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x191/0x1f0 lib/dump_stack.c:113
       kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
       __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
       nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
       rtm_del_nexthop+0x1b1/0x610 net/ipv4/nexthop.c:1543
       rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5223
       netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5241
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf6c/0x1050 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
       __sys_sendmmsg+0x53a/0xae0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2439
       __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2439
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The root cause is nlmsg_parse calling __nla_parse which means the
      header struct size is not checked.
      
      nlmsg_parse should be a wrapper around __nlmsg_parse with
      NL_VALIDATE_STRICT for the validate argument very much like
      nlmsg_parse_deprecated is for NL_VALIDATE_LIBERAL.
      
      Fixes: 3de64403 ("netlink: re-add parse/validate functions in strict mode")
      Reported-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: phy: consider AN_RESTART status when reading link status · 9a31192e
      Heiner Kallweit authored
      [ Upstream commit c36757eb ]
      
      After configuring and restarting aneg we immediately try to read the
      link status. On some systems the PHY may not yet have cleared the
      "aneg complete" and "link up" bits, resulting in a false link-up
      signal. See [0] for a report.
      Clause 22 and 45 both require the PHY to keep the AN_RESTART
      bit set until the PHY actually starts auto-negotiation.
      Let's consider this in the generic functions for reading link status.
      The commit marked as fixed is the first one where the patch applies
      cleanly.
      
      [0] https://marc.info/?t=156518400300003&r=1&w=2
      
      Fixes: c1164bb1 ("net: phy: check PMAPMD link status only in genphy_c45_read_link")
      Tested-by: Yonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/tls: prevent skb_orphan() from leaking TLS plain text with offload · bc110443
      Jakub Kicinski authored
      [ Upstream commit 41477662 ]
      
      sk_validate_xmit_skb() and drivers depend on the sk member of
      struct sk_buff to identify segments requiring encryption.
      Any operation which removes or does not preserve the original TLS
      socket such as skb_orphan() or skb_clone() will cause clear text
      leaks.
      
      Make the TCP socket underlying an offloaded TLS connection
      mark all skbs as decrypted, if TLS TX is in offload mode.
      Then in sk_validate_xmit_skb() catch skbs which have no socket
      (or a socket with no validation) and decrypted flag set.
      
      Note that CONFIG_SOCK_VALIDATE_XMIT, CONFIG_TLS_DEVICE and
      sk->sk_validate_xmit_skb are slightly interchangeable right now,
      they all imply TLS offload. The new checks are guarded by
      CONFIG_TLS_DEVICE because that's the option guarding the
      sk_buff->decrypted member.
      
      Second, smaller issue with orphaning is that it breaks
      the guarantee that packets will be delivered to device
      queues in-order. All TLS offload drivers depend on that
      scheduling property. This means skb_orphan_partial()'s
      trick of preserving partial socket references will cause
      issues in the drivers. We need a full orphan, and as a
      result netem delay/throttling will cause all TLS offload
      skbs to be dropped.
      
      Reusing the sk_buff->decrypted flag also protects from
      leaking clear text when incoming, decrypted skb is redirected
      (e.g. by TC).
      
      See commit 0608c69c ("bpf: sk_msg, sock{map|hash} redirect
      through ULP") for justification why the internal flag is safe.
      The only location which could leak the flag in is tcp_bpf_sendmsg(),
      which is taken care of by clearing the previously unused bit.
      
      v2:
       - remove superfluous decrypted mark copy (Willem);
       - remove the stale doc entry (Boris);
       - rely entirely on EOR marking to prevent coalescing (Boris);
       - use an internal sendpages flag instead of marking the socket
         (Boris).
      v3 (Willem):
       - reorganize the can_skb_orphan_partial() condition;
       - fix the flag leak-in through tcp_bpf_sendmsg.
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Acked-by: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Boris Pismenny <borisp@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5e: Use flow keys dissector to parse packets for ARFS · bfdbef8a
      Maxim Mikityanskiy authored
      [ Upstream commit 405b93eb ]
      
      The current ARFS code relies on certain fields to be set in the SKB
      (e.g. transport_header) and extracts IP addresses and ports by custom
      code that parses the packet. The necessary SKB fields, however, are not
      always set at that point, which leads to an out-of-bounds access. Use
      skb_flow_dissect_flow_keys() to get the necessary information reliably,
      fix the out-of-bounds access and reuse the code.
      
      Fixes: 18c908e4 ("net/mlx5e: Add accelerated RFS support")
      Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5e: Remove redundant check in CQE recovery flow of tx reporter · 7c682c96
      Aya Levin authored
      [ Upstream commit a4e508ca ]
      
      Remove check of recovery bit, in the beginning of the CQE recovery
      function. This test is already performed right before the reporter
      is invoked, when CQE error is detected.
      
      Fixes: de8650a8 ("net/mlx5e: Add tx reporter support")
      Signed-off-by: Aya Levin <ayal@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5e: Fix false negative indication on tx reporter CQE recovery · 0fd12075
      Aya Levin authored
      [ Upstream commit d9a2fcf5 ]
      
      Remove wrong error return value when SQ is not in error state.
      CQE recovery on TX reporter queries the sq state. If the sq is not in
      error state, the sq is either in ready or reset state. Ready state is
      good state which doesn't require recovery and reset state is a temporal
      state which ends in ready state. With this patch, CQE recovery in this
      scenario is successful.
      
      Fixes: de8650a8 ("net/mlx5e: Add tx reporter support")
      Signed-off-by: Aya Levin <ayal@mellanox.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg off · c02f1766
      Mohamad Heib authored
      [ Upstream commit 5faf5b70 ]
      
      Setting speed to 56GBASE is allowed only with auto-negotiation enabled.
      
      This patch prevents setting speed to 56GBASE when auto-negotiation is disabled.
      
      Fixes: f62b8bb8 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
      Signed-off-by: Mohamad Heib <mohamadh@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • netdevsim: Restore per-network namespace accounting for fib entries · beb811bd
      David Ahern authored
      [ Upstream commit 59c84b9f ]
      
      Prior to the commit in the fixes tag, the resource controller in netdevsim
      tracked fib entries and rules per network namespace. Restore that behavior.
      
      Fixes: 5fc49422 ("netdevsim: create devlink instance per netdevsim instance")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tc-testing: updated skbedit action tests with batch create/delete · e0b3ec04
      Roman Mashak authored
      [ Upstream commit 7bc16184 ]
      
      Update TDC tests with cases verifying ability of TC to install or delete
      batches of skbedit actions.
      Signed-off-by: Roman Mashak <mrv@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net sched: update skbedit action for batched events operations · a237148b
      Roman Mashak authored
      [ Upstream commit e1fea322 ]
      
      Add get_fill_size() routine used to calculate the action size
      when building a batch of events.
      
      Fixes: ca9b0e27 ("pkt_action: add new action skbedit")
      Signed-off-by: Roman Mashak <mrv@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Fix to include flow direction in L2 key · 13ac261e
      Somnath Kotur authored
      [ Upstream commit 9bf46566 ]
      
      FW expects the driver to provide unique flow reference handles
      for Tx or Rx flows. When a Tx flow and an Rx flow end up sharing
      a reference handle, flow offload does not seem to work.
      This could happen in the case of 2 flows having their L2 fields
      wildcarded but in different direction.
      Fix to incorporate the flow direction as part of the L2 key
      
      v2: Move the dir field to the end of the bnxt_tc_l2_key struct to
      fix the warning reported by kbuild test robot <lkp@intel.com>.
      There is existing code that initializes the structure using
      nested initializer and will warn with the new u8 field added to
      the beginning.  The structure also packs nicer when this new u8 is
      added to the end of the structure [MChan].
      
      Fixes: abd43a13 ("bnxt_en: Support for 64-bit flow handle.")
      Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Use correct src_fid to determine direction of the flow · 58516d32
      Venkat Duvvuru authored
      [ Upstream commit 685ec6a8 ]
      
      Direction of the flow is determined using src_fid. For an RX flow,
      src_fid is PF's fid and for TX flow, src_fid is VF's fid. Direction
      of the flow must be specified, when getting statistics for that flow.
      Currently, for DECAP flow, direction is determined incorrectly, i.e.,
      direction is initialized as TX for DECAP flow, instead of RX. Because
      of which, stats are not reported for this DECAP flow, though it is
      offloaded and there is traffic for that flow, resulting in flow age out.
      
      This patch fixes the problem by determining the DECAP flow's direction
      using correct fid.  Set the flow direction in all cases for consistency
      even if 64-bit flow handle is not used.
      
      Fixes: abd43a13 ("bnxt_en: Support for 64-bit flow handle.")
      Signed-off-by: Venkat Duvvuru <venkatkumar.duvvuru@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Suppress HWRM errors for HWRM_NVM_GET_VARIABLE command · 45ad3556
      Vasundhara Volam authored
      [ Upstream commit b703ba75 ]
      
      For newly added NVM parameters, older firmware may not have the support.
      Suppress the error message to avoid the unnecessary error message which is
      triggered when devlink calls the driver during initialization.
      
      Fixes: 782a624d ("bnxt_en: Add bnxt_en initial params table and register it.")
      Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails · d54cfa9d
      Vasundhara Volam authored
      [ Upstream commit dd2ebf34 ]
      
      If FW returns FRAG_ERR in response error code, driver is resending the
      command only when HWRM command returns success. Fix the code to resend
      NVM_INSTALL_UPDATE command with DEFRAG install flags, if FW returns
      FRAG_ERR in its response error code.
      
      Fixes: cb4d1d62 ("bnxt_en: Retry failed NVM_INSTALL_UPDATE with defragmentation flag enabled.")
      Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Improve RX doorbell sequence. · 889e8658
      Michael Chan authored
      [ Upstream commit e8f267b0 ]
      
      When both RX buffers and RX aggregation buffers have to be
      replenished at the end of NAPI, post the RX aggregation buffers first
      before RX buffers.  Otherwise, we may run into a situation where
      there are only RX buffers without RX aggregation buffers for a split
      second.  This will cause the hardware to abort the RX packet and
      report buffer errors, which will cause unnecessary cleanup by the
      driver.
      
      Ringing the Aggregation ring doorbell first before the RX ring doorbell
      will prevent some of these buffer errors.  Use the same sequence during
      ring initialization as well.
      
      Fixes: 697197e5 ("bnxt_en: Re-structure doorbells.")
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Fix VNIC clearing logic for 57500 chips. · 6fdedaf3
      Michael Chan authored
      [ Upstream commit a46ecb11 ]
      
      During device shutdown, the VNIC clearing sequence needs to be modified
      to free the VNIC first before freeing the RSS contexts.  The current
      code is doing the reverse and we can get mis-directed RX completions
      to CP ring ID 0 when the RSS contexts are freed and zeroed.  The clearing
      of RSS contexts is not required with the new sequence.
      
      Refactor the VNIC clearing logic into a new function bnxt_clear_vnic()
      and do the chip specific VNIC clearing sequence.
      
      Fixes: 7b3af4f7 ("bnxt_en: Add RSS support for 57500 chips.")
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5e: Only support tx/rx pause setting for port owner · 168c2657
      Huy Nguyen authored
      [ Upstream commit 466df6eb ]
      
      Only support changing tx/rx pause frame setting if the net device
      is the vport group manager.
      
      Fixes: 3c2d18ef ("net/mlx5e: Support ethtool get/set_pauseparam")
      Signed-off-by: Huy Nguyen <huyn@mellanox.com>
      Reviewed-by: Parav Pandit <parav@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xen/netback: Reset nr_frags before freeing skb · 34f2824a
      Ross Lagerwall authored
      [ Upstream commit 3a0233dd ]
      
      At this point nr_frags has been incremented but the frag does not yet
      have a page assigned so freeing the skb results in a crash. Reset
      nr_frags before freeing the skb to prevent this.
      Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tipc: initialise addr_trail_end when setting node addresses · e5cdd65c
      Chris Packham authored
      [ Upstream commit 8874ecae ]
      
      We set the field 'addr_trial_end' to 'jiffies', instead of the current
      value 0, at the moment the node address is initialized. This guarantees
      we don't inadvertently enter an address trial period when the node
      address is explicitly set by the user.
      Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
      Acked-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • team: Add vlan tx offload to hw_enc_features · 55cd9b92
      YueHaibing authored
      [ Upstream commit 227f2f03 ]
      
      We should also enable team's vlan tx offload in hw_enc_features,
      pass the vlan packets to the slave devices with vlan tci, let the
      slave handle vlan tunneling offload implementation.
      
      Fixes: 3268e5cb ("team: Advertise tunneling offload features")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sctp: fix the transport error_count check · 1a04318d
      Xin Long authored
      [ Upstream commit a1794de8 ]
      
      As the annotation says in sctp_do_8_2_transport_strike():
      
        "If the transport error count is greater than the pf_retrans
         threshold, and less than pathmaxrtx ..."
      
      It should be transport->error_count checked with pathmaxrxt,
      instead of asoc->pf_retrans.
      
      Fixes: 5aa93bcf ("sctp: Implement quick failover draft from tsvwg")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sctp: fix memleak in sctp_send_reset_streams · 07a1e155
      zhengbin authored
      [ Upstream commit 6d5afe20 ]
      
      If the stream outq is not empty, need to kfree nstr_list.
      
      Fixes: d570a59c ("sctp: only allow the out stream reset when the stream outq is empty")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: zhengbin <zhengbin13@huawei.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: sched: sch_taprio: fix memleak in error path for sched list parse · aa21b3e2
      Ivan Khoronzhuk authored
      [ Upstream commit 51650d33 ]
      
      In error case, all entries should be freed from the sched list
      before deleting it. For simplicity use rcu way.
      
      Fixes: 5a781ccb ("tc: Add support for configuring the taprio scheduler")
      Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/packet: fix race in tpacket_snd() · bd15d466
      Eric Dumazet authored
      [ Upstream commit 32d3182c ]
      
      packet_sendmsg() checks tx_ring.pg_vec to decide
      if it must call tpacket_snd().
      
      Problem is that the check is lockless, meaning another thread
      can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
      tx_ring.pg_vec back to NULL.
      
      Given that tpacket_snd() grabs pg_vec_lock mutex, we can
      perform the check again to solve the race.
      
      syzbot reported :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
      Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
      RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
      RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
      R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
      R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
      FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       packet_current_frame net/packet/af_packet.c:487 [inline]
       tpacket_snd net/packet/af_packet.c:2667 [inline]
       packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 69e3c75f ("net: TX_RING and packet mmap")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx4_en: fix a memory leak bug · ea4b1cf5
      Wenwen Wang authored
      [ Upstream commit 48ec7014 ]
      
      In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
      kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
      indirection. However, if mlx4_qp_alloc() fails, the allocated
      'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
      
      To fix the above issue, add the 'qp_alloc_err' label to free
      'rss_map->indir_qp'.
      
      Fixes: 4931c6ef ("net/mlx4_en: Optimized single ring steering")
      Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: dsa: Check existence of .port_mdb_add callback before calling it · 4c3e9cdb
      Chen-Yu Tsai authored
      [ Upstream commit 58799865 ]
      
      The dsa framework has optional .port_mdb_{prepare,add,del} callback fields
      for drivers to handle multicast database entries. When adding an entry, the
      framework goes through a prepare phase, then a commit phase. Drivers not
      providing these callbacks should be detected in the prepare phase.
      
      DSA core may still bypass the bridge layer and call the dsa_port_mdb_add
      function directly with no prepare phase or no switchdev trans object,
      and the framework ends up calling an undefined .port_mdb_add callback.
      This results in a NULL pointer dereference, as shown in the log below.
      
      The other functions seem to be properly guarded. Do the same for
      .port_mdb_add in dsa_switch_mdb_add_bitmap() as well.
      
          8<--- cut here ---
          Unable to handle kernel NULL pointer dereference at virtual address 00000000
          pgd = (ptrval)
          [00000000] *pgd=00000000
          Internal error: Oops: 80000005 [#1] SMP ARM
          Modules linked in: rtl8xxxu rtl8192cu rtl_usb rtl8192c_common rtlwifi mac80211 cfg80211
          CPU: 1 PID: 134 Comm: kworker/1:2 Not tainted 5.3.0-rc1-00247-gd3519030752a #1
          Hardware name: Allwinner sun7i (A20) Family
          Workqueue: events switchdev_deferred_process_work
          PC is at 0x0
          LR is at dsa_switch_event+0x570/0x620
          pc : [<00000000>]    lr : [<c08533ec>]    psr: 80070013
          sp : ee871db8  ip : 00000000  fp : ee98d0a4
          r10: 0000000c  r9 : 00000008  r8 : ee89f710
          r7 : ee98d040  r6 : ee98d088  r5 : c0f04c48  r4 : ee98d04c
          r3 : 00000000  r2 : ee89f710  r1 : 00000008  r0 : ee98d040
          Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
          Control: 10c5387d  Table: 6deb406a  DAC: 00000051
          Process kworker/1:2 (pid: 134, stack limit = 0x(ptrval))
          Stack: (0xee871db8 to 0xee872000)
          1da0:                                                       ee871e14 103ace2d
          1dc0: 00000000 ffffffff 00000000 ee871e14 00000005 00000000 c08524a0 00000000
          1de0: ffffe000 c014bdfc c0f04c48 ee871e98 c0f04c48 ee9e5000 c0851120 c014bef0
          1e00: 00000000 b643aea2 ee9b4068 c08509a8 ee2bf940 ee89f710 ee871ecb 00000000
          1e20: 00000008 103ace2d 00000000 c087e248 ee29c868 103ace2d 00000001 ffffffff
          1e40: 00000000 ee871e98 00000006 00000000 c0fb2a50 c087e2d0 ffffffff c08523c4
          1e60: ffffffff c014bdfc 00000006 c0fad2d0 ee871e98 ee89f710 00000000 c014c500
          1e80: 00000000 ee89f3c0 c0f04c48 00000000 ee9e5000 c087dfb4 ee9e5000 00000000
          1ea0: ee89f710 ee871ecb 00000001 103ace2d 00000000 c0f04c48 00000000 c087e0a8
          1ec0: 00000000 efd9a3e0 0089f3c0 103ace2d ee89f700 ee89f710 ee9e5000 00000122
          1ee0: 00000100 c087e130 ee89f700 c0fad2c8 c1003ef0 c087de4c 2e928000 c0fad2ec
          1f00: c0fad2ec ee839580 ef7a62c0 ef7a9400 00000000 c087def8 c0fad2ec c01447dc
          1f20: ef315640 ef7a62c0 00000008 ee839580 ee839594 ef7a62c0 00000008 c0f03d00
          1f40: ef7a62d8 ef7a62c0 ffffe000 c0145b84 ffffe000 c0fb2420 c0bfaa8c 00000000
          1f60: ffffe000 ee84b600 ee84b5c0 00000000 ee870000 ee839580 c0145b40 ef0e5ea4
          1f80: ee84b61c c014a6f8 00000001 ee84b5c0 c014a5b0 00000000 00000000 00000000
          1fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
          1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
          1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
          [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          [<c014bdfc>] (notifier_call_chain) from [<c014bef0>] (raw_notifier_call_chain+0x18/0x20)
          [<c014bef0>] (raw_notifier_call_chain) from [<c08509a8>] (dsa_port_mdb_add+0x48/0x74)
          [<c08509a8>] (dsa_port_mdb_add) from [<c087e248>] (__switchdev_handle_port_obj_add+0x54/0xd4)
          [<c087e248>] (__switchdev_handle_port_obj_add) from [<c087e2d0>] (switchdev_handle_port_obj_add+0x8/0x14)
          [<c087e2d0>] (switchdev_handle_port_obj_add) from [<c08523c4>] (dsa_slave_switchdev_blocking_event+0x94/0xa4)
          [<c08523c4>] (dsa_slave_switchdev_blocking_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          [<c014bdfc>] (notifier_call_chain) from [<c014c500>] (blocking_notifier_call_chain+0x50/0x68)
          [<c014c500>] (blocking_notifier_call_chain) from [<c087dfb4>] (switchdev_port_obj_notify+0x44/0xa8)
          [<c087dfb4>] (switchdev_port_obj_notify) from [<c087e0a8>] (switchdev_port_obj_add_now+0x90/0x104)
          [<c087e0a8>] (switchdev_port_obj_add_now) from [<c087e130>] (switchdev_port_obj_add_deferred+0x14/0x5c)
          [<c087e130>] (switchdev_port_obj_add_deferred) from [<c087de4c>] (switchdev_deferred_process+0x64/0x104)
          [<c087de4c>] (switchdev_deferred_process) from [<c087def8>] (switchdev_deferred_process_work+0xc/0x14)
          [<c087def8>] (switchdev_deferred_process_work) from [<c01447dc>] (process_one_work+0x218/0x50c)
          [<c01447dc>] (process_one_work) from [<c0145b84>] (worker_thread+0x44/0x5bc)
          [<c0145b84>] (worker_thread) from [<c014a6f8>] (kthread+0x148/0x150)
          [<c014a6f8>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
          Exception stack(0xee871fb0 to 0xee871ff8)
          1fa0:                                     00000000 00000000 00000000 00000000
          1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
          1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
          Code: bad PC value
          ---[ end trace 1292c61abd17b130 ]---
      
          [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
          corresponds to
      
      	$ arm-linux-gnueabihf-addr2line -C -i -e vmlinux c08533ec
      
      	linux/net/dsa/switch.c:156
      	linux/net/dsa/switch.c:178
      	linux/net/dsa/switch.c:328
      
      Fixes: e6db98db ("net: dsa: add switch mdb bitmap functions")
      Signed-off-by: Chen-Yu Tsai <wens@csie.org>
      Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c3e9cdb
    • YueHaibing's avatar
      bonding: Add vlan tx offload to hw_enc_features · d66635a0
      YueHaibing authored
      [ Upstream commit d595b03d ]
      
      As commit 30d8177e ("bonding: Always enable vlan tx offload")
      said, we should always enable bonding's vlan tx offload, pass the
      vlan packets to the slave devices with vlan tci, and let them handle
      the vlan implementation.
      
      Now if encapsulation protocols like VXLAN are used, skb->encapsulation
      may be set, then the packet is passed to the vlan device which is based
      on the bonding device. However in netif_skb_features(), the check of
      hw_enc_features:
      
      	if (skb->encapsulation)
      		features &= dev->hw_enc_features;
      
      clears NETIF_F_HW_VLAN_CTAG_TX/NETIF_F_HW_VLAN_STAG_TX. This results
      in the same issue as in commit 30d8177e, like this:
      
      vlan_dev_hard_start_xmit
        -->dev_queue_xmit
          -->validate_xmit_skb
            -->netif_skb_features //NETIF_F_HW_VLAN_CTAG_TX is cleared
            -->validate_xmit_vlan
              -->__vlan_hwaccel_push_inside //skb->tci is cleared
      ...
       --> bond_start_xmit
         --> bond_xmit_hash //BOND_XMIT_POLICY_ENCAP34
           --> __skb_flow_dissect // nhoff point to IP header
              -->  case htons(ETH_P_8021Q)
                   // skb_vlan_tag_present is false, so
                   vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
                   //vlan point to ip header wrongly
      
      Fixes: b2a103e6 ("bonding: convert to ndo_fix_features")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d66635a0
    • Manish Chopra's avatar
      bnx2x: Fix VF's VLAN reconfiguration in reload. · 5d6f83b9
      Manish Chopra authored
      [ Upstream commit 4a4d2d37 ]
      
      Commit 04f05230 ("bnx2x: Remove configured vlans as
      part of unload sequence."), introduced a regression in the driver
      such that, as a part of the VF's reload flow, VLANs created on the VF
      don't get re-configured in hardware as vlan metadata/info
      was not getting cleared for the VFs, which causes vlan PING to stop.
      
      This patch clears the vlan metadata/info so that VLANs get
      re-configured back in the hardware in the VF's reload flow and
      PING/traffic continues for VLANs created over the VFs.
      
      Fixes: 04f05230 ("bnx2x: Remove configured vlans as part of unload sequence.")
      Signed-off-by: Manish Chopra <manishc@marvell.com>
      Signed-off-by: Sudarsana Kalluru <skalluru@marvell.com>
      Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      5d6f83b9
    • YueHaibing's avatar
      Input: psmouse - fix build error of multiple definition · e8904e5e
      YueHaibing authored
      commit 49e6979e upstream.
      
      trackpoint_detect() should be static inline while
      CONFIG_MOUSE_PS2_TRACKPOINT is not set, otherwise the build fails:
      
      drivers/input/mouse/alps.o: In function `trackpoint_detect':
      alps.c:(.text+0x8e00): multiple definition of `trackpoint_detect'
      drivers/input/mouse/psmouse-base.o:psmouse-base.c:(.text+0x1b50): first defined here
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Fixes: 55e3d922 ("Input: psmouse - allow disabing certain protocol extensions")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: Hui Wang <hui.wang@canonical.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8904e5e
    • Haim Dreyfuss's avatar
      iwlwifi: Add support for SAR South Korea limitation · 825169c9
      Haim Dreyfuss authored
      commit 0c3d7282 upstream.
      
      South Korea is adding a more strict SAR limit called "Limb SAR".
      Currently, WGDS SAR offset group 3 is not used (not mapped to any country).
      In order to be able to comply with South Korea's new restriction:
      - OEM will use WGDS SAR offset group 3 for the South Korea limitation.
      - OEM will change WGDS revision to 1 (currently latest revision is 0)
      	to notify that Korea Limb SAR applied.
      - Driver will read the WGDS table and pass the values to FW (as usual)
      - Driver will pass to FW an indication that Korea Limb SAR is applied
      	in case table revision is 1.
      Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      825169c9
    • Dirk Morris's avatar
      netfilter: conntrack: Use consistent ct id hash calculation · 9aaf2243
      Dirk Morris authored
      commit 656c8e9c upstream.
      
      Change ct id hash calculation to only use invariants.
      
      Currently the ct id hash calculation is based on some fields that can
      change in the lifetime of a conntrack entry in some corner cases. The
      current hash uses the whole tuple which contains an hlist pointer which
      will change when the conntrack is placed on the dying list resulting in
      a ct id change.
      
      This patch also removes the reply-side tuple and extension pointer from
      the hash calculation so that the ct id will not change from
      initialization until confirmation.
      
      Fixes: 3c791076 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
      Signed-off-by: Dirk Morris <dmorris@metaloft.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      9aaf2243
    • Thiébaud Weksteen's avatar
      usb: setup authorized_default attributes using usb_bus_notify · 178398e1
      Thiébaud Weksteen authored
      commit 27709ae4 upstream.
      
      Currently, the authorized_default and interface_authorized_default
      attributes for HCD are set up after the uevent has been sent to userland.
      This creates a race condition where userland may fail to access this
      file when processing the event. Move the appending of these attributes
      earlier relying on the usb_bus_notify dispatcher.
      Signed-off-by: Thiébaud Weksteen <tweek@google.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20190806110050.38918-1-tweek@google.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      178398e1
    • Tony Lindgren's avatar
      USB: serial: option: Add Motorola modem UARTs · 24223b9c
      Tony Lindgren authored
      commit 6caf0be4 upstream.
      
      On Motorola Mapphone devices such as Droid 4 there are five USB ports
      that do not use the same layout as Gobi 1K/2K/etc devices listed in
      qcserial.c. So we should use qcaux.c or option.c as noted by
      Dan Williams <dan.j.williams@intel.com>.
      
      As the Motorola USB serial ports have an interrupt endpoint as shown
      with lsusb -v, we should use option.c instead of qcaux.c as pointed out
      by Johan Hovold <johan@kernel.org>.
      
      The ff/ff/ff interfaces seem to always be UARTs on Motorola devices.
      For the other interfaces, class 0x0a (CDC Data) should not in general
      be added as they are typically part of a multi-interface function as
      noted earlier by Bjørn Mork <bjorn@mork.no>.
      
      However, looking at the Motorola mapphone kernel code, the mdm6600 0x0a
      class is only used for flashing the modem firmware, and there are no
      other interfaces. So I've added that too with more details below as it
      works just fine.
      
      The ttyUSB ports on Droid 4 are:
      
      ttyUSB0 DIAG, CQDM-capable
      ttyUSB1 MUX or NMEA, no response
      ttyUSB2 MUX or NMEA, no response
      ttyUSB3 TCMD
      ttyUSB4 AT-capable
      
      The ttyUSB0 is detected as QCDM capable by ModemManager. I think
      it's only used for debugging with ModemManager --debug for sending
      custom AT commands though. ModemManager already can manage data
      connection using the USB QMI ports that are already handled by the
      qmi_wwan.c driver.
      
      To enable the MUX or NMEA ports, it seems that something needs to be
      done additionally to enable them, maybe via the DIAG or TCMD port.
      It might be just a NVRAM setting somewhere, but I have no idea what
      NVRAM settings may need changing for that.
      
      The TCMD port seems to be a Motorola custom protocol for testing
      the modem and to configure its NVRAM and seems to work just fine
      based on a quick test with a minimal tcmdrw tool I wrote.
      
      The voice modem AT-capable port seems to provide only partial
      support, and no PM support compared to the TS 27.010 based UART
      wired directly to the modem.
      
      The UARTs added with this change are the same product IDs as the
      Motorola Mapphone Android Linux kernel mdm6600_id_table. I don't
      have any mdm9600 based devices, so I have only tested these on
      mdm6600 based droid 4.
      
      Then for the class 0x0a (CDC Data) mode, the Motorola Mapphone Android
      Linux kernel driver moto_flashqsc.c just seems to change the
      port->bulk_out_size to 8K from the default. And is only used for
      flashing the modem firmware it seems.
      
      I've verified that flashing the modem with signed firmware works just
      fine with the option driver after manually toggling the GPIO pins, so
      I've added droid 4 modem flashing mode to the option driver. I've not
      added the other devices listed in moto_flashqsc.c in case they really
      need different port->bulk_out_size. Those can be added as they get
      tested to work for flashing the modem.
      
      After this patch the output of /sys/kernel/debug/usb/devices has
      the following for normal 22b8:2a70 mode including the related qmi_wwan
      interfaces:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22b8 ProdID=2a70 Rev= 0.00
      S:  Manufacturer=Motorola, Incorporated
      S:  Product=Flash MZ600
      C:* #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=8a(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=07(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=8b(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=8c(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=08(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=8d(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=8e(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=09(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      
      In 22b8:900e "qc_dload" mode the device shows up as:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22b8 ProdID=900e Rev= 0.00
      S:  Manufacturer=Motorola, Incorporated
      S:  Product=Flash MZ600
      C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      
      And in 22b8:4281 "ram_downloader" mode the device shows up as:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22b8 ProdID=4281 Rev= 0.00
      S:  Manufacturer=Motorola, Incorporated
      S:  Product=Flash MZ600
      C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=fc Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      
      Cc: Bjørn Mork <bjorn@mork.no>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Lars Melin <larsm17@gmail.com>
      Cc: Marcel Partap <mpartap@gmx.net>
      Cc: Merlijn Wajer <merlijn@wizzup.org>
      Cc: Michael Scott <hashcode0f@gmail.com>
      Cc: NeKit <nekit1000@gmail.com>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Sebastian Reichel <sre@kernel.org>
      Tested-by: Pavel Machek <pavel@ucw.cz>
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      24223b9c
    • Bob Ham's avatar
      USB: serial: option: add the BroadMobi BM818 card · efb1afa1
      Bob Ham authored
      commit e5d8badf upstream.
      
      Add a VID:PID for the BroadMobi BM818 M.2 card
      
      T:  Bus=01 Lev=03 Prnt=40 Port=03 Cnt=01 Dev#= 44 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=2060 Rev=00.00
      S:  Manufacturer=Qualcomm, Incorporated
      S:  Product=Qualcomm CDMA Technologies MSM
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=(none)
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      Signed-off-by: Bob Ham <bob.ham@puri.sm>
      Signed-off-by: Angus Ainslie (Purism) <angus@akkea.ca>
      Cc: stable <stable@vger.kernel.org>
      [ johan: use USB_DEVICE_INTERFACE_CLASS() ]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      efb1afa1
    • Yoshiaki Okamoto's avatar
      USB: serial: option: Add support for ZTE MF871A · 27894257
      Yoshiaki Okamoto authored
      commit 7e7ae38b upstream.
      
      This patch adds support for MF871A USB modem (aka Speed USB STICK U03)
      to option driver. This modem is manufactured by ZTE corporation, and
      sold by KDDI.
      
      Interface layout:
      0: AT
      1: MODEM
      
      usb-devices output:
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  9 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=19d2 ProdID=1481 Rev=52.87
      S:  Manufacturer=ZTE,Incorporated
      S:  Product=ZTE Technologies MSM
      S:  SerialNumber=1234567890ABCDEF
      C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      Co-developed-by: Hiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
      Signed-off-by: Hiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
      Signed-off-by: Yoshiaki Okamoto <yokamoto@allied-telesis.co.jp>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      27894257
    • Rogan Dawes's avatar
      USB: serial: option: add D-Link DWM-222 device ID · 57abf8f9
      Rogan Dawes authored
      commit 552573e4 upstream.
      
      Add device id for D-Link DWM-222 A2.
      
      MI_00 D-Link HS-USB Diagnostics
      MI_01 D-Link HS-USB Modem
      MI_02 D-Link HS-USB AT Port
      MI_03 D-Link HS-USB NMEA
      MI_04 D-Link HS-USB WWAN Adapter (qmi_wwan)
      MI_05 USB Mass Storage Device
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Rogan Dawes <rogan@dawes.za.net>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      57abf8f9
    • Oliver Neukum's avatar
      USB: CDC: fix sanity checks in CDC union parser · 58ab4f8f
      Oliver Neukum authored
      commit 54364278 upstream.
      
      A few checks checked for the size of the pointer to a structure
      instead of the structure itself. Copy & paste issue presumably.
      
      Fixes: e4c6fb77 ("usbnet: move the CDC parser into USB core")
      Cc: stable <stable@vger.kernel.org>
      Reported-by: syzbot+45a53506b65321c1fe91@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20190813093541.18889-1-oneukum@suse.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      58ab4f8f
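
The class of bug the commit message above describes, as an added example (not code from the kernel or from the commit): a length check written against the size of a pointer admits a descriptor shorter than the structure the parser goes on to treat it as. `struct demo_desc`, the subtype value, `walk()` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical class-specific descriptor (not a real CDC structure):
 * 3 header bytes followed by a 16-byte GUID, 19 bytes on the wire. */
struct demo_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubType;
    uint8_t guid[16];
};
_Static_assert(sizeof(struct demo_desc) == 19, "no padding expected");

#define DEMO_CS_INTERFACE 0x24 /* class-specific interface descriptor */
#define DEMO_SUBTYPE      0x7f /* constructed subtype value */

/* Constructed input: a truncated descriptor followed by a well-formed one. */
static const uint8_t constructed_sample[] = {
    /* claims DEMO_SUBTYPE but is only 10 bytes long */
    10, 0x24, 0x7f, 1, 2, 3, 4, 5, 6, 7,
    /* full 19-byte descriptor */
    19, 0x24, 0x7f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
};

enum check { CHECK_POINTER_SIZE, CHECK_STRUCT_SIZE };

struct result {
    int accepted;    /* descriptors that passed the size check */
    size_t overread; /* struct bytes lying past the descriptors' own ends */
};

/* Walk a descriptor blob the way a class parser does: trust bLength only
 * after bounding it, then size-check each descriptor of interest. */
static struct result walk(const uint8_t *buf, size_t len, enum check mode)
{
    struct result r = { 0, 0 };

    while (len >= 3) {
        size_t elength = buf[0];

        if (elength < 3 || elength > len)
            break; /* malformed: stop instead of walking off the end */

        if (buf[1] == DEMO_CS_INTERFACE && buf[2] == DEMO_SUBTYPE) {
            /* The defect: sizeof(T *) is 4 or 8, not the 19 bytes of T. */
            size_t need = (mode == CHECK_STRUCT_SIZE)
                              ? sizeof(struct demo_desc)
                              : sizeof(struct demo_desc *);
            if (elength >= need) {
                r.accepted++;
                if (elength < sizeof(struct demo_desc))
                    r.overread += sizeof(struct demo_desc) - elength;
            }
        }
        buf += elength;
        len -= elength;
    }
    return r;
}

int main(void)
{
    struct result weak = walk(constructed_sample, sizeof constructed_sample,
                              CHECK_POINTER_SIZE);
    struct result fixed = walk(constructed_sample, sizeof constructed_sample,
                               CHECK_STRUCT_SIZE);

    printf("pointer-size check: accepted=%d overread=%zu\n",
           weak.accepted, weak.overread);
    printf("struct-size check:  accepted=%d overread=%zu\n",
           fixed.accepted, fixed.overread);
    return 0;
}
```

With the pointer-size check the truncated descriptor is accepted, so any later use of it as a full `struct demo_desc` reads the neighbouring descriptor's bytes or, for the last descriptor in a blob, memory past the buffer.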
    • Oliver Neukum's avatar
      usb: cdc-acm: make sure a refcount is taken early enough · 058a394e
      Oliver Neukum authored
      commit c52873e5 upstream.
      
      destroy() will decrement the refcount on the interface, so that
      it needs to be taken so early that it never undercounts.
      
      Fixes: 7fb57a01 ("USB: cdc-acm: Fix potential deadlock (lockdep warning)")
      Cc: stable <stable@vger.kernel.org>
      Reported-and-tested-by: syzbot+1b2449b7b5dc240d107a@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20190808142119.7998-1-oneukum@suse.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      058a394e
    • Yoshihiro Shimoda's avatar
      usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role" · da395ccd
      Yoshihiro Shimoda authored
      commit 5dac665c upstream.
      
      Since the role_store() uses strncmp(), it's possible to refer
      out-of-memory if the sysfs data size is smaller than strlen("host").
      This patch fixes it by using sysfs_streq() instead of strncmp().
      
      Fixes: cc995c9e ("usb: gadget: udc: renesas_usb3: add support for usb role swap")
      Cc: <stable@vger.kernel.org> # v4.12+
      Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      da395ccd