Commit 010b6761 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 

Pull networking fixes from Jakub Kicinski:
 "Including fixes from bluetooth, can and netfilter.

  Current release - new code bugs:

   - bonding: ipv6: correct address used in Neighbour Advertisement
     parsing (src vs dst typo)

   - fec: properly scope IRQ coalesce setup during link up to supported
     chips only

  Previous releases - regressions:

   - Bluetooth fixes for fake CSR clones (knockoffs):
       - re-add ERR_DATA_REPORTING quirk
       - fix crash when device is replugged

   - Bluetooth:
       - silence a user-triggerable dmesg error message
       - L2CAP: fix u8 overflow, oob access
       - correct vendor codec definition
       - fix support for Read Local Supported Codecs V2

   - ti: am65-cpsw: fix RGMII configuration at SPEED_10

   - mana: fix race on per-CQ variable NAPI work_done

  Previous releases - always broken:

   - af_unix: diag: fetch user_ns from in_skb in unix_diag_get_exact(),
     avoid null-deref

   - af_can: fix NULL pointer dereference in can_rcv_filter

   - can: slcan: fix UAF with a freed work

   - can: can327: flush TX_work on ldisc .close()

   - macsec: add missing attribute validation for offload

   - ipv6: avoid use-after-free in ip6_fragment()

   - nft_set_pipapo: actually validate intervals in fields after the
     first one

   - mvneta: prevent oob access in mvneta_config_rss()

   - ipv4: fix incorrect route flushing when table ID 0 is used, or when
     source address is deleted

   - phy: mxl-gpy: add workaround for IRQ bug on GPY215B and GPY215C"

* tag 'net-6.1-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (77 commits)
  net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
  s390/qeth: fix use-after-free in hsci
  macsec: add missing attribute validation for offload
  net: mvneta: Fix an out of bounds check
  net: thunderbolt: fix memory leak in tbnet_open()
  ipv6: avoid use-after-free in ip6_fragment()
  net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
  net: phy: mxl-gpy: add MDINT workaround
  net: dsa: mv88e6xxx: accept phy-mode = "internal" for internal PHY ports
  xen/netback: don't call kfree_skb() under spin_lock_irqsave()
  dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()
  ethernet: aeroflex: fix potential skb leak in greth_init_rings()
  tipc: call tipc_lxc_xmit without holding node_read_lock
  can: esd_usb: Allow REC and TEC to return to zero
  can: can327: flush TX_work on ldisc .close()
  can: slcan: fix freed work crash
  can: af_can: fix NULL pointer dereference in can_rcv_filter
  net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
  ipv4: Fix incorrect route flushing when table ID 0 is used
  ipv4: Fix incorrect route flushing when source address is deleted
  ...
parents ce19275f f8bac7f9

.clang-format

+1 −0
Original line number Diff line number Diff line
@@ -535,6 +535,7 @@ ForEachMacros: 
  - 'perf_hpp_list__for_each_sort_list_safe'

  - 'perf_pmu__for_each_hybrid_pmu'

  - 'ping_portaddr_for_each_entry'

  - 'ping_portaddr_for_each_entry_rcu'

  - 'plist_for_each'

  - 'plist_for_each_continue'

  - 'plist_for_each_entry'

drivers/bluetooth/btusb.c

+6 −0
Original line number Diff line number Diff line
@@ -2056,6 +2056,11 @@ static int btusb_setup_csr(struct hci_dev *hdev) 


	rp = (struct hci_rp_read_local_version *)skb->data;



	bt_dev_info(hdev, "CSR: Setting up dongle with HCI ver=%u rev=%04x; LMP ver=%u subver=%04x; manufacturer=%u",

		le16_to_cpu(rp->hci_ver), le16_to_cpu(rp->hci_rev),

		le16_to_cpu(rp->lmp_ver), le16_to_cpu(rp->lmp_subver),

		le16_to_cpu(rp->manufacturer));



	/* Detect a wide host of Chinese controllers that aren't CSR.

	 *

	 * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891
@@ -2118,6 +2123,7 @@ static int btusb_setup_csr(struct hci_dev *hdev) 
		 * without these the controller will lock up.

		 */

		set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);

		set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks);

		set_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks);

		set_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks);

drivers/net/bonding/bond_main.c

+1 −1
Original line number Diff line number Diff line
@@ -3247,7 +3247,7 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, 
		goto out;



	saddr = &combined->ip6.saddr;

	daddr = &combined->ip6.saddr;

	daddr = &combined->ip6.daddr;



	slave_dbg(bond->dev, slave->dev, "%s: %s/%d av %d sv %d sip %pI6c tip %pI6c\n",

		  __func__, slave->dev->name, bond_slave_state(slave),

drivers/net/can/can327.c

+10 −7
Original line number Diff line number Diff line
@@ -796,9 +796,9 @@ static int can327_netdev_close(struct net_device *dev) 


	netif_stop_queue(dev);



	/* Give UART one final chance to flush. */

	clear_bit(TTY_DO_WRITE_WAKEUP, &elm->tty->flags);

	flush_work(&elm->tx_work);

	/* We don't flush the UART TX queue here, as we want final stop

	 * commands (like the above dummy char) to be flushed out.

	 */



	can_rx_offload_disable(&elm->offload);

	elm->can.state = CAN_STATE_STOPPED;
@@ -1069,12 +1069,15 @@ static void can327_ldisc_close(struct tty_struct *tty) 
{

	struct can327 *elm = (struct can327 *)tty->disc_data;



	/* unregister_netdev() calls .ndo_stop() so we don't have to.

	 * Our .ndo_stop() also flushes the TTY write wakeup handler,

	 * so we can safely set elm->tty = NULL after this.

	 */

	/* unregister_netdev() calls .ndo_stop() so we don't have to. */

	unregister_candev(elm->dev);



	/* Give UART one final chance to flush.

	 * No need to clear TTY_DO_WRITE_WAKEUP since .write_wakeup() is

	 * serialised against .close() and will not be called once we return.

	 */

	flush_work(&elm->tx_work);



	/* Mark channel as dead */

	spin_lock_bh(&elm->lock);

	tty->disc_data = NULL;

drivers/net/can/slcan/slcan-core.c

+6 −4
Original line number Diff line number Diff line
@@ -864,12 +864,14 @@ static void slcan_close(struct tty_struct *tty) 
{

	struct slcan *sl = (struct slcan *)tty->disc_data;



	/* unregister_netdev() calls .ndo_stop() so we don't have to.

	 * Our .ndo_stop() also flushes the TTY write wakeup handler,

	 * so we can safely set sl->tty = NULL after this.

	 */

	unregister_candev(sl->dev);



	/*

	 * The netdev needn't be UP (so .ndo_stop() is not called). Hence make

	 * sure this is not running before freeing it up.

	 */

	flush_work(&sl->tx_work);



	/* Mark channel as dead */

	spin_lock_bh(&sl->lock);

	tty->disc_data = NULL;