Commit 453a4a5f authored by Linus Torvalds
Pull networking fixes from Paolo Abeni:
 "Including fixes from Bluetooth, CAN, IPsec and Netfilter.

  Notably, this includes the fix for the Bluetooth regression that you
  were notified about. I'm not aware of any other pending regressions.

  Current release - regressions:

    - bluetooth:
       - fix stack-out-of-bounds read in l2cap_ecred_conn_req
       - fix regressions caused by reusing ident

    - netfilter: revisit array resize logic

    - eth: ice: set max queues in alloc_etherdev_mqs()

  Previous releases - regressions:

    - core: correctly handle tunneled traffic on IPV6_CSUM GSO fallback

    - bluetooth:
       - fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
       - fix deadlock in l2cap_conn_del()

    - sched: codel: fix stale state for empty flows in fq_codel

    - ipv6: remove permanent routes from tb6_gc_hlist when all exceptions expire.

    - xfrm: fix skb_put() panic on non-linear skb during reassembly

    - openvswitch:
       - avoid releasing netdev before teardown completes
       - validate MPLS set/set_masked payload length

    - eth: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()

  Previous releases - always broken:

    - bluetooth: fix null-ptr-deref on l2cap_sock_ready_cb

    - udp: fix wildcard bind conflict check when using hash2

    - netfilter: fix use of uninitialized rtp_addr in process_sdp

    - tls: Purge async_hold in tls_decrypt_async_wait()

    - xfrm:
       - prevent policy_hthresh.work from racing with netns teardown
       - fix skb leak with espintcp and async crypto

    - smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer

    - can:
       - add missing error handling to call can_ctrlmode_changelink()
       - fix OOB heap access in cgw_csum_crc8_rel()

    - eth:
       - mana: fix use-after-free in add_adev() error path
       - virtio-net: fix for VIRTIO_NET_F_GUEST_HDRLEN
       - bcmasp: fix double free of WoL irq"

* tag 'net-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (90 commits)
  net: macb: use the current queue number for stats
  netfilter: ctnetlink: use netlink policy range checks
  netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
  netfilter: nf_conntrack_expect: skip expectations in other netns via proc
  netfilter: nf_conntrack_expect: store netns and zone in expectation
  netfilter: ctnetlink: ensure safe access to master conntrack
  netfilter: nf_conntrack_expect: use expect->helper
  netfilter: nf_conntrack_expect: honor expectation helper field
  netfilter: nft_set_rbtree: revisit array resize logic
  netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
  netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
  tls: Purge async_hold in tls_decrypt_async_wait()
  selftests: netfilter: nft_concat_range.sh: add check for flush+reload bug
  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
  Bluetooth: btusb: clamp SCO altsetting table indices
  Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
  Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
  Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
  Bluetooth: L2CAP: Fix send LE flow credits in ACL link
  net: mana: fix use-after-free in add_adev() error path
  ...
parents 75c78a4f db472c34
+8 −3
@@ -251,11 +251,13 @@ void btintel_hw_error(struct hci_dev *hdev, u8 code)

	bt_dev_err(hdev, "Hardware error 0x%2.2x", code);

	hci_req_sync_lock(hdev);

	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(skb)) {
		bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
			   PTR_ERR(skb));
		return;
		goto unlock;
	}
	kfree_skb(skb);

@@ -263,18 +265,21 @@ void btintel_hw_error(struct hci_dev *hdev, u8 code)
	if (IS_ERR(skb)) {
		bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
			   PTR_ERR(skb));
		return;
		goto unlock;
	}

	if (skb->len != 13) {
		bt_dev_err(hdev, "Exception info size mismatch");
		kfree_skb(skb);
		return;
		goto unlock;
	}

	bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));

	kfree_skb(skb);

unlock:
	hci_req_sync_unlock(hdev);
}
EXPORT_SYMBOL_GPL(btintel_hw_error);
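Review bot: The `bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));` line near the end of the second hunk prints controller-supplied bytes with an unbounded `%s`. The only validation visible is `skb->len != 13`, which fixes the payload at 13 bytes but does not show that the 12 bytes after the first contain a NUL terminator; if the controller omits it, the format would read past the validated data into the kernel log. Bounding the conversion keeps the read inside the checked length: `bt_dev_err(hdev, "Exception info %.12s", (char *)(skb->data + 1));`. The function's opening lines are outside the hunk, so any earlier check is not visible here.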

+4 −1
@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
		if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
			if (hdev->voice_setting & 0x0020) {
				static const int alts[3] = { 2, 4, 5 };
				unsigned int sco_idx;

				new_alts = alts[data->sco_num - 1];
				sco_idx = min_t(unsigned int, data->sco_num - 1,
						ARRAY_SIZE(alts) - 1);
				new_alts = alts[sco_idx];
			} else {
				new_alts = data->sco_num;
			}
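Review bot: In the `min_t(unsigned int, data->sco_num - 1, ARRAY_SIZE(alts) - 1)` clamp, a `sco_num` of 0 makes `data->sco_num - 1` wrap to a large unsigned value that is then clamped to the last entry, so 0 and any count above 3 both silently select `alts[2]`. Whether 0 can reach this branch depends on checks outside the hunk, so this is a documentation request rather than a confirmed defect. A comment above the clamp would record the intent, e.g. `/* sco_num outside 1..3 (including 0, which wraps) falls back to the last alt setting */`. btusb_work starts and ends outside the hunk.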
+2 −0
@@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
	if (err || !fw->data || !fw->size) {
		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
			   err, bts_scr_name);
		if (!err)
			release_firmware(fw);
		return -EINVAL;
	}
	ptr = (void *)fw->data;
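Review bot: The failure branch at the top of the hunk still logs `request_firmware failed(errno %d)` and returns `-EINVAL` for every cause, so the case the new `if (!err)` handles (the call succeeded but the blob is empty) is reported as "failed(errno 0)", and a real error code in `err` is dropped. Propagating it keeps the cause visible to callers: `return err ? err : -EINVAL;`. If callers depend on `-EINVAL` specifically, which is not visible here, keep the return value and only give the empty-blob case its own message. download_firmware begins and continues outside the hunk.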
+3 −1
@@ -601,7 +601,9 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
	/* We need synchronization with dev->stop() */
	ASSERT_RTNL();

	can_ctrlmode_changelink(dev, data, extack);
	err = can_ctrlmode_changelink(dev, data, extack);
	if (err)
		return err;

	if (data[IFLA_CAN_BITTIMING]) {
		struct can_bittiming bt;
+24 −5
@@ -1225,7 +1225,11 @@ static int mcp251x_open(struct net_device *net)
	}

	mutex_lock(&priv->mcp_lock);
	mcp251x_power_enable(priv->transceiver, 1);
	ret = mcp251x_power_enable(priv->transceiver, 1);
	if (ret) {
		dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
		goto out_close_candev;
	}

	priv->force_quit = 0;
	priv->tx_skb = NULL;
@@ -1272,6 +1276,7 @@ static int mcp251x_open(struct net_device *net)
	mcp251x_hw_sleep(spi);
out_close:
	mcp251x_power_enable(priv->transceiver, 0);
out_close_candev:
	close_candev(net);
	mutex_unlock(&priv->mcp_lock);
	if (release_irq)
@@ -1516,11 +1521,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
{
	struct spi_device *spi = to_spi_device(dev);
	struct mcp251x_priv *priv = spi_get_drvdata(spi);
	int ret = 0;

	if (priv->after_suspend & AFTER_SUSPEND_POWER) {
		ret = mcp251x_power_enable(priv->power, 1);
		if (ret) {
			dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
			return ret;
		}
	}

	if (priv->after_suspend & AFTER_SUSPEND_UP) {
		ret = mcp251x_power_enable(priv->transceiver, 1);
		if (ret) {
			dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
			if (priv->after_suspend & AFTER_SUSPEND_POWER)
		mcp251x_power_enable(priv->power, 1);
	if (priv->after_suspend & AFTER_SUSPEND_UP)
		mcp251x_power_enable(priv->transceiver, 1);
				mcp251x_power_enable(priv->power, 0);
			return ret;
		}
	}

	if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
		queue_work(priv->wq, &priv->restart_work);
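Review bot: In mcp251x_can_resume, the two new `return ret;` paths exit before `queue_work(priv->wq, &priv->restart_work)` and before anything that follows it outside the hunk, and the hunk does not change `priv->after_suspend` on those paths. If the remainder of the function restores state that suspend turned off, a failed resume now skips it and leaves the suspend flags set for the next cycle; that part is not visible here, so this is an inference to confirm. The rollback call `mcp251x_power_enable(priv->power, 0);` also ignores its result, which is reasonable for cleanup but worth stating. A comment above the first `return ret;` would document both, e.g. `/* resume aborted: restart_work is not queued and after_suspend is left untouched */`.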