Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'net-6.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
"Including fixes from Bluetooth, IPsec and CAN.

No known regressions at this point.

Current release - regressions:

- xfrm: xfrm_alloc_spi shouldn't use 0 as SPI

Previous releases - regressions:

- xfrm: fix offloading of cross-family tunnels

- bluetooth: fix several races leading to UaFs

- dsa: lantiq_gswip: fix FDB entries creation for the CPU port

- eth:
- tun: update napi->skb after XDP process
- mlx: fix UAF in flow counter release

Previous releases - always broken:

- core: forbid FDB status change while nexthop is in a group

- smc: fix warning in smc_rx_splice() when calling get_page()

- can: provide missing ndo_change_mtu(), to prevent buffer overflow.

- eth:
- i40e: fix VF config validation
- broadcom: fix support for PTP_EXTTS_REQUEST2 ioctl"

* tag 'net-6.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (40 commits)
octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port
net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup()
libie: fix string names for AQ error codes
net/mlx5e: Fix missing FEC RS stats for RS_544_514_INTERLEAVED_QUAD
net/mlx5: HWS, ignore flow level for multi-dest table
net/mlx5: fs, fix UAF in flow counter release
selftests: fib_nexthops: Add test cases for FDB status change
selftests: fib_nexthops: Fix creation of non-FDB nexthops
nexthop: Forbid FDB status change while nexthop is in a group
net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS
bnxt_en: correct offset handling for IPv6 destination address
ptp: document behavior of PTP_STRICT_FLAGS
broadcom: fix support for PTP_EXTTS_REQUEST2 ioctl
broadcom: fix support for PTP_PEROUT_DUTY_CYCLE
Bluetooth: MGMT: Fix possible UAFs
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
Bluetooth: hci_sync: Fix hci_resume_advertising_sync
Bluetooth: Fix build after header cleanup
...

+548 -201
+6
drivers/bluetooth/Kconfig
··· 312 312 313 313 config BT_HCIBPA10X 314 314 tristate "HCI BPA10x USB driver" 315 + depends on BT_HCIUART 315 316 depends on USB 317 + select BT_HCIUART_H4 316 318 help 317 319 Bluetooth HCI BPA10x USB driver. 318 320 This driver provides support for the Digianswer BPA 100/105 Bluetooth ··· 439 437 440 438 config BT_MTKUART 441 439 tristate "MediaTek HCI UART driver" 440 + depends on BT_HCIUART 442 441 depends on SERIAL_DEV_BUS 443 442 depends on USB || !BT_HCIBTUSB_MTK 443 + select BT_HCIUART_H4 444 444 select BT_MTK 445 445 help 446 446 MediaTek Bluetooth HCI UART driver. ··· 487 483 488 484 config BT_NXPUART 489 485 tristate "NXP protocol support" 486 + depends on BT_HCIUART 490 487 depends on SERIAL_DEV_BUS 488 + select BT_HCIUART_H4 491 489 select CRC32 492 490 select CRC8 493 491 help
+4 -4
drivers/bluetooth/hci_uart.h
··· 121 121 void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed, 122 122 unsigned int oper_speed); 123 123 124 - #ifdef CONFIG_BT_HCIUART_H4 125 - int h4_init(void); 126 - int h4_deinit(void); 127 - 128 124 struct h4_recv_pkt { 129 125 u8 type; /* Packet type */ 130 126 u8 hlen; /* Header length */ ··· 157 161 .loff = 2, \ 158 162 .lsize = 2, \ 159 163 .maxlen = HCI_MAX_FRAME_SIZE \ 164 + 165 + #ifdef CONFIG_BT_HCIUART_H4 166 + int h4_init(void); 167 + int h4_deinit(void); 160 168 161 169 struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb, 162 170 const unsigned char *buffer, int count,
+4 -3
drivers/net/can/rcar/rcar_canfd.c
··· 823 823 /* Reset Global error flags */ 824 824 rcar_canfd_write(gpriv->base, RCANFD_GERFL, 0x0); 825 825 826 - /* Set the controller into appropriate mode */ 827 - rcar_canfd_set_mode(gpriv); 828 - 829 826 /* Transition all Channels to reset mode */ 830 827 for_each_set_bit(ch, &gpriv->channels_mask, gpriv->info->max_channels) { 831 828 rcar_canfd_clear_bit(gpriv->base, ··· 841 844 return err; 842 845 } 843 846 } 847 + 848 + /* Set the controller into appropriate mode */ 849 + rcar_canfd_set_mode(gpriv); 850 + 844 851 return 0; 845 852 } 846 853
+18 -16
drivers/net/can/spi/hi311x.c
··· 545 545 546 546 priv->force_quit = 1; 547 547 free_irq(spi->irq, priv); 548 - destroy_workqueue(priv->wq); 549 - priv->wq = NULL; 550 548 551 549 mutex_lock(&priv->hi3110_lock); 552 550 ··· 768 770 goto out_close; 769 771 } 770 772 771 - priv->wq = alloc_workqueue("hi3110_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM, 772 - 0); 773 - if (!priv->wq) { 774 - ret = -ENOMEM; 775 - goto out_free_irq; 776 - } 777 - INIT_WORK(&priv->tx_work, hi3110_tx_work_handler); 778 - INIT_WORK(&priv->restart_work, hi3110_restart_work_handler); 779 - 780 773 ret = hi3110_hw_reset(spi); 781 774 if (ret) 782 - goto out_free_wq; 775 + goto out_free_irq; 783 776 784 777 ret = hi3110_setup(net); 785 778 if (ret) 786 - goto out_free_wq; 779 + goto out_free_irq; 787 780 788 781 ret = hi3110_set_normal_mode(spi); 789 782 if (ret) 790 - goto out_free_wq; 783 + goto out_free_irq; 791 784 792 785 netif_wake_queue(net); 793 786 mutex_unlock(&priv->hi3110_lock); 794 787 795 788 return 0; 796 789 797 - out_free_wq: 798 - destroy_workqueue(priv->wq); 799 790 out_free_irq: 800 791 free_irq(spi->irq, priv); 801 792 hi3110_hw_sleep(spi); ··· 799 812 .ndo_open = hi3110_open, 800 813 .ndo_stop = hi3110_stop, 801 814 .ndo_start_xmit = hi3110_hard_start_xmit, 815 + .ndo_change_mtu = can_change_mtu, 802 816 }; 803 817 804 818 static const struct ethtool_ops hi3110_ethtool_ops = { ··· 896 908 if (ret) 897 909 goto out_clk; 898 910 911 + priv->wq = alloc_workqueue("hi3110_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM, 912 + 0); 913 + if (!priv->wq) { 914 + ret = -ENOMEM; 915 + goto out_clk; 916 + } 917 + INIT_WORK(&priv->tx_work, hi3110_tx_work_handler); 918 + INIT_WORK(&priv->restart_work, hi3110_restart_work_handler); 919 + 899 920 priv->spi = spi; 900 921 mutex_init(&priv->hi3110_lock); 901 922 ··· 940 943 return 0; 941 944 942 945 error_probe: 946 + destroy_workqueue(priv->wq); 947 + priv->wq = NULL; 943 948 hi3110_power_enable(priv->power, 0); 944 949 945 950 out_clk: ··· 961 962 unregister_candev(net); 962 963 963 964 hi3110_power_enable(priv->power, 0); 965 + 966 + destroy_workqueue(priv->wq); 967 + priv->wq = NULL; 964 968 965 969 clk_disable_unprepare(priv->clk); 966 970
+1
drivers/net/can/sun4i_can.c
··· 768 768 .ndo_open = sun4ican_open, 769 769 .ndo_stop = sun4ican_close, 770 770 .ndo_start_xmit = sun4ican_start_xmit, 771 + .ndo_change_mtu = can_change_mtu, 771 772 }; 772 773 773 774 static const struct ethtool_ops sun4ican_ethtool_ops = {
+2 -1
drivers/net/can/usb/etas_es58x/es58x_core.c
··· 7 7 * 8 8 * Copyright (c) 2019 Robert Bosch Engineering and Business Solutions. All rights reserved. 9 9 * Copyright (c) 2020 ETAS K.K.. All rights reserved. 10 - * Copyright (c) 2020-2022 Vincent Mailhol <mailhol.vincent@wanadoo.fr> 10 + * Copyright (c) 2020-2025 Vincent Mailhol <mailhol@kernel.org> 11 11 */ 12 12 13 13 #include <linux/unaligned.h> ··· 1977 1977 .ndo_stop = es58x_stop, 1978 1978 .ndo_start_xmit = es58x_start_xmit, 1979 1979 .ndo_eth_ioctl = can_eth_ioctl_hwts, 1980 + .ndo_change_mtu = can_change_mtu, 1980 1981 }; 1981 1982 1982 1983 static const struct ethtool_ops es58x_ethtool_ops = {
+1
drivers/net/can/usb/mcba_usb.c
··· 761 761 .ndo_open = mcba_usb_open, 762 762 .ndo_stop = mcba_usb_close, 763 763 .ndo_start_xmit = mcba_usb_start_xmit, 764 + .ndo_change_mtu = can_change_mtu, 764 765 }; 765 766 766 767 static const struct ethtool_ops mcba_ethtool_ops = {
+1 -1
drivers/net/can/usb/peak_usb/pcan_usb_core.c
··· 111 111 u32 delta_ts = time_ref->ts_dev_2 - time_ref->ts_dev_1; 112 112 113 113 if (time_ref->ts_dev_2 < time_ref->ts_dev_1) 114 - delta_ts &= (1 << time_ref->adapter->ts_used_bits) - 1; 114 + delta_ts &= (1ULL << time_ref->adapter->ts_used_bits) - 1; 115 115 116 116 time_ref->ts_total += delta_ts; 117 117 }
+16 -5
drivers/net/dsa/lantiq_gswip.c
··· 685 685 return 0; 686 686 } 687 687 688 - static int gswip_port_enable(struct dsa_switch *ds, int port, 689 - struct phy_device *phydev) 688 + static int gswip_port_setup(struct dsa_switch *ds, int port) 690 689 { 691 690 struct gswip_priv *priv = ds->priv; 692 691 int err; 693 692 694 693 if (!dsa_is_cpu_port(ds, port)) { 695 - u32 mdio_phy = 0; 696 - 697 694 err = gswip_add_single_port_br(priv, port, true); 698 695 if (err) 699 696 return err; 697 + } 698 + 699 + return 0; 700 + } 701 + 702 + static int gswip_port_enable(struct dsa_switch *ds, int port, 703 + struct phy_device *phydev) 704 + { 705 + struct gswip_priv *priv = ds->priv; 706 + 707 + if (!dsa_is_cpu_port(ds, port)) { 708 + u32 mdio_phy = 0; 700 709 701 710 if (phydev) 702 711 mdio_phy = phydev->mdio.addr & GSWIP_MDIO_PHY_ADDR_MASK; ··· 1368 1359 int i; 1369 1360 int err; 1370 1361 1362 + /* Operation not supported on the CPU port, don't throw errors */ 1371 1363 if (!bridge) 1372 - return -EINVAL; 1364 + return 0; 1373 1365 1374 1366 for (i = max_ports; i < ARRAY_SIZE(priv->vlans); i++) { 1375 1367 if (priv->vlans[i].bridge == bridge) { ··· 1839 1829 static const struct dsa_switch_ops gswip_xrx200_switch_ops = { 1840 1830 .get_tag_protocol = gswip_get_tag_protocol, 1841 1831 .setup = gswip_setup, 1832 + .port_setup = gswip_port_setup, 1842 1833 .port_enable = gswip_port_enable, 1843 1834 .port_disable = gswip_port_disable, 1844 1835 .port_bridge_join = gswip_port_bridge_join,
+1 -1
drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
··· 244 244 offset < offset_of_ip6_daddr + 16) { 245 245 actions->nat.src_xlate = false; 246 246 idx = (offset - offset_of_ip6_daddr) / 4; 247 - actions->nat.l3.ipv6.saddr.s6_addr32[idx] = htonl(val); 247 + actions->nat.l3.ipv6.daddr.s6_addr32[idx] = htonl(val); 248 248 } else { 249 249 netdev_err(bp->dev, 250 250 "%s: IPv6_hdr: Invalid pedit field\n",
+2 -1
drivers/net/ethernet/intel/i40e/i40e.h
··· 1278 1278 const u8 *macaddr); 1279 1279 int i40e_del_mac_filter(struct i40e_vsi *vsi, const u8 *macaddr); 1280 1280 bool i40e_is_vsi_in_vlan(struct i40e_vsi *vsi); 1281 - int i40e_count_filters(struct i40e_vsi *vsi); 1281 + int i40e_count_all_filters(struct i40e_vsi *vsi); 1282 + int i40e_count_active_filters(struct i40e_vsi *vsi); 1282 1283 struct i40e_mac_filter *i40e_find_mac(struct i40e_vsi *vsi, const u8 *macaddr); 1283 1284 void i40e_vlan_stripping_enable(struct i40e_vsi *vsi); 1284 1285 static inline bool i40e_is_sw_dcb(struct i40e_pf *pf)
+22 -4
drivers/net/ethernet/intel/i40e/i40e_main.c
··· 1243 1243 } 1244 1244 1245 1245 /** 1246 - * i40e_count_filters - counts VSI mac filters 1246 + * i40e_count_all_filters - counts VSI MAC filters 1247 1247 * @vsi: the VSI to be searched 1248 1248 * 1249 - * Returns count of mac filters 1250 - **/ 1251 - int i40e_count_filters(struct i40e_vsi *vsi) 1249 + * Return: count of MAC filters in any state. 1250 + */ 1251 + int i40e_count_all_filters(struct i40e_vsi *vsi) 1252 + { 1253 + struct i40e_mac_filter *f; 1254 + struct hlist_node *h; 1255 + int bkt, cnt = 0; 1256 + 1257 + hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) 1258 + cnt++; 1259 + 1260 + return cnt; 1261 + } 1262 + 1263 + /** 1264 + * i40e_count_active_filters - counts VSI MAC filters 1265 + * @vsi: the VSI to be searched 1266 + * 1267 + * Return: count of active MAC filters. 1268 + */ 1269 + int i40e_count_active_filters(struct i40e_vsi *vsi) 1252 1270 { 1253 1271 struct i40e_mac_filter *f; 1254 1272 struct hlist_node *h;
+64 -46
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
··· 448 448 (qtype << I40E_QINT_RQCTL_NEXTQ_TYPE_SHIFT) | 449 449 (pf_queue_id << I40E_QINT_RQCTL_NEXTQ_INDX_SHIFT) | 450 450 BIT(I40E_QINT_RQCTL_CAUSE_ENA_SHIFT) | 451 - (itr_idx << I40E_QINT_RQCTL_ITR_INDX_SHIFT); 451 + FIELD_PREP(I40E_QINT_RQCTL_ITR_INDX_MASK, itr_idx); 452 452 wr32(hw, reg_idx, reg); 453 453 } 454 454 ··· 653 653 654 654 /* only set the required fields */ 655 655 tx_ctx.base = info->dma_ring_addr / 128; 656 + 657 + /* ring_len has to be multiple of 8 */ 658 + if (!IS_ALIGNED(info->ring_len, 8) || 659 + info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { 660 + ret = -EINVAL; 661 + goto error_context; 662 + } 656 663 tx_ctx.qlen = info->ring_len; 657 664 tx_ctx.rdylist = le16_to_cpu(vsi->info.qs_handle[0]); 658 665 tx_ctx.rdylist_act = 0; ··· 723 716 724 717 /* only set the required fields */ 725 718 rx_ctx.base = info->dma_ring_addr / 128; 719 + 720 + /* ring_len has to be multiple of 32 */ 721 + if (!IS_ALIGNED(info->ring_len, 32) || 722 + info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { 723 + ret = -EINVAL; 724 + goto error_param; 725 + } 726 726 rx_ctx.qlen = info->ring_len; 727 727 728 728 if (info->splithdr_enabled) { ··· 1464 1450 * functions that may still be running at this point. 1465 1451 */ 1466 1452 clear_bit(I40E_VF_STATE_INIT, &vf->vf_states); 1453 + clear_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states); 1467 1454 1468 1455 /* In the case of a VFLR, the HW has already reset the VF and we 1469 1456 * just need to clean up, so don't hit the VFRTRIG register. ··· 2131 2116 size_t len = 0; 2132 2117 int ret; 2133 2118 2134 - if (!i40e_sync_vf_state(vf, I40E_VF_STATE_INIT)) { 2119 + i40e_sync_vf_state(vf, I40E_VF_STATE_INIT); 2120 + 2121 + if (!test_bit(I40E_VF_STATE_INIT, &vf->vf_states) || 2122 + test_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states)) { 2135 2123 aq_ret = -EINVAL; 2136 2124 goto err; 2137 2125 } ··· 2237 2219 vf->default_lan_addr.addr); 2238 2220 } 2239 2221 set_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states); 2222 + set_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states); 2240 2223 2241 2224 err: 2242 2225 /* send the response back to the VF */ ··· 2400 2381 } 2401 2382 2402 2383 if (vf->adq_enabled) { 2403 - if (idx >= ARRAY_SIZE(vf->ch)) { 2384 + if (idx >= vf->num_tc) { 2404 2385 aq_ret = -ENODEV; 2405 2386 goto error_param; 2406 2387 } ··· 2421 2402 * to its appropriate VSIs based on TC mapping 2422 2403 */ 2423 2404 if (vf->adq_enabled) { 2424 - if (idx >= ARRAY_SIZE(vf->ch)) { 2405 + if (idx >= vf->num_tc) { 2425 2406 aq_ret = -ENODEV; 2426 2407 goto error_param; 2427 2408 } ··· 2471 2452 u16 vsi_queue_id, queue_id; 2472 2453 2473 2454 for_each_set_bit(vsi_queue_id, &queuemap, I40E_MAX_VSI_QP) { 2474 - if (vf->adq_enabled) { 2475 - vsi_id = vf->ch[vsi_queue_id / I40E_MAX_VF_VSI].vsi_id; 2455 + u16 idx = vsi_queue_id / I40E_MAX_VF_VSI; 2456 + 2457 + if (vf->adq_enabled && idx < vf->num_tc) { 2458 + vsi_id = vf->ch[idx].vsi_id; 2476 2459 queue_id = (vsi_queue_id % I40E_DEFAULT_QUEUES_PER_VF); 2477 2460 } else { 2478 2461 queue_id = vsi_queue_id; ··· 2862 2841 (u8 *)&stats, sizeof(stats)); 2863 2842 } 2864 2843 2865 - /** 2866 - * i40e_can_vf_change_mac 2867 - * @vf: pointer to the VF info 2868 - * 2869 - * Return true if the VF is allowed to change its MAC filters, false otherwise 2870 - */ 2871 - static bool i40e_can_vf_change_mac(struct i40e_vf *vf) 2872 - { 2873 - /* If the VF MAC address has been set administratively (via the 2874 - * ndo_set_vf_mac command), then deny permission to the VF to 2875 - * add/delete unicast MAC addresses, unless the VF is trusted 2876 - */ 2877 - if (vf->pf_set_mac && !vf->trusted) 2878 - return false; 2879 - 2880 - return true; 2881 - } 2882 - 2883 2844 #define I40E_MAX_MACVLAN_PER_HW 3072 2884 2845 #define I40E_MAX_MACVLAN_PER_PF(num_ports) (I40E_MAX_MACVLAN_PER_HW / \ 2885 2846 (num_ports)) ··· 2900 2897 struct i40e_pf *pf = vf->pf; 2901 2898 struct i40e_vsi *vsi = pf->vsi[vf->lan_vsi_idx]; 2902 2899 struct i40e_hw *hw = &pf->hw; 2903 - int mac2add_cnt = 0; 2904 - int i; 2900 + int i, mac_add_max, mac_add_cnt = 0; 2901 + bool vf_trusted; 2902 + 2903 + vf_trusted = test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps); 2905 2904 2906 2905 for (i = 0; i < al->num_elements; i++) { 2907 2906 struct i40e_mac_filter *f; ··· 2923 2918 * The VF may request to set the MAC address filter already 2924 2919 * assigned to it so do not return an error in that case. 2925 2920 */ 2926 - if (!i40e_can_vf_change_mac(vf) && 2927 - !is_multicast_ether_addr(addr) && 2928 - !ether_addr_equal(addr, vf->default_lan_addr.addr)) { 2921 + if (!vf_trusted && !is_multicast_ether_addr(addr) && 2922 + vf->pf_set_mac && !ether_addr_equal(addr, vf->default_lan_addr.addr)) { 2929 2923 dev_err(&pf->pdev->dev, 2930 2924 "VF attempting to override administratively set MAC address, bring down and up the VF interface to resume normal operation\n"); 2931 2925 return -EPERM; ··· 2933 2929 /*count filters that really will be added*/ 2934 2930 f = i40e_find_mac(vsi, addr); 2935 2931 if (!f) 2936 - ++mac2add_cnt; 2932 + ++mac_add_cnt; 2937 2933 } 2938 2934 2939 2935 /* If this VF is not privileged, then we can't add more than a limited 2940 - * number of addresses. Check to make sure that the additions do not 2941 - * push us over the limit. 2942 - */ 2943 - if (!test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps)) { 2944 - if ((i40e_count_filters(vsi) + mac2add_cnt) > 2945 - I40E_VC_MAX_MAC_ADDR_PER_VF) { 2946 - dev_err(&pf->pdev->dev, 2947 - "Cannot add more MAC addresses, VF is not trusted, switch the VF to trusted to add more functionality\n"); 2948 - return -EPERM; 2949 - } 2950 - /* If this VF is trusted, it can use more resources than untrusted. 2936 + * number of addresses. 2937 + * 2938 + * If this VF is trusted, it can use more resources than untrusted. 2951 2939 * However to ensure that every trusted VF has appropriate number of 2952 2940 * resources, divide whole pool of resources per port and then across 2953 2941 * all VFs. 2954 2942 */ 2955 - } else { 2956 - if ((i40e_count_filters(vsi) + mac2add_cnt) > 2957 - I40E_VC_MAX_MACVLAN_PER_TRUSTED_VF(pf->num_alloc_vfs, 2958 - hw->num_ports)) { 2943 + if (!vf_trusted) 2944 + mac_add_max = I40E_VC_MAX_MAC_ADDR_PER_VF; 2945 + else 2946 + mac_add_max = I40E_VC_MAX_MACVLAN_PER_TRUSTED_VF(pf->num_alloc_vfs, hw->num_ports); 2947 + 2948 + /* VF can replace all its filters in one step, in this case mac_add_max 2949 + * will be added as active and another mac_add_max will be in 2950 + * a to-be-removed state. Account for that. 2951 + */ 2952 + if ((i40e_count_active_filters(vsi) + mac_add_cnt) > mac_add_max || 2953 + (i40e_count_all_filters(vsi) + mac_add_cnt) > 2 * mac_add_max) { 2954 + if (!vf_trusted) { 2955 + dev_err(&pf->pdev->dev, 2956 + "Cannot add more MAC addresses, VF is not trusted, switch the VF to trusted to add more functionality\n"); 2957 + return -EPERM; 2958 + } else { 2959 2959 dev_err(&pf->pdev->dev, 2960 2960 "Cannot add more MAC addresses, trusted VF exhausted it's resources\n"); 2961 2961 return -EPERM; ··· 3595 3587 3596 3588 /* action_meta is TC number here to which the filter is applied */ 3597 3589 if (!tc_filter->action_meta || 3598 - tc_filter->action_meta > vf->num_tc) { 3590 + tc_filter->action_meta >= vf->num_tc) { 3599 3591 dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n", 3600 3592 vf->vf_id, tc_filter->action_meta); 3601 3593 goto err; ··· 3892 3884 aq_ret); 3893 3885 } 3894 3886 3887 + #define I40E_MAX_VF_CLOUD_FILTER 0xFF00 3888 + 3895 3889 /** 3896 3890 * i40e_vc_add_cloud_filter 3897 3891 * @vf: pointer to the VF info ··· 3930 3920 "VF %d: Invalid input/s, can't apply cloud filter\n", 3931 3921 vf->vf_id); 3932 3922 aq_ret = -EINVAL; 3923 + goto err_out; 3924 + } 3925 + 3926 + if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) { 3927 + dev_warn(&pf->pdev->dev, 3928 + "VF %d: Max number of filters reached, can't apply cloud filter\n", 3929 + vf->vf_id); 3930 + aq_ret = -ENOSPC; 3933 3931 goto err_out; 3934 3932 } 3935 3933
+2 -1
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
··· 41 41 I40E_VF_STATE_MC_PROMISC, 42 42 I40E_VF_STATE_UC_PROMISC, 43 43 I40E_VF_STATE_PRE_ENABLE, 44 - I40E_VF_STATE_RESETTING 44 + I40E_VF_STATE_RESETTING, 45 + I40E_VF_STATE_RESOURCES_LOADED, 45 46 }; 46 47 47 48 /* VF capabilities */
+1 -1
drivers/net/ethernet/intel/libie/adminq.c
··· 6 6 7 7 static const char * const libie_aq_str_arr[] = { 8 8 #define LIBIE_AQ_STR(x) \ 9 - [LIBIE_AQ_RC_##x] = "LIBIE_AQ_RC" #x 9 + [LIBIE_AQ_RC_##x] = "LIBIE_AQ_RC_" #x 10 10 LIBIE_AQ_STR(OK), 11 11 LIBIE_AQ_STR(EPERM), 12 12 LIBIE_AQ_STR(ENOENT),
+1 -2
drivers/net/ethernet/marvell/octeontx2/af/cgx.c
··· 21 21 #include "rvu.h" 22 22 #include "lmac_common.h" 23 23 24 - #define DRV_NAME "Marvell-CGX/RPM" 25 - #define DRV_STRING "Marvell CGX/RPM Driver" 24 + #define DRV_NAME "Marvell-CGX-RPM" 26 25 27 26 #define CGX_RX_STAT_GLOBAL_INDEX 9 28 27
+1 -1
drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
··· 1326 1326 1327 1327 free_leaf: 1328 1328 otx2_tc_del_from_flow_list(flow_cfg, new_node); 1329 - kfree_rcu(new_node, rcu); 1330 1329 if (new_node->is_act_police) { 1331 1330 mutex_lock(&nic->mbox.lock); 1332 1331 ··· 1345 1346 1346 1347 mutex_unlock(&nic->mbox.lock); 1347 1348 } 1349 + kfree_rcu(new_node, rcu); 1348 1350 1349 1351 return rc; 1350 1352 }
+1
drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
··· 1466 1466 case MLX5E_FEC_RS_528_514: 1467 1467 case MLX5E_FEC_RS_544_514: 1468 1468 case MLX5E_FEC_LLRS_272_257_1: 1469 + case MLX5E_FEC_RS_544_514_INTERLEAVED_QUAD: 1469 1470 fec_set_rs_stats(fec_stats, out); 1470 1471 return; 1471 1472 case MLX5E_FEC_FIRECODE:
+1 -1
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
··· 663 663 BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_ACTION) | 664 664 BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_FLOW_COUNTERS); 665 665 fte->act_dests.action.action &= ~MLX5_FLOW_CONTEXT_ACTION_COUNT; 666 - mlx5_fc_local_destroy(rule->dest_attr.counter); 666 + mlx5_fc_local_put(rule->dest_attr.counter); 667 667 goto out; 668 668 } 669 669
+1
drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
··· 343 343 enum mlx5_fc_type type; 344 344 struct mlx5_fc_bulk *bulk; 345 345 struct mlx5_fc_cache cache; 346 + refcount_t fc_local_refcount; 346 347 /* last{packets,bytes} are used for calculating deltas since last reading. */ 347 348 u64 lastpackets; 348 349 u64 lastbytes;
+22 -3
drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c
··· 562 562 counter->id = counter_id; 563 563 fc_bulk->base_id = counter_id - offset; 564 564 fc_bulk->fs_bulk.bulk_len = bulk_size; 565 + refcount_set(&fc_bulk->hws_data.hws_action_refcount, 0); 566 + mutex_init(&fc_bulk->hws_data.lock); 565 567 counter->bulk = fc_bulk; 568 + refcount_set(&counter->fc_local_refcount, 1); 566 569 return counter; 567 570 } 568 571 EXPORT_SYMBOL(mlx5_fc_local_create); 569 572 570 573 void mlx5_fc_local_destroy(struct mlx5_fc *counter) 571 574 { 572 - if (!counter || counter->type != MLX5_FC_TYPE_LOCAL) 573 - return; 574 - 575 575 kfree(counter->bulk); 576 576 kfree(counter); 577 577 } 578 578 EXPORT_SYMBOL(mlx5_fc_local_destroy); 579 + 580 + void mlx5_fc_local_get(struct mlx5_fc *counter) 581 + { 582 + if (!counter || counter->type != MLX5_FC_TYPE_LOCAL) 583 + return; 584 + 585 + refcount_inc(&counter->fc_local_refcount); 586 + } 587 + 588 + void mlx5_fc_local_put(struct mlx5_fc *counter) 589 + { 590 + if (!counter || counter->type != MLX5_FC_TYPE_LOCAL) 591 + return; 592 + 593 + if (!refcount_dec_and_test(&counter->fc_local_refcount)) 594 + return; 595 + 596 + mlx5_fc_local_destroy(counter); 597 + }
+2 -2
drivers/net/ethernet/mellanox/mlx5/core/steering/hws/action.c
··· 1360 1360 struct mlx5hws_action * 1361 1361 mlx5hws_action_create_dest_array(struct mlx5hws_context *ctx, size_t num_dest, 1362 1362 struct mlx5hws_action_dest_attr *dests, 1363 - bool ignore_flow_level, u32 flags) 1363 + u32 flags) 1364 1364 { 1365 1365 struct mlx5hws_cmd_set_fte_dest *dest_list = NULL; 1366 1366 struct mlx5hws_cmd_ft_create_attr ft_attr = {0}; ··· 1397 1397 MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 1398 1398 dest_list[i].destination_id = dests[i].dest->dest_obj.obj_id; 1399 1399 fte_attr.action_flags |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; 1400 - fte_attr.ignore_flow_level = ignore_flow_level; 1400 + fte_attr.ignore_flow_level = 1; 1401 1401 if (dests[i].is_wire_ft) 1402 1402 last_dest_idx = i; 1403 1403 break;
+3 -8
drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws.c
··· 572 572 static struct mlx5hws_action * 573 573 mlx5_fs_create_action_dest_array(struct mlx5hws_context *ctx, 574 574 struct mlx5hws_action_dest_attr *dests, 575 - u32 num_of_dests, bool ignore_flow_level) 575 + u32 num_of_dests) 576 576 { 577 577 u32 flags = MLX5HWS_ACTION_FLAG_HWS_FDB | MLX5HWS_ACTION_FLAG_SHARED; 578 578 579 579 return mlx5hws_action_create_dest_array(ctx, num_of_dests, dests, 580 - ignore_flow_level, flags); 580 + flags); 581 581 } 582 582 583 583 static struct mlx5hws_action * ··· 1014 1014 } 1015 1015 (*ractions)[num_actions++].action = dest_actions->dest; 1016 1016 } else if (num_dest_actions > 1) { 1017 - bool ignore_flow_level; 1018 - 1019 1017 if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX || 1020 1018 num_fs_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) { 1021 1019 err = -EOPNOTSUPP; 1022 1020 goto free_actions; 1023 1021 } 1024 - ignore_flow_level = 1025 - !!(fte_action->flags & FLOW_ACT_IGNORE_FLOW_LEVEL); 1026 1022 tmp_action = 1027 1023 mlx5_fs_create_action_dest_array(ctx, dest_actions, 1028 - num_dest_actions, 1029 - ignore_flow_level); 1024 + num_dest_actions); 1030 1025 if (!tmp_action) { 1031 1026 err = -EOPNOTSUPP; 1032 1027 goto free_actions;
+7 -1
drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws_pools.c
··· 407 407 { 408 408 struct mlx5_fs_hws_create_action_ctx create_ctx; 409 409 struct mlx5_fc_bulk *fc_bulk = counter->bulk; 410 + struct mlx5hws_action *hws_action; 410 411 411 412 create_ctx.hws_ctx = ctx; 412 413 create_ctx.id = fc_bulk->base_id; 413 414 create_ctx.actions_type = MLX5HWS_ACTION_TYP_CTR; 414 415 415 - return mlx5_fs_get_hws_action(&fc_bulk->hws_data, &create_ctx); 416 + mlx5_fc_local_get(counter); 417 + hws_action = mlx5_fs_get_hws_action(&fc_bulk->hws_data, &create_ctx); 418 + if (!hws_action) 419 + mlx5_fc_local_put(counter); 420 + return hws_action; 416 421 } 417 422 418 423 void mlx5_fc_put_hws_action(struct mlx5_fc *counter) 419 424 { 420 425 mlx5_fs_put_hws_action(&counter->bulk->hws_data); 426 + mlx5_fc_local_put(counter); 421 427 }
+1 -2
drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws.h
··· 735 735 * @num_dest: The number of dests attributes. 736 736 * @dests: The destination array. Each contains a destination action and can 737 737 * have additional actions. 738 - * @ignore_flow_level: Whether to turn on 'ignore_flow_level' for this dest. 739 738 * @flags: Action creation flags (enum mlx5hws_action_flags). 740 739 * 741 740 * Return: pointer to mlx5hws_action on success NULL otherwise. ··· 742 743 struct mlx5hws_action * 743 744 mlx5hws_action_create_dest_array(struct mlx5hws_context *ctx, size_t num_dest, 744 745 struct mlx5hws_action_dest_attr *dests, 745 - bool ignore_flow_level, u32 flags); 746 + u32 flags); 746 747 747 748 /** 748 749 * mlx5hws_action_create_insert_header - Create insert header action.
+2 -4
drivers/net/phy/bcm-phy-ptp.c
··· 597 597 598 598 period = BCM_MAX_PERIOD_8NS; /* write nonzero value */ 599 599 600 - /* Reject unsupported flags */ 601 - if (req->flags & ~PTP_PEROUT_DUTY_CYCLE) 602 - return -EOPNOTSUPP; 603 - 604 600 if (req->flags & PTP_PEROUT_DUTY_CYCLE) 605 601 pulse = ktime_to_ns(ktime_set(req->on.sec, req->on.nsec)); 606 602 else ··· 737 741 .n_pins = 1, 738 742 .n_per_out = 1, 739 743 .n_ext_ts = 1, 744 + .supported_perout_flags = PTP_PEROUT_DUTY_CYCLE, 745 + .supported_extts_flags = PTP_STRICT_FLAGS | PTP_RISING_EDGE, 740 746 }; 741 747 742 748 static void bcm_ptp_txtstamp(struct mii_timestamper *mii_ts,
+3
drivers/net/tun.c
··· 1875 1875 local_bh_enable(); 1876 1876 goto unlock_frags; 1877 1877 } 1878 + 1879 + if (frags && skb != tfile->napi.skb) 1880 + tfile->napi.skb = skb; 1878 1881 } 1879 1882 rcu_read_unlock(); 1880 1883 local_bh_enable();
+2
include/linux/mlx5/fs.h
··· 308 308 void mlx5_fc_destroy(struct mlx5_core_dev *dev, struct mlx5_fc *counter); 309 309 struct mlx5_fc *mlx5_fc_local_create(u32 counter_id, u32 offset, u32 bulk_size); 310 310 void mlx5_fc_local_destroy(struct mlx5_fc *counter); 311 + void mlx5_fc_local_get(struct mlx5_fc *counter); 312 + void mlx5_fc_local_put(struct mlx5_fc *counter); 311 313 u64 mlx5_fc_query_lastuse(struct mlx5_fc *counter); 312 314 void mlx5_fc_query_cached(struct mlx5_fc *counter, 313 315 u64 *bytes, u64 *packets, u64 *lastuse);
+21
include/net/bluetooth/hci_core.h
··· 1245 1245 return NULL; 1246 1246 } 1247 1247 1248 + static inline struct hci_conn *hci_conn_hash_lookup_role(struct hci_dev *hdev, 1249 + __u8 type, __u8 role, 1250 + bdaddr_t *ba) 1251 + { 1252 + struct hci_conn_hash *h = &hdev->conn_hash; 1253 + struct hci_conn *c; 1254 + 1255 + rcu_read_lock(); 1256 + 1257 + list_for_each_entry_rcu(c, &h->list, list) { 1258 + if (c->type == type && c->role == role && !bacmp(&c->dst, ba)) { 1259 + rcu_read_unlock(); 1260 + return c; 1261 + } 1262 + } 1263 + 1264 + rcu_read_unlock(); 1265 + 1266 + return NULL; 1267 + } 1268 + 1248 1269 static inline struct hci_conn *hci_conn_hash_lookup_le(struct hci_dev *hdev, 1249 1270 bdaddr_t *ba, 1250 1271 __u8 ba_type)
+3
include/uapi/linux/ptp_clock.h
··· 37 37 38 38 /* 39 39 * flag fields valid for the new PTP_EXTTS_REQUEST2 ioctl. 40 + * 41 + * Note: PTP_STRICT_FLAGS is always enabled by the kernel for 42 + * PTP_EXTTS_REQUEST2 regardless of whether it is set by userspace. 40 43 */ 41 44 #define PTP_EXTTS_VALID_FLAGS (PTP_ENABLE_FEATURE | \ 42 45 PTP_RISING_EDGE | \
+27 -3
net/bluetooth/hci_event.c
··· 3087 3087 3088 3088 hci_dev_lock(hdev); 3089 3089 3090 + /* Check for existing connection: 3091 + * 3092 + * 1. If it doesn't exist then it must be receiver/slave role. 3093 + * 2. If it does exist confirm that it is connecting/BT_CONNECT in case 3094 + * of initiator/master role since there could be a collision where 3095 + * either side is attempting to connect or something like a fuzzing 3096 + * testing is trying to play tricks to destroy the hcon object before 3097 + * it even attempts to connect (e.g. hcon->state == BT_OPEN). 3098 + */ 3090 3099 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3091 - if (!conn) { 3100 + if (!conn || 3101 + (conn->role == HCI_ROLE_MASTER && conn->state != BT_CONNECT)) { 3092 3102 /* In case of error status and there is no connection pending 3093 3103 * just unlock as there is nothing to cleanup. 3094 3104 */ ··· 4401 4391 4402 4392 bt_dev_dbg(hdev, "num %d", ev->num); 4403 4393 4394 + hci_dev_lock(hdev); 4395 + 4404 4396 for (i = 0; i < ev->num; i++) { 4405 4397 struct hci_comp_pkts_info *info = &ev->handles[i]; 4406 4398 struct hci_conn *conn; ··· 4484 4472 } 4485 4473 4486 4474 queue_work(hdev->workqueue, &hdev->tx_work); 4475 + 4476 + hci_dev_unlock(hdev); 4487 4477 } 4488 4478 4489 4479 static void hci_mode_change_evt(struct hci_dev *hdev, void *data, ··· 5648 5634 */ 5649 5635 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5650 5636 5651 - conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr); 5652 - if (!conn) { 5637 + /* Check for existing connection: 5638 + * 5639 + * 1. If it doesn't exist then use the role to create a new object. 5640 + * 2. If it does exist confirm that it is connecting/BT_CONNECT in case 5641 + * of initiator/master role since there could be a collision where 5642 + * either side is attempting to connect or something like a fuzzing 5643 + * testing is trying to play tricks to destroy the hcon object before 5644 + * it even attempts to connect (e.g. hcon->state == BT_OPEN). 5645 + */ 5646 + conn = hci_conn_hash_lookup_role(hdev, LE_LINK, role, bdaddr); 5647 + if (!conn || 5648 + (conn->role == HCI_ROLE_MASTER && conn->state != BT_CONNECT)) { 5653 5649 /* In case of error status and there is no connection pending 5654 5650 * just unlock as there is nothing to cleanup. 5655 5651 */
+7
net/bluetooth/hci_sync.c
··· 2594 2594 hci_remove_ext_adv_instance_sync(hdev, adv->instance, 2595 2595 NULL); 2596 2596 } 2597 + 2598 + /* If current advertising instance is set to instance 0x00 2599 + * then we need to re-enable it. 2600 + */ 2601 + if (!hdev->cur_adv_instance) 2602 + err = hci_enable_ext_advertising_sync(hdev, 2603 + hdev->cur_adv_instance); 2597 2604 } else { 2598 2605 /* Schedule for most recent instance to be restarted and begin 2599 2606 * the software rotation loop
+182 -77
net/bluetooth/mgmt.c
··· 1323 1323 struct mgmt_mode *cp; 1324 1324 1325 1325 /* Make sure cmd still outstanding. */ 1326 - if (err == -ECANCELED || 1327 - cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) 1326 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 1328 1327 return; 1329 1328 1330 1329 cp = cmd->param; ··· 1350 1351 mgmt_status(err)); 1351 1352 } 1352 1353 1353 - mgmt_pending_remove(cmd); 1354 + mgmt_pending_free(cmd); 1354 1355 } 1355 1356 1356 1357 static int set_powered_sync(struct hci_dev *hdev, void *data) 1357 1358 { 1358 1359 struct mgmt_pending_cmd *cmd = data; 1359 - struct mgmt_mode *cp; 1360 + struct mgmt_mode cp; 1361 + 1362 + mutex_lock(&hdev->mgmt_pending_lock); 1360 1363 1361 1364 /* Make sure cmd still outstanding. */ 1362 - if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) 1365 + if (!__mgmt_pending_listed(hdev, cmd)) { 1366 + mutex_unlock(&hdev->mgmt_pending_lock); 1363 1367 return -ECANCELED; 1368 + } 1364 1369 1365 - cp = cmd->param; 1370 + memcpy(&cp, cmd->param, sizeof(cp)); 1371 + 1372 + mutex_unlock(&hdev->mgmt_pending_lock); 1366 1373 1367 1374 BT_DBG("%s", hdev->name); 1368 1375 1369 - return hci_set_powered_sync(hdev, cp->val); 1376 + return hci_set_powered_sync(hdev, cp.val); 1370 1377 } 1371 1378 1372 1379 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, ··· 1521 1516 bt_dev_dbg(hdev, "err %d", err); 1522 1517 1523 1518 /* Make sure cmd still outstanding. */ 1524 - if (err == -ECANCELED || 1525 - cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) 1519 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 1526 1520 return; 1527 1521 1528 1522 hci_dev_lock(hdev); ··· 1543 1539 new_settings(hdev, cmd->sk); 1544 1540 1545 1541 done: 1546 - mgmt_pending_remove(cmd); 1542 + mgmt_pending_free(cmd); 1547 1543 hci_dev_unlock(hdev); 1548 1544 } 1549 1545 1550 1546 static int set_discoverable_sync(struct hci_dev *hdev, void *data) 1551 1547 { 1548 + if (!mgmt_pending_listed(hdev, data)) 1549 + return -ECANCELED; 1550 + 1552 1551 BT_DBG("%s", hdev->name); 1553 1552 1554 1553 return hci_update_discoverable_sync(hdev); ··· 1698 1691 bt_dev_dbg(hdev, "err %d", err); 1699 1692 1700 1693 /* Make sure cmd still outstanding. */ 1701 - if (err == -ECANCELED || 1702 - cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) 1694 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 1703 1695 return; 1704 1696 1705 1697 hci_dev_lock(hdev); ··· 1713 1707 new_settings(hdev, cmd->sk); 1714 1708 1715 1709 done: 1716 - mgmt_pending_remove(cmd); 1710 + mgmt_pending_free(cmd); 1717 1711 1718 1712 hci_dev_unlock(hdev); 1719 1713 } ··· 1749 1743 1750 1744 static int set_connectable_sync(struct hci_dev *hdev, void *data) 1751 1745 { 1746 + if (!mgmt_pending_listed(hdev, data)) 1747 + return -ECANCELED; 1748 + 1752 1749 BT_DBG("%s", hdev->name); 1753 1750 1754 1751 return hci_update_connectable_sync(hdev); ··· 1928 1919 { 1929 1920 struct cmd_lookup match = { NULL, hdev }; 1930 1921 struct mgmt_pending_cmd *cmd = data; 1931 - struct mgmt_mode *cp = cmd->param; 1932 - u8 enable = cp->val; 1922 + struct mgmt_mode *cp; 1923 + u8 enable; 1933 1924 bool changed; 1934 1925 1935 1926 /* Make sure cmd still outstanding. */ 1936 - if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) 1927 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 1937 1928 return; 1929 + 1930 + cp = cmd->param; 1931 + enable = cp->val; 1938 1932 1939 1933 if (err) { 1940 1934 u8 mgmt_err = mgmt_status(err); ··· 1947 1935 new_settings(hdev, NULL); 1948 1936 } 1949 1937 1950 - mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, 1951 - cmd_status_rsp, &mgmt_err); 1938 + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); 1952 1939 return; 1953 1940 } 1954 1941 ··· 1957 1946 changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED); 1958 1947 } 1959 1948 1960 - mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match); 1949 + settings_rsp(cmd, &match); 1961 1950 1962 1951 if (changed) 1963 1952 new_settings(hdev, match.sk); ··· 1971 1960 static int set_ssp_sync(struct hci_dev *hdev, void *data) 1972 1961 { 1973 1962 struct mgmt_pending_cmd *cmd = data; 1974 - struct mgmt_mode *cp = cmd->param; 1963 + struct mgmt_mode cp; 1975 1964 bool changed = false; 1976 1965 int err; 1977 1966 1978 - if (cp->val) 1967 + mutex_lock(&hdev->mgmt_pending_lock); 1968 + 1969 + if (!__mgmt_pending_listed(hdev, cmd)) { 1970 + mutex_unlock(&hdev->mgmt_pending_lock); 1971 + return -ECANCELED; 1972 + } 1973 + 1974 + memcpy(&cp, cmd->param, sizeof(cp)); 1975 + 1976 + mutex_unlock(&hdev->mgmt_pending_lock); 1977 + 1978 + if (cp.val) 1979 1979 changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED); 1980 1980 1981 - err = hci_write_ssp_mode_sync(hdev, cp->val); 1981 + err = hci_write_ssp_mode_sync(hdev, cp.val); 1982 1982 1983 1983 if (!err && changed) 1984 1984 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); ··· 2082 2060 2083 2061 static void set_le_complete(struct hci_dev *hdev, void *data, int err) 2084 2062 { 2063 + struct mgmt_pending_cmd *cmd = data; 2085 2064 struct cmd_lookup match = { NULL, hdev }; 2086 2065 u8 status = mgmt_status(err); 2087 2066 2088 2067 bt_dev_dbg(hdev, "err %d", err); 2089 2068 2090 - if (status) { 2091 - mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp, 2092 - &status); 2069 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) 2093 2070 return; 2071 + 2072 + if (status) { 2073 + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); 2074 + goto done; 2094 2075 } 2095 2076 2096 - mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match); 2077 + settings_rsp(cmd, &match); 2097 2078 2098 2079 new_settings(hdev, match.sk); 2099 2080 2100 2081 if (match.sk) 2101 2082 sock_put(match.sk); 2083 + 2084 + done: 2085 + mgmt_pending_free(cmd); 2102 2086 } 2103 2087 2104 2088 static int set_le_sync(struct hci_dev *hdev, void *data) 2105 2089 { 2106 2090 struct mgmt_pending_cmd *cmd = data; 2107 - struct mgmt_mode *cp = cmd->param; 2108 - u8 val = !!cp->val; 2091 + struct mgmt_mode cp; 2092 + u8 val; 2109 2093 int err; 2094 + 2095 + mutex_lock(&hdev->mgmt_pending_lock); 2096 + 2097 + if (!__mgmt_pending_listed(hdev, cmd)) { 2098 + mutex_unlock(&hdev->mgmt_pending_lock); 2099 + return -ECANCELED; 2100 + } 2101 + 2102 + memcpy(&cp, cmd->param, sizeof(cp)); 2103 + val = !!cp.val; 2104 + 2105 + mutex_unlock(&hdev->mgmt_pending_lock); 2110 2106 2111 2107 if (!val) { 2112 2108 hci_clear_adv_instance_sync(hdev, NULL, 0x00, true); ··· 2167 2127 { 2168 2128 struct mgmt_pending_cmd *cmd = data; 2169 2129 u8 status = mgmt_status(err); 2170 - struct sock *sk = cmd->sk; 2130 + struct sock *sk; 2131 + 2132 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 2133 + return; 2134 + 2135 + sk = cmd->sk; 2171 2136 2172 2137 if (status) { 2173 2138 mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, ··· 2187 2142 static int set_mesh_sync(struct hci_dev *hdev, void *data) 2188 2143 { 2189 2144 struct mgmt_pending_cmd *cmd = data; 2190 - struct mgmt_cp_set_mesh *cp = cmd->param; 2191 - size_t len = cmd->param_len; 2145 + struct mgmt_cp_set_mesh cp; 2146 + size_t len; 2147 + 2148 + mutex_lock(&hdev->mgmt_pending_lock); 2149 + 2150 + if (!__mgmt_pending_listed(hdev, cmd)) { 2151 + mutex_unlock(&hdev->mgmt_pending_lock); 2152 + return -ECANCELED; 2153 + } 2154 + 2155 + memcpy(&cp, cmd->param, sizeof(cp)); 2156 + 2157 + mutex_unlock(&hdev->mgmt_pending_lock); 2158 + 2159 + len = cmd->param_len; 2192 2160 2193 2161 memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types)); 2194 2162 2195 - if (cp->enable) 2163 + if (cp.enable) 2196 2164 hci_dev_set_flag(hdev, HCI_MESH); 2197 2165 else 2198 2166 hci_dev_clear_flag(hdev, HCI_MESH); 2199 2167 2200 - hdev->le_scan_interval = __le16_to_cpu(cp->period); 2201 - hdev->le_scan_window = __le16_to_cpu(cp->window); 2168 + hdev->le_scan_interval = __le16_to_cpu(cp.period); 2169 + hdev->le_scan_window = __le16_to_cpu(cp.window); 2202 2170 2203 - len -= sizeof(*cp); 2171 + len -= sizeof(cp); 2204 2172 2205 2173 /* If filters don't fit, forward all adv pkts */ 2206 2174 if (len <= sizeof(hdev->mesh_ad_types)) 2207 - memcpy(hdev->mesh_ad_types, cp->ad_types, len); 2175 + memcpy(hdev->mesh_ad_types, cp.ad_types, len); 2208 2176 2209 2177 hci_update_passive_scan_sync(hdev); 2210 2178 return 0; ··· 3925 3867 static void set_name_complete(struct hci_dev *hdev, void *data, int err) 3926 3868 { 3927 3869 struct mgmt_pending_cmd *cmd = data; 3928 - struct mgmt_cp_set_local_name *cp = cmd->param; 3870 + struct mgmt_cp_set_local_name *cp; 3929 3871 u8 status = mgmt_status(err); 3930 3872 3931 3873 bt_dev_dbg(hdev, "err %d", err); 3932 3874 3933 - if (err == -ECANCELED || 3934 - cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) 3875 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 3935 3876 return; 3877 + 3878 + cp = cmd->param; 3936 3879 3937 3880 if (status) { 3938 3881 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, ··· 3946 3887 hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL); 3947 3888 } 3948 3889 3949 - mgmt_pending_remove(cmd); 3890 + mgmt_pending_free(cmd); 3950 3891 } 3951 3892 3952 3893 static int set_name_sync(struct hci_dev *hdev, void *data) 3953 3894 { 3954 3895 struct mgmt_pending_cmd *cmd = data; 3955 - struct mgmt_cp_set_local_name *cp = cmd->param; 3896 + struct mgmt_cp_set_local_name cp; 3897 + 3898 + mutex_lock(&hdev->mgmt_pending_lock); 3899 + 3900 + if (!__mgmt_pending_listed(hdev, cmd)) { 3901 + mutex_unlock(&hdev->mgmt_pending_lock); 3902 + return -ECANCELED; 3903 + } 3904 + 3905 + memcpy(&cp, cmd->param, sizeof(cp)); 3906 + 3907 + mutex_unlock(&hdev->mgmt_pending_lock); 3956 3908 3957 3909 if (lmp_bredr_capable(hdev)) { 3958 - hci_update_name_sync(hdev, cp->name); 3910 + hci_update_name_sync(hdev, cp.name); 3959 3911 hci_update_eir_sync(hdev); 3960 3912 } 3961 3913 ··· 4118 4048 static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) 4119 4049 { 4120 4050 struct mgmt_pending_cmd *cmd = data; 4121 - struct sk_buff *skb = cmd->skb; 4051 + struct sk_buff *skb; 4122 4052 u8 status = mgmt_status(err); 4123 4053 4124 - if (err == -ECANCELED || 4125 - cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) 4126 - return; 4054 + skb = cmd->skb; 4127 4055 4128 4056 if (!status) { 4129 4057 if (!skb) ··· 4148 4080 if (skb && !IS_ERR(skb)) 4149 4081 kfree_skb(skb); 4150 4082 4151 - mgmt_pending_remove(cmd); 4083 + mgmt_pending_free(cmd); 4152 4084 } 4153 4085 4154 4086 static int set_default_phy_sync(struct hci_dev *hdev, void *data) ··· 4156 4088 struct mgmt_pending_cmd *cmd = data; 4157 4089 struct mgmt_cp_set_phy_configuration *cp = cmd->param; 4158 4090 struct hci_cp_le_set_default_phy cp_phy; 4159 - u32 selected_phys = __le32_to_cpu(cp->selected_phys); 4091 + u32 selected_phys; 4092 + 4093 + selected_phys = __le32_to_cpu(cp->selected_phys); 4160 4094 4161 4095 memset(&cp_phy, 0, sizeof(cp_phy)); 4162 4096 ··· 4298 4228 goto unlock; 4299 4229 } 4300 4230 4301 - cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, 4231 + cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, 4302 4232 len); 4303 4233 if (!cmd) 4304 4234 err = -ENOMEM; ··· 5259 5189 { 5260 5190 struct mgmt_rp_add_adv_patterns_monitor rp; 5261 5191 struct mgmt_pending_cmd *cmd = data; 5262 - struct adv_monitor *monitor = cmd->user_data; 5192 + struct adv_monitor *monitor; 5193 + 5194 + /* This is likely the result of hdev being closed and mgmt_index_removed 5195 + * is attempting to clean up any pending command so 5196 + * hci_adv_monitors_clear is about to be called which will take care of 5197 + * freeing the adv_monitor instances. 5198 + */ 5199 + if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) 5200 + return; 5201 + 5202 + monitor = cmd->user_data; 5263 5203 5264 5204 hci_dev_lock(hdev); 5265 5205 ··· 5295 5215 static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data) 5296 5216 { 5297 5217 struct mgmt_pending_cmd *cmd = data; 5298 - struct adv_monitor *monitor = cmd->user_data; 5218 + struct adv_monitor *mon; 5299 5219 5300 - return hci_add_adv_monitor(hdev, monitor); 5220 + mutex_lock(&hdev->mgmt_pending_lock); 5221 + 5222 + if (!__mgmt_pending_listed(hdev, cmd)) { 5223 + mutex_unlock(&hdev->mgmt_pending_lock); 5224 + return -ECANCELED; 5225 + } 5226 + 5227 + mon = cmd->user_data; 5228 + 5229 + mutex_unlock(&hdev->mgmt_pending_lock); 5230 + 5231 + return hci_add_adv_monitor(hdev, mon); 5301 5232 } 5302 5233 5303 5234 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, ··· 5575 5484 status); 5576 5485 } 5577 5486 5578 - static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err) 5487 + static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, 5488 + int err) 5579 5489 { 5580 5490 struct mgmt_rp_read_local_oob_data mgmt_rp; 5581 5491 size_t rp_size = sizeof(mgmt_rp); ··· 5596 5504 bt_dev_dbg(hdev, "status %d", status); 5597 5505 5598 5506 if (status) { 5599 - mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status); 5507 + mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 5508 + status); 5600 5509 goto remove; 5601 5510 } 5602 5511 ··· 5879 5786 5880 5787 bt_dev_dbg(hdev, "err %d", err); 5881 5788 5882 - if (err == -ECANCELED) 5883 - return; 5884 - 5885 - if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && 5886 - cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && 5887 - cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) 5789 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 5888 5790 return; 5889 5791 5890 5792 mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), 5891 5793 cmd->param, 1); 5892 - mgmt_pending_remove(cmd); 5794 + mgmt_pending_free(cmd); 5893 5795 5894 5796 hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED: 5895 5797 DISCOVERY_FINDING); ··· 5892 5804 5893 5805 static int start_discovery_sync(struct hci_dev *hdev, void *data) 5894 5806 { 5807 + if (!mgmt_pending_listed(hdev, data)) 5808 + return -ECANCELED; 5809 + 5895 5810 return hci_start_discovery_sync(hdev); 5896 5811 } 5897 5812 ··· 6100 6009 { 6101 6010 struct mgmt_pending_cmd *cmd = data; 6102 6011 6103 - if (err == -ECANCELED || 6104 - cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) 6012 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 6105 6013 return; 6106 6014 6107 6015 bt_dev_dbg(hdev, "err %d", err); 6108 6016 6109 6017 mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), 6110 6018 cmd->param, 1); 6111 - mgmt_pending_remove(cmd); 6019 + mgmt_pending_free(cmd); 6112 6020 6113 6021 if (!err) 6114 6022 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); ··· 6115 6025 6116 6026 static int stop_discovery_sync(struct hci_dev *hdev, void *data) 6117 6027 { 6028 + if (!mgmt_pending_listed(hdev, data)) 6029 + return -ECANCELED; 6030 + 6118 6031 return hci_stop_discovery_sync(hdev); 6119 6032 } 6120 6033 ··· 6327 6234 6328 6235 static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) 6329 6236 { 6237 + struct mgmt_pending_cmd *cmd = data; 6330 6238 struct cmd_lookup match = { NULL, hdev }; 6331 6239 u8 instance; 6332 6240 struct adv_info *adv_instance; 6333 6241 u8 status = mgmt_status(err); 6334 6242 6243 + if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) 6244 + return; 6245 + 6335 6246 if (status) { 6336 - mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, 6337 - cmd_status_rsp, &status); 6247 + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); 6248 + mgmt_pending_free(cmd); 6338 6249 return; 6339 6250 } 6340 6251 ··· 6347 6250 else 6348 6251 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 6349 6252 6350 - mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp, 6351 - &match); 6253 + settings_rsp(cmd, &match); 6352 6254 6353 6255 new_settings(hdev, match.sk); 6354 6256 ··· 6379 6283 static int set_adv_sync(struct hci_dev *hdev, void *data) 6380 6284 { 6381 6285 struct mgmt_pending_cmd *cmd = data; 6382 - struct mgmt_mode *cp = cmd->param; 6383 - u8 val = !!cp->val; 6286 + struct mgmt_mode cp; 6287 + u8 val; 6384 6288 6385 - if (cp->val == 0x02) 6289 + mutex_lock(&hdev->mgmt_pending_lock); 6290 + 6291 + if (!__mgmt_pending_listed(hdev, cmd)) { 6292 + mutex_unlock(&hdev->mgmt_pending_lock); 6293 + return -ECANCELED; 6294 + } 6295 + 6296 + memcpy(&cp, cmd->param, sizeof(cp)); 6297 + 6298 + mutex_unlock(&hdev->mgmt_pending_lock); 6299 + 6300 + val = !!cp.val; 6301 + 6302 + if (cp.val == 0x02) 6386 6303 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE); 6387 6304 else 6388 6305 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE); ··· 8148 8039 u8 status = mgmt_status(err); 8149 8040 u16 eir_len; 8150 8041 8151 - if (err == -ECANCELED || 8152 - cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) 8153 - return; 8154 - 8155 8042 if (!status) { 8156 8043 if (!skb) 8157 8044 status = MGMT_STATUS_FAILED; ··· 8254 8149 kfree_skb(skb); 8255 8150 8256 8151 kfree(mgmt_rp); 8257 - mgmt_pending_remove(cmd); 8152 + mgmt_pending_free(cmd); 8258 8153 } 8259 8154 8260 8155 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, ··· 8263 8158 struct mgmt_pending_cmd *cmd; 8264 8159 int err; 8265 8160 8266 - cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, 8161 + cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, 8267 8162 cp, sizeof(*cp)); 8268 8163 if (!cmd) 8269 8164 return -ENOMEM;
+46
net/bluetooth/mgmt_util.c
··· 320 320 mgmt_pending_free(cmd); 321 321 } 322 322 323 + bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) 324 + { 325 + struct mgmt_pending_cmd *tmp; 326 + 327 + lockdep_assert_held(&hdev->mgmt_pending_lock); 328 + 329 + if (!cmd) 330 + return false; 331 + 332 + list_for_each_entry(tmp, &hdev->mgmt_pending, list) { 333 + if (cmd == tmp) 334 + return true; 335 + } 336 + 337 + return false; 338 + } 339 + 340 + bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) 341 + { 342 + bool listed; 343 + 344 + mutex_lock(&hdev->mgmt_pending_lock); 345 + listed = __mgmt_pending_listed(hdev, cmd); 346 + mutex_unlock(&hdev->mgmt_pending_lock); 347 + 348 + return listed; 349 + } 350 + 351 + bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) 352 + { 353 + bool listed; 354 + 355 + if (!cmd) 356 + return false; 357 + 358 + mutex_lock(&hdev->mgmt_pending_lock); 359 + 360 + listed = __mgmt_pending_listed(hdev, cmd); 361 + if (listed) 362 + list_del(&cmd->list); 363 + 364 + mutex_unlock(&hdev->mgmt_pending_lock); 365 + 366 + return listed; 367 + } 368 + 323 369 void mgmt_mesh_foreach(struct hci_dev *hdev, 324 370 void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), 325 371 void *data, struct sock *sk)
+3
net/bluetooth/mgmt_util.h
··· 65 65 void *data, u16 len); 66 66 void mgmt_pending_free(struct mgmt_pending_cmd *cmd); 67 67 void mgmt_pending_remove(struct mgmt_pending_cmd *cmd); 68 + bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); 69 + bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); 70 + bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); 68 71 void mgmt_mesh_foreach(struct hci_dev *hdev, 69 72 void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), 70 73 void *data, struct sock *sk);
+1 -1
net/core/skbuff.c
··· 6667 6667 return NULL; 6668 6668 6669 6669 while (data_len) { 6670 - if (nr_frags == MAX_SKB_FRAGS - 1) 6670 + if (nr_frags == MAX_SKB_FRAGS) 6671 6671 goto failure; 6672 6672 while (order && PAGE_ALIGN(data_len) < (PAGE_SIZE << order)) 6673 6673 order--;
+7
net/ipv4/nexthop.c
··· 2399 2399 return -EINVAL; 2400 2400 } 2401 2401 2402 + if (!list_empty(&old->grp_list) && 2403 + rtnl_dereference(new->nh_info)->fdb_nh != 2404 + rtnl_dereference(old->nh_info)->fdb_nh) { 2405 + NL_SET_ERR_MSG(extack, "Cannot change nexthop FDB status while in a group"); 2406 + return -EINVAL; 2407 + } 2408 + 2402 2409 err = call_nexthop_notifiers(net, NEXTHOP_EVENT_REPLACE, new, extack); 2403 2410 if (err) 2404 2411 return err;
+9 -5
net/smc/smc_loopback.c
··· 56 56 { 57 57 struct smc_lo_dmb_node *dmb_node, *tmp_node; 58 58 struct smc_lo_dev *ldev = smcd->priv; 59 + struct folio *folio; 59 60 int sba_idx, rc; 60 61 61 62 /* check space for new dmb */ ··· 75 74 76 75 dmb_node->sba_idx = sba_idx; 77 76 dmb_node->len = dmb->dmb_len; 78 - dmb_node->cpu_addr = kzalloc(dmb_node->len, GFP_KERNEL | 79 - __GFP_NOWARN | __GFP_NORETRY | 80 - __GFP_NOMEMALLOC); 81 - if (!dmb_node->cpu_addr) { 77 + 78 + /* not critical; fail under memory pressure and fallback to TCP */ 79 + folio = folio_alloc(GFP_KERNEL | __GFP_NOWARN | __GFP_NOMEMALLOC | 80 + __GFP_NORETRY | __GFP_ZERO, 81 + get_order(dmb_node->len)); 82 + if (!folio) { 82 83 rc = -ENOMEM; 83 84 goto err_node; 84 85 } 86 + dmb_node->cpu_addr = folio_address(folio); 85 87 dmb_node->dma_addr = SMC_DMA_ADDR_INVALID; 86 88 refcount_set(&dmb_node->refcnt, 1); 87 89 ··· 126 122 write_unlock_bh(&ldev->dmb_ht_lock); 127 123 128 124 clear_bit(dmb_node->sba_idx, ldev->sba_idx_mask); 129 - kvfree(dmb_node->cpu_addr); 125 + folio_put(virt_to_folio(dmb_node->cpu_addr)); 130 126 kfree(dmb_node); 131 127 132 128 if (atomic_dec_and_test(&ldev->dmb_cnt))
+1 -1
net/xfrm/xfrm_device.c
··· 438 438 439 439 check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET && 440 440 x->props.mode == XFRM_MODE_TUNNEL; 441 - switch (x->props.family) { 441 + switch (x->inner_mode.family) { 442 442 case AF_INET: 443 443 /* Check for IPv4 options */ 444 444 if (ip_hdr(skb)->ihl != 5)
+3
net/xfrm/xfrm_state.c
··· 2583 2583 2584 2584 for (h = 0; h < range; h++) { 2585 2585 u32 spi = (low == high) ? low : get_random_u32_inclusive(low, high); 2586 + if (spi == 0) 2587 + goto next; 2586 2588 newspi = htonl(spi); 2587 2589 2588 2590 spin_lock_bh(&net->xfrm.xfrm_state_lock); ··· 2600 2598 xfrm_state_put(x0); 2601 2599 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 2602 2600 2601 + next: 2603 2602 if (signal_pending(current)) { 2604 2603 err = -ERESTARTSYS; 2605 2604 goto unlock;
+46 -6
tools/testing/selftests/net/fib_nexthops.sh
··· 467 467 log_test $? 0 "Get Fdb nexthop group by id" 468 468 469 469 # fdb nexthop group can only contain fdb nexthops 470 - run_cmd "$IP nexthop add id 63 via 2001:db8:91::4" 471 - run_cmd "$IP nexthop add id 64 via 2001:db8:91::5" 470 + run_cmd "$IP nexthop add id 63 via 2001:db8:91::4 dev veth1" 471 + run_cmd "$IP nexthop add id 64 via 2001:db8:91::5 dev veth1" 472 472 run_cmd "$IP nexthop add id 103 group 63/64 fdb" 473 473 log_test $? 2 "Fdb Nexthop group with non-fdb nexthops" 474 474 ··· 493 493 # fdb nexthop with encap 494 494 run_cmd "$IP nexthop add id 69 encap mpls 101 via 2001:db8:91::8 dev veth1 fdb" 495 495 log_test $? 2 "Fdb Nexthop with encap" 496 + 497 + # Replace FDB nexthop to non-FDB and vice versa 498 + run_cmd "$IP nexthop add id 70 via 2001:db8:91::2 fdb" 499 + run_cmd "$IP nexthop replace id 70 via 2001:db8:91::2 dev veth1" 500 + log_test $? 0 "Replace FDB nexthop to non-FDB nexthop" 501 + run_cmd "$IP nexthop replace id 70 via 2001:db8:91::2 fdb" 502 + log_test $? 0 "Replace non-FDB nexthop to FDB nexthop" 503 + 504 + # Replace FDB nexthop address while in a group 505 + run_cmd "$IP nexthop add id 71 group 70 fdb" 506 + run_cmd "$IP nexthop replace id 70 via 2001:db8:91::3 fdb" 507 + log_test $? 0 "Replace FDB nexthop address while in a group" 508 + 509 + # Cannot replace FDB nexthop to non-FDB and vice versa while in a group 510 + run_cmd "$IP nexthop replace id 70 via 2001:db8:91::2 dev veth1" 511 + log_test $? 2 "Replace FDB nexthop to non-FDB nexthop while in a group" 512 + run_cmd "$IP nexthop add id 72 via 2001:db8:91::2 dev veth1" 513 + run_cmd "$IP nexthop add id 73 group 72" 514 + run_cmd "$IP nexthop replace id 72 via 2001:db8:91::2 fdb" 515 + log_test $? 2 "Replace non-FDB nexthop to FDB nexthop while in a group" 496 516 497 517 run_cmd "$IP link add name vx10 type vxlan id 1010 local 2001:db8:91::9 remote 2001:db8:91::10 dstport 4789 nolearning noudpcsum tos inherit ttl 100" 498 518 run_cmd "$BRIDGE fdb add 02:02:00:00:00:13 dev vx10 nhid 102 self" ··· 567 547 log_test $? 0 "Get Fdb nexthop group by id" 568 548 569 549 # fdb nexthop group can only contain fdb nexthops 570 - run_cmd "$IP nexthop add id 14 via 172.16.1.2" 571 - run_cmd "$IP nexthop add id 15 via 172.16.1.3" 550 + run_cmd "$IP nexthop add id 14 via 172.16.1.2 dev veth1" 551 + run_cmd "$IP nexthop add id 15 via 172.16.1.3 dev veth1" 572 552 run_cmd "$IP nexthop add id 103 group 14/15 fdb" 573 553 log_test $? 2 "Fdb Nexthop group with non-fdb nexthops" 574 554 575 555 # Non fdb nexthop group can not contain fdb nexthops 576 556 run_cmd "$IP nexthop add id 16 via 172.16.1.2 fdb" 577 557 run_cmd "$IP nexthop add id 17 via 172.16.1.3 fdb" 578 - run_cmd "$IP nexthop add id 104 group 14/15" 558 + run_cmd "$IP nexthop add id 104 group 16/17" 579 559 log_test $? 2 "Non-Fdb Nexthop group with fdb nexthops" 580 560 581 561 # fdb nexthop cannot have blackhole ··· 594 574 run_cmd "$IP nexthop add id 17 encap mpls 101 via 172.16.1.2 dev veth1 fdb" 595 575 log_test $? 2 "Fdb Nexthop with encap" 596 576 577 + # Replace FDB nexthop to non-FDB and vice versa 578 + run_cmd "$IP nexthop add id 18 via 172.16.1.2 fdb" 579 + run_cmd "$IP nexthop replace id 18 via 172.16.1.2 dev veth1" 580 + log_test $? 0 "Replace FDB nexthop to non-FDB nexthop" 581 + run_cmd "$IP nexthop replace id 18 via 172.16.1.2 fdb" 582 + log_test $? 0 "Replace non-FDB nexthop to FDB nexthop" 583 + 584 + # Replace FDB nexthop address while in a group 585 + run_cmd "$IP nexthop add id 19 group 18 fdb" 586 + run_cmd "$IP nexthop replace id 18 via 172.16.1.3 fdb" 587 + log_test $? 0 "Replace FDB nexthop address while in a group" 588 + 589 + # Cannot replace FDB nexthop to non-FDB and vice versa while in a group 590 + run_cmd "$IP nexthop replace id 18 via 172.16.1.2 dev veth1" 591 + log_test $? 2 "Replace FDB nexthop to non-FDB nexthop while in a group" 592 + run_cmd "$IP nexthop add id 20 via 172.16.1.2 dev veth1" 593 + run_cmd "$IP nexthop add id 21 group 20" 594 + run_cmd "$IP nexthop replace id 20 via 172.16.1.2 fdb" 595 + log_test $? 2 "Replace non-FDB nexthop to FDB nexthop while in a group" 596 + 597 597 run_cmd "$IP link add name vx10 type vxlan id 1010 local 10.0.0.1 remote 10.0.0.2 dstport 4789 nolearning noudpcsum tos inherit ttl 100" 598 598 run_cmd "$BRIDGE fdb add 02:02:00:00:00:13 dev vx10 nhid 102 self" 599 599 log_test $? 0 "Fdb mac add with nexthop group" ··· 622 582 run_cmd "$BRIDGE fdb add 02:02:00:00:00:14 dev vx10 nhid 12 self" 623 583 log_test $? 255 "Fdb mac add with nexthop" 624 584 625 - run_cmd "$IP ro add 172.16.0.0/22 nhid 15" 585 + run_cmd "$IP ro add 172.16.0.0/22 nhid 16" 626 586 log_test $? 2 "Route add with fdb nexthop" 627 587 628 588 run_cmd "$IP ro add 172.16.0.0/22 nhid 103"