linux-dev/drivers/isdn, branch master Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/drivers/isdn?h=master 2022-11-02T12:34:48Z isdn: mISDN: netjet: fix wrong check of device registration 2022-11-02T12:34:48Z Yang Yingliang yangyingliang@huawei.com 2022-10-31T12:13:41Z urn:sha1:bf00f5426074249058a106a6edbb89e4b25a4d79 The class is set in mISDN_register_device(), but if device_add() returns error, it will lead to delete a device without added, fix this by using device_is_registered() to check if the device is registered. Fixes: a900845e5661 ("mISDN: Add support for Traverse Technologies NETJet PCI cards") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> mISDN: fix possible memory leak in mISDN_register_device() 2022-11-02T12:34:48Z Yang Yingliang yangyingliang@huawei.com 2022-10-31T12:13:40Z urn:sha1:e7d1d4d9ac0dfa40be4c2c8abd0731659869b297 Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, add put_device() to give up the reference, so that the name can be freed in kobject_cleanup() when the refcount is 0. Set device class before put_device() to avoid null release() function WARN message in device_release(). Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq 2022-10-09T18:11:54Z Duoming Zhou duoming@zju.edu.cn 2022-10-09T06:37:31Z urn:sha1:175302f6b79ebbb207c2d58d6d3e679465de23b0 The function hfcpci_softirq() is a timer handler. If it is running, the timer_pending() will return 0 and the del_timer_sync() in HFC_cleanup() will not be executed. As a result, the use-after-free bug will happen. The process is shown below: (cleanup routine) | (timer handler) HFC_cleanup() | hfcpci_softirq() if (timer_pending(&hfc_tl)) | del_timer_sync() | ... | ... pci_unregister_driver(hc) | driver_unregister | driver_for_each_device bus_remove_driver | _hfcpci_softirq driver_detach | ... put_device(dev) //[1]FREE | | dev_get_drvdata(dev) //[2]USE The device is deallocated is position [1] and used in position [2]. Fix by removing the "timer_pending" check in HFC_cleanup(), which makes sure that the hfcpci_softirq() have finished before the resource is deallocated. Fixes: 009fc857c5f6 ("mISDN: fix possible use-after-free in HFC_cleanup()") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net> Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-04T00:44:18Z Jakub Kicinski kuba@kernel.org 2022-10-04T00:44:18Z urn:sha1:e52f7c1ddf3e47243c330923ea764e7ccfbe99f7 Merge in the left-over fixes before the net-next pull-request. Conflicts: drivers/net/ethernet/mediatek/mtk_ppe.c ae3ed15da588 ("net: ethernet: mtk_eth_soc: fix state in __mtk_foe_entry_clear") 9d8cb4c096ab ("net: ethernet: mtk_eth_soc: add foe_entry_size to mtk_eth_soc") https://lore.kernel.org/all/6cb6893b-4921-a068-4c30-1109795110bb@tessares.net/ kernel/bpf/helpers.c 8addbfc7b308 ("bpf: Gate dynptr API behind CAP_BPF") 5679ff2f138f ("bpf: Move bpf_loop and bpf_for_each_map_elem under CAP_BPF") 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types") https://lore.kernel.org/all/20221003201957.13149-1-daniel@iogearbox.net/ Signed-off-by: Jakub Kicinski <kuba@kernel.org> mISDN: fix use-after-free bugs in l1oip timer handlers 2022-09-30T11:32:42Z Duoming Zhou duoming@zju.edu.cn 2022-09-28T13:39:38Z urn:sha1:2568a7e0832ee30b0a351016d03062ab4e0e0a3f The l1oip_cleanup() traverses the l1oip_ilist and calls release_card() to cleanup module and stack. However, release_card() calls del_timer() to delete the timers such as keep_tl and timeout_tl. If the timer handler is running, the del_timer() will not stop it and result in UAF bugs. One of the processes is shown below: (cleanup routine) | (timer handler) release_card() | l1oip_timeout() ... | del_timer() | ... ... | kfree(hc) //FREE | | hc->timeout_on = 0 //USE Fix by calling del_timer_sync() in release_card(), which makes sure the timer handlers have finished before the resources, such as l1oip and so on, have been deallocated. What's more, the hc->workq and hc->socket_thread can kick those timers right back in. We add a bool flag to show if card is released. Then, check this flag in hc->workq and hc->socket_thread. Fixes: 3712b42d4b1b ("Add layer1 over IP support") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net> isdn: move from strlcpy with unused retval to strscpy 2022-08-23T00:54:03Z Wolfram Sang wsa+renesas@sang-engineering.com 2022-08-18T21:00:23Z urn:sha1:cdb27b7b2d8fe9f066e30f560b7e88defc456d78 Follow the advice of the below link and prefer 'strscpy' in this subsystem. Conversion is 1:1 because the return value is not used. Generated by a coccinelle script. Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Link: https://lore.kernel.org/r/20220818210023.6889-1-wsa+renesas@sang-engineering.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> isdn: mISDN: hfcsusb: drop unexpected word "the" in the comments 2022-06-23T01:20:46Z Jiang Jian jiangjian@cdjrlc.com 2022-06-21T11:45:29Z urn:sha1:d4667f96f485af809f3f9383d9eadb2650355522 there is an unexpected word "the" in the comments that need to be dropped file: ./drivers/isdn/hardware/mISDN/hfcsusb.c line: 1560 /* set USB_SIZE_I to match the the wMaxPacketSize for ISO transfers */ changed to /* set USB_SIZE_I to match the wMaxPacketSize for ISO transfers */ Signed-off-by: Jiang Jian <jiangjian@cdjrlc.com> Link: https://lore.kernel.org/r/20220621114529.108079-1-jiangjian@cdjrlc.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> net: remove noblock parameter from skb_recv_datagram() 2022-04-06T12:45:26Z Oliver Hartkopp socketcan@hartkopp.net 2022-04-04T16:30:22Z urn:sha1:f4b41f062c424209e3939a81e6da022e049a45f2 skb_recv_datagram() has two parameters 'flags' and 'noblock' that are merged inside skb_recv_datagram() by 'flags | (noblock ? MSG_DONTWAIT : 0)' As 'flags' may contain MSG_DONTWAIT as value most callers split the 'flags' into 'flags' and 'noblock' with finally obsolete bit operations like this: skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, flags & MSG_DONTWAIT, &rc); And this is not even done consistently with the 'flags' parameter. This patch removes the obsolete and costly splitting into two parameters and only performs bit operations when really needed on the caller side. One missing conversion thankfully reported by kernel test robot. I missed to enable kunit tests to build the mctp code. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net> mISDN: fix typo "frame to short" -> "frame too short" 2022-03-21T13:26:38Z Tong Zhang ztong0001@gmail.com 2022-03-21T07:18:18Z urn:sha1:dc97870682e19fb5260281e9b7636e796869075e "frame to short" -> "frame too short" Signed-off-by: Tong Zhang <ztong0001@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-07T11:27:12Z Jia-Ju Bai baijiaju1990@gmail.com 2022-03-05T08:58:16Z urn:sha1:d0aeb0d4a3f7d2a0df7e9545892bbeede8f2ac7e The function dma_set_mask() in setup_hw() can fail, so its return value should be checked. Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver") Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>