1. 18 Jan, 2023 14 commits
    • Randy Dunlap's avatar
      net: mlx5: eliminate anonymous module_init & module_exit · 2c1e1b94
      Randy Dunlap authored
      Eliminate anonymous module_init() and module_exit(), which can lead to
      confusion or ambiguity when reading System.map, crashes/oops/bugs,
      or an initcall_debug log.
      
      Give each of these init and exit functions unique driver-specific
      names to eliminate the anonymous names.
      
      Example 1: (System.map)
       ffffffff832fc78c t init
       ffffffff832fc79e t init
       ffffffff832fc8f8 t init
      
      Example 2: (initcall_debug log)
       calling  init+0x0/0x12 @ 1
       initcall init+0x0/0x12 returned 0 after 15 usecs
       calling  init+0x0/0x60 @ 1
       initcall init+0x0/0x60 returned 0 after 2 usecs
       calling  init+0x0/0x9a @ 1
       initcall init+0x0/0x9a returned 0 after 74 usecs
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Eli Cohen <eli@mellanox.com>
      Cc: Saeed Mahameed <saeedm@nvidia.com>
      Cc: Leon Romanovsky <leon@kernel.org>
      Cc: linux-rdma@vger.kernel.org
      Reviewed-by: default avatarIra Weiny <ira.weiny@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      2c1e1b94
    • Chris Mi's avatar
      net/mlx5: E-switch, Fix switchdev mode after devlink reload · 7c83d1f4
      Chris Mi authored
      The cited commit removes eswitch mode none. So after devlink reload
      in switchdev mode, eswitch mode is not changed. But actually eswitch
      is disabled during devlink reload.
      
      Fix it by setting eswitch mode to legacy when disabling eswitch
      which is called by reload_down.
      
      Fixes: f019679e ("net/mlx5: E-switch, Remove dependency between sriov and eswitch mode")
      Signed-off-by: default avatarChris Mi <cmi@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      7c83d1f4
    • Leon Romanovsky's avatar
      net/mlx5e: Protect global IPsec ASO · e4d38c45
      Leon Romanovsky authored
      ASO operations are global to whole IPsec as they share one DMA address
      for all operations. As such all WQE operations need to be protected with
      lock. In this case, it must be spinlock to allow mlx5e_ipsec_aso_query()
      operate in atomic context.
      
      Fixes: 1ed78fc0 ("net/mlx5e: Update IPsec soft and hard limits")
      Reviewed-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      e4d38c45
    • Leon Romanovsky's avatar
      net/mlx5e: Remove optimization which prevented update of ESN state · 16bccbaa
      Leon Romanovsky authored
      aso->use_cache variable introduced in commit 8c582ddf ("net/mlx5e: Handle
      hardware IPsec limits events") was an optimization to skip recurrent calls
      to mlx5e_ipsec_aso_query(). Such calls are possible when lifetime event is
      generated:
       -> mlx5e_ipsec_handle_event()
        -> mlx5e_ipsec_aso_query() - first call
        -> xfrm_state_check_expire()
         -> mlx5e_xfrm_update_curlft()
          -> mlx5e_ipsec_aso_query() - second call
      
      However, such optimization not really effective as mlx5e_ipsec_aso_query()
      is needed to be called for update ESN anyway, which was missed due to misplaced
      use_cache assignment.
      
      Fixes: cee137a6 ("net/mlx5e: Handle ESN update events")
      Reviewed-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      16bccbaa
    • Chris Mi's avatar
      net/mlx5e: Set decap action based on attr for sample · ffa99b53
      Chris Mi authored
      Currently decap action is set based on tunnel_id. That means it is
      set unconditionally. But for decap, ct and sample actions, decap is
      done before ct. No need to decap again in sample.
      
      And the actions are set correctly when parsing. So set decap action
      based on attr instead of tunnel_id.
      
      Fixes: 2741f223 ("net/mlx5e: TC, Support sample offload action for tunneled traffic")
      Signed-off-by: default avatarChris Mi <cmi@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ffa99b53
    • Maor Dickman's avatar
      net/mlx5e: QoS, Fix wrongfully setting parent_element_id on MODIFY_SCHEDULING_ELEMENT · 4ddf77f9
      Maor Dickman authored
      According to HW spec parent_element_id field should be reserved (0x0) when calling
      MODIFY_SCHEDULING_ELEMENT command.
      
      This patch remove the wrong initialization of reserved field, parent_element_id, on
      mlx5_qos_update_node.
      
      Fixes: 214baf22 ("net/mlx5e: Support HTB offload")
      Signed-off-by: default avatarMaor Dickman <maord@nvidia.com>
      Reviewed-by: default avatarEli Cohen <elic@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      4ddf77f9
    • Maor Dickman's avatar
      net/mlx5: E-switch, Fix setting of reserved fields on MODIFY_SCHEDULING_ELEMENT · f51471d1
      Maor Dickman authored
      According to HW spec element_type, element_attributes and parent_element_id fields
      should be reserved (0x0) when calling MODIFY_SCHEDULING_ELEMENT command.
      
      This patch remove initialization of these fields when calling the command.
      
      Fixes: bd77bf1c ("net/mlx5: Add SRIOV VF max rate configuration support")
      Signed-off-by: default avatarMaor Dickman <maord@nvidia.com>
      Reviewed-by: default avatarEli Cohen <elic@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      f51471d1
    • Adham Faris's avatar
      net/mlx5e: Remove redundant xsk pointer check in mlx5e_mpwrq_validate_xsk · 6624bfee
      Adham Faris authored
      This validation function is relevant only for XSK cases, hence it
      assumes to be called only with xsk != NULL.
      Thus checking for invalid xsk pointer is redundant and misleads static
      code analyzers.
      This commit removes redundant xsk pointer check.
      
      This solves the following smatch warning:
      drivers/net/ethernet/mellanox/mlx5/core/en/params.c:481
      mlx5e_mpwrq_validate_xsk() error: we previously assumed 'xsk' could be
      null (see line 478)
      
      Fixes: 6470d2e7 ("net/mlx5e: xsk: Use KSM for unaligned XSK")
      Signed-off-by: default avatarAdham Faris <afaris@nvidia.com>
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Reported-by: default avatarDan Carpenter <error27@gmail.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      6624bfee
    • Vlad Buslov's avatar
      net/mlx5e: Avoid false lock dependency warning on tc_ht even more · 5aa56105
      Vlad Buslov authored
      The cited commit changed class of tc_ht internal mutex in order to avoid
      false lock dependency with fs_core node and flow_table hash table
      structures. However, hash table implementation internally also includes a
      workqueue task with its own lockdep map which causes similar bogus lockdep
      splat[0]. Fix it by also adding dedicated class for hash table workqueue
      work structure of tc_ht.
      
      [0]:
      
      [ 1139.672465] ======================================================
      [ 1139.673552] WARNING: possible circular locking dependency detected
      [ 1139.674635] 6.1.0_for_upstream_debug_2022_12_12_17_02 #1 Not tainted
      [ 1139.675734] ------------------------------------------------------
      [ 1139.676801] modprobe/5998 is trying to acquire lock:
      [ 1139.677726] ffff88811e7b93b8 (&node->lock){++++}-{3:3}, at: down_write_ref_node+0x7c/0xe0 [mlx5_core]
      [ 1139.679662]
                     but task is already holding lock:
      [ 1139.680703] ffff88813c1f96a0 (&tc_ht_lock_key){+.+.}-{3:3}, at: rhashtable_free_and_destroy+0x38/0x6f0
      [ 1139.682223]
                     which lock already depends on the new lock.
      
      [ 1139.683640]
                     the existing dependency chain (in reverse order) is:
      [ 1139.684887]
                     -> #2 (&tc_ht_lock_key){+.+.}-{3:3}:
      [ 1139.685975]        __mutex_lock+0x12c/0x14b0
      [ 1139.686659]        rht_deferred_worker+0x35/0x1540
      [ 1139.687405]        process_one_work+0x7c2/0x1310
      [ 1139.688134]        worker_thread+0x59d/0xec0
      [ 1139.688820]        kthread+0x28f/0x330
      [ 1139.689444]        ret_from_fork+0x1f/0x30
      [ 1139.690106]
                     -> #1 ((work_completion)(&ht->run_work)){+.+.}-{0:0}:
      [ 1139.691250]        __flush_work+0xe8/0x900
      [ 1139.691915]        __cancel_work_timer+0x2ca/0x3f0
      [ 1139.692655]        rhashtable_free_and_destroy+0x22/0x6f0
      [ 1139.693472]        del_sw_flow_table+0x22/0xb0 [mlx5_core]
      [ 1139.694592]        tree_put_node+0x24c/0x450 [mlx5_core]
      [ 1139.695686]        tree_remove_node+0x6e/0x100 [mlx5_core]
      [ 1139.696803]        mlx5_destroy_flow_table+0x187/0x690 [mlx5_core]
      [ 1139.698017]        mlx5e_tc_nic_cleanup+0x2f8/0x400 [mlx5_core]
      [ 1139.699217]        mlx5e_cleanup_nic_rx+0x2b/0x210 [mlx5_core]
      [ 1139.700397]        mlx5e_detach_netdev+0x19d/0x2b0 [mlx5_core]
      [ 1139.701571]        mlx5e_suspend+0xdb/0x140 [mlx5_core]
      [ 1139.702665]        mlx5e_remove+0x89/0x190 [mlx5_core]
      [ 1139.703756]        auxiliary_bus_remove+0x52/0x70
      [ 1139.704492]        device_release_driver_internal+0x3c1/0x600
      [ 1139.705360]        bus_remove_device+0x2a5/0x560
      [ 1139.706080]        device_del+0x492/0xb80
      [ 1139.706724]        mlx5_rescan_drivers_locked+0x194/0x6a0 [mlx5_core]
      [ 1139.707961]        mlx5_unregister_device+0x7a/0xa0 [mlx5_core]
      [ 1139.709138]        mlx5_uninit_one+0x5f/0x160 [mlx5_core]
      [ 1139.710252]        remove_one+0xd1/0x160 [mlx5_core]
      [ 1139.711297]        pci_device_remove+0x96/0x1c0
      [ 1139.722721]        device_release_driver_internal+0x3c1/0x600
      [ 1139.723590]        unbind_store+0x1b1/0x200
      [ 1139.724259]        kernfs_fop_write_iter+0x348/0x520
      [ 1139.725019]        vfs_write+0x7b2/0xbf0
      [ 1139.725658]        ksys_write+0xf3/0x1d0
      [ 1139.726292]        do_syscall_64+0x3d/0x90
      [ 1139.726942]        entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [ 1139.727769]
                     -> #0 (&node->lock){++++}-{3:3}:
      [ 1139.728698]        __lock_acquire+0x2cf5/0x62f0
      [ 1139.729415]        lock_acquire+0x1c1/0x540
      [ 1139.730076]        down_write+0x8e/0x1f0
      [ 1139.730709]        down_write_ref_node+0x7c/0xe0 [mlx5_core]
      [ 1139.731841]        mlx5_del_flow_rules+0x6f/0x610 [mlx5_core]
      [ 1139.732982]        __mlx5_eswitch_del_rule+0xdd/0x560 [mlx5_core]
      [ 1139.734207]        mlx5_eswitch_del_offloaded_rule+0x14/0x20 [mlx5_core]
      [ 1139.735491]        mlx5e_tc_rule_unoffload+0x104/0x2b0 [mlx5_core]
      [ 1139.736716]        mlx5e_tc_unoffload_fdb_rules+0x10c/0x1f0 [mlx5_core]
      [ 1139.738007]        mlx5e_tc_del_fdb_flow+0xc3c/0xfa0 [mlx5_core]
      [ 1139.739213]        mlx5e_tc_del_flow+0x146/0xa20 [mlx5_core]
      [ 1139.740377]        _mlx5e_tc_del_flow+0x38/0x60 [mlx5_core]
      [ 1139.741534]        rhashtable_free_and_destroy+0x3be/0x6f0
      [ 1139.742351]        mlx5e_tc_ht_cleanup+0x1b/0x30 [mlx5_core]
      [ 1139.743512]        mlx5e_cleanup_rep_tx+0x4a/0xe0 [mlx5_core]
      [ 1139.744683]        mlx5e_detach_netdev+0x1ca/0x2b0 [mlx5_core]
      [ 1139.745860]        mlx5e_netdev_change_profile+0xd9/0x1c0 [mlx5_core]
      [ 1139.747098]        mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]
      [ 1139.748372]        mlx5e_vport_rep_unload+0x16a/0x1b0 [mlx5_core]
      [ 1139.749590]        __esw_offloads_unload_rep+0xb1/0xd0 [mlx5_core]
      [ 1139.750813]        mlx5_eswitch_unregister_vport_reps+0x409/0x5f0 [mlx5_core]
      [ 1139.752147]        mlx5e_rep_remove+0x62/0x80 [mlx5_core]
      [ 1139.753293]        auxiliary_bus_remove+0x52/0x70
      [ 1139.754028]        device_release_driver_internal+0x3c1/0x600
      [ 1139.754885]        driver_detach+0xc1/0x180
      [ 1139.755553]        bus_remove_driver+0xef/0x2e0
      [ 1139.756260]        auxiliary_driver_unregister+0x16/0x50
      [ 1139.757059]        mlx5e_rep_cleanup+0x19/0x30 [mlx5_core]
      [ 1139.758207]        mlx5e_cleanup+0x12/0x30 [mlx5_core]
      [ 1139.759295]        mlx5_cleanup+0xc/0x49 [mlx5_core]
      [ 1139.760384]        __x64_sys_delete_module+0x2b5/0x450
      [ 1139.761166]        do_syscall_64+0x3d/0x90
      [ 1139.761827]        entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [ 1139.762663]
                     other info that might help us debug this:
      
      [ 1139.763925] Chain exists of:
                       &node->lock --> (work_completion)(&ht->run_work) --> &tc_ht_lock_key
      
      [ 1139.765743]  Possible unsafe locking scenario:
      
      [ 1139.766688]        CPU0                    CPU1
      [ 1139.767399]        ----                    ----
      [ 1139.768111]   lock(&tc_ht_lock_key);
      [ 1139.768704]                                lock((work_completion)(&ht->run_work));
      [ 1139.769869]                                lock(&tc_ht_lock_key);
      [ 1139.770770]   lock(&node->lock);
      [ 1139.771326]
                      *** DEADLOCK ***
      
      [ 1139.772345] 2 locks held by modprobe/5998:
      [ 1139.772994]  #0: ffff88813c1ff0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0x8d/0x600
      [ 1139.774399]  #1: ffff88813c1f96a0 (&tc_ht_lock_key){+.+.}-{3:3}, at: rhashtable_free_and_destroy+0x38/0x6f0
      [ 1139.775822]
                     stack backtrace:
      [ 1139.776579] CPU: 3 PID: 5998 Comm: modprobe Not tainted 6.1.0_for_upstream_debug_2022_12_12_17_02 #1
      [ 1139.777935] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [ 1139.779529] Call Trace:
      [ 1139.779992]  <TASK>
      [ 1139.780409]  dump_stack_lvl+0x57/0x7d
      [ 1139.781015]  check_noncircular+0x278/0x300
      [ 1139.781687]  ? print_circular_bug+0x460/0x460
      [ 1139.782381]  ? rcu_read_lock_sched_held+0x3f/0x70
      [ 1139.783121]  ? lock_release+0x487/0x7c0
      [ 1139.783759]  ? orc_find.part.0+0x1f1/0x330
      [ 1139.784423]  ? mark_lock.part.0+0xef/0x2fc0
      [ 1139.785091]  __lock_acquire+0x2cf5/0x62f0
      [ 1139.785754]  ? register_lock_class+0x18e0/0x18e0
      [ 1139.786483]  lock_acquire+0x1c1/0x540
      [ 1139.787093]  ? down_write_ref_node+0x7c/0xe0 [mlx5_core]
      [ 1139.788195]  ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0
      [ 1139.788978]  ? register_lock_class+0x18e0/0x18e0
      [ 1139.789715]  down_write+0x8e/0x1f0
      [ 1139.790292]  ? down_write_ref_node+0x7c/0xe0 [mlx5_core]
      [ 1139.791380]  ? down_write_killable+0x220/0x220
      [ 1139.792080]  ? find_held_lock+0x2d/0x110
      [ 1139.792713]  down_write_ref_node+0x7c/0xe0 [mlx5_core]
      [ 1139.793795]  mlx5_del_flow_rules+0x6f/0x610 [mlx5_core]
      [ 1139.794879]  __mlx5_eswitch_del_rule+0xdd/0x560 [mlx5_core]
      [ 1139.796032]  ? __esw_offloads_unload_rep+0xd0/0xd0 [mlx5_core]
      [ 1139.797227]  ? xa_load+0x11a/0x200
      [ 1139.797800]  ? __xa_clear_mark+0xf0/0xf0
      [ 1139.798438]  mlx5_eswitch_del_offloaded_rule+0x14/0x20 [mlx5_core]
      [ 1139.799660]  mlx5e_tc_rule_unoffload+0x104/0x2b0 [mlx5_core]
      [ 1139.800821]  mlx5e_tc_unoffload_fdb_rules+0x10c/0x1f0 [mlx5_core]
      [ 1139.802049]  ? mlx5_eswitch_get_uplink_priv+0x25/0x80 [mlx5_core]
      [ 1139.803260]  mlx5e_tc_del_fdb_flow+0xc3c/0xfa0 [mlx5_core]
      [ 1139.804398]  ? __cancel_work_timer+0x1c2/0x3f0
      [ 1139.805099]  ? mlx5e_tc_unoffload_from_slow_path+0x460/0x460 [mlx5_core]
      [ 1139.806387]  mlx5e_tc_del_flow+0x146/0xa20 [mlx5_core]
      [ 1139.807481]  _mlx5e_tc_del_flow+0x38/0x60 [mlx5_core]
      [ 1139.808564]  rhashtable_free_and_destroy+0x3be/0x6f0
      [ 1139.809336]  ? mlx5e_tc_del_flow+0xa20/0xa20 [mlx5_core]
      [ 1139.809336]  ? mlx5e_tc_del_flow+0xa20/0xa20 [mlx5_core]
      [ 1139.810455]  mlx5e_tc_ht_cleanup+0x1b/0x30 [mlx5_core]
      [ 1139.811552]  mlx5e_cleanup_rep_tx+0x4a/0xe0 [mlx5_core]
      [ 1139.812655]  mlx5e_detach_netdev+0x1ca/0x2b0 [mlx5_core]
      [ 1139.813768]  mlx5e_netdev_change_profile+0xd9/0x1c0 [mlx5_core]
      [ 1139.814952]  mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]
      [ 1139.816166]  mlx5e_vport_rep_unload+0x16a/0x1b0 [mlx5_core]
      [ 1139.817336]  __esw_offloads_unload_rep+0xb1/0xd0 [mlx5_core]
      [ 1139.818507]  mlx5_eswitch_unregister_vport_reps+0x409/0x5f0 [mlx5_core]
      [ 1139.819788]  ? mlx5_eswitch_uplink_get_proto_dev+0x30/0x30 [mlx5_core]
      [ 1139.821051]  ? kernfs_find_ns+0x137/0x310
      [ 1139.821705]  mlx5e_rep_remove+0x62/0x80 [mlx5_core]
      [ 1139.822778]  auxiliary_bus_remove+0x52/0x70
      [ 1139.823449]  device_release_driver_internal+0x3c1/0x600
      [ 1139.824240]  driver_detach+0xc1/0x180
      [ 1139.824842]  bus_remove_driver+0xef/0x2e0
      [ 1139.825504]  auxiliary_driver_unregister+0x16/0x50
      [ 1139.826245]  mlx5e_rep_cleanup+0x19/0x30 [mlx5_core]
      [ 1139.827322]  mlx5e_cleanup+0x12/0x30 [mlx5_core]
      [ 1139.828345]  mlx5_cleanup+0xc/0x49 [mlx5_core]
      [ 1139.829382]  __x64_sys_delete_module+0x2b5/0x450
      [ 1139.830119]  ? module_flags+0x300/0x300
      [ 1139.830750]  ? task_work_func_match+0x50/0x50
      [ 1139.831440]  ? task_work_cancel+0x20/0x20
      [ 1139.832088]  ? lockdep_hardirqs_on_prepare+0x273/0x3f0
      [ 1139.832873]  ? syscall_enter_from_user_mode+0x1d/0x50
      [ 1139.833661]  ? trace_hardirqs_on+0x2d/0x100
      [ 1139.834328]  do_syscall_64+0x3d/0x90
      [ 1139.834922]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [ 1139.835700] RIP: 0033:0x7f153e71288b
      [ 1139.836302] Code: 73 01 c3 48 8b 0d 9d 75 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d 75 0e 00 f7 d8 64 89 01 48
      [ 1139.838866] RSP: 002b:00007ffe0a3ed938 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [ 1139.840020] RAX: ffffffffffffffda RBX: 0000564c2cbf8220 RCX: 00007f153e71288b
      [ 1139.841043] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000564c2cbf8288
      [ 1139.842072] RBP: 0000564c2cbf8220 R08: 0000000000000000 R09: 0000000000000000
      [ 1139.843094] R10: 00007f153e7a3ac0 R11: 0000000000000206 R12: 0000564c2cbf8288
      [ 1139.844118] R13: 0000000000000000 R14: 0000564c2cbf7ae8 R15: 00007ffe0a3efcb8
      
      Fixes: 9ba33339 ("net/mlx5e: Avoid false lock depenency warning on tc_ht")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarEli Cohen <elic@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      5aa56105
    • Yang Yingliang's avatar
      net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work() · 90e7cb78
      Yang Yingliang authored
      Add missing mutex_unlock() before returning from
      mlx5_fw_fatal_reporter_err_work().
      
      Fixes: 9078e843 ("net/mlx5: Avoid recovery in probe flows")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Reported-by: default avatarDan Carpenter <error27@gmail.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarShay Drory <shayd@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      90e7cb78
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-01-17' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 010a74f5
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix a buffer overflow in mgmt_mesh_add
       - Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2
       - Fix hci_qca shutdown on closed serdev
       - Fix possible circular locking dependencies on ISO code
       - Fix possible deadlock in rfcomm_sk_state_change
      
      * tag 'for-net-2023-01-17' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
        Bluetooth: ISO: Fix possible circular locking dependency
        Bluetooth: hci_event: Fix Invalid wait context
        Bluetooth: ISO: Fix possible circular locking dependency
        Bluetooth: hci_sync: fix memory leak in hci_update_adv_data()
        Bluetooth: hci_qca: Fix driver shutdown on closed serdev
        Bluetooth: hci_conn: Fix memory leaks
        Bluetooth: hci_sync: Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2
        Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
      ====================
      
      Link: https://lore.kernel.org/r/20230118002944.1679845-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      010a74f5
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 423c1d36
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      bpf 2023-01-16
      
      We've added 6 non-merge commits during the last 8 day(s) which contain
      a total of 6 files changed, 22 insertions(+), 24 deletions(-).
      
      The main changes are:
      
      1) Mitigate a Spectre v4 leak in unprivileged BPF from speculative
         pointer-as-scalar type confusion, from Luis Gerhorst.
      
      2) Fix a splat when pid 1 attaches a BPF program that attempts to
         send killing signal to itself, from Hao Sun.
      
      3) Fix BPF program ID information in BPF_AUDIT_UNLOAD as well as
         PERF_BPF_EVENT_PROG_UNLOAD events, from Paul Moore.
      
      4) Fix BPF verifier warning triggered from invalid kfunc call in
         backtrack_insn, also from Hao Sun.
      
      5) Fix potential deadlock in htab_lock_bucket from same bucket index
         but different map_locked index, from Tonghao Zhang.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation
        bpf: hash map, avoid deadlock with suitable hash mask
        bpf: remove the do_idr_lock parameter from bpf_prog_free_id()
        bpf: restore the ebpf program ID for BPF_AUDIT_UNLOAD and PERF_BPF_EVENT_PROG_UNLOAD
        bpf: Skip task with pid=1 in send_signal_common()
        bpf: Skip invalid kfunc call in backtrack_insn
      ====================
      
      Link: https://lore.kernel.org/r/20230116230745.21742-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      423c1d36
    • Shyam Sundar S K's avatar
      MAINTAINERS: Update AMD XGBE driver maintainers · 441717b6
      Shyam Sundar S K authored
      Due to other additional responsibilities Tom would no longer
      be able to support AMD XGBE driver.
      
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarShyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Link: https://lore.kernel.org/r/20230116085015.443127-1-Shyam-sundar.S-k@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      441717b6
    • Caleb Connolly's avatar
      net: ipa: disable ipa interrupt during suspend · 9ec9b2a3
      Caleb Connolly authored
      The IPA interrupt can fire when pm_runtime is disabled due to it racing
      with the PM suspend/resume code. This causes a splat in the interrupt
      handler when it tries to call pm_runtime_get().
      
      Explicitly disable the interrupt in our ->suspend callback, and
      re-enable it in ->resume to avoid this. If there is an interrupt pending
      it will be handled after resuming. The interrupt is a wake_irq, as a
      result even when disabled if it fires it will cause the system to wake
      from suspend as well as cancel any suspend transition that may be in
      progress. If there is an interrupt pending, the ipa_isr_thread handler
      will be called after resuming.
      
      Fixes: 1aac309d ("net: ipa: use autosuspend")
      Signed-off-by: default avatarCaleb Connolly <caleb.connolly@linaro.org>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Link: https://lore.kernel.org/r/20230115175925.465918-1-caleb.connolly@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9ec9b2a3
  2. 17 Jan, 2023 12 commits
    • Ying Hsu's avatar
      Bluetooth: Fix possible deadlock in rfcomm_sk_state_change · 1d80d57f
      Ying Hsu authored
      syzbot reports a possible deadlock in rfcomm_sk_state_change [1].
      While rfcomm_sock_connect acquires the sk lock and waits for
      the rfcomm lock, rfcomm_sock_release could have the rfcomm
      lock and hit a deadlock for acquiring the sk lock.
      Here's a simplified flow:
      
      rfcomm_sock_connect:
        lock_sock(sk)
        rfcomm_dlc_open:
          rfcomm_lock()
      
      rfcomm_sock_release:
        rfcomm_sock_shutdown:
          rfcomm_lock()
          __rfcomm_dlc_close:
              rfcomm_k_state_change:
      	  lock_sock(sk)
      
      This patch drops the sk lock before calling rfcomm_dlc_open to
      avoid the possible deadlock and holds sk's reference count to
      prevent use-after-free after rfcomm_dlc_open completes.
      
      Reported-by: syzbot+d7ce59...@syzkaller.appspotmail.com
      Fixes: 1804fdf6 ("Bluetooth: btintel: Combine setting up MSFT extension")
      Link: https://syzkaller.appspot.com/bug?extid=d7ce59b06b3eb14fd218 [1]
      Signed-off-by: default avatarYing Hsu <yinghsu@chromium.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      1d80d57f
    • Luiz Augusto von Dentz's avatar
      Bluetooth: ISO: Fix possible circular locking dependency · 506d9b40
      Luiz Augusto von Dentz authored
      This attempts to fix the following trace:
      
      iso-tester/52 is trying to acquire lock:
      ffff8880024e0070 (&hdev->lock){+.+.}-{3:3}, at:
      iso_sock_listen+0x29e/0x440
      
      but task is already holding lock:
      ffff888001978130 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}, at:
      iso_sock_listen+0x8b/0x440
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:
             lock_acquire+0x176/0x3d0
             lock_sock_nested+0x32/0x80
             iso_connect_cfm+0x1a3/0x630
             hci_cc_le_setup_iso_path+0x195/0x340
             hci_cmd_complete_evt+0x1ae/0x500
             hci_event_packet+0x38e/0x7c0
             hci_rx_work+0x34c/0x980
             process_one_work+0x5a5/0x9a0
             worker_thread+0x89/0x6f0
             kthread+0x14e/0x180
             ret_from_fork+0x22/0x30
      
      -> #1 (hci_cb_list_lock){+.+.}-{3:3}:
             lock_acquire+0x176/0x3d0
             __mutex_lock+0x13b/0xf50
             hci_le_remote_feat_complete_evt+0x17e/0x320
             hci_event_packet+0x38e/0x7c0
             hci_rx_work+0x34c/0x980
             process_one_work+0x5a5/0x9a0
             worker_thread+0x89/0x6f0
             kthread+0x14e/0x180
             ret_from_fork+0x22/0x30
      
      -> #0 (&hdev->lock){+.+.}-{3:3}:
             check_prev_add+0xfc/0x1190
             __lock_acquire+0x1e27/0x2750
             lock_acquire+0x176/0x3d0
             __mutex_lock+0x13b/0xf50
             iso_sock_listen+0x29e/0x440
             __sys_listen+0xe6/0x160
             __x64_sys_listen+0x25/0x30
             do_syscall_64+0x42/0x90
             entry_SYSCALL_64_after_hwframe+0x62/0xcc
      
      other info that might help us debug this:
      
      Chain exists of:
        &hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);
                                     lock(hci_cb_list_lock);
                                     lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);
        lock(&hdev->lock);
      
       *** DEADLOCK ***
      
      1 lock held by iso-tester/52:
       #0: ffff888001978130 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}, at:
       iso_sock_listen+0x8b/0x440
      
      Fixes: f764a6c2 ("Bluetooth: ISO: Add broadcast support")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      506d9b40
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_event: Fix Invalid wait context · e9d50f76
      Luiz Augusto von Dentz authored
      This fixes the following trace caused by attempting to lock
      cmd_sync_work_lock while holding the rcu_read_lock:
      
      kworker/u3:2/212 is trying to lock:
      ffff888002600910 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at:
      hci_cmd_sync_queue+0xad/0x140
      other info that might help us debug this:
      context-{4:4}
      4 locks held by kworker/u3:2/212:
       #0: ffff8880028c6530 ((wq_completion)hci0#2){+.+.}-{0:0}, at:
       process_one_work+0x4dc/0x9a0
       #1: ffff888001aafde0 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0},
       at: process_one_work+0x4dc/0x9a0
       #2: ffff888002600070 (&hdev->lock){+.+.}-{3:3}, at:
       hci_cc_le_set_cig_params+0x64/0x4f0
       #3: ffffffffa5994b00 (rcu_read_lock){....}-{1:2}, at:
       hci_cc_le_set_cig_params+0x2f9/0x4f0
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      e9d50f76
    • Luiz Augusto von Dentz's avatar
      Bluetooth: ISO: Fix possible circular locking dependency · 6a5ad251
      Luiz Augusto von Dentz authored
      This attempts to fix the following trace:
      
      kworker/u3:1/184 is trying to acquire lock:
      ffff888001888130 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}, at:
      iso_connect_cfm+0x2de/0x690
      
      but task is already holding lock:
      ffff8880028d1c20 (&conn->lock){+.+.}-{2:2}, at:
      iso_connect_cfm+0x265/0x690
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&conn->lock){+.+.}-{2:2}:
             lock_acquire+0x176/0x3d0
             _raw_spin_lock+0x2a/0x40
             __iso_sock_close+0x1dd/0x4f0
             iso_sock_release+0xa0/0x1b0
             sock_close+0x5e/0x120
             __fput+0x102/0x410
             task_work_run+0xf1/0x160
             exit_to_user_mode_prepare+0x170/0x180
             syscall_exit_to_user_mode+0x19/0x50
             do_syscall_64+0x4e/0x90
             entry_SYSCALL_64_after_hwframe+0x62/0xcc
      
      -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:
             check_prev_add+0xfc/0x1190
             __lock_acquire+0x1e27/0x2750
             lock_acquire+0x176/0x3d0
             lock_sock_nested+0x32/0x80
             iso_connect_cfm+0x2de/0x690
             hci_cc_le_setup_iso_path+0x195/0x340
             hci_cmd_complete_evt+0x1ae/0x500
             hci_event_packet+0x38e/0x7c0
             hci_rx_work+0x34c/0x980
             process_one_work+0x5a5/0x9a0
             worker_thread+0x89/0x6f0
             kthread+0x14e/0x180
             ret_from_fork+0x22/0x30
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&conn->lock);
                                     lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);
                                     lock(&conn->lock);
        lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);
      
       *** DEADLOCK ***
      
      Fixes: ccf74f23 ("Bluetooth: Add BTPROTO_ISO socket type")
      Fixes: f764a6c2 ("Bluetooth: ISO: Add broadcast support")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      6a5ad251
    • Zhengchao Shao's avatar
      Bluetooth: hci_sync: fix memory leak in hci_update_adv_data() · 1ed8b37c
      Zhengchao Shao authored
      When hci_cmd_sync_queue() failed in hci_update_adv_data(), inst_ptr is
      not freed, which will cause memory leak, convert to use ERR_PTR/PTR_ERR
      to pass the instance to callback so no memory needs to be allocated.
      
      Fixes: 651cd3d6 ("Bluetooth: convert hci_update_adv_data to hci_sync")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      1ed8b37c
    • Krzysztof Kozlowski's avatar
      Bluetooth: hci_qca: Fix driver shutdown on closed serdev · 272970be
      Krzysztof Kozlowski authored
      The driver shutdown callback (which sends EDL_SOC_RESET to the device
      over serdev) should not be invoked when HCI device is not open (e.g. if
      hci_dev_open_sync() failed), because the serdev and its TTY are not open
      either.  Also skip this step if device is powered off
      (qca_power_shutdown()).
      
      The shutdown callback causes use-after-free during system reboot with
      Qualcomm Atheros Bluetooth:
      
        Unable to handle kernel paging request at virtual address
        0072662f67726fd7
        ...
        CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G        W
        6.1.0-rt5-00325-g8a5f56bcfcca #8
        Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
        Call trace:
         tty_driver_flush_buffer+0x4/0x30
         serdev_device_write_flush+0x24/0x34
         qca_serdev_shutdown+0x80/0x130 [hci_uart]
         device_shutdown+0x15c/0x260
         kernel_restart+0x48/0xac
      
      KASAN report:
      
        BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
        Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1
      
        CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted
        6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
        Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
        Call trace:
         dump_backtrace.part.0+0xdc/0xf0
         show_stack+0x18/0x30
         dump_stack_lvl+0x68/0x84
         print_report+0x188/0x488
         kasan_report+0xa4/0xf0
         __asan_load8+0x80/0xac
         tty_driver_flush_buffer+0x1c/0x50
         ttyport_write_flush+0x34/0x44
         serdev_device_write_flush+0x48/0x60
         qca_serdev_shutdown+0x124/0x274
         device_shutdown+0x1e8/0x350
         kernel_restart+0x48/0xb0
         __do_sys_reboot+0x244/0x2d0
         __arm64_sys_reboot+0x54/0x70
         invoke_syscall+0x60/0x190
         el0_svc_common.constprop.0+0x7c/0x160
         do_el0_svc+0x44/0xf0
         el0_svc+0x2c/0x6c
         el0t_64_sync_handler+0xbc/0x140
         el0t_64_sync+0x190/0x194
      
      Fixes: 7e7bbddd ("Bluetooth: hci_qca: Fix qca6390 enable failure after warm reboot")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      272970be
    • Zhengchao Shao's avatar
      Bluetooth: hci_conn: Fix memory leaks · 3aa21311
      Zhengchao Shao authored
      When hci_cmd_sync_queue() failed in hci_le_terminate_big() or
      hci_le_big_terminate(), the memory pointed by variable d is not freed,
      which will cause memory leak. Add release process to error path.
      
      Fixes: eca0ae4a ("Bluetooth: Add initial implementation of BIS connections")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      3aa21311
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_sync: Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2 · 3a4d29b6
      Luiz Augusto von Dentz authored
      Don't try to use HCI_OP_LE_READ_BUFFER_SIZE_V2 if controller don't
      support ISO channels, but in order to check if ISO channels are
      supported HCI_OP_LE_READ_LOCAL_FEATURES needs to be done earlier so the
      features bits can be checked on hci_le_read_buffer_size_sync.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216817
      Fixes: c1631dbc ("Bluetooth: hci_sync: Fix hci_read_buffer_size_sync")
      Cc: stable@vger.kernel.org # 6.1
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      3a4d29b6
    • Harshit Mogalapalli's avatar
      Bluetooth: Fix a buffer overflow in mgmt_mesh_add() · 2185e0fd
      Harshit Mogalapalli authored
      Smatch Warning:
      net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
      'mesh_tx->param' too small (48 vs 50)
      
      Analysis:
      
      'mesh_tx->param' is array of size 48. This is the destination.
      u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
      
      But in the caller 'mesh_send' we reject only when len > 50.
      len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
      
      Fixes: b338d917 ("Bluetooth: Implement support for Mesh")
      Signed-off-by: default avatarHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
      Signed-off-by: default avatarBrian Gix <brian.gix@intel.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      2185e0fd
    • Heiner Kallweit's avatar
      net: stmmac: fix invalid call to mdiobus_get_phy() · 1f3bd64a
      Heiner Kallweit authored
      In a number of cases the driver assigns a default value of -1 to
      priv->plat->phy_addr. This may result in calling mdiobus_get_phy()
      with addr parameter being -1. Therefore check for this scenario and
      bail out before calling mdiobus_get_phy().
      
      Fixes: 42e87024 ("net: stmmac: Fix case when PHY handle is not present")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/669f9671-ecd1-a41b-2727-7b73e3003985@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1f3bd64a
    • Heiner Kallweit's avatar
      net: mdio: validate parameter addr in mdiobus_get_phy() · 867dbe78
      Heiner Kallweit authored
      The caller may pass any value as addr, what may result in an out-of-bounds
      access to array mdio_map. One existing case is stmmac_init_phy() that
      may pass -1 as addr. Therefore validate addr before using it.
      
      Fixes: 7f854420 ("phy: Add API for {un}registering an mdio device to a bus.")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      867dbe78
    • Szymon Heidrich's avatar
      net: usb: sr9700: Handle negative len · ecf7cf8e
      Szymon Heidrich authored
      Packet len computed as difference of length word extracted from
      skb data and four may result in a negative value. In such case
      processing of the buffer should be interrupted rather than
      setting sr_skb->len to an unexpectedly large value (due to cast
      from signed to unsigned integer) and passing sr_skb to
      usbnet_skb_return.
      
      Fixes: e9da0b56 ("sr9700: sanity check for packet length")
      Signed-off-by: default avatarSzymon Heidrich <szymon.heidrich@gmail.com>
      Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ecf7cf8e
  3. 16 Jan, 2023 7 commits
    • Geetha sowjanya's avatar
      octeontx2-pf: Avoid use of GFP_KERNEL in atomic context · 87b93b67
      Geetha sowjanya authored
      Using GFP_KERNEL in preemption disable context, causing below warning
      when CONFIG_DEBUG_ATOMIC_SLEEP is enabled.
      
      [   32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
      [   32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
      [   32.558707] preempt_count: 1, expected: 0
      [   32.562710] RCU nest depth: 0, expected: 0
      [   32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G        W          6.2.0-rc2-00269-gae9dcb91 #7
      [   32.576188] Hardware name: Marvell CN106XX board (DT)
      [   32.581232] Call trace:
      [   32.583670]  dump_backtrace.part.0+0xe0/0xf0
      [   32.587937]  show_stack+0x18/0x30
      [   32.591245]  dump_stack_lvl+0x68/0x84
      [   32.594900]  dump_stack+0x18/0x34
      [   32.598206]  __might_resched+0x12c/0x160
      [   32.602122]  __might_sleep+0x48/0xa0
      [   32.605689]  __kmem_cache_alloc_node+0x2b8/0x2e0
      [   32.610301]  __kmalloc+0x58/0x190
      [   32.613610]  otx2_sq_aura_pool_init+0x1a8/0x314
      [   32.618134]  otx2_open+0x1d4/0x9d0
      
      To avoid use of GFP_ATOMIC for memory allocation, disable preemption
      after all memory allocation is done.
      
      Fixes: 4af1b64f ("octeontx2-pf: Fix lmtst ID used in aura free")
      Signed-off-by: default avatarGeetha sowjanya <gakula@marvell.com>
      Signed-off-by: default avatarSunil Kovvuri Goutham <sgoutham@marvell.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87b93b67
    • David S. Miller's avatar
      Merge branch 'l2tp-races' · 4101971a
      David S. Miller authored
      Cong Wang says:
      
      ====================
      l2tp: fix race conditions in l2tp_tunnel_register()
      
      This patchset contains two patches, the first one is a preparation for
      the second one which is the actual fix. Please find more details in
      each patch description.
      
      I have ran the l2tp test (https://github.com/katalix/l2tp-ktest),
      all test cases are passed.
      
      v3: preserve EEXIST errno for user-space
      v2: move IDR allocation to l2tp_tunnel_register()
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4101971a
    • Cong Wang's avatar
      l2tp: close all race conditions in l2tp_tunnel_register() · 0b2c5972
      Cong Wang authored
      The code in l2tp_tunnel_register() is racy in several ways:
      
      1. It modifies the tunnel socket _after_ publishing it.
      
      2. It calls setup_udp_tunnel_sock() on an existing socket without
         locking.
      
      3. It changes sock lock class on fly, which triggers many syzbot
         reports.
      
      This patch amends all of them by moving socket initialization code
      before publishing and under sock lock. As suggested by Jakub, the
      l2tp lockdep class is not necessary as we can just switch to
      bh_lock_sock_nested().
      
      Fixes: 37159ef2 ("l2tp: fix a lockdep splat")
      Fixes: 6b9f3423 ("l2tp: fix races in tunnel creation")
      Reported-by: syzbot+52866e24647f9a23403f@syzkaller.appspotmail.com
      Reported-by: syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com
      Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Guillaume Nault <gnault@redhat.com>
      Cc: Jakub Sitnicki <jakub@cloudflare.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Tom Parkin <tparkin@katalix.com>
      Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
      Reviewed-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b2c5972
    • Cong Wang's avatar
      l2tp: convert l2tp_tunnel_list to idr · c4d48a58
      Cong Wang authored
      l2tp uses l2tp_tunnel_list to track all registered tunnels and
      to allocate tunnel ID's. IDR can do the same job.
      
      More importantly, with IDR we can hold the ID before a successful
      registration so that we don't need to worry about late error
      handling, it is not easy to rollback socket changes.
      
      This is a preparation for the following fix.
      
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Guillaume Nault <gnault@redhat.com>
      Cc: Jakub Sitnicki <jakub@cloudflare.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Tom Parkin <tparkin@katalix.com>
      Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
      Reviewed-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4d48a58
    • Eric Dumazet's avatar
      net/sched: sch_taprio: fix possible use-after-free · 3a415d59
      Eric Dumazet authored
      syzbot reported a nasty crash [1] in net_tx_action() which
      made little sense until we got a repro.
      
      This repro installs a taprio qdisc, but providing an
      invalid TCA_RATE attribute.
      
      qdisc_create() has to destroy the just initialized
      taprio qdisc, and taprio_destroy() is called.
      
      However, the hrtimer used by taprio had already fired,
      therefore advance_sched() called __netif_schedule().
      
      Then net_tx_action was trying to use a destroyed qdisc.
      
      We can not undo the __netif_schedule(), so we must wait
      until one cpu serviced the qdisc before we can proceed.
      
      Many thanks to Alexander Potapenko for his help.
      
      [1]
      BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
      BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
      BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
      BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
       queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
       do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
       __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
       _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
       spin_trylock include/linux/spinlock.h:359 [inline]
       qdisc_run_begin include/net/sch_generic.h:187 [inline]
       qdisc_run+0xee/0x540 include/net/pkt_sched.h:125
       net_tx_action+0x77c/0x9a0 net/core/dev.c:5086
       __do_softirq+0x1cc/0x7fb kernel/softirq.c:571
       run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934
       smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164
       kthread+0x31b/0x430 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:732 [inline]
       slab_alloc_node mm/slub.c:3258 [inline]
       __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970
       kmalloc_reserve net/core/skbuff.c:358 [inline]
       __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430
       alloc_skb include/linux/skbuff.h:1257 [inline]
       nlmsg_new include/net/netlink.h:953 [inline]
       netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436
       netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507
       rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg net/socket.c:734 [inline]
       ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482
       ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536
       __sys_sendmsg net/socket.c:2565 [inline]
       __do_sys_sendmsg net/socket.c:2574 [inline]
       __se_sys_sendmsg net/socket.c:2572 [inline]
       __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
      
      Fixes: 5a781ccb ("tc: Add support for configuring the taprio scheduler")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a415d59
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 21705c77
      David S. Miller authored
      Pable Neira Ayuso says:
      
      ====================
      
      The following patchset contains Netfilter fixes for net:
      
      1) Increase timeout to 120 seconds for netfilter selftests to fix
         nftables transaction tests, from Florian Westphal.
      
      2) Fix overflow in bitmap_ip_create() due to integer arithmetics
         in a 64-bit bitmask, from Gavrilov Ilia.
      
      3) Fix incorrect arithmetics in nft_payload with double-tagged
         vlan matching.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21705c77
    • Kurt Kanzenbach's avatar
      net: stmmac: Fix queue statistics reading · c296c77e
      Kurt Kanzenbach authored
      Correct queue statistics reading. All queue statistics are stored as unsigned
      long values. The retrieval for ethtool fetches these values as u64. However, on
      some systems the size of the counters are 32 bit. That yields wrong queue
      statistic counters e.g., on arm32 systems such as the stm32mp157. Fix it by
      using the correct data type.
      
      Tested on Olimex STMP157-OLinuXino-LIME2 by simple running linuxptp for a short
      period of time:
      
      Non-patched kernel:
      |root@st1:~# ethtool -S eth0 | grep q0
      |     q0_tx_pkt_n: 3775276254951 # ???
      |     q0_tx_irq_n: 879
      |     q0_rx_pkt_n: 1194000908909 # ???
      |     q0_rx_irq_n: 278
      
      Patched kernel:
      |root@st1:~# ethtool -S eth0 | grep q0
      |     q0_tx_pkt_n: 2434
      |     q0_tx_irq_n: 1274
      |     q0_rx_pkt_n: 1604
      |     q0_rx_irq_n: 846
      
      Fixes: 68e9c5de ("net: stmmac: add ethtool per-queue statistic framework")
      Signed-off-by: Kurt Kanzenbach's avatarKurt Kanzenbach <kurt@linutronix.de>
      Cc: Vijayakannan Ayyathurai <vijayakannan.ayyathurai@intel.com>
      Cc: Wong Vee Khee <vee.khee.wong@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c296c77e
  4. 14 Jan, 2023 7 commits
    • Rahul Rameshbabu's avatar
      sch_htb: Avoid grafting on htb_destroy_class_offload when destroying htb · a22b7388
      Rahul Rameshbabu authored
      Peek at old qdisc and graft only when deleting a leaf class in the htb,
      rather than when deleting the htb itself. Do not peek at the qdisc of the
      netdev queue when destroying the htb. The caller may already have grafted a
      new qdisc that is not part of the htb structure being destroyed.
      
      This fix resolves two use cases.
      
        1. Using tc to destroy the htb.
          - Netdev was being prematurely activated before the htb was fully
            destroyed.
        2. Using tc to replace the htb with another qdisc (which also leads to
           the htb being destroyed).
          - Premature netdev activation like previous case. Newly grafted qdisc
            was also getting accidentally overwritten when destroying the htb.
      
      Fixes: d03b195b ("sch_htb: Hierarchical QoS hardware offload")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Reviewed-by: default avatarMaxim Mikityanskiy <maxtram95@gmail.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20230113005528.302625-1-rrameshbabu@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a22b7388
    • Jakub Kicinski's avatar
      Merge branch 'mptcp-userspace-pm-create-sockets-for-the-right-family' · da263fcb
      Jakub Kicinski authored
      Matthieu Baerts says:
      
      ====================
      mptcp: userspace pm: create sockets for the right family
      
      Before these patches, the Userspace Path Manager would allow the
      creation of subflows with wrong families: taking the one of the MPTCP
      socket instead of the provided ones and resulting in the creation of
      subflows with likely not the right source and/or destination IPs. It
      would also allow the creation of subflows between different families or
      not respecting v4/v6-only socket attributes.
      
      Patch 1 lets the userspace PM select the proper family to avoid creating
      subflows with the wrong source and/or destination addresses because the
      family is not the expected one.
      
      Patch 2 makes sure the userspace PM doesn't allow the userspace to
      create subflows for a family that is not allowed.
      
      Patch 3 validates scenarios with a mix of v4 and v6 subflows for the
      same MPTCP connection.
      
      These patches fix issues introduced in v5.19 when the userspace path
      manager has been introduced.
      ====================
      
      Link: https://lore.kernel.org/r/20230112-upstream-net-20230112-netlink-v4-v6-v1-0-6a8363a221d2@tessares.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      da263fcb
    • Matthieu Baerts's avatar
      selftests: mptcp: userspace: validate v4-v6 subflows mix · 4656d72c
      Matthieu Baerts authored
      MPTCP protocol supports having subflows in both IPv4 and IPv6. In Linux,
      it is possible to have that if the MPTCP socket has been created with
      AF_INET6 family without the IPV6_V6ONLY option.
      
      Here, a new IPv4 subflow is being added to the initial IPv6 connection,
      then being removed using Netlink commands.
      
      Cc: stable@vger.kernel.org # v5.19+
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4656d72c
    • Matthieu Baerts's avatar
      mptcp: netlink: respect v4/v6-only sockets · fb00ee4f
      Matthieu Baerts authored
      If an MPTCP socket has been created with AF_INET6 and the IPV6_V6ONLY
      option has been set, the userspace PM would allow creating subflows
      using IPv4 addresses, e.g. mapped in v6.
      
      The kernel side of userspace PM will also accept creating subflows with
      local and remote addresses having different families. Depending on the
      subflow socket's family, different behaviours are expected:
       - If AF_INET is forced with a v6 address, the kernel will take the last
         byte of the IP and try to connect to that: a new subflow is created
         but to a non expected address.
       - If AF_INET6 is forced with a v4 address, the kernel will try to
         connect to a v4 address (v4-mapped-v6). A -EBADF error from the
         connect() part is then expected.
      
      It is then required to check the given families can be accepted. This is
      done by using a new helper for addresses family matching, taking care of
      IPv4 vs IPv4-mapped-IPv6 addresses. This helper will be re-used later by
      the in-kernel path-manager to use mixed IPv4 and IPv6 addresses.
      
      While at it, a clear error message is now reported if there are some
      conflicts with the families that have been passed by the userspace.
      
      Fixes: 702c2f64 ("mptcp: netlink: allow userspace-driven subflow establishment")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fb00ee4f
    • Paolo Abeni's avatar
      mptcp: explicitly specify sock family at subflow creation time · 6bc1fe7d
      Paolo Abeni authored
      Let the caller specify the to-be-created subflow family.
      
      For a given MPTCP socket created with the AF_INET6 family, the current
      userspace PM can already ask the kernel to create subflows in v4 and v6.
      If "plain" IPv4 addresses are passed to the kernel, they are
      automatically mapped in v6 addresses "by accident". This can be
      problematic because the userspace will need to pass different addresses,
      now the v4-mapped-v6 addresses to destroy this new subflow.
      
      On the other hand, if the MPTCP socket has been created with the AF_INET
      family, the command to create a subflow in v6 will be accepted but the
      result will not be the one as expected as new subflow will be created in
      IPv4 using part of the v6 addresses passed to the kernel: not creating
      the expected subflow then.
      
      No functional change intended for the in-kernel PM where an explicit
      enforcement is currently in place. This arbitrary enforcement will be
      leveraged by other patches in a future version.
      
      Fixes: 702c2f64 ("mptcp: netlink: allow userspace-driven subflow establishment")
      Cc: stable@vger.kernel.org
      Co-developed-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6bc1fe7d
    • Clément Léger's avatar
      net: lan966x: add missing fwnode_handle_put() for ports node · 925f3deb
      Clément Léger authored
      Since the "ethernet-ports" node is retrieved using
      device_get_named_child_node(), it should be release after using it. Add
      missing fwnode_handle_put() and move the code that retrieved the node
      from device-tree to avoid complicated handling in case of error.
      
      Fixes: db8bcaad ("net: lan966x: add the basic lan966x driver")
      Signed-off-by: default avatarClément Léger <clement.leger@bootlin.com>
      Reviewed-by: default avatarAlexander Duyck <alexanderduyck@fb.com>
      Link: https://lore.kernel.org/r/20230112161311.495124-1-clement.leger@bootlin.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      925f3deb
    • Vladimir Oltean's avatar
      net: enetc: avoid deadlock in enetc_tx_onestep_tstamp() · 3c463721
      Vladimir Oltean authored
      This lockdep splat says it better than I could:
      
      ================================
      WARNING: inconsistent lock state
      6.2.0-rc2-07010-ga9b9500ffaac-dirty #967 Not tainted
      --------------------------------
      inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
      kworker/1:3/179 [HC0[0]:SC0[0]:HE1:SE1] takes:
      ffff3ec4036ce098 (_xmit_ETHER#2){+.?.}-{3:3}, at: netif_freeze_queues+0x5c/0xc0
      {IN-SOFTIRQ-W} state was registered at:
        _raw_spin_lock+0x5c/0xc0
        sch_direct_xmit+0x148/0x37c
        __dev_queue_xmit+0x528/0x111c
        ip6_finish_output2+0x5ec/0xb7c
        ip6_finish_output+0x240/0x3f0
        ip6_output+0x78/0x360
        ndisc_send_skb+0x33c/0x85c
        ndisc_send_rs+0x54/0x12c
        addrconf_rs_timer+0x154/0x260
        call_timer_fn+0xb8/0x3a0
        __run_timers.part.0+0x214/0x26c
        run_timer_softirq+0x3c/0x74
        __do_softirq+0x14c/0x5d8
        ____do_softirq+0x10/0x20
        call_on_irq_stack+0x2c/0x5c
        do_softirq_own_stack+0x1c/0x30
        __irq_exit_rcu+0x168/0x1a0
        irq_exit_rcu+0x10/0x40
        el1_interrupt+0x38/0x64
      irq event stamp: 7825
      hardirqs last  enabled at (7825): [<ffffdf1f7200cae4>] exit_to_kernel_mode+0x34/0x130
      hardirqs last disabled at (7823): [<ffffdf1f708105f0>] __do_softirq+0x550/0x5d8
      softirqs last  enabled at (7824): [<ffffdf1f7081050c>] __do_softirq+0x46c/0x5d8
      softirqs last disabled at (7811): [<ffffdf1f708166e0>] ____do_softirq+0x10/0x20
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(_xmit_ETHER#2);
        <Interrupt>
          lock(_xmit_ETHER#2);
      
       *** DEADLOCK ***
      
      3 locks held by kworker/1:3/179:
       #0: ffff3ec400004748 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0
       #1: ffff80000a0bbdc8 ((work_completion)(&priv->tx_onestep_tstamp)){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0
       #2: ffff3ec4036cd438 (&dev->tx_global_lock){+.+.}-{3:3}, at: netif_tx_lock+0x1c/0x34
      
      Workqueue: events enetc_tx_onestep_tstamp
      Call trace:
       print_usage_bug.part.0+0x208/0x22c
       mark_lock+0x7f0/0x8b0
       __lock_acquire+0x7c4/0x1ce0
       lock_acquire.part.0+0xe0/0x220
       lock_acquire+0x68/0x84
       _raw_spin_lock+0x5c/0xc0
       netif_freeze_queues+0x5c/0xc0
       netif_tx_lock+0x24/0x34
       enetc_tx_onestep_tstamp+0x20/0x100
       process_one_work+0x28c/0x6c0
       worker_thread+0x74/0x450
       kthread+0x118/0x11c
      
      but I'll say it anyway: the enetc_tx_onestep_tstamp() work item runs in
      process context, therefore with softirqs enabled (i.o.w., it can be
      interrupted by a softirq). If we hold the netif_tx_lock() when there is
      an interrupt, and the NET_TX softirq then gets scheduled, this will take
      the netif_tx_lock() a second time and deadlock the kernel.
      
      To solve this, use netif_tx_lock_bh(), which blocks softirqs from
      running.
      
      Fixes: 7294380c ("enetc: support PTP Sync packet one-step timestamping")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarAlexander Duyck <alexanderduyck@fb.com>
      Link: https://lore.kernel.org/r/20230112105440.1786799-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3c463721