1. 02 Mar, 2023 1 commit
  2. 01 Mar, 2023 5 commits
    • Horatiu Vultur's avatar
      net: lan966x: Fix port police support using tc-matchall · 81563d85
      Horatiu Vultur authored
      When the police was removed from the port, then it was trying to
      remove the police from the police id and not from the actual
      police index.
      The police id represents the id of the police and police index
      represents the position in HW where the police is situated.
      The port police id can be any number while the port police index
      is a number based on the port chip port.
      Fix this by deleting the police from HW that is situated at the
      police index and not police id.
      
      Fixes: 5390334b ("net: lan966x: Add port police support using tc-matchall")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81563d85
    • Eric Dumazet's avatar
      net/sched: flower: fix fl_change() error recovery path · dfd2f0eb
      Eric Dumazet authored
      The two "goto errout;" paths in fl_change() became wrong
      after cited commit.
      
      Indeed we only must not call __fl_put() until the net pointer
      has been set in tcf_exts_init_ex()
      
      This is a minimal fix. We might in the future validate TCA_FLOWER_FLAGS
      before we allocate @fnew.
      
      BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:72 [inline]
      BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
      BUG: KASAN: null-ptr-deref in refcount_read include/linux/refcount.h:147 [inline]
      BUG: KASAN: null-ptr-deref in __refcount_add_not_zero include/linux/refcount.h:152 [inline]
      BUG: KASAN: null-ptr-deref in __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
      BUG: KASAN: null-ptr-deref in refcount_inc_not_zero include/linux/refcount.h:245 [inline]
      BUG: KASAN: null-ptr-deref in maybe_get_net include/net/net_namespace.h:269 [inline]
      BUG: KASAN: null-ptr-deref in tcf_exts_get_net include/net/pkt_cls.h:260 [inline]
      BUG: KASAN: null-ptr-deref in __fl_put net/sched/cls_flower.c:513 [inline]
      BUG: KASAN: null-ptr-deref in __fl_put+0x13e/0x3b0 net/sched/cls_flower.c:508
      Read of size 4 at addr 000000000000014c by task syz-executor548/5082
      
      CPU: 0 PID: 5082 Comm: syz-executor548 Not tainted 6.2.0-syzkaller-05251-g5b7c4cab #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
      print_report mm/kasan/report.c:420 [inline]
      kasan_report+0xec/0x130 mm/kasan/report.c:517
      check_region_inline mm/kasan/generic.c:183 [inline]
      kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
      instrument_atomic_read include/linux/instrumented.h:72 [inline]
      atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
      refcount_read include/linux/refcount.h:147 [inline]
      __refcount_add_not_zero include/linux/refcount.h:152 [inline]
      __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
      refcount_inc_not_zero include/linux/refcount.h:245 [inline]
      maybe_get_net include/net/net_namespace.h:269 [inline]
      tcf_exts_get_net include/net/pkt_cls.h:260 [inline]
      __fl_put net/sched/cls_flower.c:513 [inline]
      __fl_put+0x13e/0x3b0 net/sched/cls_flower.c:508
      fl_change+0x101b/0x4ab0 net/sched/cls_flower.c:2341
      tc_new_tfilter+0x97c/0x2290 net/sched/cls_api.c:2310
      rtnetlink_rcv_msg+0x996/0xd50 net/core/rtnetlink.c:6165
      netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1942
      sock_sendmsg_nosec net/socket.c:722 [inline]
      sock_sendmsg+0xde/0x190 net/socket.c:745
      ____sys_sendmsg+0x334/0x900 net/socket.c:2504
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2558
      __sys_sendmmsg+0x18f/0x460 net/socket.c:2644
      __do_sys_sendmmsg net/socket.c:2673 [inline]
      __se_sys_sendmmsg net/socket.c:2670 [inline]
      __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2670
      
      Fixes: 08a0063d ("net/sched: flower: Move filter handle initialization earlier")
      Reported-by: syzbot+baabf3efa7c1e57d28b2@syzkaller.appspotmail.com
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paul Blakey <paulb@nvidia.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dfd2f0eb
    • Eric Dumazet's avatar
      ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() · 693aa2c0
      Eric Dumazet authored
      ila_xlat_nl_cmd_get_mapping() generates an empty skb,
      triggerring a recent sanity check [1].
      
      Instead, return an error code, so that user space
      can get it.
      
      [1]
      skb_assert_len
      WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 skb_assert_len include/linux/skbuff.h:2527 [inline]
      WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
      Modules linked in:
      CPU: 0 PID: 5923 Comm: syz-executor269 Not tainted 6.2.0-syzkaller-18300-g2ebd1fbb946d #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
      pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : skb_assert_len include/linux/skbuff.h:2527 [inline]
      pc : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
      lr : skb_assert_len include/linux/skbuff.h:2527 [inline]
      lr : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
      sp : ffff80001e0d6c40
      x29: ffff80001e0d6e60 x28: dfff800000000000 x27: ffff0000c86328c0
      x26: dfff800000000000 x25: ffff0000c8632990 x24: ffff0000c8632a00
      x23: 0000000000000000 x22: 1fffe000190c6542 x21: ffff0000c8632a10
      x20: ffff0000c8632a00 x19: ffff80001856e000 x18: ffff80001e0d5fc0
      x17: 0000000000000000 x16: ffff80001235d16c x15: 0000000000000000
      x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
      x11: ff80800008353a30 x10: 0000000000000000 x9 : 21567eaf25bfb600
      x8 : 21567eaf25bfb600 x7 : 0000000000000001 x6 : 0000000000000001
      x5 : ffff80001e0d6558 x4 : ffff800015c74760 x3 : ffff800008596744
      x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000000e
      Call trace:
      skb_assert_len include/linux/skbuff.h:2527 [inline]
      __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
      dev_queue_xmit include/linux/netdevice.h:3033 [inline]
      __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline]
      __netlink_deliver_tap+0x45c/0x6f8 net/netlink/af_netlink.c:325
      netlink_deliver_tap+0xf4/0x174 net/netlink/af_netlink.c:338
      __netlink_sendskb net/netlink/af_netlink.c:1283 [inline]
      netlink_sendskb+0x6c/0x154 net/netlink/af_netlink.c:1292
      netlink_unicast+0x334/0x8d4 net/netlink/af_netlink.c:1380
      nlmsg_unicast include/net/netlink.h:1099 [inline]
      genlmsg_unicast include/net/genetlink.h:433 [inline]
      genlmsg_reply include/net/genetlink.h:443 [inline]
      ila_xlat_nl_cmd_get_mapping+0x620/0x7d0 net/ipv6/ila/ila_xlat.c:493
      genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]
      genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
      genl_rcv_msg+0x938/0xc1c net/netlink/genetlink.c:1065
      netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
      genl_rcv+0x38/0x50 net/netlink/genetlink.c:1076
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x800/0xae0 net/netlink/af_netlink.c:1942
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg net/socket.c:734 [inline]
      ____sys_sendmsg+0x558/0x844 net/socket.c:2479
      ___sys_sendmsg net/socket.c:2533 [inline]
      __sys_sendmsg+0x26c/0x33c net/socket.c:2562
      __do_sys_sendmsg net/socket.c:2571 [inline]
      __se_sys_sendmsg net/socket.c:2569 [inline]
      __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2569
      __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
      invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
      el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
      do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
      el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
      el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      irq event stamp: 136484
      hardirqs last enabled at (136483): [<ffff800008350244>] __up_console_sem+0x60/0xb4 kernel/printk/printk.c:345
      hardirqs last disabled at (136484): [<ffff800012358d60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
      softirqs last enabled at (136418): [<ffff800008020ea8>] softirq_handle_end kernel/softirq.c:414 [inline]
      softirqs last enabled at (136418): [<ffff800008020ea8>] __do_softirq+0xd4c/0xfa4 kernel/softirq.c:600
      softirqs last disabled at (136371): [<ffff80000802b4a4>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
      ---[ end trace 0000000000000000 ]---
      skb len=0 headroom=0 headlen=0 tailroom=192
      mac=(0,0) net=(0,-1) trans=-1
      shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
      csum(0x0 ip_summed=0 complete_sw=0 valid=0 level=0)
      hash(0x0 sw=0 l4=0) proto=0x0010 pkttype=6 iif=0
      dev name=nlmon0 feat=0x0000000000005861
      
      Fixes: 7f00feaf ("ila: Add generic ILA translation facility")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      693aa2c0
    • Pedro Tammela's avatar
      net/sched: act_connmark: handle errno on tcf_idr_check_alloc · fb073904
      Pedro Tammela authored
      Smatch reports that 'ci' can be used uninitialized.
      The current code ignores errno coming from tcf_idr_check_alloc, which
      will lead to the incorrect usage of 'ci'. Handle the errno as it should.
      
      Fixes: 288864ef ("net/sched: act_connmark: transition to percpu stats and rcu")
      Reviewed-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fb073904
    • Eric Dumazet's avatar
      net: avoid skb end_offset change in __skb_unclone_keeptruesize() · 880ce5f2
      Eric Dumazet authored
      Once initial skb->head has been allocated from skb_small_head_cache,
      we need to make sure to use the same strategy whenever skb->head
      has to be re-allocated, as found by syzbot [1]
      
      This means kmalloc_reserve() can not fallback from using
      skb_small_head_cache to generic (power-of-two) kmem caches.
      
      It seems that we probably want to rework things in the future,
      to partially revert following patch, because we no longer use
      ksize() for skb allocated in TX path.
      
      2b88cba5 ("net: preserve skb_end_offset() in skb_unclone_keeptruesize()")
      
      Ideally, TCP stack should never put payload in skb->head,
      this effort has to be completed.
      
      In the mean time, add a sanity check.
      
      [1]
      BUG: KASAN: invalid-free in slab_free mm/slub.c:3787 [inline]
      BUG: KASAN: invalid-free in kmem_cache_free+0xee/0x5c0 mm/slub.c:3809
      Free of addr ffff88806cdee800 by task syz-executor239/5189
      
      CPU: 0 PID: 5189 Comm: syz-executor239 Not tainted 6.2.0-rc8-syzkaller-02400-gd1fabc68 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:306 [inline]
      print_report+0x15e/0x45d mm/kasan/report.c:417
      kasan_report_invalid_free+0x9b/0x1b0 mm/kasan/report.c:482
      ____kasan_slab_free+0x1a5/0x1c0 mm/kasan/common.c:216
      kasan_slab_free include/linux/kasan.h:177 [inline]
      slab_free_hook mm/slub.c:1781 [inline]
      slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
      slab_free mm/slub.c:3787 [inline]
      kmem_cache_free+0xee/0x5c0 mm/slub.c:3809
      skb_kfree_head net/core/skbuff.c:857 [inline]
      skb_kfree_head net/core/skbuff.c:853 [inline]
      skb_free_head+0x16f/0x1a0 net/core/skbuff.c:872
      skb_release_data+0x57a/0x820 net/core/skbuff.c:901
      skb_release_all net/core/skbuff.c:966 [inline]
      __kfree_skb+0x4f/0x70 net/core/skbuff.c:980
      tcp_wmem_free_skb include/net/tcp.h:302 [inline]
      tcp_rtx_queue_purge net/ipv4/tcp.c:3061 [inline]
      tcp_write_queue_purge+0x617/0xcf0 net/ipv4/tcp.c:3074
      tcp_v4_destroy_sock+0x125/0x810 net/ipv4/tcp_ipv4.c:2302
      inet_csk_destroy_sock+0x19a/0x440 net/ipv4/inet_connection_sock.c:1195
      __tcp_close+0xb96/0xf50 net/ipv4/tcp.c:3021
      tcp_close+0x2d/0xc0 net/ipv4/tcp.c:3033
      inet_release+0x132/0x270 net/ipv4/af_inet.c:426
      __sock_release+0xcd/0x280 net/socket.c:651
      sock_close+0x1c/0x20 net/socket.c:1393
      __fput+0x27c/0xa90 fs/file_table.c:320
      task_work_run+0x16f/0x270 kernel/task_work.c:179
      resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
      exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
      exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
      __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
      syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
      do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f2511f546c3
      Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
      RSP: 002b:00007ffef0103d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
      RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f2511f546c3
      RDX: 0000000000000978 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000003434
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffef0103d6c
      R13: 00007ffef0103d80 R14: 00007ffef0103dc0 R15: 0000000000000003
      </TASK>
      
      Allocated by task 5189:
      kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      ____kasan_kmalloc mm/kasan/common.c:374 [inline]
      ____kasan_kmalloc mm/kasan/common.c:333 [inline]
      __kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:383
      kasan_kmalloc include/linux/kasan.h:211 [inline]
      __do_kmalloc_node mm/slab_common.c:968 [inline]
      __kmalloc_node_track_caller+0x5b/0xc0 mm/slab_common.c:988
      kmalloc_reserve+0xf1/0x230 net/core/skbuff.c:539
      pskb_expand_head+0x237/0x1160 net/core/skbuff.c:1995
      __skb_unclone_keeptruesize+0x93/0x220 net/core/skbuff.c:2094
      skb_unclone_keeptruesize include/linux/skbuff.h:1910 [inline]
      skb_prepare_for_shift net/core/skbuff.c:3804 [inline]
      skb_shift+0xef8/0x1e20 net/core/skbuff.c:3877
      tcp_skb_shift net/ipv4/tcp_input.c:1538 [inline]
      tcp_shift_skb_data net/ipv4/tcp_input.c:1646 [inline]
      tcp_sacktag_walk+0x93b/0x18a0 net/ipv4/tcp_input.c:1713
      tcp_sacktag_write_queue+0x1599/0x31d0 net/ipv4/tcp_input.c:1974
      tcp_ack+0x2e9f/0x5a10 net/ipv4/tcp_input.c:3847
      tcp_rcv_established+0x667/0x2230 net/ipv4/tcp_input.c:6006
      tcp_v4_do_rcv+0x670/0x9b0 net/ipv4/tcp_ipv4.c:1721
      sk_backlog_rcv include/net/sock.h:1113 [inline]
      __release_sock+0x133/0x3b0 net/core/sock.c:2921
      release_sock+0x58/0x1b0 net/core/sock.c:3488
      tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1485
      inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825
      sock_sendmsg_nosec net/socket.c:722 [inline]
      sock_sendmsg+0xde/0x190 net/socket.c:745
      sock_write_iter+0x295/0x3d0 net/socket.c:1136
      call_write_iter include/linux/fs.h:2189 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9ed/0xdd0 fs/read_write.c:584
      ksys_write+0x1ec/0x250 fs/read_write.c:637
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      The buggy address belongs to the object at ffff88806cdee800
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 0 bytes inside of
      1024-byte region [ffff88806cdee800, ffff88806cdeec00)
      
      The buggy address belongs to the physical page:
      page:ffffea0001b37a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6cde8
      head:ffffea0001b37a00 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
      flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000010200 ffff888012441dc0 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1f2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_MEMALLOC|__GFP_HARDWALL), pid 75, tgid 75 (kworker/u4:4), ts 96369578780, free_ts 26734162530
      prep_new_page mm/page_alloc.c:2531 [inline]
      get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283
      __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549
      alloc_pages+0x1aa/0x270 mm/mempolicy.c:2287
      alloc_slab_page mm/slub.c:1851 [inline]
      allocate_slab+0x25f/0x350 mm/slub.c:1998
      new_slab mm/slub.c:2051 [inline]
      ___slab_alloc+0xa91/0x1400 mm/slub.c:3193
      __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
      __slab_alloc_node mm/slub.c:3345 [inline]
      slab_alloc_node mm/slub.c:3442 [inline]
      __kmem_cache_alloc_node+0x1a4/0x430 mm/slub.c:3491
      __do_kmalloc_node mm/slab_common.c:967 [inline]
      __kmalloc_node_track_caller+0x4b/0xc0 mm/slab_common.c:988
      kmalloc_reserve+0xf1/0x230 net/core/skbuff.c:539
      __alloc_skb+0x129/0x330 net/core/skbuff.c:608
      __netdev_alloc_skb+0x74/0x410 net/core/skbuff.c:672
      __netdev_alloc_skb_ip_align include/linux/skbuff.h:3203 [inline]
      netdev_alloc_skb_ip_align include/linux/skbuff.h:3213 [inline]
      batadv_iv_ogm_aggregate_new+0x106/0x4e0 net/batman-adv/bat_iv_ogm.c:558
      batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
      batadv_iv_ogm_schedule_buff+0xe6b/0x1450 net/batman-adv/bat_iv_ogm.c:849
      batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
      batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
      batadv_iv_send_outstanding_bat_ogm_packet+0x744/0x910 net/batman-adv/bat_iv_ogm.c:1712
      process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
      worker_thread+0x669/0x1090 kernel/workqueue.c:2436
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1446 [inline]
      free_pcp_prepare+0x66a/0xc20 mm/page_alloc.c:1496
      free_unref_page_prepare mm/page_alloc.c:3369 [inline]
      free_unref_page+0x1d/0x490 mm/page_alloc.c:3464
      free_contig_range+0xb5/0x180 mm/page_alloc.c:9488
      destroy_args+0xa8/0x64c mm/debug_vm_pgtable.c:998
      debug_vm_pgtable+0x28de/0x296f mm/debug_vm_pgtable.c:1318
      do_one_initcall+0x141/0x790 init/main.c:1306
      do_initcall_level init/main.c:1379 [inline]
      do_initcalls init/main.c:1395 [inline]
      do_basic_setup init/main.c:1414 [inline]
      kernel_init_freeable+0x6f9/0x782 init/main.c:1634
      kernel_init+0x1e/0x1d0 init/main.c:1522
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
      
      Memory state around the buggy address:
      ffff88806cdee700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ffff88806cdee780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88806cdee800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ^
      ffff88806cdee880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Fixes: bf9f1baa ("net: add dedicated kmem_cache for typical/small skb->head")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Tested-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      880ce5f2
  3. 28 Feb, 2023 7 commits
  4. 27 Feb, 2023 19 commits
  5. 26 Feb, 2023 8 commits
    • Linus Torvalds's avatar
      Merge tag 'rproc-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux · f3a2439f
      Linus Torvalds authored
      Pull remoteproc updates from Bjorn Andersson:
      
       - Support for PRU clients to acquire a control reference to the PRU
         instances is introduced, and the PRU now allows specifying
         firmware-name in Devicetree. sysfs is requested to be read-only when
         the remoteproc instance is consumed by another kernel driver
      
       - Support for the C7xv DSP on AM62A SoC is introduced
      
       - The Devicetree binding for the Qualcomm PAS devices are split up in
         multiple files, to better account for the differences in resources
         between them. A number of missing Devicetree bindings are added, and
         the Qualcomm WCNSS binding is converted to YAML
      
       - A few cleanups are introduced for the Mediatek SCP driver. And a
         sanity check of the firmware image is introduced in the Mediatek
         driver
      
       - For Qualcomm SC7280 ADSP support is added, MSM8953 gains ADSP and
         modem support, SM6115 and SM8550 gains ADSP, CDSP and modem support,
         and support for pronto v3 support (used on e.g. MSM8953) is added
      
       - The Qualcomm modem remoteproc driver is modified to use a no-map
         reserved-memory region for it's authentication metadata, in order to
         avoid fatal security violations caused by accesses from Linux during
         the authentication process
      
       - Support for separate loading of a Devicetree blob is added to the PAS
         driver, and support for the PAS driver to carve out DSM memory for
         the modem is added as well
      
       - The Qualcomm ADSP remoteproc driver gains support for mapping memory
         into specific range using the IOMMU. The sysmon driver is
         transitioned to strlcpy()
      
      * tag 'rproc-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux: (69 commits)
        dt-bindings: mailbox: qcom,apcs-kpss-global: drop mbox-names from example
        dt-bindings: remoteproc: qcom,glink-edge: correct label description
        dt-bindings: remoteproc: qcom,glink-rpm-edge: convert to DT schema
        dt-bindings: remoteproc: qcom,sm8550-pas: correct power domains
        remoteproc: qcom_q6v5_pas: enable sm8550 adsp & cdsp autoboot
        dt-bindings: remoteproc: qcom: Add sm6115 pas yaml file
        remoteproc: qcom: pas: Add sm6115 remoteprocs
        remoteproc: qcom: pas: Adjust the phys addr wrt the mem region
        remoteproc: qcom: fix sparse warnings
        remoteproc: qcom: replace kstrdup with kstrndup
        remoteproc: mediatek: Check the SCP image format
        remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem headers
        Revert "remoteproc: qcom_q6v5_mss: map/unmap metadata region before/after use"
        dt-bindings: remoteproc: qcom,sc7280-mss-pil: Update memory-region
        dt-bindings: remoteproc: qcom,sc7180-mss-pil: Update memory-region
        dt-bindings: remoteproc: qcom,msm8996-mss-pil: Update memory region
        dt-bindings: remoteproc: qcom,q6v5: Move MSM8996 to schema
        remoteproc: qcom_q6v5_pas: add sm8550 adsp, cdsp & mpss compatible & data
        remoteproc: qcom_q6v5_pas: add support for assigning memory to firmware
        remoteproc: qcom_q6v5_pas: add support for dtb co-firmware loading
        ...
      f3a2439f
    • Linus Torvalds's avatar
      Merge tag 'rpmsg-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux · cc38a46d
      Linus Torvalds authored
      Pull rpmsg updates from Bjorn Andersson:
      
       - rpmsg ctrl and char driver locking is ensure ordering in cases where
         the communication link is being torn down in parallel with calls to
         open(2) or poll(2)
      
       - The glink driver is refactored, to move rpm/smem-specifics out of the
         common logic and better suite further improvements, such as
         transports without a mailbox controller. The handling of remoteproc
         shutdown is improved, to fail clients immediately instead of having
         them to wait for timeouts. A driver_override memory leak is corrected
         and a few spelling improvements are introduced
      
       - glink_ssr is transitioned off strlcpy() and "gpr" is added as a valid
         child node of the glink-edge DT binding
      
      * tag 'rpmsg-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux:
        rpmsg: glink: Release driver_override
        rpmsg: glink: Avoid infinite loop on intent for missing channel
        rpmsg: glink: Fix GLINK command prefix
        rpmsg: glink: Fix spelling of peek
        rpmsg: glink: Cancel pending intent requests at removal
        rpmsg: glink: Fail qcom_glink_tx() once remove has been initiated
        rpmsg: glink: Move irq and mbox handling to transports
        rpmsg: glink: rpm: Wrap driver context
        rpmsg: glink: smem: Wrap driver context
        rpmsg: glink: Extract tx kick operation
        rpmsg: glink: Include types in qcom_glink_native.h
        rpmsg: ctrl: Add lock to rpmsg_ctrldev_remove
        rpmsg: char: Add lock to avoid race when rpmsg device is released
        rpmsg: move from strlcpy with unused retval to strscpy
        dt-bindings: remoteproc: qcom,glink-edge: add GPR node
      cc38a46d
    • Linus Torvalds's avatar
      Merge tag 'hwlock-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux · 9b0b0dd8
      Linus Torvalds authored
      Pull hwspinlock updates from Bjorn Andersson:
       "This updates the sun6i DT binding to allow (and require) #hwlock-cells
        and makes use of device_match_of_node() to slight clean up the
        condition in of_hwspin_lock_get_id()"
      
      * tag 'hwlock-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux:
        dt-bindings: hwlock: sun6i: Add #hwlock-cells to example
        dt-bindings: hwlock: sun6i: Add missing #hwlock-cells
        hwspinlock: Use device_match_of_node()
      9b0b0dd8
    • Linus Torvalds's avatar
      Merge tag 'kbuild-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild · 498a1cf9
      Linus Torvalds authored
      Pull Kbuild updates from Masahiro Yamada:
      
       - Change V=1 option to print both short log and full command log
      
       - Allow V=1 and V=2 to be combined as V=12
      
       - Make W=1 detect wrong .gitignore files
      
       - Tree-wide cleanups for unused command line arguments passed to Clang
      
       - Stop using -Qunused-arguments with Clang
      
       - Make scripts/setlocalversion handle only correct release tags instead
         of any arbitrary annotated tag
      
       - Create Debian and RPM source packages without cleaning the source
         tree
      
       - Various cleanups for packaging
      
      * tag 'kbuild-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (74 commits)
        kbuild: rpm-pkg: remove unneeded KERNELRELEASE from modules/headers_install
        docs: kbuild: remove description of KBUILD_LDS_MODULE
        .gitattributes: use 'dts' diff driver for *.dtso files
        kbuild: deb-pkg: improve the usability of source package
        kbuild: deb-pkg: fix binary-arch and clean in debian/rules
        kbuild: tar-pkg: use tar rules in scripts/Makefile.package
        kbuild: make perf-tar*-src-pkg work without relying on git
        kbuild: deb-pkg: switch over to source format 3.0 (quilt)
        kbuild: deb-pkg: make .orig tarball a hard link if possible
        kbuild: deb-pkg: hide KDEB_SOURCENAME from Makefile
        kbuild: srcrpm-pkg: create source package without cleaning
        kbuild: rpm-pkg: build binary packages from source rpm
        kbuild: deb-pkg: create source package without cleaning
        kbuild: add a tool to list files ignored by git
        Documentation/llvm: add Chimera Linux, Google and Meta datacenters
        setlocalversion: use only the correct release tag for git-describe
        setlocalversion: clean up the construction of version output
        .gitignore: ignore *.cover and *.mbx
        kbuild: remove --include-dir MAKEFLAG from top Makefile
        kbuild: fix trivial typo in comment
        ...
      498a1cf9
    • Linus Torvalds's avatar
      Merge tag 'media/v6.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 4b8c673b
      Linus Torvalds authored
      Pull media updates from Mauro Carvalho Chehab:
      
       - Removal of several VB1-only deprecated drivers: cpia2, fsl-viu, meye,
         stkwebcam, tm6000, vpfe_capture and zr364xx
      
       - saa7146 recovered from staging/deprecated. We opted to give ti a
         chance, and, instead of deprecating it, the intention is to write
         patches migrating it from VB1 to VB2.
      
       - av7110 returned from staging/deprecated/ to staging/ as we're not
         planning on dropping it any time soon
      
       - media controller API has gained experimental support for G_ROUTING
         and streams API. No drivers use it right now. We're planning to add
         one after -rc1, giving some time to experience the API and eventually
         have changes during the next development cycle
      
       - New sensor drivers: imx296, imx415, ov8858
      
       - Atomisp had lots of changes, specially on its sensor's interface,
         making atomisp sensor drivers closer to normal sensor drivers
      
       - media controller kAPI has gained some helpers to traverse pipelines
      
       - uvcvideo now better support power line control
      
       - lots of bug fixes, cleanups and driver improvements
      
      * tag 'media/v6.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (296 commits)
        media: imx-mipi-csis: Check csis_fmt validity before use
        media: v4l2-subdev.c: clear stream field
        media: v4l2-ctrls-api.c: move ctrl->is_new = 1 to the correct line
        media: Revert "media: saa7146: deprecate hexium_gemini/orion, mxb and ttpci"
        media: Revert "media: av7110: move to staging/media/deprecated/saa7146"
        media: imx-pxp: convert to regmap
        media: imx-pxp: Use non-threaded IRQ
        media: imx-pxp: Introduce pxp_read() and pxp_write() wrappers
        media: imx-pxp: Implement frame size enumeration
        media: imx-pxp: Pass pixel format value to find_format()
        media: imx-pxp: Add media controller support
        media: imx-pxp: Don't set bus_info manually in .querycap()
        media: imx-pxp: Sort headers alphabetically
        media: imx-pxp: add support for i.MX7D
        media: imx-pxp: make data_path_ctrl0 platform dependent
        media: imx-pxp: disable LUT block
        media: imx-pxp: explicitly disable unused blocks
        media: imx-pxp: extract helper function to setup data path
        media: imx-pxp: detect PXP version
        media: dt-bindings: media: fsl-pxp: convert to yaml
        ...
      4b8c673b
    • Linus Torvalds's avatar
      Documentation: simplify and clarify DCO contribution example language · d4563201
      Linus Torvalds authored
      Long long ago, in a more innocent time, Greg wrote the clarification for
      how the DCO should work and that you couldn't make anonymous
      contributions, because the sign-off needed to be something we could
      check back with.
      
      It was 2006, and nobody reacted to the wording, the whole Facebook 'real
      name' controversy was a decade in the future, and nobody even thought
      about it.  And despite the language, we've always accepted nicknames and
      that language was never meant to be any kind of exclusionary wording.
      
      In fact, even when it became a discussion in other adjacent projects,
      apparently nobody even thought to just clarify the language in the
      kernel docs, and instead we had projects like the CNCF that had long
      discussions about it, and wrote their own clarifications [1] of it.
      
      Just simplify the wording to the point where it shouldn't be causing
      unnecessary angst and pain, or scare away people who go by preferred
      naming.
      
      Link: https://github.com/cncf/foundation/blob/659fd32c86dc/dco-guidelines.md [1]
      Fixes: af45f32d ("We can not allow anonymous contributions to the kernel")
      Acked-by: default avatarGreg KH <gregkh@linuxfoundation.org>
      Acked-by: default avatarMichael Dolan <mdolan@linuxfoundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d4563201
    • Russell King (Oracle)'s avatar
      net: dsa: ocelot_ext: remove unnecessary phylink.h include · 724337be
      Russell King (Oracle) authored
      During review of ocelot_ext, it created a private phylink instance
      that wasn't necessary. This was removed for subsequent postings,
      but the include file seems to have been left behind. Remove it.
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      724337be
    • David S. Miller's avatar
      Merge branch 'net-ocelot-switch-regressions' · 5f79f12c
      David S. Miller authored
      Vladimir Oltean says:
      
      ====================
      Regressions in Ocelot switch drivers
      
      These are 3 patches which resolve a regression in the Seville driver,
      one in the Felix driver and a generic one which affects any kernel
      compiled with 2 Kconfig options enabled. All of them have in common my
      lack of attention during review/testing. The patches touch the DSA, MFD
      and MDIO drivers for Ocelot. I think it would be preferable if all
      patches went through netdev (with Lee's Ack).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f79f12c