1. 07 Feb, 2024 6 commits
    • Allison Henderson's avatar
      MAINTAINERS: Maintainer change for rds · 5001bfe9
      Allison Henderson authored
      At this point, Santosh has moved onto other things and I am happy
      to take over the role of rds maintainer. Update the MAINTAINERS
      accordingly.
      Signed-off-by: default avatarAllison Henderson <allison.henderson@oracle.com>
      Link: https://lore.kernel.org/r/20240205190343.112436-1-allison.henderson@oracle.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5001bfe9
    • Jakub Kicinski's avatar
      selftests: cmsg_ipv6: repeat the exact packet · 4b00d0c5
      Jakub Kicinski authored
      cmsg_ipv6 test requests tcpdump to capture 4 packets,
      and sends until tcpdump quits. Only the first packet
      is "real", however, and the rest are basic UDP packets.
      So if tcpdump doesn't start in time it will miss
      the real packet and only capture the UDP ones.
      
      This makes the test fail on slow machine (no KVM or with
      debug enabled) 100% of the time, while it passes in fast
      environments.
      
      Repeat the "real" / expected packet.
      
      Fixes: 9657ad09 ("selftests: net: test IPV6_TCLASS")
      Fixes: 05ae83d5 ("selftests: net: test IPV6_HOPLIMIT")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b00d0c5
    • Petr Tesarik's avatar
      net: stmmac: protect updates of 64-bit statistics counters · 38cc3c6d
      Petr Tesarik authored
      As explained by a comment in <linux/u64_stats_sync.h>, write side of struct
      u64_stats_sync must ensure mutual exclusion, or one seqcount update could
      be lost on 32-bit platforms, thus blocking readers forever. Such lockups
      have been observed in real world after stmmac_xmit() on one CPU raced with
      stmmac_napi_poll_tx() on another CPU.
      
      To fix the issue without introducing a new lock, split the statics into
      three parts:
      
      1. fields updated only under the tx queue lock,
      2. fields updated only during NAPI poll,
      3. fields updated only from interrupt context,
      
      Updates to fields in the first two groups are already serialized through
      other locks. It is sufficient to split the existing struct u64_stats_sync
      so that each group has its own.
      
      Note that tx_set_ic_bit is updated from both contexts. Split this counter
      so that each context gets its own, and calculate their sum to get the total
      value in stmmac_get_ethtool_stats().
      
      For the third group, multiple interrupts may be processed by different CPUs
      at the same time, but interrupts on the same CPU will not nest. Move fields
      from this group to a newly created per-cpu struct stmmac_pcpu_stats.
      
      Fixes: 133466c3 ("net: stmmac: use per-queue 64 bit statistics where necessary")
      Link: https://lore.kernel.org/netdev/Za173PhviYg-1qIn@torres.zugschlus.de/t/
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPetr Tesarik <petr@tesarici.cz>
      Reviewed-by: default avatarJisheng Zhang <jszhang@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      38cc3c6d
    • Eric Dumazet's avatar
      ppp_async: limit MRU to 64K · cb88cb53
      Eric Dumazet authored
      syzbot triggered a warning [1] in __alloc_pages():
      
      WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
      
      Willem fixed a similar issue in commit c0a2a1b0 ("ppp: limit MRU to 64K")
      
      Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
      
      [1]:
      
       WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
      Modules linked in:
      CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
      Workqueue: events_unbound flush_to_ldisc
      pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
       pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
       lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
      sp : ffff800093967580
      x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
      x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
      x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
      x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
      x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
      x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
      x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
      x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
      x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
      x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
      Call trace:
        __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
        __alloc_pages_node include/linux/gfp.h:238 [inline]
        alloc_pages_node include/linux/gfp.h:261 [inline]
        __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
        __do_kmalloc_node mm/slub.c:3969 [inline]
        __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
        kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
        __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
        __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
        netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
        dev_alloc_skb include/linux/skbuff.h:3248 [inline]
        ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
        ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
        tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
        tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
        receive_buf drivers/tty/tty_buffer.c:444 [inline]
        flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
        process_one_work+0x694/0x1204 kernel/workqueue.c:2633
        process_scheduled_works kernel/workqueue.c:2706 [inline]
        worker_thread+0x938/0xef4 kernel/workqueue.c:2787
        kthread+0x288/0x310 kernel/kthread.c:388
        ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cb88cb53
    • Jiri Pirko's avatar
      devlink: avoid potential loop in devlink_rel_nested_in_notify_work() · 58086721
      Jiri Pirko authored
      In case devlink_rel_nested_in_notify_work() can not take the devlink
      lock mutex. Convert the work to delayed work and in case of reschedule
      do it jiffie later and avoid potential looping.
      Suggested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Fixes: c137743b ("devlink: introduce object and nested devlink relationship infra")
      Signed-off-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20240205171114.338679-1-jiri@resnulli.usSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      58086721
    • Kuniyuki Iwashima's avatar
      af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. · 1279f9d9
      Kuniyuki Iwashima authored
      syzbot reported a warning [0] in __unix_gc() with a repro, which
      creates a socketpair and sends one socket's fd to itself using the
      peer.
      
        socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
        sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
                msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
                                            cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
                msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1
      
      This forms a self-cyclic reference that GC should finally untangle
      but does not due to lack of MSG_OOB handling, resulting in memory
      leak.
      
      Recently, commit 11498715 ("af_unix: Remove io_uring code for
      GC.") removed io_uring's dead code in GC and revealed the problem.
      
      The code was executed at the final stage of GC and unconditionally
      moved all GC candidates from gc_candidates to gc_inflight_list.
      That papered over the reported problem by always making the following
      WARN_ON_ONCE(!list_empty(&gc_candidates)) false.
      
      The problem has been there since commit 2aab4b96 ("af_unix: fix
      struct pid leaks in OOB support") added full scm support for MSG_OOB
      while fixing another bug.
      
      To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb
      if the socket still exists in gc_candidates after purging collected skb.
      
      Then, we need to set NULL to oob_skb before calling kfree_skb() because
      it calls last fput() and triggers unix_release_sock(), where we call
      duplicate kfree_skb(u->oob_skb) if not NULL.
      
      Note that the leaked socket remained being linked to a global list, so
      kmemleak also could not detect it.  We need to check /proc/net/protocol
      to notice the unfreed socket.
      
      [0]:
      WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
      Modules linked in:
      CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
      Workqueue: events_unbound __unix_gc
      RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
      Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
      RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
      RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
      RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
      R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
      R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
      FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
       process_scheduled_works kernel/workqueue.c:2706 [inline]
       worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
       kthread+0x2c6/0x3b0 kernel/kthread.c:388
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
       </TASK>
      
      Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183
      Fixes: 2aab4b96 ("af_unix: fix struct pid leaks in OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1279f9d9
  2. 06 Feb, 2024 3 commits
  3. 05 Feb, 2024 10 commits
    • Paolo Abeni's avatar
      selftests: net: let big_tcp test cope with slow env · a19747c3
      Paolo Abeni authored
      In very slow environments, most big TCP cases including
      segmentation and reassembly of big TCP packets have a good
      chance to fail: by default the TCP client uses write size
      well below 64K. If the host is low enough autocorking is
      unable to build real big TCP packets.
      
      Address the issue using much larger write operations.
      
      Note that is hard to observe the issue without an extremely
      slow and/or overloaded environment; reduce the TCP transfer
      time to allow for much easier/faster reproducibility.
      
      Fixes: 6bb382bc ("selftests: add a selftest for big tcp")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a19747c3
    • David S. Miller's avatar
      Merge branch 'rxrpc-fixes' · 645eb543
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Miscellaneous fixes
      
      Here some miscellaneous fixes for AF_RXRPC:
      
       (1) The zero serial number has a special meaning in an ACK packet serial
           reference, so skip it when assigning serial numbers to transmitted
           packets.
      
       (2) Don't set the reference serial number in a delayed ACK as the ACK
           cannot be used for RTT calculation.
      
       (3) Don't emit a DUP ACK response to a PING RESPONSE ACK coming back to a
           call that completed in the meantime.
      
       (4) Fix the counting of acks and nacks in ACK packet to better drive
           congestion management.  We want to know if there have been new
           acks/nacks since the last ACK packet, not that there are still
           acks/nacks.  This is more complicated as we have to save the old SACK
           table and compare it.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      645eb543
    • David Howells's avatar
      rxrpc: Fix counting of new acks and nacks · 41b7fa15
      David Howells authored
      Fix the counting of new acks and nacks when parsing a packet - something
      that is used in congestion control.
      
      As the code stands, it merely notes if there are any nacks whereas what we
      really should do is compare the previous SACK table to the new one,
      assuming we get two successive ACK packets with nacks in them.  However, we
      really don't want to do that if we can avoid it as the tables might not
      correspond directly as one may be shifted from the other - something that
      will only get harder to deal with once extended ACK tables come into full
      use (with a capacity of up to 8192).
      
      Instead, count the number of nacks shifted out of the old SACK, the number
      of nacks retained in the portion still active and the number of new acks
      and nacks in the new table then calculate what we need.
      
      Note this ends up a bit of an estimate as the Rx protocol allows acks to be
      withdrawn by the receiver and packets requested to be retransmitted.
      
      Fixes: d57a3a15 ("rxrpc: Save last ACK's SACK table rather than marking txbufs")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: "David S. Miller" <davem@davemloft.net>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Jakub Kicinski <kuba@kernel.org>
      cc: Paolo Abeni <pabeni@redhat.com>
      cc: linux-afs@lists.infradead.org
      cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41b7fa15
    • David Howells's avatar
      rxrpc: Fix response to PING RESPONSE ACKs to a dead call · 6f769f22
      David Howells authored
      Stop rxrpc from sending a DUP ACK in response to a PING RESPONSE ACK on a
      dead call.  We may have initiated the ping but the call may have beaten the
      response to completion.
      
      Fixes: 18bfeba5 ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: "David S. Miller" <davem@davemloft.net>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Jakub Kicinski <kuba@kernel.org>
      cc: Paolo Abeni <pabeni@redhat.com>
      cc: linux-afs@lists.infradead.org
      cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f769f22
    • David Howells's avatar
      rxrpc: Fix delayed ACKs to not set the reference serial number · e7870cf1
      David Howells authored
      Fix the construction of delayed ACKs to not set the reference serial number
      as they can't be used as an RTT reference.
      
      Fixes: 17926a79 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: "David S. Miller" <davem@davemloft.net>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Jakub Kicinski <kuba@kernel.org>
      cc: Paolo Abeni <pabeni@redhat.com>
      cc: linux-afs@lists.infradead.org
      cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e7870cf1
    • David Howells's avatar
      rxrpc: Fix generation of serial numbers to skip zero · f3104141
      David Howells authored
      In the Rx protocol, every packet generated is marked with a per-connection
      monotonically increasing serial number.  This number can be referenced in
      an ACK packet generated in response to an incoming packet - thereby
      allowing the sender to use this for RTT determination, amongst other
      things.
      
      However, if the reference field in the ACK is zero, it doesn't refer to any
      incoming packet (it could be a ping to find out if a packet got lost, for
      example) - so we shouldn't generate zero serial numbers.
      
      Fix the generation of serial numbers to retry if it comes up with a zero.
      
      Furthermore, since the serial numbers are only ever allocated within the
      I/O thread this connection is bound to, there's no need for atomics so
      remove that too.
      
      Fixes: 17926a79 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: "David S. Miller" <davem@davemloft.net>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Jakub Kicinski <kuba@kernel.org>
      cc: Paolo Abeni <pabeni@redhat.com>
      cc: linux-afs@lists.infradead.org
      cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f3104141
    • David S. Miller's avatar
      Merge branch 'nfp-fixes' · fdeba0b5
      David S. Miller authored
      Louis Peens says:
      
      ====================
      nfp: a few simple driver fixes
      
      This is combining a few unrelated one-liner fixes which have been
      floating around internally into a single series. I'm not sure what is
      the least amount of overhead for reviewers, this or a separate
      submission per-patch? I guess it probably depends on personal
      preference, but please let me know if there is a strong preference to
      rather split these in the future.
      
      Summary:
      
      Patch1: Fixes an old issue which was hidden because 0 just so happens to
              be the correct value.
      Patch2: Fixes a corner case for flower offloading with bond ports
      Patch3: Re-enables the 'NETDEV_XDP_ACT_REDIRECT', which was accidentally
              disabled after a previous refactor.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fdeba0b5
    • James Hershaw's avatar
      nfp: enable NETDEV_XDP_ACT_REDIRECT feature flag · 0f4d6f01
      James Hershaw authored
      Enable previously excluded xdp feature flag for NFD3 devices. This
      feature flag is required in order to bind nfp interfaces to an xdp
      socket and the nfp driver does in fact support the feature.
      
      Fixes: 66c0e13a ("drivers: net: turn on XDP features")
      Cc: stable@vger.kernel.org # 6.3+
      Signed-off-by: default avatarJames Hershaw <james.hershaw@corigine.com>
      Signed-off-by: default avatarLouis Peens <louis.peens@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0f4d6f01
    • Daniel de Villiers's avatar
      nfp: flower: prevent re-adding mac index for bonded port · 1a1c1330
      Daniel de Villiers authored
      When physical ports are reset (either through link failure or manually
      toggled down and up again) that are slaved to a Linux bond with a tunnel
      endpoint IP address on the bond device, not all tunnel packets arriving
      on the bond port are decapped as expected.
      
      The bond dev assigns the same MAC address to itself and each of its
      slaves. When toggling a slave device, the same MAC address is therefore
      offloaded to the NFP multiple times with different indexes.
      
      The issue only occurs when re-adding the shared mac. The
      nfp_tunnel_add_shared_mac() function has a conditional check early on
      that checks if a mac entry already exists and if that mac entry is
      global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the
      case of a bonded device (For example br-ex), the mac index is obtained,
      and no new index is assigned.
      
      We therefore modify the conditional in nfp_tunnel_add_shared_mac() to
      check if the port belongs to the LAG along with the existing checks to
      prevent a new global mac index from being re-assigned to the slave port.
      
      Fixes: 20cce886 ("nfp: flower: enable MAC address sharing for offloadable devs")
      CC: stable@vger.kernel.org # 5.1+
      Signed-off-by: default avatarDaniel de Villiers <daniel.devilliers@corigine.com>
      Signed-off-by: default avatarLouis Peens <louis.peens@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a1c1330
    • Daniel Basilio's avatar
      nfp: use correct macro for LengthSelect in BAR config · b3d4f7f2
      Daniel Basilio authored
      The 1st and 2nd expansion BAR configuration registers are configured,
      when the driver starts up, in variables 'barcfg_msix_general' and
      'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
      from bit 0, which is incorrect. The 'LengthSelect' field should
      start from bit 27.
      
      This has largely gone un-noticed because
      NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
      
      Fixes: 4cb584e0 ("nfp: add CPP access core")
      Cc: stable@vger.kernel.org # 4.11+
      Signed-off-by: default avatarDaniel Basilio <daniel.basilio@corigine.com>
      Signed-off-by: default avatarLouis Peens <louis.peens@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3d4f7f2
  4. 04 Feb, 2024 2 commits
  5. 03 Feb, 2024 10 commits
  6. 02 Feb, 2024 3 commits
    • Eric Dumazet's avatar
      netdevsim: avoid potential loop in nsim_dev_trap_report_work() · ba5e1272
      Eric Dumazet authored
      Many syzbot reports include the following trace [1]
      
      If nsim_dev_trap_report_work() can not grab the mutex,
      it should rearm itself at least one jiffie later.
      
      [1]
      Sending NMI from CPU 1 to CPUs 0:
      NMI backtrace for cpu 0
      CPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
      Workqueue: events nsim_dev_trap_report_work
       RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]
       RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
       RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
       RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
       RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
       RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189
      Code: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00
      RSP: 0018:ffffc90012dcf998 EFLAGS: 00000046
      RAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3
      RDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0
      RBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e
      R10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002
      R13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8
      FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <NMI>
       </NMI>
       <TASK>
        instrument_atomic_read include/linux/instrumented.h:68 [inline]
        atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
        queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]
        debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]
        do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141
        __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]
        _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194
        debug_object_activate+0x349/0x540 lib/debugobjects.c:726
        debug_work_activate kernel/workqueue.c:578 [inline]
        insert_work+0x30/0x230 kernel/workqueue.c:1650
        __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802
        __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953
        queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989
        queue_delayed_work include/linux/workqueue.h:563 [inline]
        schedule_delayed_work include/linux/workqueue.h:677 [inline]
        nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842
        process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
        process_scheduled_works kernel/workqueue.c:2706 [inline]
        worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
        kthread+0x2c6/0x3a0 kernel/kthread.c:388
        ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
        ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
       </TASK>
      
      Fixes: 012ec02a ("netdevsim: convert driver to use unlocked devlink API during init/fini")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20240201175324.3752746-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ba5e1272
    • Michael Lass's avatar
      net: Fix from address in memcpy_to_iter_csum() · fe92f874
      Michael Lass authored
      While inlining csum_and_memcpy() into memcpy_to_iter_csum(), the from
      address passed to csum_partial_copy_nocheck() was accidentally changed.
      This causes a regression in applications using UDP, as for example
      OpenAFS, causing loss of datagrams.
      
      Fixes: dc32bff1 ("iov_iter, net: Fold in csum_and_memcpy()")
      Cc: David Howells <dhowells@redhat.com>
      Cc: stable@vger.kernel.org
      Cc: regressions@lists.linux.dev
      Signed-off-by: default avatarMichael Lass <bevan@bi-co.net>
      Reviewed-by: default avatarJeffrey Altman <jaltman@auristor.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fe92f874
    • Furong Xu's avatar
      net: stmmac: xgmac: fix handling of DPP safety error for DMA channels · 46eba193
      Furong Xu authored
      Commit 56e58d6c ("net: stmmac: Implement Safety Features in
      XGMAC core") checks and reports safety errors, but leaves the
      Data Path Parity Errors for each channel in DMA unhandled at all, lead to
      a storm of interrupt.
      Fix it by checking and clearing the DMA_DPP_Interrupt_Status register.
      
      Fixes: 56e58d6c ("net: stmmac: Implement Safety Features in XGMAC core")
      Signed-off-by: default avatarFurong Xu <0x1207@gmail.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46eba193
  7. 01 Feb, 2024 6 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 41b9fb38
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter.
      
        As Paolo promised we continue to hammer out issues in our selftests.
        This is not the end but probably the peak.
      
        Current release - regressions:
      
         - smc: fix incorrect SMC-D link group matching logic
      
        Current release - new code bugs:
      
         - eth: bnxt: silence WARN() when device skips a timestamp, it happens
      
        Previous releases - regressions:
      
         - ipmr: fix null-deref when forwarding mcast packets
      
         - conntrack: evaluate window negotiation only for packets in the
           REPLY direction, otherwise SYN retransmissions trigger incorrect
           window scale negotiation
      
         - ipset: fix performance regression in swap operation
      
        Previous releases - always broken:
      
         - tcp: add sanity checks to types of pages getting into the rx
           zerocopy path, we only support basic NIC -> user, no page cache
           pages etc.
      
         - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
      
         - nt_tables: more input sanitization changes
      
         - dsa: mt7530: fix 10M/100M speed on MediaTek MT7988 switch
      
         - bridge: mcast: fix loss of snooping after long uptime, jiffies do
           wrap on 32bit
      
         - xen-netback: properly sync TX responses, protect with locking
      
         - phy: mediatek-ge-soc: sync calibration values with MediaTek SDK,
           increase connection stability
      
         - eth: pds: fixes for various teardown, and reset races
      
        Misc:
      
         - hsr: silence WARN() if we can't alloc supervision frame, it
           happens"
      
      * tag 'net-6.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (82 commits)
        doc/netlink/specs: Add missing attr in rt_link spec
        idpf: avoid compiler padding in virtchnl2_ptype struct
        selftests: mptcp: join: stop transfer when check is done (part 2)
        selftests: mptcp: join: stop transfer when check is done (part 1)
        selftests: mptcp: allow changing subtests prefix
        selftests: mptcp: decrease BW in simult flows
        selftests: mptcp: increase timeout to 30 min
        selftests: mptcp: add missing kconfig for NF Mangle
        selftests: mptcp: add missing kconfig for NF Filter in v6
        selftests: mptcp: add missing kconfig for NF Filter
        mptcp: fix data re-injection from stale subflow
        selftests: net: enable some more knobs
        selftests: net: add missing config for NF_TARGET_TTL
        selftests: forwarding: List helper scripts in TEST_FILES Makefile variable
        selftests: net: List helper scripts in TEST_FILES Makefile variable
        selftests: net: Remove executable bits from library scripts
        selftests: bonding: Check initial state
        selftests: team: Add missing config options
        hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
        xen-netback: properly sync TX responses
        ...
      41b9fb38
    • Linus Torvalds's avatar
      Merge tag 'parisc-for-6.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 91481c90
      Linus Torvalds authored
      Pull parisc architecture fixes from Helge Deller:
       "The current exception handler, which helps on kernel accesses to
        userspace, may exhibit data corruption. The problem is that it is not
        guaranteed that the compiler will use the processor register we
        specified in the source code, but may choose another register which
        then will lead to silent register- and data corruption. To fix this
        issue we now use another strategy to help the exception handler to
        always find and set the error code into the correct CPU register.
      
        The other fixes are small: fixing CPU hotplug bringup, fix the page
        alignment of the RO_DATA section, added a check for the calculated
        cache stride and fix possible hangups when printing longer output at
        bootup when running on serial console.
      
        Most of the patches are tagged for stable series.
      
         - Fix random data corruption triggered by exception handler
      
         - Fix crash when setting up BTLB at CPU bringup
      
         - Prevent hung tasks when printing inventory on serial console
      
         - Make RO_DATA page aligned in vmlinux.lds.S
      
         - Add check for valid cache stride size"
      
      * tag 'parisc-for-6.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: BTLB: Fix crash when setting up BTLB at CPU bringup
        parisc: Fix random data corruption from exception handler
        parisc: Drop unneeded semicolon in parse_tree_node()
        parisc: Prevent hung tasks when printing inventory on serial console
        parisc: Check for valid stride size for cache flushes
        parisc: Make RO_DATA page aligned in vmlinux.lds.S
      91481c90
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.8' of... · a4126826
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix UML build with clang-18 and newer
      
       - Avoid using the alias attribute in host programs
      
       - Replace tabs with spaces when followed by conditionals for future GNU
         Make versions
      
       - Fix rpm-pkg for the systemd-provided kernel-install tool
      
       - Fix the undefined behavior in Kconfig for a 'int' symbol used in a
         conditional
      
      * tag 'kbuild-fixes-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig: initialize sym->curr.tri to 'no' for all symbol types again
        kbuild: rpm-pkg: simplify installkernel %post
        kbuild: Replace tabs with spaces when followed by conditionals
        modpost: avoid using the alias attribute
        kbuild: fix W= flags in the help message
        modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS
        um: Fix adding '-no-pie' for clang
        kbuild: defconf: use SRCARCH to find merged configs
      a4126826
    • Linus Torvalds's avatar
      Merge tag 'nfsd-6.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · cfdf0c09
      Linus Torvalds authored
      Pull nfsd fix from Chuck Lever:
      
       - Fix a recent backchannel timeout fix
      
      * tag 'nfsd-6.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        NFSv4.1: Assign the right value for initval and retries for rpc timeout
      cfdf0c09
    • Linus Torvalds's avatar
      Merge tag 'exfat-for-6.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat · 49a4be2c
      Linus Torvalds authored
      Pull exfat fix from Namjae Jeon:
      
       - Fix BUG in iov_iter_revert reported from syzbot
      
      * tag 'exfat-for-6.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat:
        exfat: fix zero the unwritten part for dio read
      49a4be2c
    • Linus Torvalds's avatar
      Merge tag 'hid-for-linus-2024020101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 5c24e4e9
      Linus Torvalds authored
      Pull HID fixes from Benjamin Tissoires:
      
       - cleanups in the error path in hid-steam (Dan Carpenter)
      
       - fixes for Wacom tablets selftests that sneaked in while the CI was
         taking a break during the year end holidays (Benjamin Tissoires)
      
       - null pointer check in nvidia-shield (Kunwu Chan)
      
       - memory leak fix in hidraw (Su Hui)
      
       - another null pointer fix in i2c-hid-of (Johan Hovold)
      
       - another memory leak fix in HID-BPF this time, as well as a double
         fdget() fix reported by Dan Carpenter (Benjamin Tissoires)
      
       - fix for Cirque touchpad when they go on suspend (Kai-Heng Feng)
      
       - new device ID in hid-logitech-hidpp: "Logitech G Pro X SuperLight 2"
         (Jiri Kosina)
      
      * tag 'hid-for-linus-2024020101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: bpf: use __bpf_kfunc instead of noinline
        HID: bpf: actually free hdev memory after attaching a HID-BPF program
        HID: bpf: remove double fdget()
        HID: i2c-hid-of: fix NULL-deref on failed power up
        HID: hidraw: fix a problem of memory leak in hidraw_release()
        HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend
        HID: nvidia-shield: Add missing null pointer checks to LED initialization
        HID: logitech-hidpp: add support for Logitech G Pro X Superlight 2
        selftests/hid: wacom: fix confidence tests
        HID: hid-steam: Fix cleanup in probe()
        HID: hid-steam: remove pointless error message
      5c24e4e9