1. 25 Apr, 2024 5 commits
    • Ido Schimmel's avatar
      mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash · 54225988
      Ido Schimmel authored
      The rehash delayed work migrates filters from one region to another
      according to the number of available credits.
      
      The migrated from region is destroyed at the end of the work if the
      number of credits is non-negative as the assumption is that this is
      indicative of migration being complete. This assumption is incorrect as
      a non-negative number of credits can also be the result of a failed
      migration.
      
      The destruction of a region that still has filters referencing it can
      result in a use-after-free [1].
      
      Fix by not destroying the region if migration failed.
      
      [1]
      BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
      Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858
      
      CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G        W          6.9.0-rc2-custom-00782-gf2275c2157d8 #5
      Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
      Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
      Call Trace:
       <TASK>
       dump_stack_lvl+0xc6/0x120
       print_report+0xce/0x670
       kasan_report+0xd7/0x110
       mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
       mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70
       mlxsw_sp_acl_atcam_entry_del+0x81/0x210
       mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50
       mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
       process_one_work+0x8eb/0x19b0
       worker_thread+0x6c9/0xf70
       kthread+0x2c9/0x3b0
       ret_from_fork+0x4d/0x80
       ret_from_fork_asm+0x1a/0x30
       </TASK>
      
      Allocated by task 174:
       kasan_save_stack+0x33/0x60
       kasan_save_track+0x14/0x30
       __kasan_kmalloc+0x8f/0xa0
       __kmalloc+0x19c/0x360
       mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0
       mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300
       process_one_work+0x8eb/0x19b0
       worker_thread+0x6c9/0xf70
       kthread+0x2c9/0x3b0
       ret_from_fork+0x4d/0x80
       ret_from_fork_asm+0x1a/0x30
      
      Freed by task 7:
       kasan_save_stack+0x33/0x60
       kasan_save_track+0x14/0x30
       kasan_save_free_info+0x3b/0x60
       poison_slab_object+0x102/0x170
       __kasan_slab_free+0x14/0x30
       kfree+0xc1/0x290
       mlxsw_sp_acl_tcam_region_destroy+0x272/0x310
       mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300
       process_one_work+0x8eb/0x19b0
       worker_thread+0x6c9/0xf70
       kthread+0x2c9/0x3b0
       ret_from_fork+0x4d/0x80
       ret_from_fork_asm+0x1a/0x30
      
      Fixes: c9c9af91 ("mlxsw: spectrum_acl: Allow to interrupt/continue rehash work")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarAlexander Zubkov <green@qrator.net>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/3e412b5659ec2310c5c615760dfe5eac18dd7ebd.1713797103.git.petrm@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      54225988
    • Ido Schimmel's avatar
      mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update · 79b5b4b1
      Ido Schimmel authored
      The rule activity update delayed work periodically traverses the list of
      configured rules and queries their activity from the device.
      
      As part of this task it accesses the entry pointed by 'ventry->entry',
      but this entry can be changed concurrently by the rehash delayed work,
      leading to a use-after-free [1].
      
      Fix by closing the race and perform the activity query under the
      'vregion->lock' mutex.
      
      [1]
      BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140
      Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181
      
      CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2
      Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
      Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work
      Call Trace:
       <TASK>
       dump_stack_lvl+0xc6/0x120
       print_report+0xce/0x670
       kasan_report+0xd7/0x110
       mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140
       mlxsw_sp_acl_rule_activity_update_work+0x219/0x400
       process_one_work+0x8eb/0x19b0
       worker_thread+0x6c9/0xf70
       kthread+0x2c9/0x3b0
       ret_from_fork+0x4d/0x80
       ret_from_fork_asm+0x1a/0x30
       </TASK>
      
      Allocated by task 1039:
       kasan_save_stack+0x33/0x60
       kasan_save_track+0x14/0x30
       __kasan_kmalloc+0x8f/0xa0
       __kmalloc+0x19c/0x360
       mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0
       mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50
       mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
       process_one_work+0x8eb/0x19b0
       worker_thread+0x6c9/0xf70
       kthread+0x2c9/0x3b0
       ret_from_fork+0x4d/0x80
       ret_from_fork_asm+0x1a/0x30
      
      Freed by task 1039:
       kasan_save_stack+0x33/0x60
       kasan_save_track+0x14/0x30
       kasan_save_free_info+0x3b/0x60
       poison_slab_object+0x102/0x170
       __kasan_slab_free+0x14/0x30
       kfree+0xc1/0x290
       mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50
       mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
       process_one_work+0x8eb/0x19b0
       worker_thread+0x6c9/0xf70
       kthread+0x2c9/0x3b0
       ret_from_fork+0x4d/0x80
       ret_from_fork_asm+0x1a/0x30
      
      Fixes: 2bffc532 ("mlxsw: spectrum_acl: Don't take mutex in mlxsw_sp_acl_tcam_vregion_rehash_work()")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarAlexander Zubkov <green@qrator.net>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/1fcce0a60b231ebeb2515d91022284ba7b4ffe7a.1713797103.git.petrm@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      79b5b4b1
    • Ido Schimmel's avatar
      mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work · d90cfe20
      Ido Schimmel authored
      The purpose of the rehash delayed work is to reduce the number of masks
      (eRPs) used by an ACL region as the eRP bank is a global and limited
      resource.
      
      This is done in three steps:
      
      1. Creating a new set of masks and a new ACL region which will use the
         new masks and to which the existing filters will be migrated to. The
         new region is assigned to 'vregion->region' and the region from which
         the filters are migrated from is assigned to 'vregion->region2'.
      
      2. Migrating all the filters from the old region to the new region.
      
      3. Destroying the old region and setting 'vregion->region2' to NULL.
      
      Only the second steps is performed under the 'vregion->lock' mutex
      although its comments says that among other things it "Protects
      consistency of region, region2 pointers".
      
      This is problematic as the first step can race with filter insertion
      from user space that uses 'vregion->region', but under the mutex.
      
      Fix by holding the mutex across the entirety of the delayed work and not
      only during the second step.
      
      Fixes: 2bffc532 ("mlxsw: spectrum_acl: Don't take mutex in mlxsw_sp_acl_tcam_vregion_rehash_work()")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarAlexander Zubkov <green@qrator.net>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/1ec1d54edf2bad0a369e6b4fa030aba64e1f124b.1713797103.git.petrm@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d90cfe20
    • Ido Schimmel's avatar
      mlxsw: spectrum_acl_tcam: Fix race in region ID allocation · 627f9c1b
      Ido Schimmel authored
      Region identifiers can be allocated both when user space tries to insert
      a new tc filter and when filters are migrated from one region to another
      as part of the rehash delayed work.
      
      There is no lock protecting the bitmap from which these identifiers are
      allocated from, which is racy and leads to bad parameter errors from the
      device's firmware.
      
      Fix by converting the bitmap to IDA which handles its own locking. For
      consistency, do the same for the group identifiers that are part of the
      same structure.
      
      Fixes: 2bffc532 ("mlxsw: spectrum_acl: Don't take mutex in mlxsw_sp_acl_tcam_vregion_rehash_work()")
      Reported-by: default avatarAmit Cohen <amcohen@nvidia.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarAlexander Zubkov <green@qrator.net>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/ce494b7940cadfe84f3e18da7785b51ef5f776e3.1713797103.git.petrm@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      627f9c1b
    • Hyunwoo Kim's avatar
      net: openvswitch: Fix Use-After-Free in ovs_ct_exit · 5ea7b72d
      Hyunwoo Kim authored
      Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal
      of ovs_ct_limit_exit, is not part of the RCU read critical section, it
      is possible that the RCU grace period will pass during the traversal and
      the key will be free.
      
      To prevent this, it should be changed to hlist_for_each_entry_safe.
      
      Fixes: 11efd5cb ("openvswitch: Support conntrack zone limit")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarAaron Conole <aconole@redhat.com>
      Link: https://lore.kernel.org/r/ZiYvzQN/Ry5oeFQW@v4bel-B760M-AORUS-ELITE-AXSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5ea7b72d
  2. 24 Apr, 2024 6 commits
  3. 23 Apr, 2024 2 commits
    • Jakub Kicinski's avatar
      tools: ynl: don't ignore errors in NLMSG_DONE messages · a44f2eb1
      Jakub Kicinski authored
      NLMSG_DONE contains an error code, it has to be extracted.
      Prior to this change all dumps will end in success,
      and in case of failure the result is silently truncated.
      
      Fixes: e4b48ed4 ("tools: ynl: add a completely generic client")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarDonald Hunter <donald.hunter@gmail.com>
      Link: https://lore.kernel.org/r/20240420020827.3288615-1-kuba@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a44f2eb1
    • Duoming Zhou's avatar
      ax25: Fix netdev refcount issue · 467324bc
      Duoming Zhou authored
      The dev_tracker is added to ax25_cb in ax25_bind(). When the
      ax25 device is detaching, the dev_tracker of ax25_cb should be
      deallocated in ax25_kill_by_device() instead of the dev_tracker
      of ax25_dev. The log reported by ref_tracker is shown below:
      
      [   80.884935] ref_tracker: reference already released.
      [   80.885150] ref_tracker: allocated in:
      [   80.885349]  ax25_dev_device_up+0x105/0x540
      [   80.885730]  ax25_device_event+0xa4/0x420
      [   80.885730]  notifier_call_chain+0xc9/0x1e0
      [   80.885730]  __dev_notify_flags+0x138/0x280
      [   80.885730]  dev_change_flags+0xd7/0x180
      [   80.885730]  dev_ifsioc+0x6a9/0xa30
      [   80.885730]  dev_ioctl+0x4d8/0xd90
      [   80.885730]  sock_do_ioctl+0x1c2/0x2d0
      [   80.885730]  sock_ioctl+0x38b/0x4f0
      [   80.885730]  __se_sys_ioctl+0xad/0xf0
      [   80.885730]  do_syscall_64+0xc4/0x1b0
      [   80.885730]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
      [   80.885730] ref_tracker: freed in:
      [   80.885730]  ax25_device_event+0x272/0x420
      [   80.885730]  notifier_call_chain+0xc9/0x1e0
      [   80.885730]  dev_close_many+0x272/0x370
      [   80.885730]  unregister_netdevice_many_notify+0x3b5/0x1180
      [   80.885730]  unregister_netdev+0xcf/0x120
      [   80.885730]  sixpack_close+0x11f/0x1b0
      [   80.885730]  tty_ldisc_kill+0xcb/0x190
      [   80.885730]  tty_ldisc_hangup+0x338/0x3d0
      [   80.885730]  __tty_hangup+0x504/0x740
      [   80.885730]  tty_release+0x46e/0xd80
      [   80.885730]  __fput+0x37f/0x770
      [   80.885730]  __x64_sys_close+0x7b/0xb0
      [   80.885730]  do_syscall_64+0xc4/0x1b0
      [   80.885730]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
      [   80.893739] ------------[ cut here ]------------
      [   80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0
      [   80.894297] Modules linked in:
      [   80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd9 #11
      [   80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4
      [   80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0
      [   80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9
      [   80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286
      [   80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000
      [   80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518
      [   80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a
      [   80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4
      [   80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518
      [   80.898279] FS:  00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
      [   80.899436] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0
      ...
      [   80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at
      [   80.935774]      ax25_bind+0x424/0x4e0
      [   80.935774]      __sys_bind+0x1d9/0x270
      [   80.935774]      __x64_sys_bind+0x75/0x80
      [   80.935774]      do_syscall_64+0xc4/0x1b0
      [   80.935774]      entry_SYSCALL_64_after_hwframe+0x67/0x6f
      
      Change ax25_dev->dev_tracker to the dev_tracker of ax25_cb
      in order to mitigate the bug.
      
      Fixes: feef318c ("ax25: fix UAF bugs of net_device caused by rebinding operation")
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Link: https://lore.kernel.org/r/20240419020456.29826-1-duoming@zju.edu.cnSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      467324bc
  4. 22 Apr, 2024 11 commits
    • Paul Geurts's avatar
      NFC: trf7970a: disable all regulators on removal · 6bea4f03
      Paul Geurts authored
      During module probe, regulator 'vin' and 'vdd-io' are used and enabled,
      but the vdd-io regulator overwrites the 'vin' regulator pointer. During
      remove, only the vdd-io is disabled, as the vin regulator pointer is not
      available anymore. When regulator_put() is called during resource
      cleanup a kernel warning is given, as the regulator is still enabled.
      
      Store the two regulators in separate pointers and disable both the
      regulators on module remove.
      
      Fixes: 49d22c70 ("NFC: trf7970a: Add device tree option of 1.8 Volt IO voltage")
      Signed-off-by: default avatarPaul Geurts <paul_geurts@live.nl>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Link: https://lore.kernel.org/r/DB7PR09MB26847A4EBF88D9EDFEB1DA0F950E2@DB7PR09MB2684.eurprd09.prod.outlook.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6bea4f03
    • David Christensen's avatar
      MAINTAINERS: eth: mark IBM eHEA as an Orphan · 97ec32b5
      David Christensen authored
      Current maintainer Douglas Miller has left IBM and no replacement has
      been assigned for the driver. The eHEA hardware was last used on
      IBM POWER7 systems, the last of which reached end-of-support at the
      end of 2020.
      Signed-off-by: default avatarDavid Christensen <drc@linux.ibm.com>
      Reviewed-by: default avatarPradeep Satyanarayana <pradeeps@linux.ibm.com>
      Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
      Link: https://lore.kernel.org/r/20240418195517.528577-1-drc@linux.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      97ec32b5
    • Matthias Schiffer's avatar
      net: dsa: mv88e6xx: fix supported_interfaces setup in mv88e6250_phylink_get_caps() · a4e38990
      Matthias Schiffer authored
      With the recent PHYLINK changes requiring supported_interfaces to be set,
      MV88E6250 family switches like the 88E6020 fail to probe - cmode is
      never initialized on these devices, so mv88e6250_phylink_get_caps() does
      not set any supported_interfaces flags.
      
      Instead of a cmode, on 88E6250 we have a read-only port mode value that
      encodes similar information. There is no reason to bother mapping port
      mode to the cmodes of other switch models; instead we introduce a
      mv88e6250_setup_supported_interfaces() that is called directly from
      mv88e6250_phylink_get_caps().
      
      Fixes: de5c9bf4 ("net: phylink: require supported_interfaces to be filled")
      Signed-off-by: default avatarMatthias Schiffer <matthias.schiffer@ew.tq-group.com>
      Link: https://lore.kernel.org/r/20240417103737.166651-1-matthias.schiffer@ew.tq-group.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a4e38990
    • David S. Miller's avatar
      Merge branch 'bnxt_en-aer-fixes' · 9e91bf75
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: AER fixes
      
      This patchset fixes issues in the AER recovery logic.  The first patch
      refactors the code to make a shutdown function available for AER fatal
      errors.  The second patch fixes the AER fatal recovery logic.  The
      third patch fixes the health register logic to fix AER recovery failure
      for the new P7 chips.
      ====================
      Signed-off-by: default avatarArınç ÜNAL <arinc.unal@arinc9.com>
      9e91bf75
    • Michael Chan's avatar
      bnxt_en: Fix error recovery for 5760X (P7) chips · 41e54045
      Michael Chan authored
      During error recovery, such as AER fatal error slot reset, we call
      bnxt_try_map_fw_health_reg() to try to get access to the health
      register to determine the firmware state.  Fix
      bnxt_try_map_fw_health_reg() to recognize the P7 chip correctly
      and set up the health register.
      
      This fixes this type of AER slot reset failure:
      
      bnxt_en 0000:04:00.0: AER: PCIe Bus Error: severity=Uncorrectable (Fatal), type=Inaccessible, (Unregistered Agent ID)
      bnxt_en 0000:04:00.0 enp4s0f0np0: PCI I/O error detected
      bnxt_en 0000:04:00.0 bnxt_re0: Handle device suspend call
      bnxt_en 0000:04:00.1 enp4s0f1np1: PCI I/O error detected
      bnxt_en 0000:04:00.1 bnxt_re1: Handle device suspend call
      pcieport 0000:00:02.0: AER: Root Port link has been reset (0)
      bnxt_en 0000:04:00.0 enp4s0f0np0: PCI Slot Reset
      bnxt_en 0000:04:00.0: enabling device (0000 -> 0002)
      bnxt_en 0000:04:00.0: Firmware not ready
      bnxt_en 0000:04:00.1 enp4s0f1np1: PCI Slot Reset
      bnxt_en 0000:04:00.1: enabling device (0000 -> 0002)
      bnxt_en 0000:04:00.1: Firmware not ready
      pcieport 0000:00:02.0: AER: device recovery failed
      
      Fixes: a432a45b ("bnxt_en: Define basic P7 macros")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41e54045
    • Vikas Gupta's avatar
      bnxt_en: Fix the PCI-AER routines · a1acdc22
      Vikas Gupta authored
      We do not support two simultaneous recoveries so check for reset
      flag, BNXT_STATE_IN_FW_RESET, and do not proceed with AER further.
      When the pci channel state is pci_channel_io_frozen, the PCIe link
      can not be trusted so we disable the traffic immediately and stop
      BAR access by calling bnxt_fw_fatal_close().  BAR access after
      AER fatal error can cause an NMI.
      
      Fixes: f75d9a0a ("bnxt_en: Re-write PCI BARs after PCI fatal error.")
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1acdc22
    • Vikas Gupta's avatar
      bnxt_en: refactor reset close code · 7474b1c8
      Vikas Gupta authored
      Introduce bnxt_fw_fatal_close() API which can be used
      to stop data path and disable device when firmware
      is in fatal state.
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7474b1c8
    • Hangbin Liu's avatar
      bridge/br_netlink.c: no need to return void function · 4fd1edcd
      Hangbin Liu authored
      br_info_notify is a void function. There is no need to return.
      
      Fixes: b6d0425b ("bridge: cfm: Netlink Notifications.")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4fd1edcd
    • Alex Elder's avatar
      mailmap: add entries for Alex Elder · 70dcdf5f
      Alex Elder authored
      Define my kernel.org address to be the canonical one, and add mailmap
      entries for the various addresses (including typos) that have been
      used over the years.
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70dcdf5f
    • Eric Dumazet's avatar
      icmp: prevent possible NULL dereferences from icmp_build_probe() · c58e88d4
      Eric Dumazet authored
      First problem is a double call to __in_dev_get_rcu(), because
      the second one could return NULL.
      
      if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)
      
      Second problem is a read from dev->ip6_ptr with no NULL check:
      
      if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))
      
      Use the correct RCU API to fix these.
      
      v2: add missing include <net/addrconf.h>
      
      Fixes: d329ea5b ("icmp: add response to RFC 8335 PROBE messages")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Andreas Roeseler <andreas.a.roeseler@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c58e88d4
    • Daniele Palmas's avatar
      net: usb: qmi_wwan: add Telit FN920C04 compositions · 0b8fe5bd
      Daniele Palmas authored
      Add the following Telit FN920C04 compositions:
      
      0x10a0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag)
      T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#=  5 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=10a0 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN920
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      
      0x10a4: rmnet + tty (AT) + tty (AT) + tty (diag)
      T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=10a4 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN920
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      
      0x10a9: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb
      T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#=  9 Spd=480  MxCh= 0
      D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=1bc7 ProdID=10a9 Rev=05.15
      S:  Manufacturer=Telit Cinterion
      S:  Product=FN920
      S:  SerialNumber=92c4c4d8
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:  If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b8fe5bd
  5. 20 Apr, 2024 6 commits
  6. 19 Apr, 2024 2 commits
    • David Bauer's avatar
      vxlan: drop packets from invalid src-address · f58f45c1
      David Bauer authored
      The VXLAN driver currently does not check if the inner layer2
      source-address is valid.
      
      In case source-address snooping/learning is enabled, a entry in the FDB
      for the invalid address is created with the layer3 address of the tunnel
      endpoint.
      
      If the frame happens to have a non-unicast address set, all this
      non-unicast traffic is subsequently not flooded to the tunnel network
      but sent to the learnt host in the FDB. To make matters worse, this FDB
      entry does not expire.
      
      Apply the same filtering for packets as it is done for bridges. This not
      only drops these invalid packets but avoids them from being learnt into
      the FDB.
      
      Fixes: d342894c ("vxlan: virtual extensible lan")
      Suggested-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid Bauer <mail@david-bauer.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f58f45c1
    • Duanqiang Wen's avatar
      net: libwx: fix alloc msix vectors failed · 69197dfc
      Duanqiang Wen authored
      driver needs queue msix vectors and one misc irq vector,
      but only queue vectors need irq affinity.
      when num_online_cpus is less than chip max msix vectors,
      driver will acquire (num_online_cpus + 1) vecotrs, and
      call pci_alloc_irq_vectors_affinity functions with affinity
      params without setting pre_vectors or post_vectors, it will
      cause return error code -ENOSPC.
      Misc irq vector is vector 0, driver need to set affinity params
      .pre_vectors = 1.
      
      Fixes: 3f703186 ("net: libwx: Add irq flow functions")
      Signed-off-by: default avatarDuanqiang Wen <duanqiangwen@net-swift.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69197dfc
  7. 18 Apr, 2024 8 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 7586c850
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "A little calmer than usual, probably just the timing of sub-tree PRs.
      
        Including fixes from netfilter.
      
        Current release - regressions:
      
         - inet: bring NLM_DONE out to a separate recv() again, fix user space
           which assumes multiple recv()s will happen and gets blocked forever
      
         - drv: mlx5:
             - restore mistakenly dropped parts in register devlink flow
             - use channel mdev reference instead of global mdev instance for
               coalescing
             - acquire RTNL lock before RQs/SQs activation/deactivation
      
        Previous releases - regressions:
      
         - net: change maximum number of UDP segments to 128, fix virtio
           compatibility with Windows peers
      
         - usb: ax88179_178a: avoid writing the mac address before first
           reading
      
        Previous releases - always broken:
      
         - sched: fix mirred deadlock on device recursion
      
         - netfilter:
             - br_netfilter: skip conntrack input hook for promisc packets
             - fixes removal of duplicate elements in the pipapo set backend
             - various fixes for abort paths and error handling
      
         - af_unix: don't peek OOB data without MSG_OOB
      
         - drv: flower: fix fragment flags handling in multiple drivers
      
         - drv: ravb: fix jumbo frames and packet stats accounting
      
        Misc:
      
         - kselftest_harness: fix Clang warning about zero-length format
      
         - tun: limit printing rate when illegal packet received by tun dev"
      
      * tag 'net-6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (46 commits)
        net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them
        net: usb: ax88179_178a: avoid writing the mac address before first reading
        net: ravb: Fix RX byte accounting for jumbo packets
        net: ravb: Fix GbEth jumbo packet RX checksum handling
        net: ravb: Allow RX loop to move past DMA mapping errors
        net: ravb: Count packets instead of descriptors in R-Car RX path
        net: ethernet: mtk_eth_soc: fix WED + wifi reset
        net:usb:qmi_wwan: support Rolling modules
        selftests: kselftest_harness: fix Clang warning about zero-length format
        net/sched: Fix mirred deadlock on device recursion
        netfilter: nf_tables: fix memleak in map from abort path
        netfilter: nf_tables: restore set elements when delete set fails
        netfilter: nf_tables: missing iterator type in lookup walk
        s390/ism: Properly fix receive message buffer allocation
        net: dsa: mt7530: fix port mirroring for MT7988 SoC switch
        net: dsa: mt7530: fix mirroring frames received on local port
        tun: limit printing rate when illegal packet received by tun dev
        ice: Fix checking for unsupported keys on non-tunnel device
        ice: tc: allow zero flags in parsing tc flower
        ice: tc: check src_vsi in case of traffic from VF
        ...
      7586c850
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 360a348f
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - use -ENOTSUPP consistently in Intel GPIO drivers
      
       - don't include dt-bindings headers in gpio-swnode code
      
       - add missing of device table to gpio-lpc32xx and fix autoloading
      
      * tag 'gpio-fixes-for-v6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpiolib: swnode: Remove wrong header inclusion
        gpio: lpc32xx: fix module autoloading
        gpio: crystalcove: Use -ENOTSUPP consistently
        gpio: wcove: Use -ENOTSUPP consistently
      360a348f
    • Siddharth Vadapalli's avatar
      net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them · c24cd679
      Siddharth Vadapalli authored
      The TX and RX DMA Channels used by the driver to exchange data with CPSW
      are not guaranteed to be in a clean state during driver initialization.
      The Bootloader could have used the same DMA Channels without cleaning them
      up in the event of failure. Thus, reset and disable the DMA Channels to
      ensure that they are in a clean state before using them.
      
      Fixes: 93a76530 ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
      Reported-by: default avatarSchuyler Patton <spatton@ti.com>
      Signed-off-by: default avatarSiddharth Vadapalli <s-vadapalli@ti.com>
      Reviewed-by: default avatarRoger Quadros <rogerq@kernel.org>
      Link: https://lore.kernel.org/r/20240417095425.2253876-1-s-vadapalli@ti.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c24cd679
    • Jose Ignacio Tornos Martinez's avatar
      net: usb: ax88179_178a: avoid writing the mac address before first reading · 56f78615
      Jose Ignacio Tornos Martinez authored
      After the commit d2689b6a ("net: usb: ax88179_178a: avoid two
      consecutive device resets"), reset operation, in which the default mac
      address from the device is read, is not executed from bind operation and
      the random address, that is pregenerated just in case, is direclty written
      the first time in the device, so the default one from the device is not
      even read. This writing is not dangerous because is volatile and the
      default mac address is not missed.
      
      In order to avoid this and keep the simplification to have only one
      reset and reduce the delays, restore the reset from bind operation and
      remove the reset that is commanded from open operation. The behavior is
      the same but everything is ready for usbnet_probe.
      
      Tested with ASIX AX88179 USB Gigabit Ethernet devices.
      Restore the old behavior for the rest of possible devices because I don't
      have the hardware to test.
      
      cc: stable@vger.kernel.org # 6.6+
      Fixes: d2689b6a ("net: usb: ax88179_178a: avoid two consecutive device resets")
      Reported-by: default avatarJarkko Palviainen <jarkko.palviainen@gmail.com>
      Signed-off-by: default avatarJose Ignacio Tornos Martinez <jtornosm@redhat.com>
      Link: https://lore.kernel.org/r/20240417085524.219532-1-jtornosm@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      56f78615
    • Linus Torvalds's avatar
      Merge tag 'random-6.9-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · e4add020
      Linus Torvalds authored
      Pull random number generator fixes from Jason Donenfeld:
      
       - The input subsystem contributes entropy in some places where a
         spinlock is held, but the entropy accounting code only handled
         callers being in an interrupt or non-atomic process context, but not
         atomic process context. We fix this by removing an optimization and
         just calling queue_work() unconditionally.
      
       - Greg accidently sent up a patch not intended for his tree and that
         had been nack'd, so that's now reverted.
      
      * tag 'random-6.9-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        Revert "vmgenid: emit uevent when VMGENID updates"
        random: handle creditable entropy from atomic process context
      e4add020
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.9-3' of... · c2d88559
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Ilpo Järvinen:
      
       - amd/pmf: Add SPS notifications quirk (+ quirk support)
      
       - amd/pmf: Lower Smart PC check message severity
      
       - x86/ISST: New HW support
      
       - x86/intel-uncore-freq: Bump minor version to avoid "unsupported" message
      
       - amd/pmc: New BIOS version still needs Spurious IRQ1 quirk
      
      * tag 'platform-drivers-x86-v6.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86/amd/pmc: Extend Framework 13 quirk to more BIOSes
        platform/x86/intel-uncore-freq: Increase minor number support
        platform/x86: ISST: Add Granite Rapids-D to HPM CPU list
        platform/x86/amd: pmf: Add quirk for ROG Zephyrus G14
        platform/x86/amd: pmf: Add infrastructure for quirking supported funcs
        platform/x86/amd: pmf: Decrease error message to debug
      c2d88559
    • Jason A. Donenfeld's avatar
      Revert "vmgenid: emit uevent when VMGENID updates" · 3aadf100
      Jason A. Donenfeld authored
      This reverts commit ad6bcdad. I had
      nak'd it, and Greg said on the thread that it links that he wasn't going
      to take it either, especially since it's not his code or his tree, but
      then, seemingly accidentally, it got pushed up some months later, in
      what looks like a mistake, with no further discussion in the linked
      thread. So revert it, since it's clearly not intended.
      
      Fixes: ad6bcdad ("vmgenid: emit uevent when VMGENID updates")
      Cc: stable@vger.kernel.org
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20230531095119.11202-2-bchalios@amazon.esSigned-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      3aadf100
    • Paolo Abeni's avatar
      Merge tag 'nf-24-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · ac1a21db
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      Patch #1 amends a missing spot where the set iterator type is unset.
      	 This is fixing a issue in the previous pull request.
      
      Patch #2 fixes the delete set command abort path by restoring state
               of the elements. Reverse logic for the activate (abort) case
      	 otherwise element state is not restored, this requires to move
      	 the check for active/inactive elements to the set iterator
      	 callback. From the deactivate path, toggle the next generation
      	 bit and from the activate (abort) path, clear the next generation
      	 bitmask.
      
      Patch #3 skips elements already restored by delete set command from the
      	 abort path in case there is a previous delete element command in
      	 the batch. Check for the next generation bit just like it is done
      	 via set iteration to restore maps.
      
      netfilter pull request 24-04-18
      
      * tag 'nf-24-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: fix memleak in map from abort path
        netfilter: nf_tables: restore set elements when delete set fails
        netfilter: nf_tables: missing iterator type in lookup walk
      ====================
      
      Link: https://lore.kernel.org/r/20240418010948.3332346-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ac1a21db