1. 09 Feb, 2024 26 commits
  2. 08 Feb, 2024 14 commits
    • Merge tag 'net-6.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1f719a2f
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from WiFi and netfilter.
      
        Current release - regressions:
      
         - nic: intel: fix old compiler regressions
      
         - netfilter: ipset: missing gc cancellations fixed
      
        Current release - new code bugs:
      
         - netfilter: ctnetlink: fix filtering for zone 0
      
        Previous releases - regressions:
      
         - core: fix from address in memcpy_to_iter_csum()
      
         - netfilter: nfnetlink_queue: un-break NF_REPEAT
      
         - af_unix: fix memory leak for dead unix_(sk)->oob_skb in GC.
      
         - devlink: avoid potential loop in devlink_rel_nested_in_notify_work()
      
         - iwlwifi:
             - mvm: fix a battery life regression
             - fix double-free bug
      
         - mac80211: fix waiting for beacons logic
      
         - nic: nfp: flower: prevent re-adding mac index for bonded port
      
        Previous releases - always broken:
      
         - rxrpc: fix generation of serial numbers to skip zero
      
         - tipc: check the bearer type before calling tipc_udp_nl_bearer_add()
      
         - tunnels: fix out of bounds access when building IPv6 PMTU error
      
         - nic: hv_netvsc: register VF in netvsc_probe if NET_DEVICE_REGISTER
           missed
      
         - nic: atlantic: fix DMA mapping for PTP hwts ring
      
        Misc:
      
         - selftests: more fixes to deal with very slow hosts"
      
      * tag 'net-6.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (80 commits)
        netfilter: nft_set_pipapo: remove scratch_aligned pointer
        netfilter: nft_set_pipapo: add helper to release pcpu scratch area
        netfilter: nft_set_pipapo: store index in scratch maps
        netfilter: nft_set_rbtree: skip end interval element from gc
        netfilter: nfnetlink_queue: un-break NF_REPEAT
        netfilter: nf_tables: use timestamp to check for set element timeout
        netfilter: nft_ct: reject direction for ct id
        netfilter: ctnetlink: fix filtering for zone 0
        s390/qeth: Fix potential loss of L3-IP@ in case of network issues
        netfilter: ipset: Missing gc cancellations fixed
        octeontx2-af: Initialize maps.
        net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio
        net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio
        netfilter: nft_set_pipapo: remove static in nft_pipapo_get()
        netfilter: nft_compat: restrict match/target protocol to u16
        netfilter: nft_compat: reject unused compat flag
        netfilter: nft_compat: narrow down revision to unsigned 8-bits
        net: intel: fix old compiler regressions
        MAINTAINERS: Maintainer change for rds
        selftests: cmsg_ipv6: repeat the exact packet
        ...
      1f719a2f
    • Merge tag 'pinctrl-v6.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · b0d5d0f7
      Linus Torvalds authored
      Pull pinctrl fix from Linus Walleij:
       "A single fix for the AMD driver which affects developer laptops, the
        pinctrl/GPIO driver won't probe on some systems"
      
      * tag 'pinctrl-v6.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: amd: Add IRQF_ONESHOT to the interrupt request
      b0d5d0f7
    • Merge tag 'nf-24-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 63e4b9d6
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Narrow down target/match revision to u8 in nft_compat.
      
      2) Bail out with unused flags in nft_compat.
      
      3) Restrict layer 4 protocol to u16 in nft_compat.
      
      4) Remove static in pipapo get command that slipped through when
         reducing set memory footprint.
      
      5) Follow up incremental fix for the ipset performance regression,
         this includes the missing gc cancellation, from Jozsef Kadlecsik.
      
      6) Allow to filter by zone 0 in ctnetlink, do not interpret zone 0
         as no filtering, from Felix Huettner.
      
      7) Reject direction for NFT_CT_ID.
      
      8) Use timestamp to check for set element expiration while transaction
         is handled to prevent garbage collection from removing set elements
         that were just added by this transaction. Packet path and netlink
         dump/get path still use current time to check for expiration.
      
      9) Restore NF_REPEAT in nfnetlink_queue, from Florian Westphal.
      
      10) map_index needs to be percpu and per-set, not just percpu.
          At this time it's possible for a pipapo set to fill the all-zero part
          with ones and take the 'might have bits set' as 'start-from-zero' area.
          From Florian Westphal. This includes three patches:
      
          - Change scratchpad area to a structure that provides space for a
            per-set-and-cpu toggle and uses it of the percpu one.
      
          - Add a new free helper to prepare for the next patch.
      
          - Remove the scratch_aligned pointer and makes AVX2 implementation
            use the exact same memory addresses for read/store of the matching
            state.
      
      netfilter pull request 24-02-08
      
      * tag 'nf-24-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nft_set_pipapo: remove scratch_aligned pointer
        netfilter: nft_set_pipapo: add helper to release pcpu scratch area
        netfilter: nft_set_pipapo: store index in scratch maps
        netfilter: nft_set_rbtree: skip end interval element from gc
        netfilter: nfnetlink_queue: un-break NF_REPEAT
        netfilter: nf_tables: use timestamp to check for set element timeout
        netfilter: nft_ct: reject direction for ct id
        netfilter: ctnetlink: fix filtering for zone 0
        netfilter: ipset: Missing gc cancellations fixed
        netfilter: nft_set_pipapo: remove static in nft_pipapo_get()
        netfilter: nft_compat: restrict match/target protocol to u16
        netfilter: nft_compat: reject unused compat flag
        netfilter: nft_compat: narrow down revision to unsigned 8-bits
      ====================
      
      Link: https://lore.kernel.org/r/20240208112834.1433-1-pablo@netfilter.org
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      63e4b9d6
    • netfilter: nft_set_pipapo: remove scratch_aligned pointer · 5a8cdf6f
      Florian Westphal authored
      use ->scratch for both avx2 and the generic implementation.
      
      After previous change the scratch->map member is always aligned properly
      for AVX2, so we can just use scratch->map in AVX2 too.
      
      The alignoff delta is stored in the scratchpad so we can reconstruct
      the correct address to free the area again.
      
      Fixes: 7400b063 ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      5a8cdf6f
    • netfilter: nft_set_pipapo: add helper to release pcpu scratch area · 47b1c03c
      Florian Westphal authored
      After next patch simple kfree() is not enough anymore, so add
      a helper for it.
      
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      47b1c03c
    • netfilter: nft_set_pipapo: store index in scratch maps · 76313d1a
      Florian Westphal authored
      Pipapo needs a scratchpad area to keep state during matching.
      This state can be large and thus cannot reside on stack.
      
      Each set preallocates percpu areas for this.
      
      On each match stage, one scratchpad half starts with all-zero and the other
      is inited to all-ones.
      
      At the end of each stage, the half that starts with all-ones is
      always zero.  Before next field is tested, pointers to the two halves
      are swapped, i.e.  resmap pointer turns into fill pointer and vice versa.
      
      After the last field has been processed, pipapo stashes the
      index toggle in a percpu variable, with assumption that next packet
      will start with the all-zero half and sets all bits in the other to 1.
      
      This isn't reliable.
      
      There can be multiple sets and we can't be sure that the upper
      and lower half of all set scratch map is always in sync (lookups
      can be conditional), so one set might have swapped, but other might
      not have been queried.
      
      Thus we need to keep the index per-set-and-cpu, just like the
      scratchpad.
      
      Note that this bug fix is incomplete, there is a related issue.
      
      avx2 and normal implementation might use slightly different areas of the
      map array space due to the avx2 alignment requirements, so
      m->scratch (generic/fallback implementation) and ->scratch_aligned
      (avx) may partially overlap. scratch and scratch_aligned are not distinct
      objects, the latter is just the aligned address of the former.
      
      After this change, write to scratch_align->map_index may write to
      scratch->map, so this issue becomes more prominent, we can set to 1
      a bit in the supposedly-all-zero area of scratch->map[].
      
      A followup patch will remove the scratch_aligned and makes generic and
      avx code use the same (aligned) area.
      
      It's done in a separate change to ease review.
      
      Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      76313d1a
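
The failure mode described in the commit message above, as an added userspace model (not kernel code and not part of the commit): two sets sharing one half index start lookups with stale bits in the half assumed to be all-zero, while a per-set index keeps each set consistent. `struct pset`, `lookup()`, `run()` and the `0xf0f0` fill pattern are constructed for illustration, and the stage logic is a simplification of the description above.

```c
#include <stdio.h>
#include <string.h>

#define WORDS 4                        /* bitmap words per scratchpad half */

struct pset {                          /* hypothetical model of one set */
    unsigned long map[2][WORDS];       /* the two scratchpad halves */
    int nfields;                       /* fields in the concatenation */
    int own_idx;                       /* per-set index (the fix) */
};

static int shared_idx;                 /* one index for all sets (the bug) */

/* One lookup. Returns how many words of the half assumed to be all-zero
 * still held bits when the lookup started. */
static int lookup(struct pset *s, int *idx_store)
{
    int idx = *idx_store, f, i, stale = 0;
    unsigned long *res = s->map[idx], *fill = s->map[!idx], *tmp;
    for (i = 0; i < WORDS; i++)
        stale += fill[i] != 0;
    memset(res, 0xff, sizeof(s->map[0]));   /* result half: all ones */
    for (f = 0; f < s->nfields - 1; f++) {  /* every field but the last */
        for (i = 0; i < WORDS; i++) {       /* stage: drain res into fill */
            fill[i] |= res[i] & 0xf0f0UL;   /* constructed match pattern */
            res[i] = 0;
        }
        idx = !idx;                         /* swap halves for next field */
        tmp = res; res = fill; fill = tmp;
    }
    *idx_store = idx;   /* model assumption: res keeps bits; remember it */
    return stale;
}

/* Alternate lookups on two sets; per_set picks the fixed or buggy index. */
static int run(int per_set)
{
    struct pset a = { .nfields = 2 }, b = { .nfields = 2 };
    int stale = 0, i;
    shared_idx = 0;
    for (i = 0; i < 4; i++) {
        stale += lookup(&a, per_set ? &a.own_idx : &shared_idx);
        stale += lookup(&b, per_set ? &b.own_idx : &shared_idx);
    }
    return stale;
}

int main(void)
{
    printf("shared index: %d stale words\n", run(0));
    printf("per-set index: %d stale words\n", run(1));
    return 0;
}
```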
    • netfilter: nft_set_rbtree: skip end interval element from gc · 60c0c230
      Pablo Neira Ayuso authored
      rbtree lazy gc on insert might collect an end interval element that has
      been just added in this transaction, skip end interval elements that
      are not yet active.
      
      Fixes: f718863a ("netfilter: nft_set_rbtree: fix overlap expiration walk")
      Cc: stable@vger.kernel.org
      Reported-by: lonial con <kongln9170@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      60c0c230
    • netfilter: nfnetlink_queue: un-break NF_REPEAT · f82777e8
      Florian Westphal authored
      Only override userspace verdict if the ct hook returns something
      other than ACCEPT.
      
      Else, this replaces NF_REPEAT (run all hooks again) with NF_ACCEPT
      (move to next hook).
      
      Fixes: 6291b3a6 ("netfilter: conntrack: convert nf_conntrack_update to netfilter verdicts")
      Reported-by: l.6diay@passmail.com
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      f82777e8
    • netfilter: nf_tables: use timestamp to check for set element timeout · 7395dfac
      Pablo Neira Ayuso authored
      Add a timestamp field at the beginning of the transaction, store it
      in the nftables per-netns area.
      
      Update set backend .insert, .deactivate and sync gc path to use the
      timestamp, this avoids that an element expires while control plane
      transaction is still unfinished.
      
      .lookup and .update, which are used from packet path, still use the
      current time to check if the element has expired. And .get path and dump
      also since this runs lockless under rcu read side lock. Then, there is
      async gc which also needs to check the current time since it runs
      asynchronously from a workqueue.
      
      Fixes: c3e1b005 ("netfilter: nf_tables: add set element timeout support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      7395dfac
    • netfilter: nft_ct: reject direction for ct id · 38ed1c70
      Pablo Neira Ayuso authored
      Direction attribute is ignored, reject it in case this ever needs to be
      supported
      
      Fixes: 3087c3f7 ("netfilter: nft_ct: Add ct id support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      38ed1c70
    • netfilter: ctnetlink: fix filtering for zone 0 · fa173a1b
      Felix Huettner authored
      previously filtering for the default zone would actually skip the zone
      filter and flush all zones.
      
      Fixes: eff3c558 ("netfilter: ctnetlink: support filtering by zone")
      Reported-by: Ilya Maximets <i.maximets@ovn.org>
      Closes: https://lore.kernel.org/netdev/2032238f-31ac-4106-8f22-522e76df5a12@ovn.org/
      Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      fa173a1b
    • s390/qeth: Fix potential loss of L3-IP@ in case of network issues · 2fe8a236
      Alexandra Winter authored
      Symptom:
      In case of a bad cable connection (e.g. dirty optics) a fast sequence of
      network DOWN-UP-DOWN-UP could happen. UP triggers recovery of the qeth
      interface. In case of a second DOWN while recovery is still ongoing, it
      can happen that the IP@ of a Layer3 qeth interface is lost and will not
      be recovered by the second UP.
      
      Problem:
      When registration of IP addresses with Layer 3 qeth devices fails, (e.g.
      because of bad address format) the respective IP address is deleted from
      its hash-table in the driver. If registration fails because of a ENETDOWN
      condition, the address should stay in the hashtable, so a subsequent
      recovery can restore it.
      
      3caa4af8 ("qeth: keep ip-address after LAN_OFFLINE failure")
      fixes this for registration failures during normal operation, but not
      during recovery.
      
      Solution:
      Keep L3-IP address in case of ENETDOWN in qeth_l3_recover_ip(). For
      consistency with qeth_l3_add_ip() we also keep it in case of EADDRINUSE,
      i.e. for some reason the card already/still has this address registered.
      
      Fixes: 4a71df50 ("qeth: new qeth device driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
      Link: https://lore.kernel.org/r/20240206085849.2902775-1-wintera@linux.ibm.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      2fe8a236
    • netfilter: ipset: Missing gc cancellations fixed · 27c5a095
      Jozsef Kadlecsik authored
      The patch fdb8e12cc2cc ("netfilter: ipset: fix performance regression
      in swap operation") missed to add the calls to gc cancellations
      at the error path of create operations and at module unload. Also,
      because the half of the destroy operations now executed by a
      function registered by call_rcu(), neither NFNL_SUBSYS_IPSET mutex
      or rcu read lock is held and therefore the checking of them results
      false warnings.
      
      Fixes: 97f7cf1c ("netfilter: ipset: fix performance regression in swap operation")
      Reported-by: syzbot+52bbc0ad036f6f0d4a25@syzkaller.appspotmail.com
      Reported-by: Brad Spengler <spender@grsecurity.net>
      Reported-by: Стас Ничипорович <stasn77@gmail.com>
      Tested-by: Brad Spengler <spender@grsecurity.net>
      Tested-by: Стас Ничипорович <stasn77@gmail.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      27c5a095
    • octeontx2-af: Initialize maps. · db010ff6
      Ratheesh Kannoth authored
      kmalloc_array() without __GFP_ZERO flag does not initialize
      memory to zero. This causes issues. Use kcalloc() for maps and
      bitmap_zalloc() for bitmaps.
      
      Fixes: dd784287 ("octeontx2-af: Add new devlink param to configure maximum usable NIX block LFs")
      Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
      Reviewed-by: Brett Creeley <bcreeley@amd.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240206024000.1070260-1-rkannoth@marvell.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      db010ff6