1. 18 Aug, 2021 4 commits
  2. 17 Aug, 2021 4 commits
  3. 16 Aug, 2021 10 commits
    • Lahav Schlesinger's avatar
      vrf: Reset skb conntrack connection on VRF rcv · 09e856d5
      Lahav Schlesinger authored
      To fix the "reverse-NAT" for replies.
      
      When a packet is sent over a VRF, the POST_ROUTING hooks are called
      twice: Once from the VRF interface, and once from the "actual"
      interface the packet will be sent from:
      1) First SNAT: l3mdev_l3_out() -> vrf_l3_out() -> .. -> vrf_output_direct()
           This causes the POST_ROUTING hooks to run.
      2) Second SNAT: 'ip_output()' calls POST_ROUTING hooks again.
      
      Similarly for replies, first ip_rcv() calls PRE_ROUTING hooks, and
      second vrf_l3_rcv() calls them again.
      
      As an example, consider the following SNAT rule:
      > iptables -t nat -A POSTROUTING -p udp -m udp --dport 53 -j SNAT --to-source 2.2.2.2 -o vrf_1
      
      In this case sending over a VRF will create 2 conntrack entries.
      The first is from the VRF interface, which performs the IP SNAT.
      The second will run the SNAT, but since the "expected reply" will remain
      the same, conntrack randomizes the source port of the packet:
      e..g With a socket bound to 1.1.1.1:10000, sending to 3.3.3.3:53, the conntrack
      rules are:
      udp      17 29 src=2.2.2.2 dst=3.3.3.3 sport=10000 dport=53 packets=1 bytes=68 [UNREPLIED] src=3.3.3.3 dst=2.2.2.2 sport=53 dport=61033 packets=0 bytes=0 mark=0 use=1
      udp      17 29 src=1.1.1.1 dst=3.3.3.3 sport=10000 dport=53 packets=1 bytes=68 [UNREPLIED] src=3.3.3.3 dst=2.2.2.2 sport=53 dport=10000 packets=0 bytes=0 mark=0 use=1
      
      i.e. First SNAT IP from 1.1.1.1 --> 2.2.2.2, and second the src port is
      SNAT-ed from 10000 --> 61033.
      
      But when a reply is sent (3.3.3.3:53 -> 2.2.2.2:61033) only the later
      conntrack entry is matched:
      udp      17 29 src=2.2.2.2 dst=3.3.3.3 sport=10000 dport=53 packets=1 bytes=68 src=3.3.3.3 dst=2.2.2.2 sport=53 dport=61033 packets=1 bytes=49 mark=0 use=1
      udp      17 28 src=1.1.1.1 dst=3.3.3.3 sport=10000 dport=53 packets=1 bytes=68 [UNREPLIED] src=3.3.3.3 dst=2.2.2.2 sport=53 dport=10000 packets=0 bytes=0 mark=0 use=1
      
      And a "port 61033 unreachable" ICMP packet is sent back.
      
      The issue is that when PRE_ROUTING hooks are called from vrf_l3_rcv(),
      the skb already has a conntrack flow attached to it, which means
      nf_conntrack_in() will not resolve the flow again.
      
      This means only the dest port is "reverse-NATed" (61033 -> 10000) but
      the dest IP remains 2.2.2.2, and since the socket is bound to 1.1.1.1 it's
      not received.
      This can be verified by logging the 4-tuple of the packet in '__udp4_lib_rcv()'.
      
      The fix is then to reset the flow when skb is received on a VRF, to let
      conntrack resolve the flow again (which now will hit the earlier flow).
      
      To reproduce: (Without the fix "Got pkt_to_nat_port" will not be printed by
        running 'bash ./repro'):
        $ cat run_in_A1.py
        import logging
        logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
        from scapy.all import *
        import argparse
      
        def get_packet_to_send(udp_dst_port, msg_name):
            return Ether(src='11:22:33:44:55:66', dst=iface_mac)/ \
                IP(src='3.3.3.3', dst='2.2.2.2')/ \
                UDP(sport=53, dport=udp_dst_port)/ \
                Raw(f'{msg_name}\x0012345678901234567890')
      
        parser = argparse.ArgumentParser()
        parser.add_argument('-iface_mac', dest="iface_mac", type=str, required=True,
                            help="From run_in_A3.py")
        parser.add_argument('-socket_port', dest="socket_port", type=str,
                            required=True, help="From run_in_A3.py")
        parser.add_argument('-v1_mac', dest="v1_mac", type=str, required=True,
                            help="From script")
      
        args, _ = parser.parse_known_args()
        iface_mac = args.iface_mac
        socket_port = int(args.socket_port)
        v1_mac = args.v1_mac
      
        print(f'Source port before NAT: {socket_port}')
      
        while True:
            pkts = sniff(iface='_v0', store=True, count=1, timeout=10)
            if 0 == len(pkts):
                print('Something failed, rerun the script :(', flush=True)
                break
            pkt = pkts[0]
            if not pkt.haslayer('UDP'):
                continue
      
            pkt_sport = pkt.getlayer('UDP').sport
            print(f'Source port after NAT: {pkt_sport}', flush=True)
      
            pkt_to_send = get_packet_to_send(pkt_sport, 'pkt_to_nat_port')
            sendp(pkt_to_send, '_v0', verbose=False) # Will not be received
      
            pkt_to_send = get_packet_to_send(socket_port, 'pkt_to_socket_port')
            sendp(pkt_to_send, '_v0', verbose=False)
            break
      
        $ cat run_in_A2.py
        import socket
        import netifaces
      
        print(f"{netifaces.ifaddresses('e00000')[netifaces.AF_LINK][0]['addr']}",
              flush=True)
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                     str('vrf_1' + '\0').encode('utf-8'))
        s.connect(('3.3.3.3', 53))
        print(f'{s. getsockname()[1]}', flush=True)
        s.settimeout(5)
      
        while True:
            try:
                # Periodically send in order to keep the conntrack entry alive.
                s.send(b'a'*40)
                resp = s.recvfrom(1024)
                msg_name = resp[0].decode('utf-8').split('\0')[0]
                print(f"Got {msg_name}", flush=True)
            except Exception as e:
                pass
      
        $ cat repro.sh
        ip netns del A1 2> /dev/null
        ip netns del A2 2> /dev/null
        ip netns add A1
        ip netns add A2
      
        ip -n A1 link add _v0 type veth peer name _v1 netns A2
        ip -n A1 link set _v0 up
      
        ip -n A2 link add e00000 type bond
        ip -n A2 link add lo0 type dummy
        ip -n A2 link add vrf_1 type vrf table 10001
        ip -n A2 link set vrf_1 up
        ip -n A2 link set e00000 master vrf_1
      
        ip -n A2 addr add 1.1.1.1/24 dev e00000
        ip -n A2 link set e00000 up
        ip -n A2 link set _v1 master e00000
        ip -n A2 link set _v1 up
        ip -n A2 link set lo0 up
        ip -n A2 addr add 2.2.2.2/32 dev lo0
      
        ip -n A2 neigh add 1.1.1.10 lladdr 77:77:77:77:77:77 dev e00000
        ip -n A2 route add 3.3.3.3/32 via 1.1.1.10 dev e00000 table 10001
      
        ip netns exec A2 iptables -t nat -A POSTROUTING -p udp -m udp --dport 53 -j \
      	SNAT --to-source 2.2.2.2 -o vrf_1
      
        sleep 5
        ip netns exec A2 python3 run_in_A2.py > x &
        XPID=$!
        sleep 5
      
        IFACE_MAC=`sed -n 1p x`
        SOCKET_PORT=`sed -n 2p x`
        V1_MAC=`ip -n A2 link show _v1 | sed -n 2p | awk '{print $2'}`
        ip netns exec A1 python3 run_in_A1.py -iface_mac ${IFACE_MAC} -socket_port \
                ${SOCKET_PORT} -v1_mac ${SOCKET_PORT}
        sleep 5
      
        kill -9 $XPID
        wait $XPID 2> /dev/null
        ip netns del A1
        ip netns del A2
        tail x -n 2
        rm x
        set +x
      
      Fixes: 73e20b76 ("net: vrf: Add support for PREROUTING rules on vrf device")
      Signed-off-by: default avatarLahav Schlesinger <lschlesinger@drivenets.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20210815120002.2787653-1-lschlesinger@drivenets.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      09e856d5
    • Dan Carpenter's avatar
      net: iosm: Prevent underflow in ipc_chnl_cfg_get() · 4f3f2e3f
      Dan Carpenter authored
      The bounds check on "index" doesn't catch negative values.  Using
      ARRAY_SIZE() directly is more readable and more robust because it prevents
      negative values for "index".  Fortunately we only pass valid values to
      ipc_chnl_cfg_get() so this patch does not affect runtime.
      Reported-by: default avatarSolomon Ucko <solly.ucko@gmail.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarM Chetan Kumar <m.chetan.kumar@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f3f2e3f
    • David S. Miller's avatar
      Merge branch 'bnxt_en-fixes' · 517c54d2
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: 2 bug fixes
      
      The first one disables aRFS/NTUPLE on an older broken firmware version.
      The second one adds missing memory barriers related to completion ring
      handling.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      517c54d2
    • Michael Chan's avatar
      bnxt_en: Add missing DMA memory barriers · 828affc2
      Michael Chan authored
      Each completion ring entry has a valid bit to indicate that the entry
      contains a valid completion event.  The driver's main poll loop
      __bnxt_poll_work() has the proper dma_rmb() to make sure the valid
      bit of the next entry has been checked before proceeding further.
      But when we call bnxt_rx_pkt() to process the RX event, the RX
      completion event consists of two completion entries and only the
      first entry has been checked to be valid.  We need the same barrier
      after checking the next completion entry.  Add missing dma_rmb()
      barriers in bnxt_rx_pkt() and other similar locations.
      
      Fixes: 67a95e20 ("bnxt_en: Need memory barrier when processing the completion ring.")
      Reported-by: default avatarLance Richardson <lance.richardson@broadcom.com>
      Reviewed-by: default avatarAndy Gospodarek <gospo@broadcom.com>
      Reviewed-by: default avatarLance Richardson <lance.richardson@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      828affc2
    • Michael Chan's avatar
      bnxt_en: Disable aRFS if running on 212 firmware · 976e52b7
      Michael Chan authored
      212 firmware broke aRFS, so disable it.  Traffic may stop after ntuple
      filters are inserted and deleted by the 212 firmware.
      
      Fixes: ae10ae74 ("bnxt_en: Add new hardware RFS mode.")
      Reviewed-by: default avatarPavan Chebbi <pavan.chebbi@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      976e52b7
    • Shai Malin's avatar
      qed: Fix null-pointer dereference in qed_rdma_create_qp() · d33d19d3
      Shai Malin authored
      Fix a possible null-pointer dereference in qed_rdma_create_qp().
      
      Changes from V2:
      - Revert checkpatch fixes.
      Reported-by: default avatarTOTE Robot <oslab@tsinghua.edu.cn>
      Signed-off-by: default avatarAriel Elior <aelior@marvell.com>
      Signed-off-by: default avatarShai Malin <smalin@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d33d19d3
    • Shai Malin's avatar
      qed: qed ll2 race condition fixes · 37110237
      Shai Malin authored
      Avoiding qed ll2 race condition and NULL pointer dereference as part
      of the remove and recovery flows.
      
      Changes form V1:
      - Change (!p_rx->set_prod_addr).
      - qed_ll2.c checkpatch fixes.
      
      Change from V2:
      - Revert "qed_ll2.c checkpatch fixes".
      Signed-off-by: default avatarAriel Elior <aelior@marvell.com>
      Signed-off-by: default avatarShai Malin <smalin@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37110237
    • Xin Long's avatar
      tipc: call tipc_wait_for_connect only when dlen is not 0 · 7387a72c
      Xin Long authored
      __tipc_sendmsg() is called to send SYN packet by either tipc_sendmsg()
      or tipc_connect(). The difference is in tipc_connect(), it will call
      tipc_wait_for_connect() after __tipc_sendmsg() to wait until connecting
      is done. So there's no need to wait in __tipc_sendmsg() for this case.
      
      This patch is to fix it by calling tipc_wait_for_connect() only when dlen
      is not 0 in __tipc_sendmsg(), which means it's called by tipc_connect().
      
      Note this also fixes the failure in tipcutils/test/ptts/:
      
        # ./tipcTS &
        # ./tipcTC 9
        (hang)
      
      Fixes: 36239dab6da7 ("tipc: fix implicit-connect for SYN+")
      Reported-by: default avatarShuang Li <shuali@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7387a72c
    • Andy Shevchenko's avatar
      ptp_pch: Restore dependency on PCI · 55c8fca1
      Andy Shevchenko authored
      During the swap dependency on PCH_GBE to selection PTP_1588_CLOCK_PCH
      incidentally dropped the implicit dependency on the PCI. Restore it.
      
      Fixes: 18d359ce ("pch_gbe, ptp_pch: Fix the dependency direction between these drivers")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55c8fca1
    • Pavel Skripkin's avatar
      net: 6pack: fix slab-out-of-bounds in decode_data · 19d1532a
      Pavel Skripkin authored
      Syzbot reported slab-out-of bounds write in decode_data().
      The problem was in missing validation checks.
      
      Syzbot's reproducer generated malicious input, which caused
      decode_data() to be called a lot in sixpack_decode(). Since
      rx_count_cooked is only 400 bytes and noone reported before,
      that 400 bytes is not enough, let's just check if input is malicious
      and complain about buffer overrun.
      
      Fail log:
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in drivers/net/hamradio/6pack.c:843
      Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7
      
      CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0
      ...
      Workqueue: events_unbound flush_to_ldisc
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:641
       __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
       decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
       decode_data drivers/net/hamradio/6pack.c:965 [inline]
       sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
      
      Reported-and-tested-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19d1532a
  4. 14 Aug, 2021 1 commit
  5. 13 Aug, 2021 8 commits
    • Jakub Kicinski's avatar
      Merge branch 'bnxt-tx-napi-disabling-resiliency-improvements' · 9d5e6a70
      Jakub Kicinski authored
      Jakub Kicinski says:
      
      ====================
      bnxt: Tx NAPI disabling resiliency improvements
      
      A lockdep warning was triggered by netpoll because napi poll
      was taking the xmit lock. Fix that and a couple more issues
      noticed while reading the code.
      ====================
      
      Link: https://lore.kernel.org/r/20210812214242.578039-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9d5e6a70
    • Jakub Kicinski's avatar
      bnxt: count Tx drops · fb9f7190
      Jakub Kicinski authored
      Drivers should count packets they are dropping.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarEdwin Peer <edwin.peer@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fb9f7190
    • Jakub Kicinski's avatar
      bnxt: make sure xmit_more + errors does not miss doorbells · e8d8c5d8
      Jakub Kicinski authored
      skbs are freed on error and not put on the ring. We may, however,
      be in a situation where we're freeing the last skb of a batch,
      and there is a doorbell ring pending because of xmit_more() being
      true earlier. Make sure we ring the door bell in such situations.
      
      Since errors are rare don't pay attention to xmit_more() and just
      always flush the pending frames.
      
      The busy case should be safe to be left alone because it can
      only happen if start_xmit races with completions and they
      both enable the queue. In that case the kick can't be pending.
      
      Noticed while reading the code.
      
      Fixes: 4d172f21 ("bnxt_en: Implement xmit_more.")
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarEdwin Peer <edwin.peer@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e8d8c5d8
    • Jakub Kicinski's avatar
      bnxt: disable napi before canceling DIM · 01cca6b9
      Jakub Kicinski authored
      napi schedules DIM, napi has to be disabled first,
      then DIM canceled.
      
      Noticed while reading the code.
      
      Fixes: 0bc0b97f ("bnxt_en: cleanup DIM work on device shutdown")
      Fixes: 6a8788f2 ("bnxt_en: add support for software dynamic interrupt moderation")
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarEdwin Peer <edwin.peer@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      01cca6b9
    • Jakub Kicinski's avatar
      bnxt: don't lock the tx queue from napi poll · 3c603136
      Jakub Kicinski authored
      We can't take the tx lock from the napi poll routine, because
      netpoll can poll napi at any moment, including with the tx lock
      already held.
      
      The tx lock is protecting against two paths - the disable
      path, and (as Michael points out) the NETDEV_TX_BUSY case
      which may occur if NAPI completions race with start_xmit
      and both decide to re-enable the queue.
      
      For the disable/ifdown path use synchronize_net() to make sure
      closing the device does not race we restarting the queues.
      Annotate accesses to dev_state against data races.
      
      For the NAPI cleanup vs start_xmit path - appropriate barriers
      are already in place in the main spot where Tx queue is stopped
      but we need to do the same careful dance in the TX_BUSY case.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarEdwin Peer <edwin.peer@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3c603136
    • Linus Torvalds's avatar
      Merge tag 'net-5.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f8e6dfc6
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes, including fixes from netfilter, bpf, can and
        ieee802154.
      
        The size of this is pretty normal, but we got more fixes for 5.14
        changes this week than last week. Nothing major but the trend is the
        opposite of what we like. We'll see how the next week goes..
      
        Current release - regressions:
      
         - r8169: fix ASPM-related link-up regressions
      
         - bridge: fix flags interpretation for extern learn fdb entries
      
         - phy: micrel: fix link detection on ksz87xx switch
      
         - Revert "tipc: Return the correct errno code"
      
         - ptp: fix possible memory leak caused by invalid cast
      
        Current release - new code bugs:
      
         - bpf: add missing bpf_read_[un]lock_trace() for syscall program
      
         - bpf: fix potentially incorrect results with bpf_get_local_storage()
      
         - page_pool: mask the page->signature before the checking, avoid dma
           mapping leaks
      
         - netfilter: nfnetlink_hook: 5 fixes to information in netlink dumps
      
         - bnxt_en: fix firmware interface issues with PTP
      
         - mlx5: Bridge, fix ageing time
      
        Previous releases - regressions:
      
         - linkwatch: fix failure to restore device state across
           suspend/resume
      
         - bareudp: fix invalid read beyond skb's linear data
      
        Previous releases - always broken:
      
         - bpf: fix integer overflow involving bucket_size
      
         - ppp: fix issues when desired interface name is specified via
           netlink
      
         - wwan: mhi_wwan_ctrl: fix possible deadlock
      
         - dsa: microchip: ksz8795: fix number of VLAN related bugs
      
         - dsa: drivers: fix broken backpressure in .port_fdb_dump
      
         - dsa: qca: ar9331: make proper initial port defaults
      
        Misc:
      
         - bpf: add lockdown check for probe_write_user helper
      
         - netfilter: conntrack: remove offload_pickup sysctl before 5.14 is
           out
      
         - netfilter: conntrack: collect all entries in one cycle,
           heuristically slow down garbage collection scans on idle systems to
           prevent frequent wake ups"
      
      * tag 'net-5.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (87 commits)
        vsock/virtio: avoid potential deadlock when vsock device remove
        wwan: core: Avoid returning NULL from wwan_create_dev()
        net: dsa: sja1105: unregister the MDIO buses during teardown
        Revert "tipc: Return the correct errno code"
        net: mscc: Fix non-GPL export of regmap APIs
        net: igmp: increase size of mr_ifc_count
        MAINTAINERS: switch to my OMP email for Renesas Ethernet drivers
        tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
        net: pcs: xpcs: fix error handling on failed to allocate memory
        net: linkwatch: fix failure to restore device state across suspend/resume
        net: bridge: fix memleak in br_add_if()
        net: switchdev: zero-initialize struct switchdev_notifier_fdb_info emitted by drivers towards the bridge
        net: bridge: fix flags interpretation for extern learn fdb entries
        net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
        net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
        net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
        net: dsa: hellcreek: fix broken backpressure in .port_fdb_dump
        bpf, core: Fix kernel-doc notation
        net: igmp: fix data-race in igmp_ifc_timer_expire()
        net: Fix memory leak in ieee802154_raw_deliver
        ...
      f8e6dfc6
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.14-rc6' of git://github.com/ceph/ceph-client · 3a03c67d
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "A patch to avoid a soft lockup in ceph_check_delayed_caps() from Luis
        and a reference handling fix from Jeff that should address some memory
        corruption reports in the snaprealm area.
      
        Both marked for stable"
      
      * tag 'ceph-for-5.14-rc6' of git://github.com/ceph/ceph-client:
        ceph: take snap_empty_lock atomically with snaprealm refcount change
        ceph: reduce contention in ceph_check_delayed_caps()
      3a03c67d
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2021-08-13' of git://anongit.freedesktop.org/drm/drm · 82cce5f4
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Another week, another set of pretty regular fixes, nothing really
        stands out too much.
      
        amdgpu:
         - Yellow carp update
         - RAS EEPROM fixes
         - BACO/BOCO fixes
         - Fix a memory leak in an error path
         - Freesync fix
         - VCN harvesting fix
         - Display fixes
      
        i915:
         - GVT fix for Windows VM hang.
         - Display fix of 12 BPC bits for display 12 and newer.
         - Don't try to access some media register for fused off domains.
         - Fix kerneldoc build warnings.
      
        mediatek:
         - Fix dpi bridge bug.
         - Fix cursor plane no update.
      
        meson:
         - Fix colors when booting with HDR"
      
      * tag 'drm-fixes-2021-08-13' of git://anongit.freedesktop.org/drm/drm:
        drm/doc/rfc: drop lmem uapi section
        drm/i915: Only access SFC_DONE when media domain is not fused off
        drm/i915/display: Fix the 12 BPC bits for PIPE_MISC reg
        drm/amd/display: use GFP_ATOMIC in amdgpu_dm_irq_schedule_work
        drm/amd/display: Remove invalid assert for ODM + MPC case
        drm/amd/pm: bug fix for the runtime pm BACO
        drm/amdgpu: handle VCN instances when harvesting (v2)
        drm/meson: fix colour distortion from HDR set during vendor u-boot
        drm/i915/gvt: Fix cached atomics setting for Windows VM
        drm/amdgpu: Add preferred mode in modeset when freesync video mode's enabled.
        drm/amd/pm: Fix a memory leak in an error handling path in 'vangogh_tables_init()'
        drm/amdgpu: don't enable baco on boco platforms in runpm
        drm/amdgpu: set RAS EEPROM address from VBIOS
        drm/amd/pm: update smu v13.0.1 firmware header
        drm/mediatek: Fix cursor plane no update
        drm/mediatek: mtk-dpi: Set out_fmt from config if not the last bridge
        drm/mediatek: dpi: Fix NULL dereference in mtk_dpi_bridge_atomic_check
      82cce5f4
  6. 12 Aug, 2021 13 commits