1. 12 Jun, 2023 3 commits
  2. 10 Jun, 2023 23 commits
  3. 09 Jun, 2023 8 commits
  4. 08 Jun, 2023 6 commits
    • Wei Fang's avatar
      net: enetc: correct the indexes of highest and 2nd highest TCs · 21225873
      Wei Fang authored
      For ENETC hardware, the TCs are numbered from 0 to N-1, where N
      is the number of TCs. Numerically higher TC has higher priority.
      It's obvious that the highest priority TC index should be N-1 and
      the 2nd highest priority TC index should be N-2.
      
      However, the previous logic uses netdev_get_prio_tc_map() to get
      the indexes of highest priority and 2nd highest priority TCs, it
      does not make sense and is incorrect to give a "tc" argument to
      netdev_get_prio_tc_map(). So the driver may get the wrong indexes
      of the two highest priotiry TCs which would lead to failed to set
      the CBS for the two highest priotiry TCs.
      
      e.g.
      $ tc qdisc add dev eno0 parent root handle 100: mqprio num_tc 6 \
      	map 0 0 1 1 2 3 4 5 queues 1@0 1@1 1@2 1@3 2@4 2@6 hw 1
      $ tc qdisc replace dev eno0 parent 100:6 cbs idleslope 100000 \
      	sendslope -900000 hicredit 12 locredit -113 offload 1
      $ Error: Specified device failed to setup cbs hardware offload.
        ^^^^^
      
      In this example, the previous logic deems the indexes of the two
      highest priotiry TCs should be 3 and 2. Actually, the indexes are
      5 and 4, because the number of TCs is 6. So it would be failed to
      configure the CBS for the two highest priority TCs.
      
      Fixes: c431047c ("enetc: add support Credit Based Shaper(CBS) for hardware offload")
      Signed-off-by: default avatarWei Fang <wei.fang@nxp.com>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21225873
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE · 1240eb93
      Pablo Neira Ayuso authored
      In case of error when adding a new rule that refers to an anonymous set,
      deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE.
      Thus, the lookup expression marks anonymous sets as inactive in the next
      generation to ensure it is not reachable in this transaction anymore and
      decrement the set refcount as introduced by c1592a89 ("netfilter:
      nf_tables: deactivate anonymous set from preparation phase"). The abort
      step takes care of undoing the anonymous set.
      
      This is also consistent with rule deletion, where NFT_TRANS_PREPARE is
      used. Note that this error path is exercised in the preparation step of
      the commit protocol. This patch replaces nf_tables_rule_release() by the
      deactivate and destroy calls, this time with NFT_TRANS_PREPARE.
      
      Due to this incorrect error handling, it is possible to access a
      dangling pointer to the anonymous set that remains in the transaction
      list.
      
      [1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
      [1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
      [1009.379128] Call Trace:
      [1009.379132]  <TASK>
      [1009.379135]  dump_stack_lvl+0x33/0x50
      [1009.379146]  ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379191]  print_address_description.constprop.0+0x27/0x300
      [1009.379201]  kasan_report+0x107/0x120
      [1009.379210]  ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379255]  nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379302]  nft_lookup_init+0xa5/0x270 [nf_tables]
      [1009.379350]  nf_tables_newrule+0x698/0xe50 [nf_tables]
      [1009.379397]  ? nf_tables_rule_release+0xe0/0xe0 [nf_tables]
      [1009.379441]  ? kasan_unpoison+0x23/0x50
      [1009.379450]  nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
      [1009.379470]  ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
      [1009.379485]  ? __alloc_skb+0xb8/0x1e0
      [1009.379493]  ? __alloc_skb+0xb8/0x1e0
      [1009.379502]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [1009.379509]  ? unwind_get_return_address+0x2a/0x40
      [1009.379517]  ? write_profile+0xc0/0xc0
      [1009.379524]  ? avc_lookup+0x8f/0xc0
      [1009.379532]  ? __rcu_read_unlock+0x43/0x60
      
      Fixes: 958bee14 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1240eb93
    • Kamil Maziarz's avatar
      ice: Fix XDP memory leak when NIC is brought up and down · 78c50d69
      Kamil Maziarz authored
      Fix the buffer leak that occurs while switching
      the port up and down with traffic and XDP by
      checking for an active XDP program and freeing all empty TX buffers.
      
      Fixes: efc2214b ("ice: Add support for XDP")
      Signed-off-by: default avatarKamil Maziarz <kamil.maziarz@intel.com>
      Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
      Acked-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      78c50d69
    • Linus Torvalds's avatar
      Merge tag 'net-6.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 25041a4c
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, wifi, netfilter, bluetooth and ebpf.
      
        Current release - regressions:
      
         - bpf: sockmap: avoid potential NULL dereference in
           sk_psock_verdict_data_ready()
      
         - wifi: iwlwifi: fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()
      
         - phylink: actually fix ksettings_set() ethtool call
      
         - eth: dwmac-qcom-ethqos: fix a regression on EMAC < 3
      
        Current release - new code bugs:
      
         - wifi: mt76: fix possible NULL pointer dereference in
           mt7996_mac_write_txwi()
      
        Previous releases - regressions:
      
         - netfilter: fix NULL pointer dereference in nf_confirm_cthelper
      
         - wifi: rtw88/rtw89: correct PS calculation for SUPPORTS_DYNAMIC_PS
      
         - openvswitch: fix upcall counter access before allocation
      
         - bluetooth:
            - fix use-after-free in hci_remove_ltk/hci_remove_irk
            - fix l2cap_disconnect_req deadlock
      
         - nic: bnxt_en: prevent kernel panic when receiving unexpected
           PHC_UPDATE event
      
        Previous releases - always broken:
      
         - core: annotate rfs lockless accesses
      
         - sched: fq_pie: ensure reasonable TCA_FQ_PIE_QUANTUM values
      
         - netfilter: add null check for nla_nest_start_noflag() in
           nft_dump_basechain_hook()
      
         - bpf: fix UAF in task local storage
      
         - ipv4: ping_group_range: allow GID from 2147483648 to 4294967294
      
         - ipv6: rpl: fix route of death.
      
         - tcp: gso: really support BIG TCP
      
         - mptcp: fixes for user-space PM address advertisement
      
         - smc: avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT
      
         - can: avoid possible use-after-free when j1939_can_rx_register fails
      
         - batman-adv: fix UaF while rescheduling delayed work
      
         - eth: qede: fix scheduling while atomic
      
         - eth: ice: make writes to /dev/gnssX synchronous"
      
      * tag 'net-6.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (83 commits)
        bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks
        bnxt_en: Prevent kernel panic when receiving unexpected PHC_UPDATE event
        bnxt_en: Skip firmware fatal error recovery if chip is not accessible
        bnxt_en: Query default VLAN before VNIC setup on a VF
        bnxt_en: Don't issue AP reset during ethtool's reset operation
        bnxt_en: Fix bnxt_hwrm_update_rss_hash_cfg()
        net: bcmgenet: Fix EEE implementation
        eth: ixgbe: fix the wake condition
        eth: bnxt: fix the wake condition
        lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
        bpf: Add extra path pointer check to d_path helper
        net: sched: fix possible refcount leak in tc_chain_tmplt_add()
        net: sched: act_police: fix sparse errors in tcf_police_dump()
        net: openvswitch: fix upcall counter access before allocation
        net: sched: move rtm_tca_policy declaration to include file
        ice: make writes to /dev/gnssX synchronous
        net: sched: add rcu annotations around qdisc->qdisc_sleeping
        rfs: annotate lockless accesses to RFS sock flow table
        rfs: annotate lockless accesses to sk->sk_rxhash
        virtio_net: use control_buf for coalesce params
        ...
      25041a4c
    • Linus Torvalds's avatar
      Merge tag 'xfs-6.4-rc5-fixes' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 79b6fad5
      Linus Torvalds authored
      Pull xfs fixes from Dave Chinner:
       "These are a set of regression fixes discovered on recent kernels. I
        was hoping to send this to you a week and half ago, but events out of
        my control delayed finalising the changes until early this week.
      
        Whilst the diffstat looks large for this stage of the merge window, a
        large chunk of it comes from moving the guts of one function from one
        file to another i.e. it's the same code, it is just run in a different
        context where it is safe to hold a specific lock. Otherwise the
        individual changes are relatively small and straigtht forward.
      
        Summary:
      
         - Propagate unlinked inode list corruption back up to log recovery
           (regression fix)
      
         - improve corruption detection for AGFL entries, AGFL indexes and
           XEFI extents (syzkaller fuzzer oops report)
      
         - Avoid double perag reference release (regression fix)
      
         - Improve extent merging detection in scrub (regression fix)
      
         - Fix a new undefined high bit shift (regression fix)
      
         - Fix for AGF vs inode cluster buffer deadlock (regression fix)"
      
      * tag 'xfs-6.4-rc5-fixes' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: collect errors from inodegc for unlinked inode recovery
        xfs: validate block number being freed before adding to xefi
        xfs: validity check agbnos on the AGFL
        xfs: fix agf/agfl verification on v4 filesystems
        xfs: fix double xfs_perag_rele() in xfs_filestream_pick_ag()
        xfs: fix broken logic when detecting mergeable bmap records
        xfs: Fix undefined behavior of shift into sign bit
        xfs: fix AGF vs inode cluster buffer deadlock
        xfs: defered work could create precommits
        xfs: restore allocation trylock iteration
        xfs: buffer pins need to hold a buffer reference
      79b6fad5
    • Simon Horman's avatar
      ice: Don't dereference NULL in ice_gnss_read error path · 05a1308a
      Simon Horman authored
      If pf is NULL in ice_gnss_read() then it will be dereferenced
      in the error path by a call to dev_dbg(ice_pf_to_dev(pf), ...).
      
      Avoid this by simply returning in this case.
      If logging is desired an alternate approach might be to
      use pr_err() before returning.
      
      Flagged by Smatch as:
      
        .../ice_gnss.c:196 ice_gnss_read() error: we previously assumed 'pf' could be null (see line 131)
      
      Fixes: 43113ff7 ("ice: add TTY for GNSS module for E810T device")
      Signed-off-by: default avatarSimon Horman <horms@kernel.org>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      05a1308a