1. 22 Aug, 2022 7 commits
    • Eli Cohen's avatar
      net/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY · a6e675a6
      Eli Cohen authored
      Only set MLX5_LAG_FLAG_NDEVS_READY if both netdevices are registered.
      Doing so guarantees that both ldev->pf[MLX5_LAG_P0].dev and
      ldev->pf[MLX5_LAG_P1].dev have valid pointers when
      MLX5_LAG_FLAG_NDEVS_READY is set.
      
      The core issue is asymmetry in setting MLX5_LAG_FLAG_NDEVS_READY and
      clearing it. Setting it is done wrongly when both
      ldev->pf[MLX5_LAG_P0].dev and ldev->pf[MLX5_LAG_P1].dev are set;
      clearing it is done right when either of ldev->pf[i].netdev is cleared.
      
      Consider the following scenario:
      1. PF0 loads and sets ldev->pf[MLX5_LAG_P0].dev to a valid pointer
      2. PF1 loads and sets both ldev->pf[MLX5_LAG_P1].dev and
         ldev->pf[MLX5_LAG_P1].netdev with valid pointers. This results in
         MLX5_LAG_FLAG_NDEVS_READY is set.
      3. PF0 is unloaded before setting dev->pf[MLX5_LAG_P0].netdev.
         MLX5_LAG_FLAG_NDEVS_READY remains set.
      
      Further execution of mlx5_do_bond() will result in null pointer
      dereference when calling mlx5_lag_is_multipath()
      
      This patch fixes the following call trace actually encountered:
      
      [ 1293.475195] BUG: kernel NULL pointer dereference, address: 00000000000009a8
      [ 1293.478756] #PF: supervisor read access in kernel mode
      [ 1293.481320] #PF: error_code(0x0000) - not-present page
      [ 1293.483686] PGD 0 P4D 0
      [ 1293.484434] Oops: 0000 [#1] SMP PTI
      [ 1293.485377] CPU: 1 PID: 23690 Comm: kworker/u16:2 Not tainted 5.18.0-rc5_for_upstream_min_debug_2022_05_05_10_13 #1
      [ 1293.488039] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [ 1293.490836] Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]
      [ 1293.492448] RIP: 0010:mlx5_lag_is_multipath+0x5/0x50 [mlx5_core]
      [ 1293.494044] Code: e8 70 40 ff e0 48 8b 14 24 48 83 05 5c 1a 1b 00 01 e9 19 ff ff ff 48 83 05 47 1a 1b 00 01 eb d7 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 87 a8 09 00 00 48 85 c0 74 26 48 83 05 a7 1b 1b 00 01 41 b8
      [ 1293.498673] RSP: 0018:ffff88811b2fbe40 EFLAGS: 00010202
      [ 1293.500152] RAX: ffff88818a94e1c0 RBX: ffff888165eca6c0 RCX: 0000000000000000
      [ 1293.501841] RDX: 0000000000000001 RSI: ffff88818a94e1c0 RDI: 0000000000000000
      [ 1293.503585] RBP: 0000000000000000 R08: ffff888119886740 R09: ffff888165eca73c
      [ 1293.505286] R10: 0000000000000018 R11: 0000000000000018 R12: ffff88818a94e1c0
      [ 1293.506979] R13: ffff888112729800 R14: 0000000000000000 R15: ffff888112729858
      [ 1293.508753] FS:  0000000000000000(0000) GS:ffff88852cc40000(0000) knlGS:0000000000000000
      [ 1293.510782] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1293.512265] CR2: 00000000000009a8 CR3: 00000001032d4002 CR4: 0000000000370ea0
      [ 1293.514001] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1293.515806] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fixes: 8a66e458 ("net/mlx5: Change ownership model for lag")
      Signed-off-by: default avatarEli Cohen <elic@nvidia.com>
      Reviewed-by: default avatarMaor Dickman <maord@nvidia.com>
      Reviewed-by: default avatarMark Bloch <mbloch@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      a6e675a6
    • Vlad Buslov's avatar
      net/mlx5e: Properly disable vlan strip on non-UL reps · f37044fd
      Vlad Buslov authored
      When querying mlx5 non-uplink representors capabilities with ethtool
      rx-vlan-offload is marked as "off [fixed]". However, it is actually always
      enabled because mlx5e_params->vlan_strip_disable is 0 by default when
      initializing struct mlx5e_params instance. Fix the issue by explicitly
      setting the vlan_strip_disable to 'true' for non-uplink representors.
      
      Fixes: cb67b832 ("net/mlx5e: Introduce SRIOV VF representors")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      f37044fd
    • Duoming Zhou's avatar
      nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout · f1e941db
      Duoming Zhou authored
      When the pn532 uart device is detaching, the pn532_uart_remove()
      is called. But there are no functions in pn532_uart_remove() that
      could delete the cmd_timeout timer, which will cause use-after-free
      bugs. The process is shown below:
      
          (thread 1)                  |        (thread 2)
                                      |  pn532_uart_send_frame
      pn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)
        ...                           |    (wait a time)
        kfree(pn532) //FREE           |    pn532_cmd_timeout
                                      |      pn532_uart_send_frame
                                      |        pn532->... //USE
      
      This patch adds del_timer_sync() in pn532_uart_remove() in order to
      prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
      is well synchronized, it sets nfc_dev->shutting_down to true and there
      are no syscalls could restart the cmd_timeout timer.
      
      Fixes: c656aa4c ("nfc: pn533: add UART phy driver")
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f1e941db
    • David S. Miller's avatar
      Merge branch 'r8152-fixes' · 6e10001c
      David S. Miller authored
      Hayes Wang says:
      
      ====================
      r8152: fix flow control settings
      
      These patches fix the settings of RX FIFO about flow control.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e10001c
    • Hayes Wang's avatar
      r8152: fix the RX FIFO settings when suspending · b75d6120
      Hayes Wang authored
      The RX FIFO would be changed when suspending, so the related settings
      have to be modified, too. Otherwise, the flow control would work
      abnormally.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216333Reported-by: default avatarMark Blakeney <mark.blakeney@bullet-systems.net>
      Fixes: cdf0b86b ("r8152: fix a WOL issue")
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b75d6120
    • Hayes Wang's avatar
      r8152: fix the units of some registers for RTL8156A · 6dc4df12
      Hayes Wang authored
      The units of PLA_RX_FIFO_FULL and PLA_RX_FIFO_EMPTY are 16 bytes.
      
      Fixes: 195aae32 ("r8152: support new chips")
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dc4df12
    • Bernard Pidoux's avatar
      rose: check NULL rose_loopback_neigh->loopback · 3c53cd65
      Bernard Pidoux authored
      Commit 3b3fd068 added NULL check for
      `rose_loopback_neigh->dev` in rose_loopback_timer() but omitted to
      check rose_loopback_neigh->loopback.
      
      It thus prevents *all* rose connect.
      
      The reason is that a special rose_neigh loopback has a NULL device.
      
      /proc/net/rose_neigh illustrates it via rose_neigh_show() function :
      [...]
      seq_printf(seq, "%05d %-9s %-4s   %3d %3d  %3s     %3s %3lu %3lu",
      	   rose_neigh->number,
      	   (rose_neigh->loopback) ? "RSLOOP-0" : ax2asc(buf, &rose_neigh->callsign),
      	   rose_neigh->dev ? rose_neigh->dev->name : "???",
      	   rose_neigh->count,
      
      /proc/net/rose_neigh displays special rose_loopback_neigh->loopback as
      callsign RSLOOP-0:
      
      addr  callsign  dev  count use mode restart  t0  tf digipeaters
      00001 RSLOOP-0  ???      1   2  DCE     yes   0   0
      
      By checking rose_loopback_neigh->loopback, rose_rx_call_request() is called
      even in case rose_loopback_neigh->dev is NULL. This repairs rose connections.
      
      Verification with rose client application FPAC:
      
      FPAC-Node v 4.1.3 (built Aug  5 2022) for LINUX (help = h)
      F6BVP-4 (Commands = ?) : u
      Users - AX.25 Level 2 sessions :
      Port   Callsign     Callsign  AX.25 state  ROSE state  NetRom status
      axudp  F6BVP-5   -> F6BVP-9   Connected    Connected   ---------
      
      Fixes: 3b3fd068 ("rose: Fix Null pointer dereference in rose_send_frame()")
      Signed-off-by: default avatarBernard Pidoux <f6bvp@free.fr>
      Suggested-by: default avatarFrancois Romieu <romieu@fr.zoreil.com>
      Cc: Thomas DL9SAU Osterried <thomas@osterried.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3c53cd65
  2. 19 Aug, 2022 5 commits
    • Sabrina Dubroca's avatar
      Revert "net: macsec: update SCI upon MAC address change." · e82c649e
      Sabrina Dubroca authored
      This reverts commit 6fc498bc.
      
      Commit 6fc498bc states:
      
          SCI should be updated, because it contains MAC in its first 6
          octets.
      
      That's not entirely correct. The SCI can be based on the MAC address,
      but doesn't have to be. We can also use any 64-bit number as the
      SCI. When the SCI based on the MAC address, it uses a 16-bit "port
      number" provided by userspace, which commit 6fc498bc overwrites
      with 1.
      
      In addition, changing the SCI after macsec has been setup can just
      confuse the receiver. If we configure the RXSC on the peer based on
      the original SCI, we should keep the same SCI on TX.
      
      When the macsec device is being managed by a userspace key negotiation
      daemon such as wpa_supplicant, commit 6fc498bc would also
      overwrite the SCI defined by userspace.
      
      Fixes: 6fc498bc ("net: macsec: update SCI upon MAC address change.")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/9b1a9d28327e7eb54550a92eebda45d25e54dd0d.1660667033.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e82c649e
    • Sean Anderson's avatar
      net: dpaa: Fix <1G ethernet on LS1046ARDB · 9dbdfd4a
      Sean Anderson authored
      As discussed in commit 73a21fa8 ("dpaa_eth: support all modes with
      rate adapting PHYs"), we must add a workaround for Aquantia phys with
      in-tree support in order to keep 1G support working. Update this
      workaround for the AQR113C phy found on revision C LS1046ARDB boards.
      
      Fixes: 12cf1b89 ("net: phy: Add support for AQR113C EPHY")
      Signed-off-by: default avatarSean Anderson <sean.anderson@seco.com>
      Acked-by: default avatarCamelia Groza <camelia.groza@nxp.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20220818164029.2063293-1-sean.anderson@seco.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9dbdfd4a
    • Linus Torvalds's avatar
      Merge tag 'net-6.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 4c2d0b03
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter.
      
        Current release - regressions:
      
         - tcp: fix cleanup and leaks in tcp_read_skb() (the new way BPF
           socket maps get data out of the TCP stack)
      
         - tls: rx: react to strparser initialization errors
      
         - netfilter: nf_tables: fix scheduling-while-atomic splat
      
         - net: fix suspicious RCU usage in bpf_sk_reuseport_detach()
      
        Current release - new code bugs:
      
         - mlxsw: ptp: fix a couple of races, static checker warnings and
           error handling
      
        Previous releases - regressions:
      
         - netfilter:
            - nf_tables: fix possible module reference underflow in error path
            - make conntrack helpers deal with BIG TCP (skbs > 64kB)
            - nfnetlink: re-enable conntrack expectation events
      
         - net: fix potential refcount leak in ndisc_router_discovery()
      
        Previous releases - always broken:
      
         - sched: cls_route: disallow handle of 0
      
         - neigh: fix possible local DoS due to net iface start/stop loop
      
         - rtnetlink: fix module refcount leak in rtnetlink_rcv_msg
      
         - sched: fix adding qlen to qcpu->backlog in gnet_stats_add_queue_cpu
      
         - virtio_net: fix endian-ness for RSS
      
         - dsa: mv88e6060: prevent crash on an unused port
      
         - fec: fix timer capture timing in `fec_ptp_enable_pps()`
      
         - ocelot: stats: fix races, integer wrapping and reading incorrect
           registers (the change of register definitions here accounts for
           bulk of the changed LoC in this PR)"
      
      * tag 'net-6.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (77 commits)
        net: moxa: MAC address reading, generating, validity checking
        tcp: handle pure FIN case correctly
        tcp: refactor tcp_read_skb() a bit
        tcp: fix tcp_cleanup_rbuf() for tcp_read_skb()
        tcp: fix sock skb accounting in tcp_read_skb()
        igb: Add lock to avoid data race
        dt-bindings: Fix incorrect "the the" corrections
        net: genl: fix error path memory leak in policy dumping
        stmmac: intel: Add a missing clk_disable_unprepare() call in intel_eth_pci_remove()
        net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_xdp_run
        net/mlx5e: Allocate flow steering storage during uplink initialization
        net: mscc: ocelot: report ndo_get_stats64 from the wraparound-resistant ocelot->stats
        net: mscc: ocelot: keep ocelot_stat_layout by reg address, not offset
        net: mscc: ocelot: make struct ocelot_stat_layout array indexable
        net: mscc: ocelot: fix race between ndo_get_stats64 and ocelot_check_stats_work
        net: mscc: ocelot: turn stats_lock into a spinlock
        net: mscc: ocelot: fix address of SYS_COUNT_TX_AGING counter
        net: mscc: ocelot: fix incorrect ndo_get_stats64 packet counters
        net: dsa: felix: fix ethtool 256-511 and 512-1023 TX packet counters
        net: dsa: don't warn in dsa_port_set_state_now() when driver doesn't support it
        ...
      4c2d0b03
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-next-6.0-rc2' of... · 90b6b686
      Linus Torvalds authored
      Merge tag 'linux-kselftest-next-6.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull Kselftest fix from Shuah Khan:
      
       - fix landlock test build regression
      
      * tag 'linux-kselftest-next-6.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/landlock: fix broken include of linux/landlock.h
      90b6b686
    • Linus Torvalds's avatar
      Merge tag 'trace-rtla-v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 0de277d4
      Linus Torvalds authored
      Pull rtla tool fixes from Steven Rostedt:
       "Fixes for the Real-Time Linux Analysis tooling:
      
         - Fix tracer name in comments and prints
      
         - Fix setting up symlinks
      
         - Allow extra flags to be set in build
      
         - Consolidate and show all necessary libraries not found in build
           error"
      
      * tag 'trace-rtla-v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        rtla: Consolidate and show all necessary libraries that failed for building
        tools/rtla: Build with EXTRA_{C,LD}FLAGS
        tools/rtla: Fix command symlinks
        rtla: Fix tracer name
      0de277d4
  3. 18 Aug, 2022 26 commits
  4. 17 Aug, 2022 2 commits
    • David Howells's avatar
      net: Fix suspicious RCU usage in bpf_sk_reuseport_detach() · fc4aaf9f
      David Howells authored
      bpf_sk_reuseport_detach() calls __rcu_dereference_sk_user_data_with_flags()
      to obtain the value of sk->sk_user_data, but that function is only usable
      if the RCU read lock is held, and neither that function nor any of its
      callers hold it.
      
      Fix this by adding a new helper, __locked_read_sk_user_data_with_flags()
      that checks to see if sk->sk_callback_lock() is held and use that here
      instead.
      
      Alternatively, making __rcu_dereference_sk_user_data_with_flags() use
      rcu_dereference_checked() might suffice.
      
      Without this, the following warning can be occasionally observed:
      
      =============================
      WARNING: suspicious RCU usage
      6.0.0-rc1-build2+ #563 Not tainted
      -----------------------------
      include/net/sock.h:592 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      5 locks held by locktest/29873:
       #0: ffff88812734b550 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: __sock_release+0x77/0x121
       #1: ffff88812f5621b0 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_close+0x1c/0x70
       #2: ffff88810312f5c8 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_unhash+0x76/0x1c0
       #3: ffffffff83768bb8 (reuseport_lock){+...}-{2:2}, at: reuseport_detach_sock+0x18/0xdd
       #4: ffff88812f562438 (clock-AF_INET){++..}-{2:2}, at: bpf_sk_reuseport_detach+0x24/0xa4
      
      stack backtrace:
      CPU: 1 PID: 29873 Comm: locktest Not tainted 6.0.0-rc1-build2+ #563
      Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x4c/0x5f
       bpf_sk_reuseport_detach+0x6d/0xa4
       reuseport_detach_sock+0x75/0xdd
       inet_unhash+0xa5/0x1c0
       tcp_set_state+0x169/0x20f
       ? lockdep_sock_is_held+0x3a/0x3a
       ? __lock_release.isra.0+0x13e/0x220
       ? reacquire_held_locks+0x1bb/0x1bb
       ? hlock_class+0x31/0x96
       ? mark_lock+0x9e/0x1af
       __tcp_close+0x50/0x4b6
       tcp_close+0x28/0x70
       inet_release+0x8e/0xa7
       __sock_release+0x95/0x121
       sock_close+0x14/0x17
       __fput+0x20f/0x36a
       task_work_run+0xa3/0xcc
       exit_to_user_mode_prepare+0x9c/0x14d
       syscall_exit_to_user_mode+0x18/0x44
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: cf8c1e96 ("net: refactor bpf_sk_reuseport_detach()")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Hawkins Jiawei <yin31149@gmail.com>
      Link: https://lore.kernel.org/r/166064248071.3502205.10036394558814861778.stgit@warthog.procyon.org.ukSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fc4aaf9f
    • Linus Torvalds's avatar
      Merge tag 'ntfs3_for_6.0' of https://github.com/Paragon-Software-Group/linux-ntfs3 · 3b06a275
      Linus Torvalds authored
      Pull ntfs3 updates from Konstantin Komarov:
      
       - implement FALLOC_FL_INSERT_RANGE
      
       - fix some logic errors
      
       - fixed xfstests (tested on x86_64): generic/064 generic/213
         generic/300 generic/361 generic/449 generic/485
      
       - some dead code removed or refactored
      
      * tag 'ntfs3_for_6.0' of https://github.com/Paragon-Software-Group/linux-ntfs3: (39 commits)
        fs/ntfs3: uninitialized variable in ntfs_set_acl_ex()
        fs/ntfs3: Remove unused function wnd_bits
        fs/ntfs3: Make ni_ins_new_attr return error
        fs/ntfs3: Create MFT zone only if length is large enough
        fs/ntfs3: Refactoring attr_insert_range to restore after errors
        fs/ntfs3: Refactoring attr_punch_hole to restore after errors
        fs/ntfs3: Refactoring attr_set_size to restore after errors
        fs/ntfs3: New function ntfs_bad_inode
        fs/ntfs3: Make MFT zone less fragmented
        fs/ntfs3: Check possible errors in run_pack in advance
        fs/ntfs3: Added comments to frecord functions
        fs/ntfs3: Fill duplicate info in ni_add_name
        fs/ntfs3: Make static function attr_load_runs
        fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free
        fs/ntfs3: Remove unused mi_mark_free
        fs/ntfs3: Fix very fragmented case in attr_punch_hole
        fs/ntfs3: Fix work with fragmented xattr
        fs/ntfs3: Make ntfs_fallocate return -ENOSPC instead of -EFBIG
        fs/ntfs3: extend ni_insert_nonresident to return inserted ATTR_LIST_ENTRY
        fs/ntfs3: Check reserved size for maximum allowed
        ...
      3b06a275