1. 12 Sep, 2023 6 commits
  2. 08 Sep, 2023 3 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 73be7fb1
      Linus Torvalds authored
      Pull networking updates from Jakub Kicinski:
       "Including fixes from netfilter and bpf.
      
        Current release - regressions:
      
         - eth: stmmac: fix failure to probe without MAC interface specified
      
        Current release - new code bugs:
      
         - docs: netlink: fix missing classic_netlink doc reference
      
        Previous releases - regressions:
      
         - deal with integer overflows in kmalloc_reserve()
      
         - use sk_forward_alloc_get() in sk_get_meminfo()
      
         - bpf_sk_storage: fix the missing uncharge in sk_omem_alloc
      
         - fib: avoid warn splat in flow dissector after packet mangling
      
         - skb_segment: call zero copy functions before using skbuff frags
      
         - eth: sfc: check for zero length in EF10 RX prefix
      
        Previous releases - always broken:
      
         - af_unix: fix msg_controllen test in scm_pidfd_recv() for
           MSG_CMSG_COMPAT
      
         - xsk: fix xsk_build_skb() dereferencing possible ERR_PTR()
      
         - netfilter:
            - nft_exthdr: fix non-linear header modification
            - xt_u32, xt_sctp: validate user space input
            - nftables: exthdr: fix 4-byte stack OOB write
            - nfnetlink_osf: avoid OOB read
            - one more fix for the garbage collection work from last release
      
         - igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
      
         - bpf, sockmap: fix preempt_rt splat when using raw_spin_lock_t
      
         - handshake: fix null-deref in handshake_nl_done_doit()
      
         - ip: ignore dst hint for multipath routes to ensure packets are
           hashed across the nexthops
      
         - phy: micrel:
            - correct bit assignments for cable test errata
            - disable EEE according to the KSZ9477 errata
      
        Misc:
      
         - docs/bpf: document compile-once-run-everywhere (CO-RE) relocations
      
         - Revert "net: macsec: preserve ingress frame ordering", it appears
           to have been developed against an older kernel, problem doesn't
           exist upstream"
      
      * tag 'net-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (95 commits)
        net: enetc: distinguish error from valid pointers in enetc_fixup_clear_rss_rfs()
        Revert "net: team: do not use dynamic lockdep key"
        net: hns3: remove GSO partial feature bit
        net: hns3: fix the port information display when sfp is absent
        net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue
        net: hns3: fix debugfs concurrency issue between kfree buffer and read
        net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read()
        net: hns3: Support query tx timeout threshold by debugfs
        net: hns3: fix tx timeout issue
        net: phy: Provide Module 4 KSZ9477 errata (DS80000754C)
        netfilter: nf_tables: Unbreak audit log reset
        netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
        netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
        netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID
        netfilter: nfnetlink_osf: avoid OOB read
        netfilter: nftables: exthdr: fix 4-byte stack OOB write
        selftests/bpf: Check bpf_sk_storage has uncharged sk_omem_alloc
        bpf: bpf_sk_storage: Fix the missing uncharge in sk_omem_alloc
        bpf: bpf_sk_storage: Fix invalid wait context lockdep report
        s390/bpf: Pass through tail call counter in trampolines
        ...
      73be7fb1
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-6.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 2ab35ce2
      Linus Torvalds authored
      Pull more devicetree updates from Rob Herring:
       "A couple of conversions which didn't get picked up by the subsystems
        and one fix:
      
         - Convert st,stih407-irq-syscfg and Omnivision OV7251 bindings to DT
           schema
      
         - Merge Omnivision OV5695 into OV5693 binding
      
         - Fix of_overlay_fdt_apply prototype when !CONFIG_OF_OVERLAY"
      
      * tag 'devicetree-fixes-for-6.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: irqchip: convert st,stih407-irq-syscfg to DT schema
        media: dt-bindings: Convert Omnivision OV7251 to DT schema
        media: dt-bindings: Merge OV5695 into OV5693 binding
        of: overlay: Fix of_overlay_fdt_apply prototype when !CONFIG_OF_OVERLAY
      2ab35ce2
    • Linus Torvalds's avatar
      Merge tag 'pwm/for-6.6-rc1' of... · 8d844b35
      Linus Torvalds authored
      Merge tag 'pwm/for-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
      
      Pull pwm updates from Thierry Reding:
       "Various cleanups and fixes across the board"
      
      * tag 'pwm/for-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm: (31 commits)
        pwm: lpc32xx: Remove handling of PWM channels
        pwm: atmel: Simplify using devm functions
        dt-bindings: pwm: brcm,kona-pwm: convert to YAML
        pwm: stmpe: Handle errors when disabling the signal
        pwm: stm32: Simplify using devm_pwmchip_add()
        pwm: stm32: Don't modify HW state in .remove() callback
        pwm: Fix order of freeing resources in pwmchip_remove()
        pwm: ntxec: Use device_set_of_node_from_dev()
        pwm: ntxec: Drop a write-only variable from driver data
        pwm: pxa: Don't reimplement of_device_get_match_data()
        pwm: lpc18xx-sct: Simplify using devm_clk_get_enabled()
        pwm: atmel-tcb: Don't track polarity in driver data
        pwm: atmel-tcb: Unroll atmel_tcb_pwm_set_polarity() into only caller
        pwm: atmel-tcb: Put per-channel data into driver data
        pwm: atmel-tcb: Fix resource freeing in error path and remove
        pwm: atmel-tcb: Harmonize resource allocation order
        pwm: Drop unused #include <linux/radix-tree.h>
        pwm: rz-mtu3: Fix build warning 'num_channel_ios' not described
        pwm: Remove outdated documentation for pwmchip_remove()
        pwm: atmel: Enable clk when pwm already enabled in bootloader
        ...
      8d844b35
  3. 07 Sep, 2023 23 commits
    • Linus Torvalds's avatar
      Merge tag 'rtc-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux · ff6e6ded
      Linus Torvalds authored
      Pull RTC updates from Alexandre Belloni:
       "Subsystem:
      
         - Add a way for drivers to tell the core the supported alarm range is
           smaller than the date range. This is not used yet but will be
           useful for the alarmtimers in the next release.
      
         - fix Wvoid-pointer-to-enum-cast warnings
      
         - remove redundant of_match_ptr()
      
         - stop warning for invalid alarms when the alarm is disabled
      
        Drivers:
      
         - isl12022: allow setting the trip level for battery level detection
      
         - pcf2127: add support for PCF2131 and multiple timestamps
      
         - stm32: time precision improvement, many fixes
      
         - twl: NVRAM support"
      
      * tag 'rtc-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (73 commits)
        dt-bindings: rtc: ds3231: Remove text binding
        rtc: wm8350: remove unnecessary messages
        rtc: twl: remove unnecessary messages
        rtc: sun6i: remove unnecessary message
        rtc: stop warning for invalid alarms when the alarm is disabled
        rtc: twl: add NVRAM support
        rtc: pcf85363: Allow to wake up system without IRQ
        rtc: m48t86: add DT support for m48t86
        dt-bindings: rtc: Add ST M48T86
        rtc: pcf2127: remove useless check
        rtc: rzn1: Report maximum alarm limit to rtc core
        rtc: ds1305: Report maximum alarm limit to rtc core
        rtc: tps6586x: Report maximum alarm limit to rtc core
        rtc: cmos: Report supported alarm limit to rtc infrastructure
        rtc: cros-ec: Detect and report supported alarm window size
        rtc: Add support for limited alarm timer offsets
        rtc: isl1208: Fix incorrect logic in isl1208_set_xtoscb()
        MAINTAINERS: remove obsolete pattern in RTC SUBSYSTEM section
        rtc: tps65910: Remove redundant dev_warn() and do not check for 0 return after calling platform_get_irq()
        rtc: omap: Do not check for 0 return after calling platform_get_irq()
        ...
      ff6e6ded
    • Linus Torvalds's avatar
      Merge tag 'i3c/for-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux · e59a698b
      Linus Torvalds authored
      Pull i3c updates from Alexandre Belloni:
       "Core:
         - Fix SETDASA when static and dynamic adress are equal
         - Fix cmd_v1 DAA exit criteria
      
        Drivers:
         - svc: allow probing without any device"
      
      * tag 'i3c/for-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux:
        i3c: master: svc: fix probe failure when no i3c device exist
        i3c: master: Fix SETDASA process
        dt-bindings: i3c: Fix description for assigned-address
        i3c: master: svc: Describe member 'saved_regs'
        i3c: master: svc: Do not check for 0 return after calling platform_get_irq()
        i3c/master: cmd_v1: Fix the exit criteria for the daa procedure
        i3c: Explicitly include correct DT includes
      e59a698b
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v6.6-merge-window' of... · d9b9ea58
      Linus Torvalds authored
      Merge tag 'regulator-fix-v6.6-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "A couple of fixes that came in during the merge window, both driver
        specific - one for a bug that came up in testing, one for a bug due
        to a misreading of the datasheet"
      
      * tag 'regulator-fix-v6.6-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: tps6594-regulator: Fix random kernel crash
        regulator: tps6287x: Fix n_voltages
      d9b9ea58
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.6-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 32904dec
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A couple of fixes for the sun6i driver. The patch to reduce DMA RX to
        single byte width all the time is *hopefully* excessively cautious but
        it's unclear which SoCs are affected so the fix just covers everything
        for safety"
      
      * tag 'spi-fix-v6.6-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain
        spi: sun6i: reduce DMA RX transfer width to single byte
      32904dec
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 0c021834
      Linus Torvalds authored
      Pull kvm updates from Paolo Bonzini:
       "ARM:
      
         - Clean up vCPU targets, always returning generic v8 as the preferred
           target
      
         - Trap forwarding infrastructure for nested virtualization (used for
           traps that are taken from an L2 guest and are needed by the L1
           hypervisor)
      
         - FEAT_TLBIRANGE support to only invalidate specific ranges of
           addresses when collapsing a table PTE to a block PTE. This avoids
           that the guest refills the TLBs again for addresses that aren't
           covered by the table PTE.
      
         - Fix vPMU issues related to handling of PMUver.
      
         - Don't unnecessary align non-stack allocations in the EL2 VA space
      
         - Drop HCR_VIRT_EXCP_MASK, which was never used...
      
         - Don't use smp_processor_id() in kvm_arch_vcpu_load(), but the cpu
           parameter instead
      
         - Drop redundant call to kvm_set_pfn_accessed() in user_mem_abort()
      
         - Remove prototypes without implementations
      
        RISC-V:
      
         - Zba, Zbs, Zicntr, Zicsr, Zifencei, and Zihpm support for guest
      
         - Added ONE_REG interface for SATP mode
      
         - Added ONE_REG interface to enable/disable multiple ISA extensions
      
         - Improved error codes returned by ONE_REG interfaces
      
         - Added KVM_GET_REG_LIST ioctl() implementation for KVM RISC-V
      
         - Added get-reg-list selftest for KVM RISC-V
      
        s390:
      
         - PV crypto passthrough enablement (Tony, Steffen, Viktor, Janosch)
      
           Allows a PV guest to use crypto cards. Card access is governed by
           the firmware and once a crypto queue is "bound" to a PV VM every
           other entity (PV or not) looses access until it is not bound
           anymore. Enablement is done via flags when creating the PV VM.
      
         - Guest debug fixes (Ilya)
      
        x86:
      
         - Clean up KVM's handling of Intel architectural events
      
         - Intel bugfixes
      
         - Add support for SEV-ES DebugSwap, allowing SEV-ES guests to use
           debug registers and generate/handle #DBs
      
         - Clean up LBR virtualization code
      
         - Fix a bug where KVM fails to set the target pCPU during an IRTE
           update
      
         - Fix fatal bugs in SEV-ES intrahost migration
      
         - Fix a bug where the recent (architecturally correct) change to
           reinject #BP and skip INT3 broke SEV guests (can't decode INT3 to
           skip it)
      
         - Retry APIC map recalculation if a vCPU is added/enabled
      
         - Overhaul emergency reboot code to bring SVM up to par with VMX, tie
           the "emergency disabling" behavior to KVM actually being loaded,
           and move all of the logic within KVM
      
         - Fix user triggerable WARNs in SVM where KVM incorrectly assumes the
           TSC ratio MSR cannot diverge from the default when TSC scaling is
           disabled up related code
      
         - Add a framework to allow "caching" feature flags so that KVM can
           check if the guest can use a feature without needing to search
           guest CPUID
      
         - Rip out the ancient MMU_DEBUG crud and replace the useful bits with
           CONFIG_KVM_PROVE_MMU
      
         - Fix KVM's handling of !visible guest roots to avoid premature
           triple fault injection
      
         - Overhaul KVM's page-track APIs, and KVMGT's usage, to reduce the
           API surface that is needed by external users (currently only
           KVMGT), and fix a variety of issues in the process
      
        Generic:
      
         - Wrap kvm_{gfn,hva}_range.pte in a union to allow mmu_notifier
           events to pass action specific data without needing to constantly
           update the main handlers.
      
         - Drop unused function declarations
      
        Selftests:
      
         - Add testcases to x86's sync_regs_test for detecting KVM TOCTOU bugs
      
         - Add support for printf() in guest code and covert all guest asserts
           to use printf-based reporting
      
         - Clean up the PMU event filter test and add new testcases
      
         - Include x86 selftests in the KVM x86 MAINTAINERS entry"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (279 commits)
        KVM: x86/mmu: Include mmu.h in spte.h
        KVM: x86/mmu: Use dummy root, backed by zero page, for !visible guest roots
        KVM: x86/mmu: Disallow guest from using !visible slots for page tables
        KVM: x86/mmu: Harden TDP MMU iteration against root w/o shadow page
        KVM: x86/mmu: Harden new PGD against roots without shadow pages
        KVM: x86/mmu: Add helper to convert root hpa to shadow page
        drm/i915/gvt: Drop final dependencies on KVM internal details
        KVM: x86/mmu: Handle KVM bookkeeping in page-track APIs, not callers
        KVM: x86/mmu: Drop @slot param from exported/external page-track APIs
        KVM: x86/mmu: Bug the VM if write-tracking is used but not enabled
        KVM: x86/mmu: Assert that correct locks are held for page write-tracking
        KVM: x86/mmu: Rename page-track APIs to reflect the new reality
        KVM: x86/mmu: Drop infrastructure for multiple page-track modes
        KVM: x86/mmu: Use page-track notifiers iff there are external users
        KVM: x86/mmu: Move KVM-only page-track declarations to internal header
        KVM: x86: Remove the unused page-track hook track_flush_slot()
        drm/i915/gvt: switch from ->track_flush_slot() to ->track_remove_region()
        KVM: x86: Add a new page-track hook to handle memslot deletion
        drm/i915/gvt: Don't bother removing write-protection on to-be-deleted slot
        KVM: x86: Reject memslot MOVE operations if KVMGT is attached
        ...
      0c021834
    • Vladimir Oltean's avatar
      net: enetc: distinguish error from valid pointers in enetc_fixup_clear_rss_rfs() · 1b36955c
      Vladimir Oltean authored
      enetc_psi_create() returns an ERR_PTR() or a valid station interface
      pointer, but checking for the non-NULL quality of the return code blurs
      that difference away. So if enetc_psi_create() fails, we call
      enetc_psi_destroy() when we shouldn't. This will likely result in
      crashes, since enetc_psi_create() cleans up everything after itself when
      it returns an ERR_PTR().
      
      Fixes: f0168042 ("net: enetc: reimplement RFS/RSS memory clearing as PCI quirk")
      Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Closes: https://lore.kernel.org/netdev/582183ef-e03b-402b-8e2d-6d9bb3c83bd9@moroto.mountain/Suggested-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230906141609.247579-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1b36955c
    • Jakub Kicinski's avatar
      Revert "net: team: do not use dynamic lockdep key" · 6afcf0fb
      Jakub Kicinski authored
      This reverts commit 39285e12.
      
      Looks like the change has unintended consequences in exposing
      objects before they are initialized. Let's drop this patch
      and try again in net-next.
      
      Reported-by: syzbot+44ae022028805f4600fc@syzkaller.appspotmail.com
      Fixes: 39285e12 ("net: team: do not use dynamic lockdep key")
      Link: https://lore.kernel.org/all/20230907103124.6adb7256@kernel.org/Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6afcf0fb
    • Linus Torvalds's avatar
      Merge tag 's390-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 4a0fc73d
      Linus Torvalds authored
      Pull more s390 updates from Heiko Carstens:
      
       - A couple of virtual vs physical address confusion fixes
      
       - Rework locking in dcssblk driver to address a lockdep warning
      
       - Remove support for "noexec" kernel command line option since there is
         no use case where it would make sense
      
       - Simplify kernel mapping setup and get rid of quite a bit of code
      
       - Add architecture specific __set_memory_yy() functions which allow us
         to modify kernel mappings. Unlike the set_memory_xx() variants they
         take void pointer start and end parameters, which allows using them
         without the usual casts, and also to use them on areas larger than
         8TB.
      
         Note that the set_memory_xx() family comes with an int num_pages
         parameter which overflows with 8TB. This could be addressed by
         changing the num_pages parameter to unsigned long, however requires
         to change all architectures, since the module code expects an int
         parameter (see module_set_memory()).
      
         This was indeed an issue since for debug_pagealloc() we call
         set_memory_4k() on the whole identity mapping. Therefore address this
         for now with the __set_memory_yy() variant, and address common code
         later
      
       - Use dev_set_name() and also fix memory leak in zcrypt driver error
         handling
      
       - Remove unused lsi_mask from airq_struct
      
       - Add warning for invalid kernel mapping requests
      
      * tag 's390-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/vmem: do not silently ignore mapping limit
        s390/zcrypt: utilize dev_set_name() ability to use a formatted string
        s390/zcrypt: don't leak memory if dev_set_name() fails
        s390/mm: fix MAX_DMA_ADDRESS physical vs virtual confusion
        s390/airq: remove lsi_mask from airq_struct
        s390/mm: use __set_memory() variants where useful
        s390/set_memory: add __set_memory() variant
        s390/set_memory: generate all set_memory() functions
        s390/mm: improve description of mapping permissions of prefix pages
        s390/amode31: change type of __samode31, __eamode31, etc
        s390/mm: simplify kernel mapping setup
        s390: remove "noexec" option
        s390/vmem: fix virtual vs physical address confusion
        s390/dcssblk: fix lockdep warning
        s390/monreader: fix virtual vs physical address confusion
      4a0fc73d
    • Linus Torvalds's avatar
      Merge tag 'mips_6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · ac2224a4
      Linus Torvalds authored
      Pull MIPS updates from Thomas Bogendoerfer:
       "Just cleanups and fixes"
      
      * tag 'mips_6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: TXx9: Do PCI error checks on own line
        arch/mips/configs/*_defconfig cleanup
        MIPS: VDSO: Conditionally export __vdso_gettimeofday()
        Mips: loongson3_defconfig: Enable ast drm driver by default
        mips: remove <asm/export.h>
        mips: replace #include <asm/export.h> with #include <linux/export.h>
        mips: remove unneeded #include <asm/export.h>
        MIPS: Loongson64: Fix more __iomem attributes
        MIPS: loongson32: Remove regs-rtc.h
        MIPS: loongson32: Remove regs-clk.h
        MIPS: More explicit DT include clean-ups
        MIPS: Fixup explicit DT include clean-up
        Revert MIPS: Loongson: Fix build error when make modules_install
        MIPS: Only fiddle with CHECKFLAGS if `need-compiler'
        MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression
        MIPS: Explicitly include correct DT includes
      ac2224a4
    • Linus Torvalds's avatar
      Merge tag 'xtensa-20230905' of https://github.com/jcmvbkbc/linux-xtensa · dd1386dd
      Linus Torvalds authored
      Pull xtensa updates from Max Filippov:
      
       - enable MTD XIP support
      
       - fix base address of the xtensa perf module in newer hardware
      
      * tag 'xtensa-20230905' of https://github.com/jcmvbkbc/linux-xtensa:
        xtensa: add XIP-aware MTD support
        xtensa: PMU: fix base address for the newer hardware
      dd1386dd
    • Christian Brauner's avatar
      ntfs3: drop inode references in ntfs_put_super() · 78a06688
      Christian Brauner authored
      Recently we moved most cleanup from ntfs_put_super() into
      ntfs3_kill_sb() as part of a bigger cleanup.  This accidently also moved
      dropping inode references stashed in ntfs3's sb->s_fs_info from
      @sb->put_super() to @sb->kill_sb().  But generic_shutdown_super()
      verifies that there are no busy inodes past sb->put_super().  Fix this
      and disentangle dropping inode references from freeing @sb->s_fs_info.
      
      Fixes: a4f64a30 ("ntfs3: free the sbi in ->kill_sb") # mainline only
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      78a06688
    • Linus Torvalds's avatar
      vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' · 9013c51c
      Linus Torvalds authored
      Mateusz reports that glibc turns 'fstat()' calls into 'fstatat()', and
      that seems to have been going on for quite a long time due to glibc
      having tried to simplify its stat logic into just one point.
      
      This turns out to cause completely unnecessary overhead, where we then
      go off and allocate the kernel side pathname, and actually look up the
      empty path.  Sure, our path lookup is quite optimized, but it still
      causes a fair bit of allocation overhead and a couple of completely
      unnecessary rounds of lockref accesses etc.
      
      This is all hopefully getting fixed in user space, and there is a patch
      floating around for just having glibc use the native fstat() system
      call.  But even with the current situation we can at least improve on
      things by catching the situation and short-circuiting it.
      
      Note that this is still measurably slower than just a plain 'fstat()',
      since just checking that the filename is actually empty is somewhat
      expensive due to inevitable user space access overhead from the kernel
      (ie verifying pointers, and SMAP on x86).  But it's still quite a bit
      faster than actually looking up the path for real.
      
      To quote numers from Mateusz:
       "Sapphire Rapids, will-it-scale, ops/s
      
        stock fstat	5088199
        patched fstat	7625244	(+49%)
        real fstat	8540383	(+67% / +12%)"
      
      where that 'stock fstat' is the glibc translation of fstat into
      fstatat() with an empty path, the 'patched fstat' is with this short
      circuiting of the path lookup, and the 'real fstat' is the actual native
      fstat() system call with none of this overhead.
      
      Link: https://lore.kernel.org/lkml/20230903204858.lv7i3kqvw6eamhgz@f/Reported-by: default avatarMateusz Guzik <mjguzik@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9013c51c
    • Paolo Abeni's avatar
      Merge tag 'nf-23-09-06' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 7153a404
      Paolo Abeni authored
      Florian Westphal says:
      
      ====================
      netfilter updates for net
      
      This PR contains nf_tables updates for your *net* tree.
      This time almost all fixes are for old bugs:
      
      First patch fixes a 4-byte stack OOB write, from myself.
      This was broken ever since nftables was switches from 128 to 32bit
      register addressing in v4.1.
      
      2nd patch fixes an out-of-bounds read.
      This has been broken ever since xt_osf got added in 2.6.31, the bug
      was then just moved around during refactoring, from Wander Lairson Costa.
      
      3rd patch adds a missing enum description, from Phil Sutter.
      
      4th patch fixes a UaF inftables that occurs when userspace adds
      elements with a timeout so small that expiration happens while the
      transaction is still in progress.  Fix from Pablo Neira Ayuso.
      
      Patch 5 fixes a memory out of bounds access, this was
      broken since v4.20. Patch from Kyle Zeng and Jozsef Kadlecsik.
      
      Patch 6 fixes another bogus memory access when building audit
      record. Bug added in the previous pull request, fix from Pablo.
      
      netfilter pull request 2023-09-06
      
      * tag 'nf-23-09-06' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: Unbreak audit log reset
        netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
        netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
        netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID
        netfilter: nfnetlink_osf: avoid OOB read
        netfilter: nftables: exthdr: fix 4-byte stack OOB write
      ====================
      
      Link: https://lore.kernel.org/r/20230906162525.11079-1-fw@strlen.deSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7153a404
    • Paolo Abeni's avatar
      Merge branch 'there-are-some-bugfix-for-the-hns3-ethernet-driver' · 35494b0d
      Paolo Abeni authored
      Jijie Shao says:
      
      ====================
      There are some bugfix for the HNS3 ethernet driver
      ====================
      
      Link: https://lore.kernel.org/r/20230906072018.3020671-1-shaojijie@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      35494b0d
    • Jie Wang's avatar
      net: hns3: remove GSO partial feature bit · 60326634
      Jie Wang authored
      HNS3 NIC does not support GSO partial packets segmentation. Actually tunnel
      packets for example NvGRE packets segment offload and checksum offload is
      already supported. There is no need to keep gso partial feature bit. So
      this patch removes it.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: default avatarJie Wang <wangjie125@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      60326634
    • Yisen Zhuang's avatar
      net: hns3: fix the port information display when sfp is absent · 674d9591
      Yisen Zhuang authored
      When sfp is absent or unidentified, the port type should be
      displayed as PORT_OTHERS, rather than PORT_FIBRE.
      
      Fixes: 88d10bd6 ("net: hns3: add support for multiple media type")
      Signed-off-by: default avatarYisen Zhuang <yisen.zhuang@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      674d9591
    • Jijie Shao's avatar
      net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue · fa556494
      Jijie Shao authored
      We hope that tc qdisc and dcb ets commands can not be used crosswise.
      If we want to use any of the commands to configure tc,
      We must use the other command to clear the existing configuration.
      
      However, when we configure a single tc with tc qdisc,
      we can still configure it with dcb ets.
      Because we use mqprio_active as the tag of tc qdisc configuration,
      but with dcb ets, we do not check mqprio_active.
      
      This patch fix this issue by check mqprio_active before
      executing the dcb ets command. and add dcb_ets_active to
      replace HCLGE_FLAG_DCB_ENABLE and HCLGE_FLAG_MQPRIO_ENABLE
      at the hclge layer,
      
      Fixes: cacde272 ("net: hns3: Add hclge_dcb module for the support of DCB feature")
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      fa556494
    • Hao Chen's avatar
      net: hns3: fix debugfs concurrency issue between kfree buffer and read · c295160b
      Hao Chen authored
      Now in hns3_dbg_uninit(), there may be concurrency between
      kfree buffer and read, it may result in memory error.
      
      Moving debugfs_remove_recursive() in front of kfree buffer to ensure
      they don't happen at the same time.
      
      Fixes: 5e69ea7e ("net: hns3: refactor the debugfs process")
      Signed-off-by: default avatarHao Chen <chenhao418@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c295160b
    • Hao Chen's avatar
      net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read() · efccf655
      Hao Chen authored
      req1->tcam_data is defined as "u8 tcam_data[8]", and we convert it as
      (u32 *) without considerring byte order conversion,
      it may result in printing wrong data for tcam_data.
      
      Convert tcam_data to (__le32 *) first to fix it.
      
      Fixes: b5a0b70d ("net: hns3: refactor dump fd tcam of debugfs")
      Signed-off-by: default avatarHao Chen <chenhao418@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      efccf655
    • Jijie Shao's avatar
      net: hns3: Support query tx timeout threshold by debugfs · dd2bbc2e
      Jijie Shao authored
      support query tx timeout threshold by debugfs
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      dd2bbc2e
    • Jian Shen's avatar
      net: hns3: fix tx timeout issue · 61a1deac
      Jian Shen authored
      Currently, the driver knocks the ring doorbell before updating
      the ring->last_to_use in tx flow. if the hardware transmiting
      packet and napi poll scheduling are fast enough, it may get
      the old ring->last_to_use in drivers' napi poll.
      In this case, the driver will think the tx is not completed, and
      return directly without clear the flag __QUEUE_STATE_STACK_XOFF,
      which may cause tx timeout.
      
      Fixes: 20d06ca2 ("net: hns3: optimize the tx clean process")
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      61a1deac
    • Lukasz Majewski's avatar
      net: phy: Provide Module 4 KSZ9477 errata (DS80000754C) · 08c6d8ba
      Lukasz Majewski authored
      The KSZ9477 errata points out (in 'Module 4') the link up/down problems
      when EEE (Energy Efficient Ethernet) is enabled in the device to which
      the KSZ9477 tries to auto negotiate.
      
      The suggested workaround is to clear advertisement of EEE for PHYs in
      this chip driver.
      
      To avoid regressions with other switch ICs the new MICREL_NO_EEE flag
      has been introduced.
      
      Moreover, the in-register disablement of MMD_DEVICE_ID_EEE_ADV.MMD_EEE_ADV
      MMD register is removed, as this code is both; now executed too late
      (after previous rework of the PHY and DSA for KSZ switches) and not
      required as setting all members of eee_broken_modes bit field prevents
      the KSZ9477 from advertising EEE.
      
      Fixes: 69d3b36c ("net: dsa: microchip: enable EEE support") # for KSZ9477
      Signed-off-by: default avatarLukasz Majewski <lukma@denx.de>
      Tested-by: Oleksij Rempel <o.rempel@pengutronix.de> # Confirmed disabled EEE with oscilloscope.
      Reviewed-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20230905093315.784052-1-lukma@denx.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      08c6d8ba
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · f16d411c
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-09-06
      
      We've added 9 non-merge commits during the last 6 day(s) which contain
      a total of 12 files changed, 189 insertions(+), 44 deletions(-).
      
      The main changes are:
      
      1) Fix bpf_sk_storage to address an invalid wait context lockdep
         report and another one to address missing omem uncharge,
         from Martin KaFai Lau.
      
      2) Two BPF recursion detection related fixes,
         from Sebastian Andrzej Siewior.
      
      3) Fix tailcall limit enforcement in trampolines for s390 JIT,
         from Ilya Leoshkevich.
      
      4) Fix a sockmap refcount race where skbs in sk_psock_backlog can
         be referenced after user space side has already skb_consumed them,
         from John Fastabend.
      
      5) Fix BPF CI flake/race wrt sockmap vsock write test where
         the transport endpoint is not connected, from Xu Kuohai.
      
      6) Follow-up doc fix to address a cross-link warning,
         from Eduard Zingerman.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: Check bpf_sk_storage has uncharged sk_omem_alloc
        bpf: bpf_sk_storage: Fix the missing uncharge in sk_omem_alloc
        bpf: bpf_sk_storage: Fix invalid wait context lockdep report
        s390/bpf: Pass through tail call counter in trampolines
        bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.
        bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf().
        bpf, sockmap: Fix skb refcnt race after locking changes
        docs/bpf: Fix "file doesn't exist" warnings in {llvm_reloc,btf}.rst
        selftests/bpf: Fix a CI failure caused by vsock write
      ====================
      
      Link: https://lore.kernel.org/r/20230906095117.16941-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f16d411c
  4. 06 Sep, 2023 8 commits
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-6.6-rc1' of https://github.com/ceph/ceph-client · 7ba2090c
      Linus Torvalds authored
      Pull ceph updates from Ilya Dryomov:
       "Mixed with some fixes and cleanups, this brings in reasonably complete
        fscrypt support to CephFS! The list of things which don't work with
        encryption should be fairly short, mostly around the edges: fallocate
        (not supported well in CephFS to begin with), copy_file_range
        (requires re-encryption), non-default striping patterns.
      
        This was a multi-year effort principally by Jeff Layton with
        assistance from Xiubo Li, Luís Henriques and others, including several
        dependant changes in the MDS, netfs helper library and fscrypt
        framework itself"
      
      * tag 'ceph-for-6.6-rc1' of https://github.com/ceph/ceph-client: (53 commits)
        ceph: make num_fwd and num_retry to __u32
        ceph: make members in struct ceph_mds_request_args_ext a union
        rbd: use list_for_each_entry() helper
        libceph: do not include crypto/algapi.h
        ceph: switch ceph_lookup/atomic_open() to use new fscrypt helper
        ceph: fix updating i_truncate_pagecache_size for fscrypt
        ceph: wait for OSD requests' callbacks to finish when unmounting
        ceph: drop messages from MDS when unmounting
        ceph: update documentation regarding snapshot naming limitations
        ceph: prevent snapshot creation in encrypted locked directories
        ceph: add support for encrypted snapshot names
        ceph: invalidate pages when doing direct/sync writes
        ceph: plumb in decryption during reads
        ceph: add encryption support to writepage and writepages
        ceph: add read/modify/write to ceph_sync_write
        ceph: align data in pages in ceph_sync_write
        ceph: don't use special DIO path for encrypted inodes
        ceph: add truncate size handling support for fscrypt
        ceph: add object version support for sync read
        libceph: allow ceph_osdc_new_request to accept a multi-op read
        ...
      7ba2090c
    • Linus Torvalds's avatar
      Merge tag 'input-for-v6.6-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 744a7594
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
      
       - a new driver for Azoteq IQS7210A/7211A/E touch controllers
      
       - support for Azoteq IQS7222D variant added to iqs7222 driver
      
       - support for touch keys functionality added to Melfas MMS114 driver
      
       - new hardware IDs added to exc3000 and Goodix drivers
      
       - xpad driver gained support for GameSir T4 Kaleid Controller
      
       - a fix for xpad driver to properly support some third-party
         controllers that need a magic packet to start properly
      
       - a fix for psmouse driver to more reliably switch to RMI4 mode on
         devices that use native RMI4/SMbus protocol
      
       - a quirk for i8042 for TUXEDO Gemini 17 Gen1/Clevo PD70PN laptops
      
       - multiple drivers have been updated to make use of devm and other
         newer APIs such as dev_err_probe(), devm_regulator_get_enable(), and
         others.
      
      * tag 'input-for-v6.6-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (83 commits)
        Input: goodix - add support for ACPI ID GDX9110
        Input: rpckbd - fix the return value handle for platform_get_irq()
        Input: tca6416-keypad - switch to using input core's polling features
        Input: tca6416-keypad - convert to use devm_* api
        Input: tca6416-keypad - fix interrupt enable disbalance
        Input: tca6416-keypad - rely on I2C core to set up suspend/resume
        Input: tca6416-keypad - always expect proper IRQ number in i2c client
        Input: lm8323 - convert to use devm_* api
        Input: lm8323 - rely on device core to create kp_disable attribute
        Input: qt2160 - convert to use devm_* api
        Input: qt2160 - do not hard code interrupt trigger
        Input: qt2160 - switch to using threaded interrupt handler
        Input: qt2160 - tweak check for i2c adapter functionality
        Input: psmouse - add delay when deactivating for SMBus mode
        Input: mcs-touchkey - fix uninitialized use of error in mcs_touchkey_probe()
        Input: qt1070 - convert to use devm_* api
        Input: mcs-touchkey - convert to use devm_* api
        Input: amikbd - convert to use devm_* api
        Input: lm8333 - convert to use devm_* api
        Input: mms114 - add support for touch keys
        ...
      744a7594
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-6.6-rc1' of git://www.linux-watchdog.org/linux-watchdog · 29057cc5
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - add marvell GTI watchdog driver
      
       - add support for Amlogic-T7 SoCs
      
       - document the IPQ5018 watchdog compatible
      
       - enable COMPILE_TEST for more watchdog device drivers
      
       - core: stop watchdog when executing poweroff command
      
       - other small improvements and fixes
      
      * tag 'linux-watchdog-6.6-rc1' of git://www.linux-watchdog.org/linux-watchdog: (21 commits)
        watchdog: Add support for Amlogic-T7 SoCs
        watchdog: Add a new struct for Amlogic-GXBB driver
        dt-bindings: watchdog: Add support for Amlogic-T7 SoCs
        dt-bindings: watchdog: qcom-wdt: document IPQ5018
        watchdog: imx2_wdt: Improve dev_crit() message
        watchdog: stm32: Drop unnecessary of_match_ptr()
        watchdog: sama5d4: readout initial state
        watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
        watchdog: core: stop watchdog when executing poweroff command
        watchdog: pm8916_wdt: Remove redundant of_match_ptr()
        watchdog: xilinx_wwdt: Use div_u64() in xilinx_wwdt_start()
        watchdog: starfive: Remove #ifdef guards for PM related functions
        watchdog: s3c2410: Fix potential deadlock on &wdt->lock
        watchdog:rit_wdt: Add support for WDIOF_CARDRESET
        dt-bindings: watchdog: ti,rti-wdt: Add support for WDIOF_CARDRESET
        watchdog: Enable COMPILE_TEST for more drivers
        watchdog: advantech_ec_wdt: fix Kconfig dependencies
        watchdog: Explicitly include correct DT includes
        Watchdog: Add marvell GTI watchdog driver
        dt-bindings: watchdog: marvell GTI system watchdog driver
        ...
      29057cc5
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: Unbreak audit log reset · 9b5ba5c9
      Pablo Neira Ayuso authored
      Deliver audit log from __nf_tables_dump_rules(), table dereference at
      the end of the table list loop might point to the list head, leading to
      this crash.
      
      [ 4137.407349] BUG: unable to handle page fault for address: 00000000001f3c50
      [ 4137.407357] #PF: supervisor read access in kernel mode
      [ 4137.407359] #PF: error_code(0x0000) - not-present page
      [ 4137.407360] PGD 0 P4D 0
      [ 4137.407363] Oops: 0000 [#1] PREEMPT SMP PTI
      [ 4137.407365] CPU: 4 PID: 500177 Comm: nft Not tainted 6.5.0+ #277
      [ 4137.407369] RIP: 0010:string+0x49/0xd0
      [ 4137.407374] Code: ff 77 36 45 89 d1 31 f6 49 01 f9 66 45 85 d2 75 19 eb 1e 49 39 f8 76 02 88 07 48 83 c7 01 83 c6 01 48 83 c2 01 4c 39 cf 74 07 <0f> b6 02 84 c0 75 e2 4c 89 c2 e9 58 e5 ff ff 48 c7 c0 0e b2 ff 81
      [ 4137.407377] RSP: 0018:ffff8881179737f0 EFLAGS: 00010286
      [ 4137.407379] RAX: 00000000001f2c50 RBX: ffff888117973848 RCX: ffff0a00ffffff04
      [ 4137.407380] RDX: 00000000001f3c50 RSI: 0000000000000000 RDI: 0000000000000000
      [ 4137.407381] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffffffff
      [ 4137.407383] R10: ffffffffffffffff R11: ffff88813584d200 R12: 0000000000000000
      [ 4137.407384] R13: ffffffffa15cf709 R14: 0000000000000000 R15: ffffffffa15cf709
      [ 4137.407385] FS:  00007fcfc18bb580(0000) GS:ffff88840e700000(0000) knlGS:0000000000000000
      [ 4137.407387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 4137.407388] CR2: 00000000001f3c50 CR3: 00000001055b2001 CR4: 00000000001706e0
      [ 4137.407390] Call Trace:
      [ 4137.407392]  <TASK>
      [ 4137.407393]  ? __die+0x1b/0x60
      [ 4137.407397]  ? page_fault_oops+0x6b/0xa0
      [ 4137.407399]  ? exc_page_fault+0x60/0x120
      [ 4137.407403]  ? asm_exc_page_fault+0x22/0x30
      [ 4137.407408]  ? string+0x49/0xd0
      [ 4137.407410]  vsnprintf+0x257/0x4f0
      [ 4137.407414]  kvasprintf+0x3e/0xb0
      [ 4137.407417]  kasprintf+0x3e/0x50
      [ 4137.407419]  nf_tables_dump_rules+0x1c0/0x360 [nf_tables]
      [ 4137.407439]  ? __alloc_skb+0xc3/0x170
      [ 4137.407442]  netlink_dump+0x170/0x330
      [ 4137.407447]  __netlink_dump_start+0x227/0x300
      [ 4137.407449]  nf_tables_getrule+0x205/0x390 [nf_tables]
      
      Deliver audit log only once at the end of the rule dump+reset for
      consistency with the set dump+reset.
      
      Ensure audit reset access to table under rcu read side lock. The table
      list iteration holds rcu read lock side, but recent audit code
      dereferences table object out of the rcu read lock side.
      
      Fixes: ea078ae9 ("netfilter: nf_tables: Audit log rule reset")
      Fixes: 7e9be112 ("netfilter: nf_tables: Audit log setelem reset")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Acked-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      9b5ba5c9
    • Kyle Zeng's avatar
      netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c · 050d91c0
      Kyle Zeng authored
      The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can
      lead to the use of wrong `CIDR_POS(c)` for calculating array offsets,
      which can lead to integer underflow. As a result, it leads to slab
      out-of-bound access.
      This patch adds back the IP_SET_HASH_WITH_NET0 macro to
      ip_set_hash_netportnet to address the issue.
      
      Fixes: 886503f3 ("netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net")
      Suggested-by: default avatarJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: default avatarKyle Zeng <zengyhkyle@gmail.com>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      050d91c0
    • Pablo Neira Ayuso's avatar
      netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction · 2ee52ae9
      Pablo Neira Ayuso authored
      New elements in this transaction might expired before such transaction
      ends. Skip sync GC for such elements otherwise commit path might walk
      over an already released object. Once transaction is finished, async GC
      will collect such expired element.
      
      Fixes: f6c383b8 ("netfilter: nf_tables: adapt set backend to use GC transaction API")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      2ee52ae9
    • Phil Sutter's avatar
      netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID · fdc04cc2
      Phil Sutter authored
      Add a brief description to the enum's comment.
      
      Fixes: 837830a4 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute")
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      fdc04cc2
    • Wander Lairson Costa's avatar
      netfilter: nfnetlink_osf: avoid OOB read · f4f8a780
      Wander Lairson Costa authored
      The opt_num field is controlled by user mode and is not currently
      validated inside the kernel. An attacker can take advantage of this to
      trigger an OOB read and potentially leak information.
      
      BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
      Read of size 2 at addr ffff88804bc64272 by task poc/6431
      
      CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
      Call Trace:
       nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
       nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
       nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
       expr_call_ops_eval net/netfilter/nf_tables_core.c:214
       nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
       nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
       [..]
      
      Also add validation to genre, subtype and version fields.
      
      Fixes: 11eeef41 ("netfilter: passive OS fingerprint xtables match")
      Reported-by: default avatarLucas Leong <wmliang@infosec.exchange>
      Signed-off-by: default avatarWander Lairson Costa <wander@redhat.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      f4f8a780