1. 28 Mar, 2023 7 commits
  2. 27 Mar, 2023 11 commits
    • Ivan Orlov's avatar
      can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write · 2b4c99f7
      Ivan Orlov authored
      Syzkaller reported the following issue:
      
      =====================================================
      BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
      BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
       aio_rw_done fs/aio.c:1520 [inline]
       aio_write+0x899/0x950 fs/aio.c:1600
       io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
       __do_sys_io_submit fs/aio.c:2078 [inline]
       __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
       __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:766 [inline]
       slab_alloc_node mm/slub.c:3452 [inline]
       __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
       __do_kmalloc_node mm/slab_common.c:967 [inline]
       __kmalloc+0x11d/0x3b0 mm/slab_common.c:981
       kmalloc_array include/linux/slab.h:636 [inline]
       bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
       bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg net/socket.c:734 [inline]
       sock_write_iter+0x495/0x5e0 net/socket.c:1108
       call_write_iter include/linux/fs.h:2189 [inline]
       aio_write+0x63a/0x950 fs/aio.c:1600
       io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
       __do_sys_io_submit fs/aio.c:2078 [inline]
       __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
       __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
      =====================================================
      
      We can follow the call chain and find that 'bcm_tx_setup' function
      calls 'memcpy_from_msg' to copy some content to the newly allocated
      frame of 'op->frames'. After that the 'len' field of copied structure
      being compared with some constant value (64 or 8). However, if
      'memcpy_from_msg' returns an error, we will compare some uninitialized
      memory. This triggers 'uninit-value' issue.
      
      This patch will add 'memcpy_from_msg' possible errors processing to
      avoid uninit-value issue.
      
      Tested via syzkaller
      
      Reported-by: syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com
      Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089Signed-off-by: default avatarIvan Orlov <ivan.orlov0322@gmail.com>
      Fixes: 6f3b911d ("can: bcm: add support for CAN FD frames")
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Link: https://lore.kernel.org/all/20230314120445.12407-1-ivan.orlov0322@gmail.comSigned-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      2b4c99f7
    • Vladimir Oltean's avatar
      net: stmmac: don't reject VLANs when IFF_PROMISC is set · a7602e73
      Vladimir Oltean authored
      The blamed commit has introduced the following tests to
      dwmac4_add_hw_vlan_rx_fltr(), called from stmmac_vlan_rx_add_vid():
      
      	if (hw->promisc) {
      		netdev_err(dev,
      			   "Adding VLAN in promisc mode not supported\n");
      		return -EPERM;
      	}
      
      "VLAN promiscuous" mode is keyed in this driver to IFF_PROMISC, and so,
      vlan_vid_add() and vlan_vid_del() calls cannot take place in IFF_PROMISC
      mode. I have the following 2 arguments that this restriction is.... hm,
      how shall I put it nicely... unproductive :)
      
      First, take the case of a Linux bridge. If the kernel is compiled with
      CONFIG_BRIDGE_VLAN_FILTERING=y, then this bridge shall have a VLAN
      database. The bridge shall try to call vlan_add_vid() on its bridge
      ports for each VLAN in the VLAN table. It will do this irrespectively of
      whether that port is *currently* VLAN-aware or not. So it will do this
      even when the bridge was created with vlan_filtering 0.
      But the Linux bridge, in VLAN-unaware mode, configures its ports in
      promiscuous (IFF_PROMISC) mode, so that they accept packets with any
      MAC DA (a switch must do this in order to forward those packets which
      are not directly targeted to its MAC address).
      
      As a result, the stmmac driver does not work as a bridge port, when the
      kernel is compiled with CONFIG_BRIDGE_VLAN_FILTERING=y.
      
      $ ip link add br0 type bridge && ip link set br0 up
      $ ip link set eth0 master br0 && ip link set eth0 up
      [ 2333.943296] br0: port 1(eth0) entered blocking state
      [ 2333.943381] br0: port 1(eth0) entered disabled state
      [ 2333.943782] device eth0 entered promiscuous mode
      [ 2333.944080] 4033c000.ethernet eth0: Adding VLAN in promisc mode not supported
      [ 2333.976509] 4033c000.ethernet eth0: failed to initialize vlan filtering on this port
      RTNETLINK answers: Operation not permitted
      
      Secondly, take the case of stmmac as DSA master. Some switch tagging
      protocols are based on 802.1Q VLANs (tag_sja1105.c), and as such,
      tag_8021q.c uses vlan_vid_add() to work with VLAN-filtering DSA masters.
      But also, when a DSA port becomes promiscuous (for example when it joins
      a bridge), the DSA framework also makes the DSA master promiscuous.
      
      Moreover, for every VLAN that a DSA switch sends to the CPU, DSA also
      programs a VLAN filter on the DSA master, because if the the DSA switch
      uses a tail tag, then the hardware frame parser of the DSA master will
      see VLAN as VLAN, and might filter them out, for being unknown.
      
      Due to the above 2 reasons, my belief is that the stmmac driver does not
      get to choose to not accept vlan_vid_add() calls while IFF_PROMISC is
      enabled, because the 2 are completely independent and there are code
      paths in the network stack which directly lead to this situation
      occurring, without the user's direct input.
      
      In fact, my belief is that "VLAN promiscuous" mode should have never
      been keyed on IFF_PROMISC in the first place, but rather, on the
      NETIF_F_HW_VLAN_CTAG_FILTER feature flag which can be toggled by the
      user through ethtool -k, when present in netdev->hw_features.
      
      In the stmmac driver, NETIF_F_HW_VLAN_CTAG_FILTER is only present in
      "features", making this feature "on [fixed]".
      
      I have this belief because I am unaware of any definition of promiscuity
      which implies having an effect on anything other than MAC DA (therefore
      not VLAN). However, I seem to be rather alone in having this opinion,
      looking back at the disagreements from this discussion:
      https://lore.kernel.org/netdev/20201110153958.ci5ekor3o2ekg3ky@ipetronik.com/
      
      In any case, to remove the vlan_vid_add() dependency on !IFF_PROMISC,
      one would need to remove the check and see what fails. I guess the test
      was there because of the way in which dwmac4_vlan_promisc_enable() is
      implemented.
      
      For context, the dwmac4 supports Perfect Filtering for a limited number
      of VLANs - dwmac4_get_num_vlan(), priv->hw->num_vlan, with a fallback on
      Hash Filtering - priv->dma_cap.vlhash - see stmmac_vlan_update(), also
      visible in cat /sys/kernel/debug/stmmaceth/eth0/dma_cap | grep 'VLAN
      Hash Filtering'.
      
      The perfect filtering is based on MAC_VLAN_Tag_Filter/MAC_VLAN_Tag_Data
      registers, accessed in the driver through dwmac4_write_vlan_filter().
      
      The hash filtering is based on the MAC_VLAN_Hash_Table register, named
      GMAC_VLAN_HASH_TABLE in the driver and accessed by dwmac4_update_vlan_hash().
      The control bit for enabling hash filtering is GMAC_VLAN_VTHM
      (MAC_VLAN_Tag_Ctrl bit VTHM: VLAN Tag Hash Table Match Enable).
      
      Now, the description of dwmac4_vlan_promisc_enable() is that it iterates
      through the driver's cache of perfect filter entries (hw->vlan_filter[i],
      added by dwmac4_add_hw_vlan_rx_fltr()), and evicts them from hardware by
      unsetting their GMAC_VLAN_TAG_DATA_VEN (MAC_VLAN_Tag_Data bit VEN - VLAN
      Tag Enable) bit. Then it unsets the GMAC_VLAN_VTHM bit, which disables
      hash matching.
      
      This leaves the MAC, according to table "VLAN Match Status" from the
      documentation, to always enter these data paths:
      
      VID    |VLAN Perfect Filter |VTHM Bit |VLAN Hash Filter |Final VLAN Match
             |Match Result        |         |Match Result     |Status
      -------|--------------------|---------|-----------------|----------------
      VID!=0 |Fail                |0        |don't care       |Pass
      
      So, dwmac4_vlan_promisc_enable() does its job, but by unsetting
      GMAC_VLAN_VTHM, it conflicts with the other code path which controls
      this bit: dwmac4_update_vlan_hash(), called through stmmac_update_vlan_hash()
      from stmmac_vlan_rx_add_vid() and from stmmac_vlan_rx_kill_vid().
      This is, I guess, why dwmac4_add_hw_vlan_rx_fltr() is not allowed to run
      after dwmac4_vlan_promisc_enable() has unset GMAC_VLAN_VTHM: because if
      it did, then dwmac4_update_vlan_hash() would set GMAC_VLAN_VTHM again,
      breaking the "VLAN promiscuity".
      
      It turns out that dwmac4_vlan_promisc_enable() is way too complicated
      for what needs to be done. The MAC_Packet_Filter register also has the
      VTFE bit (VLAN Tag Filter Enable), which simply controls whether VLAN
      tagged packets which don't match the filtering tables (either perfect or
      hash) are dropped or not. At the moment, this driver unconditionally
      sets GMAC_PACKET_FILTER_VTFE if NETIF_F_HW_VLAN_CTAG_FILTER was detected
      through the priv->dma_cap.vlhash capability bits of the device, in
      stmmac_dvr_probe().
      
      I would suggest deleting the unnecessarily complex logic from
      dwmac4_vlan_promisc_enable(), and simply unsetting GMAC_PACKET_FILTER_VTFE
      when becoming IFF_PROMISC, which has the same effect of allowing packets
      with any VLAN tags, but has the additional benefit of being able to run
      concurrently with stmmac_vlan_rx_add_vid() and stmmac_vlan_rx_kill_vid().
      
      As much as I believe that the VTFE bit should have been exclusively
      controlled by NETIF_F_HW_VLAN_CTAG_FILTER through ethtool, and not by
      IFF_PROMISC, changing that is not a punctual fix to the problem, and it
      would probably break the VFFQ feature added by the later commit
      e0f9956a ("net: stmmac: Add option for VLAN filter fail queue
      enable"). From the commit description, VFFQ needs IFF_PROMISC=on and
      VTFE=off in order to work (and this change respects that). But if VTFE
      was changed to be controlled through ethtool -k, then a user-visible
      change would have been introduced in Intel's scripts (a need to run
      "ethtool -k eth0 rx-vlan-filter off" which did not exist before).
      
      The patch was tested with this set of commands:
      
        ip link set eth0 up
        ip link add link eth0 name eth0.100 type vlan id 100
        ip addr add 192.168.100.2/24 dev eth0.100 && ip link set eth0.100 up
        ip link set eth0 promisc on
        ip link add link eth0 name eth0.101 type vlan id 101
        ip addr add 192.168.101.2/24 dev eth0.101 && ip link set eth0.101 up
        ip link set eth0 promisc off
        ping -c 5 192.168.100.1
        ping -c 5 192.168.101.1
        ip link set eth0 promisc on
        ping -c 5 192.168.100.1
        ping -c 5 192.168.101.1
        ip link del eth0.100
        ip link del eth0.101
        # Wait for VLAN-tagged pings from the other end...
        # Check with "tcpdump -i eth0 -e -n -p" and we should see them
        ip link set eth0 promisc off
        # Wait for VLAN-tagged pings from the other end...
        # Check with "tcpdump -i eth0 -e -n -p" and we shouldn't see them
        # anymore, but remove the "-p" argument from tcpdump and they're there.
      
      Fixes: c89f44ff ("net: stmmac: Add support for VLAN promiscuous mode")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7602e73
    • Oleksij Rempel's avatar
      can: j1939: prevent deadlock by moving j1939_sk_errqueue() · d1366b28
      Oleksij Rempel authored
      This commit addresses a deadlock situation that can occur in certain
      scenarios, such as when running data TP/ETP transfer and subscribing to
      the error queue while receiving a net down event. The deadlock involves
      locks in the following order:
      
      3
        j1939_session_list_lock ->  active_session_list_lock
        j1939_session_activate
        ...
        j1939_sk_queue_activate_next -> sk_session_queue_lock
        ...
        j1939_xtp_rx_eoma_one
      
      2
        j1939_sk_queue_drop_all  ->  sk_session_queue_lock
        ...
        j1939_sk_netdev_event_netdown -> j1939_socks_lock
        j1939_netdev_notify
      
      1
        j1939_sk_errqueue -> j1939_socks_lock
        __j1939_session_cancel -> active_session_list_lock
        j1939_tp_rxtimer
      
             CPU0                    CPU1
             ----                    ----
        lock(&priv->active_session_list_lock);
                                     lock(&jsk->sk_session_queue_lock);
                                     lock(&priv->active_session_list_lock);
        lock(&priv->j1939_socks_lock);
      
      The solution implemented in this commit is to move the
      j1939_sk_errqueue() call out of the active_session_list_lock context,
      thus preventing the deadlock situation.
      
      Reported-by: syzbot+ee1cd780f69483a8616b@syzkaller.appspotmail.com
      Fixes: 5b9272e9 ("can: j1939: extend UAPI to notify about RX status")
      Co-developed-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/all/20230324130141.2132787-1-o.rempel@pengutronix.de
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      d1366b28
    • Álvaro Fernández Rojas's avatar
      net: dsa: b53: mmap: add phy ops · 45977e58
      Álvaro Fernández Rojas authored
      Implement phy_read16() and phy_write16() ops for B53 MMAP to avoid accessing
      B53_PORT_MII_PAGE registers which hangs the device.
      This access should be done through the MDIO Mux bus controller.
      Signed-off-by: default avatarÁlvaro Fernández Rojas <noltari@gmail.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45977e58
    • Oleksij Rempel's avatar
      net: phy: micrel: correct KSZ9131RNX EEE capabilities and advertisement · f2e9d083
      Oleksij Rempel authored
      The KSZ9131RNX incorrectly shows EEE capabilities in its registers.
      Although the "EEE control and capability 1" (Register 3.20) is set to 0,
      indicating no EEE support, the "EEE advertisement 1" (Register 7.60) is
      set to 0x6, advertising EEE support for 1000BaseT/Full and
      100BaseT/Full.
      This inconsistency causes PHYlib to assume there is no EEE support,
      preventing control over EEE advertisement, which is enabled by default.
      
      This patch resolves the issue by utilizing the ksz9477_get_features()
      function to correctly set the EEE capabilities for the KSZ9131RNX. This
      adjustment allows proper control over EEE advertisement and ensures
      accurate representation of the device's capabilities.
      
      Fixes: 8b68710a ("net: phy: start using genphy_c45_ethtool_get/set_eee()")
      Reported-by: default avatarMarek Vasut <marex@denx.de>
      Tested-by: default avatarMarek Vasut <marex@denx.de>
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2e9d083
    • Stefano Garzarella's avatar
      vsock/loopback: use only sk_buff_head.lock to protect the packet queue · b465518d
      Stefano Garzarella authored
      pkt_list_lock was used before commit 71dc9ec9 ("virtio/vsock:
      replace virtio_vsock_pkt with sk_buff") to protect the packet queue.
      After that commit we switched to sk_buff and we are using
      sk_buff_head.lock in almost every place to protect the packet queue
      except in vsock_loopback_work() when we call skb_queue_splice_init().
      
      As reported by syzbot, this caused unlocked concurrent access to the
      packet queue between vsock_loopback_work() and
      vsock_loopback_cancel_pkt() since it is not holding pkt_list_lock.
      
      With the introduction of sk_buff_head, pkt_list_lock is redundant and
      can cause confusion, so let's remove it and use sk_buff_head.lock
      everywhere to protect the packet queue access.
      
      Fixes: 71dc9ec9 ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
      Cc: bobby.eshleman@bytedance.com
      Reported-and-tested-by: syzbot+befff0a9536049e7902e@syzkaller.appspotmail.com
      Signed-off-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Reviewed-by: default avatarBobby Eshleman <bobby.eshleman@bytedance.com>
      Reviewed-by: default avatarArseniy Krasnov <AVKrasnov@sberdevices.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b465518d
    • David S. Miller's avatar
      Merge branch 'constify-sfp-phy-nodes' · 62203584
      David S. Miller authored
      Russell King says:
      
      ====================
      Constify a few sfp/phy fwnodes
      
      This series constifies a bunch of fwnode_handle pointers that are only
      used to refer to but not modify the contents of the fwnode structures.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62203584
    • Russell King (Oracle)'s avatar
      net: phy: constify fwnode_get_phy_node() fwnode argument · 4a0faa02
      Russell King (Oracle) authored
      fwnode_get_phy_node() does not motify the fwnode structure, so make
      the argument const,
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4a0faa02
    • Russell King (Oracle)'s avatar
      net: sfp: constify sfp-bus internal fwnode uses · 850a8d2d
      Russell King (Oracle) authored
      Constify sfp-bus internal fwnode uses, since we do not modify the
      fwnode structures.
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      850a8d2d
    • Russell King (Oracle)'s avatar
      net: sfp: make sfp_bus_find_fwnode() take a const fwnode · a90ac762
      Russell King (Oracle) authored
      sfp_bus_find_fwnode() does not write to the fwnode, so let's make it
      const.
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a90ac762
    • Faicker Mo's avatar
      net/net_failover: fix txq exceeding warning · e3cbdcb0
      Faicker Mo authored
      The failover txq is inited as 16 queues.
      when a packet is transmitted from the failover device firstly,
      the failover device will select the queue which is returned from
      the primary device if the primary device is UP and running.
      If the primary device txq is bigger than the default 16,
      it can lead to the following warning:
      eth0 selects TX queue 18, but real number of TX queues is 16
      
      The warning backtrace is:
      [   32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G            E      6.2.8-1.el7.centos.x86_64 #1
      [   32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014
      [   32.147730] Call Trace:
      [   32.147971]  <TASK>
      [   32.148183]  dump_stack_lvl+0x48/0x70
      [   32.148514]  dump_stack+0x10/0x20
      [   32.148820]  netdev_core_pick_tx+0xb1/0xe0
      [   32.149180]  __dev_queue_xmit+0x529/0xcf0
      [   32.149533]  ? __check_object_size.part.0+0x21c/0x2c0
      [   32.149967]  ip_finish_output2+0x278/0x560
      [   32.150327]  __ip_finish_output+0x1fe/0x2f0
      [   32.150690]  ip_finish_output+0x2a/0xd0
      [   32.151032]  ip_output+0x7a/0x110
      [   32.151337]  ? __pfx_ip_finish_output+0x10/0x10
      [   32.151733]  ip_local_out+0x5e/0x70
      [   32.152054]  ip_send_skb+0x19/0x50
      [   32.152366]  udp_send_skb.isra.0+0x163/0x3a0
      [   32.152736]  udp_sendmsg+0xba8/0xec0
      [   32.153060]  ? __folio_memcg_unlock+0x25/0x60
      [   32.153445]  ? __pfx_ip_generic_getfrag+0x10/0x10
      [   32.153854]  ? sock_has_perm+0x85/0xa0
      [   32.154190]  inet_sendmsg+0x6d/0x80
      [   32.154508]  ? inet_sendmsg+0x6d/0x80
      [   32.154838]  sock_sendmsg+0x62/0x70
      [   32.155152]  ____sys_sendmsg+0x134/0x290
      [   32.155499]  ___sys_sendmsg+0x81/0xc0
      [   32.155828]  ? _get_random_bytes.part.0+0x79/0x1a0
      [   32.156240]  ? ip4_datagram_release_cb+0x5f/0x1e0
      [   32.156649]  ? get_random_u16+0x69/0xf0
      [   32.156989]  ? __fget_light+0xcf/0x110
      [   32.157326]  __sys_sendmmsg+0xc4/0x210
      [   32.157657]  ? __sys_connect+0xb7/0xe0
      [   32.157995]  ? __audit_syscall_entry+0xce/0x140
      [   32.158388]  ? syscall_trace_enter.isra.0+0x12c/0x1a0
      [   32.158820]  __x64_sys_sendmmsg+0x24/0x30
      [   32.159171]  do_syscall_64+0x38/0x90
      [   32.159493]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      Fix that by reducing txq number as the non-existent primary-dev does.
      
      Fixes: cfc80d9a ("net: Introduce net_failover driver")
      Signed-off-by: default avatarFaicker Mo <faicker.mo@ucloud.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3cbdcb0
  3. 25 Mar, 2023 11 commits
  4. 24 Mar, 2023 6 commits
    • Josua Mayer's avatar
      net: phy: dp83869: fix default value for tx-/rx-internal-delay · 82e2c39f
      Josua Mayer authored
      dp83869 internally uses a look-up table for mapping supported delays in
      nanoseconds to register values.
      When specific delays are defined in device-tree, phy_get_internal_delay
      does the lookup automatically returning an index.
      
      The default case wrongly assigns the nanoseconds value from the lookup
      table, resulting in numeric value 2000 applied to delay configuration
      register, rather than the expected index values 0-7 (7 for 2000).
      Ultimately this issue broke RX for 1Gbps links.
      
      Fix default delay configuration by assigning the intended index value
      directly.
      
      Cc: stable@vger.kernel.org
      Fixes: 736b25af ("net: dp83869: Add RGMII internal delay configuration")
      Co-developed-by: default avatarYazan Shhady <yazan.shhady@solid-run.com>
      Signed-off-by: default avatarYazan Shhady <yazan.shhady@solid-run.com>
      Signed-off-by: default avatarJosua Mayer <josua@solid-run.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230323102536.31988-1-josua@solid-run.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      82e2c39f
    • Íñigo Huguet's avatar
      sfc: ef10: don't overwrite offload features at NIC reset · ca4a80e4
      Íñigo Huguet authored
      At NIC reset, some offload features related to encapsulated traffic
      might have changed (this mainly happens if the firmware-variant is
      changed with the sfboot userspace tool). Because of this, features are
      checked and set again at reset time.
      
      However, this was not done right, and some features were improperly
      overwritten at NIC reset:
      - Tunneled IPv6 segmentation was always disabled
      - Features disabled with ethtool were reenabled
      - Features that becomes unsupported after the reset were not disabled
      
      Also, checking if the device supports IPV6_CSUM to enable TSO6 is no
      longer necessary because all currently supported devices support it.
      Additionally, move the assignment of some other features to the
      EF10_OFFLOAD_FEATURES macro, like it is done in ef100, leaving the
      selection of features in efx_pci_probe_post_io a bit cleaner.
      
      Fixes: ffffd245 ("sfc: correctly advertise tunneled IPv6 segmentation")
      Fixes: 24b2c375 ("sfc: advertise encapsulated offloads on EF10")
      Reported-by: default avatarTianhao Zhao <tizhao@redhat.com>
      Suggested-by: default avatarJonathan Cooper <jonathan.s.cooper@amd.com>
      Tested-by: default avatarJonathan Cooper <jonathan.s.cooper@amd.com>
      Signed-off-by: default avatarÍñigo Huguet <ihuguet@redhat.com>
      Acked-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/20230323083417.7345-1-ihuguet@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ca4a80e4
    • Jiawen Wu's avatar
      net: wangxun: Fix vector length of interrupt cause · 59513714
      Jiawen Wu authored
      There is 64-bit interrupt cause register for txgbe. Fix to clear upper
      32 bits.
      
      Fixes: 3f703186 ("net: libwx: Add irq flow functions")
      Signed-off-by: default avatarJiawen Wu <jiawenwu@trustnetic.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/20230322103632.132011-1-jiawenwu@trustnetic.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      59513714
    • Linus Torvalds's avatar
      Merge tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 608f1b13
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, wifi and bluetooth.
      
        Current release - regressions:
      
         - wifi: mt76: mt7915: add back 160MHz channel width support for
           MT7915
      
         - libbpf: revert poisoning of strlcpy, it broke uClibc-ng
      
        Current release - new code bugs:
      
         - bpf: improve the coverage of the "allow reads from uninit stack"
           feature to fix verification complexity problems
      
         - eth: am65-cpts: reset PPS genf adj settings on enable
      
        Previous releases - regressions:
      
         - wifi: mac80211: serialize ieee80211_handle_wake_tx_queue()
      
         - wifi: mt76: do not run mt76_unregister_device() on unregistered hw,
           fix null-deref
      
         - Bluetooth: btqcomsmd: fix command timeout after setting BD address
      
         - eth: igb: revert rtnl_lock() that causes a deadlock
      
         - dsa: mscc: ocelot: fix device specific statistics
      
        Previous releases - always broken:
      
         - xsk: add missing overflow check in xdp_umem_reg()
      
         - wifi: mac80211:
            - fix QoS on mesh interfaces
            - fix mesh path discovery based on unicast packets
      
         - Bluetooth:
            - ISO: fix timestamped HCI ISO data packet parsing
            - remove "Power-on" check from Mesh feature
      
         - usbnet: more fixes to drivers trusting packet length
      
         - wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
      
         - Bluetooth: btintel: iterate only bluetooth device ACPI entries
      
         - eth: iavf: fix inverted Rx hash condition leading to disabled hash
      
         - eth: igc: fix the validation logic for taprio's gate list
      
         - dsa: tag_brcm: legacy: fix daisy-chained switches
      
        Misc:
      
         - bpf: adjust insufficient default bpf_jit_limit to account for
           growth of BPF use over the last 5 years
      
         - xdp: bpf_xdp_metadata() use EOPNOTSUPP as unique errno indicating
           no driver support"
      
      * tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        Bluetooth: HCI: Fix global-out-of-bounds
        Bluetooth: mgmt: Fix MGMT add advmon with RSSI command
        Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
        Bluetooth: L2CAP: Fix responding with wrong PDU type
        Bluetooth: btqcomsmd: Fix command timeout after setting BD address
        Bluetooth: btinel: Check ACPI handle for NULL before accessing
        net: mdio: thunder: Add missing fwnode_handle_put()
        net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII case
        net: dsa: mt7530: move lowering TRGMII driving to mt7530_setup()
        net: dsa: mt7530: move enabling disabling core clock to mt7530_pll_setup()
        net: asix: fix modprobe "sysfs: cannot create duplicate filename"
        gve: Cache link_speed value from device
        tools: ynl: Fix genlmsg header encoding formats
        net: enetc: fix aggregate RMON counters not showing the ranges
        Bluetooth: Remove "Power-on" check from Mesh feature
        Bluetooth: Fix race condition in hci_cmd_sync_clear
        Bluetooth: btintel: Iterate only bluetooth device ACPI entries
        Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
        Bluetooth: btusb: Remove detection of ISO packets over bulk
        Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet
        ...
      608f1b13
    • Linus Torvalds's avatar
      Merge tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 28506304
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A few more fixes, the zoned accounting fix is spread across a few
        patches, preparatory and the actual fixes:
      
         - zoned mode:
            - fix accounting of unusable zone space
            - fix zone activation condition for DUP profile
            - preparatory patches
      
         - improved error handling of missing chunks
      
         - fix compiler warning"
      
      * tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: zoned: drop space_info->active_total_bytes
        btrfs: zoned: count fresh BG region as zone unusable
        btrfs: use temporary variable for space_info in btrfs_update_block_group
        btrfs: rename BTRFS_FS_NO_OVERCOMMIT to BTRFS_FS_ACTIVE_ZONE_TRACKING
        btrfs: zoned: fix btrfs_can_activate_zone() to support DUP profile
        btrfs: fix compiler warning on SPARC/PA-RISC handling fscrypt_setup_filename
        btrfs: handle missing chunk mapping more gracefully
      28506304
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 6dd74c51
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Four small fixes, three in drivers.
      
        The core fix adds a UFS device to an existing quirk to avoid a huge
        delay on boot"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
        scsi: qla2xxx: Synchronize the IOCB count to be in order
        scsi: qla2xxx: Perform lockless command completion in abort path
        scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
      6dd74c51
  5. 23 Mar, 2023 5 commits
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 1b4ae19e
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-03-23
      
      We've added 8 non-merge commits during the last 13 day(s) which contain
      a total of 21 files changed, 238 insertions(+), 161 deletions(-).
      
      The main changes are:
      
      1) Fix verification issues in some BPF programs due to their stack usage
         patterns, from Eduard Zingerman.
      
      2) Fix to add missing overflow checks in xdp_umem_reg and return an error
         in such case, from Kal Conley.
      
      3) Fix and undo poisoning of strlcpy in libbpf given it broke builds for
         libcs which provided the former like uClibc-ng, from Jesus Sanchez-Palencia.
      
      4) Fix insufficient bpf_jit_limit default to avoid users running into hard
         to debug seccomp BPF errors, from Daniel Borkmann.
      
      5) Fix driver return code when they don't support a bpf_xdp_metadata kfunc
         to make it unambiguous from other errors, from Jesper Dangaard Brouer.
      
      6) Two BPF selftest fixes to address compilation errors from recent changes
         in kernel structures, from Alexei Starovoitov.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        xdp: bpf_xdp_metadata use EOPNOTSUPP for no driver support
        bpf: Adjust insufficient default bpf_jit_limit
        xsk: Add missing overflow check in xdp_umem_reg
        selftests/bpf: Fix progs/test_deny_namespace.c issues.
        selftests/bpf: Fix progs/find_vma_fail1.c build error.
        libbpf: Revert poisoning of strlcpy
        selftests/bpf: Tests for uninitialized stack reads
        bpf: Allow reads from uninit stack
      ====================
      
      Link: https://lore.kernel.org/r/20230323225221.6082-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1b4ae19e
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 2e63a2df
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix MGMT add advmon with RSSI command
       - L2CAP: Fix responding with wrong PDU type
       - Fix race condition in hci_cmd_sync_clear
       - ISO: Fix timestamped HCI ISO data packet parsing
       - HCI: Fix global-out-of-bounds
       - hci_sync: Resume adv with no RPA when active scan
      
      * tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: HCI: Fix global-out-of-bounds
        Bluetooth: mgmt: Fix MGMT add advmon with RSSI command
        Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
        Bluetooth: L2CAP: Fix responding with wrong PDU type
        Bluetooth: btqcomsmd: Fix command timeout after setting BD address
        Bluetooth: btinel: Check ACPI handle for NULL before accessing
        Bluetooth: Remove "Power-on" check from Mesh feature
        Bluetooth: Fix race condition in hci_cmd_sync_clear
        Bluetooth: btintel: Iterate only bluetooth device ACPI entries
        Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
        Bluetooth: btusb: Remove detection of ISO packets over bulk
        Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet
        Bluetooth: hci_sync: Resume adv with no RPA when active scan
      ====================
      
      Link: https://lore.kernel.org/r/20230323202335.3380841-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2e63a2df
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 4f44d326
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.3
      
      Third set of fixes for v6.3. mt76 has two kernel crash fixes and
      adding back 160 MHz channel support for mt7915. mac80211 has fixes for
      a race in transmit path and two mesh related fixes. iwlwifi also has
      fixes for races.
      
      * tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: mac80211: fix mesh path discovery based on unicast packets
        wifi: mac80211: fix qos on mesh interfaces
        wifi: iwlwifi: mvm: protect TXQ list manipulation
        wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
        wifi: mac80211: Serialize ieee80211_handle_wake_tx_queue()
        wifi: mwifiex: mark OF related data as maybe unused
        wifi: mt76: connac: do not check WED status for non-mmio devices
        wifi: mt76: mt7915: add back 160MHz channel width support for MT7915
        wifi: mt76: do not run mt76_unregister_device() on unregistered hw
      ====================
      
      Link: https://lore.kernel.org/r/20230323110332.C4FE4C433D2@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f44d326
    • Linus Torvalds's avatar
      Merge tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · 1e760fa3
      Linus Torvalds authored
      Pull gfs2 fix from Andreas Gruenbacher:
      
       - Reinstate commit 970343cd ("GFS2: free disk inode which is
         deleted by remote node -V2") as reverting that commit could cause
         gfs2_put_super() to hang.
      
      * tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        Reinstate "GFS2: free disk inode which is deleted by remote node -V2"
      1e760fa3
    • Sungwoo Kim's avatar
      Bluetooth: HCI: Fix global-out-of-bounds · bce56405
      Sungwoo Kim authored
      To loop a variable-length array, hci_init_stage_sync(stage) considers
      that stage[i] is valid as long as stage[i-1].func is valid.
      Thus, the last element of stage[].func should be intentionally invalid
      as hci_init0[], le_init2[], and others did.
      However, amp_init1[] and amp_init2[] have no invalid element, letting
      hci_init_stage_sync() keep accessing amp_init1[] over its valid range.
      This patch fixes this by adding {} in the last of amp_init1[] and
      amp_init2[].
      
      ==================================================================
      BUG: KASAN: global-out-of-bounds in hci_dev_open_sync (
      /v6.2-bzimage/net/bluetooth/hci_sync.c:3154
      /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032
      CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
      Workqueue: hci1 hci_power_on
      Call Trace:
       <TASK>
      dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))
      print_report (/v6.2-bzimage/mm/kasan/report.c:307
        /v6.2-bzimage/mm/kasan/report.c:417)
      ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      kasan_report (/v6.2-bzimage/mm/kasan/report.c:184
        /v6.2-bzimage/mm/kasan/report.c:519)
      ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)
      ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190
        /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443
        /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781
        /v6.2-bzimage/kernel/locking/mutex.c:171
        /v6.2-bzimage/kernel/locking/mutex.c:285)
      ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
      hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485
        /v6.2-bzimage/net/bluetooth/hci_core.c:984)
      ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)
      ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
      ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62
        /v6.2-bzimage/lib/string.c:161)
      process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)
      worker_thread (/v6.2-bzimage/./include/linux/list.h:292
        /v6.2-bzimage/kernel/workqueue.c:2437)
      ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
      kthread (/v6.2-bzimage/kernel/kthread.c:376)
      ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)
      ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)
       </TASK>
      The buggy address belongs to the variable:
      amp_init1+0x30/0x60
      The buggy address belongs to the physical page:
      page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia
      flags: 0x200000000001000(reserved|node=0|zone=2)
      raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
      raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
       ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      >ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
                                                                   ^
       ffffffffaed1ab80: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 f9
       ffffffffaed1ac00: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9
      
      This bug is found by FuzzBT, a modified version of Syzkaller.
      Other contributors for this bug are Ruoyu Wu and Peng Hui.
      
      Fixes: d0b13706 ("Bluetooth: hci_sync: Rework init stages")
      Signed-off-by: default avatarSungwoo Kim <iam@sung-woo.kim>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      bce56405