1. 27 May, 2024 12 commits
    • Willem de Bruijn's avatar
      net: gro: initialize network_offset in network layer · be008726
      Willem de Bruijn authored
      Syzkaller was able to trigger
      
          kernel BUG at net/core/gro.c:424 !
          RIP: 0010:gro_pull_from_frag0 net/core/gro.c:424 [inline]
          RIP: 0010:gro_try_pull_from_frag0 net/core/gro.c:446 [inline]
          RIP: 0010:dev_gro_receive+0x242f/0x24b0 net/core/gro.c:571
      
      Due to using an incorrect NAPI_GRO_CB(skb)->network_offset.
      
      The referenced commit sets this offset to 0 in skb_gro_reset_offset.
      That matches the expected case in dev_gro_receive:
      
              pp = INDIRECT_CALL_INET(ptype->callbacks.gro_receive,
                                      ipv6_gro_receive, inet_gro_receive,
                                      &gro_list->list, skb);
      
      But syzkaller injected an skb with protocol ETH_P_TEB into an ip6gre
      device (by writing the IP6GRE encapsulated version to a TAP device).
      The result was a first call to eth_gro_receive, and thus an extra
      ETH_HLEN in network_offset that should not be there. First issue hit
      is when computing offset from network header in ipv6_gro_pull_exthdrs.
      
      Initialize both offsets in the network layer gro_receive.
      
      This pairs with all reads in gro_receive, which use
      skb_gro_receive_network_offset().
      
      Fixes: 186b1ea7 ("net: gro: use cb instead of skb->network_header")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      CC: Richard Gobert <richardbgobert@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240523141434.1752483-1-willemdebruijn.kernel@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      be008726
    • Ido Schimmel's avatar
      ipv4: Fix address dump when IPv4 is disabled on an interface · 7b05ab85
      Ido Schimmel authored
      Cited commit started returning an error when user space requests to dump
      the interface's IPv4 addresses and IPv4 is disabled on the interface.
      Restore the previous behavior and do not return an error.
      
      Before cited commit:
      
       # ip address show dev dummy1
       10: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
           link/ether e2:40:68:98:d0:18 brd ff:ff:ff:ff:ff:ff
           inet6 fe80::e040:68ff:fe98:d018/64 scope link proto kernel_ll
              valid_lft forever preferred_lft forever
       # ip link set dev dummy1 mtu 67
       # ip address show dev dummy1
       10: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 67 qdisc noqueue state UNKNOWN group default qlen 1000
           link/ether e2:40:68:98:d0:18 brd ff:ff:ff:ff:ff:ff
      
      After cited commit:
      
       # ip address show dev dummy1
       10: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
           link/ether 32:2d:69:f2:9c:99 brd ff:ff:ff:ff:ff:ff
           inet6 fe80::302d:69ff:fef2:9c99/64 scope link proto kernel_ll
              valid_lft forever preferred_lft forever
       # ip link set dev dummy1 mtu 67
       # ip address show dev dummy1
       RTNETLINK answers: No such device
       Dump terminated
      
      With this patch:
      
       # ip address show dev dummy1
       10: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
           link/ether de:17:56:bb:57:c0 brd ff:ff:ff:ff:ff:ff
           inet6 fe80::dc17:56ff:febb:57c0/64 scope link proto kernel_ll
              valid_lft forever preferred_lft forever
       # ip link set dev dummy1 mtu 67
       # ip address show dev dummy1
       10: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 67 qdisc noqueue state UNKNOWN group default qlen 1000
           link/ether de:17:56:bb:57:c0 brd ff:ff:ff:ff:ff:ff
      
      I fixed the exact same issue for IPv6 in commit c04f7dfe ("ipv6: Fix
      address dump when IPv6 is disabled on an interface"), but noted [1] that
      I am not doing the change for IPv4 because I am not aware of a way to
      disable IPv4 on an interface other than unregistering it. I clearly
      missed the above case.
      
      [1] https://lore.kernel.org/netdev/20240321173042.2151756-1-idosch@nvidia.com/
      
      Fixes: cdb2f80f ("inet: use xa_array iterator to implement inet_dump_ifaddr()")
      Reported-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reported-by: default avatarYamen Safadi <ysafadi@nvidia.com>
      Tested-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20240523110257.334315-1-idosch@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7b05ab85
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 2786ae33
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2024-05-27
      
      We've added 15 non-merge commits during the last 7 day(s) which contain
      a total of 18 files changed, 583 insertions(+), 55 deletions(-).
      
      The main changes are:
      
      1) Fix broken BPF multi-uprobe PID filtering logic which filtered by thread
         while the promise was to filter by process, from Andrii Nakryiko.
      
      2) Fix the recent influx of syzkaller reports to sockmap which triggered
         a locking rule violation by performing a map_delete, from Jakub Sitnicki.
      
      3) Fixes to netkit driver in particular on skb->pkt_type override upon pass
         verdict, from Daniel Borkmann.
      
      4) Fix an integer overflow in resolve_btfids which can wrongly trigger build
         failures, from Friedrich Vock.
      
      5) Follow-up fixes for ARC JIT reported by static analyzers,
         from Shahab Vahedi.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: Cover verifier checks for mutating sockmap/sockhash
        Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem"
        bpf: Allow delete from sockmap/sockhash only if update is allowed
        selftests/bpf: Add netkit test for pkt_type
        selftests/bpf: Add netkit tests for mac address
        netkit: Fix pkt_type override upon netkit pass verdict
        netkit: Fix setting mac address in l2 mode
        ARC, bpf: Fix issues reported by the static analyzers
        selftests/bpf: extend multi-uprobe tests with USDTs
        selftests/bpf: extend multi-uprobe tests with child thread case
        libbpf: detect broken PID filtering logic for multi-uprobe
        bpf: remove unnecessary rcu_read_{lock,unlock}() in multi-uprobe attach logic
        bpf: fix multi-uprobe PID filtering logic
        bpf: Fix potential integer overflow in resolve_btfids
        MAINTAINERS: Add myself as reviewer of ARM64 BPF JIT
      ====================
      
      Link: https://lore.kernel.org/r/20240527203551.29712-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2786ae33
    • Jakub Sitnicki's avatar
      selftests/bpf: Cover verifier checks for mutating sockmap/sockhash · a63bf556
      Jakub Sitnicki authored
      Verifier enforces that only certain program types can mutate sock{map,hash}
      maps, that is update it or delete from it. Add test coverage for these
      checks so we don't regress.
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-3-944b372f2101@cloudflare.com
      a63bf556
    • Jakub Sitnicki's avatar
      Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem" · 3b9ce049
      Jakub Sitnicki authored
      This reverts commit ff910599.
      
      This check is no longer needed. BPF programs attached to tracepoints are
      now rejected by the verifier when they attempt to delete from a
      sockmap/sockhash maps.
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-2-944b372f2101@cloudflare.com
      3b9ce049
    • Jakub Sitnicki's avatar
      bpf: Allow delete from sockmap/sockhash only if update is allowed · 98e948fb
      Jakub Sitnicki authored
      We have seen an influx of syzkaller reports where a BPF program attached to
      a tracepoint triggers a locking rule violation by performing a map_delete
      on a sockmap/sockhash.
      
      We don't intend to support this artificial use scenario. Extend the
      existing verifier allowed-program-type check for updating sockmap/sockhash
      to also cover deleting from a map.
      
      From now on only BPF programs which were previously allowed to update
      sockmap/sockhash can delete from these map types.
      
      Fixes: ff910599 ("bpf, sockmap: Prevent lock inversion deadlock in map delete elem")
      Reported-by: default avatarTetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Reported-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Tested-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Closes: https://syzkaller.appspot.com/bug?extid=ec941d6e24f633a59172
      Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-1-944b372f2101@cloudflare.com
      98e948fb
    • Parthiban Veerasooran's avatar
      net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM · 52a2f060
      Parthiban Veerasooran authored
      LED Select (LED_SEL) bit in the LED General Purpose IO Configuration
      register is used to determine the functionality of external LED pins
      (Speed Indicator, Link and Activity Indicator, Full Duplex Link
      Indicator). The default value for this bit is 0 when no EEPROM is
      present. If a EEPROM is present, the default value is the value of the
      LED Select bit in the Configuration Flags of the EEPROM. A USB Reset or
      Lite Reset (LRST) will cause this bit to be restored to the image value
      last loaded from EEPROM, or to be set to 0 if no EEPROM is present.
      
      While configuring the dual purpose GPIO/LED pins to LED outputs in the
      LED General Purpose IO Configuration register, the LED_SEL bit is changed
      as 0 and resulting the configured value from the EEPROM is cleared. The
      issue is fixed by using read-modify-write approach.
      
      Fixes: f293501c ("smsc95xx: configure LED outputs")
      Signed-off-by: default avatarParthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Reviewed-by: default avatarWoojung Huh <woojung.huh@microchip.com>
      Link: https://lore.kernel.org/r/20240523085314.167650-1-Parthiban.Veerasooran@microchip.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      52a2f060
    • Hariprasad Kelam's avatar
      Octeontx2-pf: Free send queue buffers incase of leaf to inner · 16848421
      Hariprasad Kelam authored
      There are two type of classes. "Leaf classes" that are  the
      bottom of the class hierarchy. "Inner classes" that are neither
      the root class nor leaf classes. QoS rules can only specify leaf
      classes as targets for traffic.
      
      			 Root
      		        /  \
      		       /    \
                            1      2
                                   /\
                                  /  \
                                 4    5
                     classes 1,4 and 5 are leaf classes.
                     class 2 is a inner class.
      
      When a leaf class made as inner, or vice versa, resources associated
      with send queue (send queue buffers and transmit schedulers) are not
      getting freed.
      
      Fixes: 5e6808b4 ("octeontx2-pf: Add support for HTB offload")
      Signed-off-by: default avatarHariprasad Kelam <hkelam@marvell.com>
      Link: https://lore.kernel.org/r/20240523073626.4114-1-hkelam@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      16848421
    • Kuniyuki Iwashima's avatar
      af_unix: Read sk->sk_hash under bindlock during bind(). · 51d1b25a
      Kuniyuki Iwashima authored
      syzkaller reported data-race of sk->sk_hash in unix_autobind() [0],
      and the same ones exist in unix_bind_bsd() and unix_bind_abstract().
      
      The three bind() functions prefetch sk->sk_hash locklessly and
      use it later after validating that unix_sk(sk)->addr is NULL under
      unix_sk(sk)->bindlock.
      
      The prefetched sk->sk_hash is the hash value of unbound socket set
      in unix_create1() and does not change until bind() completes.
      
      There could be a chance that sk->sk_hash changes after the lockless
      read.  However, in such a case, non-NULL unix_sk(sk)->addr is visible
      under unix_sk(sk)->bindlock, and bind() returns -EINVAL without using
      the prefetched value.
      
      The KCSAN splat is false-positive, but let's silence it by reading
      sk->sk_hash under unix_sk(sk)->bindlock.
      
      [0]:
      BUG: KCSAN: data-race in unix_autobind / unix_autobind
      
      write to 0xffff888034a9fb88 of 4 bytes by task 4468 on cpu 0:
       __unix_set_addr_hash net/unix/af_unix.c:331 [inline]
       unix_autobind+0x47a/0x7d0 net/unix/af_unix.c:1185
       unix_dgram_connect+0x7e3/0x890 net/unix/af_unix.c:1373
       __sys_connect_file+0xd7/0xe0 net/socket.c:2048
       __sys_connect+0x114/0x140 net/socket.c:2065
       __do_sys_connect net/socket.c:2075 [inline]
       __se_sys_connect net/socket.c:2072 [inline]
       __x64_sys_connect+0x40/0x50 net/socket.c:2072
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x46/0x4e
      
      read to 0xffff888034a9fb88 of 4 bytes by task 4465 on cpu 1:
       unix_autobind+0x28/0x7d0 net/unix/af_unix.c:1134
       unix_dgram_connect+0x7e3/0x890 net/unix/af_unix.c:1373
       __sys_connect_file+0xd7/0xe0 net/socket.c:2048
       __sys_connect+0x114/0x140 net/socket.c:2065
       __do_sys_connect net/socket.c:2075 [inline]
       __se_sys_connect net/socket.c:2072 [inline]
       __x64_sys_connect+0x40/0x50 net/socket.c:2072
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x46/0x4e
      
      value changed: 0x000000e4 -> 0x000001e3
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 4465 Comm: syz-executor.0 Not tainted 6.8.0-12822-gcd51db110a7e #12
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      
      Fixes: afd20b92 ("af_unix: Replace the big lock with small locks.")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240522154218.78088-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      51d1b25a
    • Kuniyuki Iwashima's avatar
      af_unix: Annotate data-race around unix_sk(sk)->addr. · 97e1db06
      Kuniyuki Iwashima authored
      Once unix_sk(sk)->addr is assigned under net->unx.table.locks and
      unix_sk(sk)->bindlock, *(unix_sk(sk)->addr) and unix_sk(sk)->path are
      fully set up, and unix_sk(sk)->addr is never changed.
      
      unix_getname() and unix_copy_addr() access the two fields locklessly,
      and commit ae3b5641 ("missing barriers in some of unix_sock ->addr
      and ->path accesses") added smp_store_release() and smp_load_acquire()
      pairs.
      
      In other functions, we still read unix_sk(sk)->addr locklessly to check
      if the socket is bound, and KCSAN complains about it.  [0]
      
      Given these functions have no dependency for *(unix_sk(sk)->addr) and
      unix_sk(sk)->path, READ_ONCE() is enough to annotate the data-race.
      
      Note that it is safe to access unix_sk(sk)->addr locklessly if the socket
      is found in the hash table.  For example, the lockless read of otheru->addr
      in unix_stream_connect() is safe.
      
      Note also that newu->addr there is of the child socket that is still not
      accessible from userspace, and smp_store_release() publishes the address
      in case the socket is accept()ed and unix_getname() / unix_copy_addr()
      is called.
      
      [0]:
      BUG: KCSAN: data-race in unix_bind / unix_listen
      
      write (marked) to 0xffff88805f8d1840 of 8 bytes by task 13723 on cpu 0:
       __unix_set_addr_hash net/unix/af_unix.c:329 [inline]
       unix_bind_bsd net/unix/af_unix.c:1241 [inline]
       unix_bind+0x881/0x1000 net/unix/af_unix.c:1319
       __sys_bind+0x194/0x1e0 net/socket.c:1847
       __do_sys_bind net/socket.c:1858 [inline]
       __se_sys_bind net/socket.c:1856 [inline]
       __x64_sys_bind+0x40/0x50 net/socket.c:1856
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x46/0x4e
      
      read to 0xffff88805f8d1840 of 8 bytes by task 13724 on cpu 1:
       unix_listen+0x72/0x180 net/unix/af_unix.c:734
       __sys_listen+0xdc/0x160 net/socket.c:1881
       __do_sys_listen net/socket.c:1890 [inline]
       __se_sys_listen net/socket.c:1888 [inline]
       __x64_sys_listen+0x2e/0x40 net/socket.c:1888
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x46/0x4e
      
      value changed: 0x0000000000000000 -> 0xffff88807b5b1b40
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 13724 Comm: syz-executor.4 Not tainted 6.8.0-12822-gcd51db110a7e #12
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240522154002.77857-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      97e1db06
    • Geliang Tang's avatar
      selftests: hsr: Fix "File exists" errors for hsr_ping · 21a22ed6
      Geliang Tang authored
      The hsr_ping test reports the following errors:
      
       INFO: preparing interfaces for HSRv0.
       INFO: Initial validation ping.
       INFO: Longer ping test.
       INFO: Cutting one link.
       INFO: Delay the link and drop a few packages.
       INFO: All good.
       INFO: preparing interfaces for HSRv1.
       RTNETLINK answers: File exists
       RTNETLINK answers: File exists
       RTNETLINK answers: File exists
       RTNETLINK answers: File exists
       RTNETLINK answers: File exists
       RTNETLINK answers: File exists
       Error: ipv4: Address already assigned.
       Error: ipv6: address already assigned.
       Error: ipv4: Address already assigned.
       Error: ipv6: address already assigned.
       Error: ipv4: Address already assigned.
       Error: ipv6: address already assigned.
       INFO: Initial validation ping.
      
      That is because the cleanup code for the 2nd round test before
      "setup_hsr_interfaces 1" is removed incorrectly in commit 680fda4f
      ("test: hsr: Remove script code already implemented in lib.sh").
      
      This patch fixes it by re-setup the namespaces using
      
      	setup_ns ns1 ns2 ns3
      
      command before "setup_hsr_interfaces 1". It deletes previous namespaces
      and create new ones.
      
      Fixes: 680fda4f ("test: hsr: Remove script code already implemented in lib.sh")
      Reviewed-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarGeliang Tang <tanggeliang@kylinos.cn>
      Link: https://lore.kernel.org/r/6485d3005f467758d49f0f313c8c009759ba6b05.1716374462.git.tanggeliang@kylinos.cnSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      21a22ed6
    • Roded Zats's avatar
      enic: Validate length of nl attributes in enic_set_vf_port · e8021b94
      Roded Zats authored
      enic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE
      is of length PORT_PROFILE_MAX and that the nl attributes
      IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.
      These attributes are validated (in the function do_setlink in rtnetlink.c)
      using the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE
      as NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and
      IFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation
      using the policy is for the max size of the attributes and not on exact
      size so the length of these attributes might be less than the sizes that
      enic_set_vf_port expects. This might cause an out of bands
      read access in the memcpys of the data of these
      attributes in enic_set_vf_port.
      
      Fixes: f8bd9091 ("net: Add ndo_{set|get}_vf_port support for enic dynamic vnics")
      Signed-off-by: default avatarRoded Zats <rzats@paloaltonetworks.com>
      Link: https://lore.kernel.org/r/20240522073044.33519-1-rzats@paloaltonetworks.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e8021b94
  2. 25 May, 2024 11 commits
  3. 24 May, 2024 12 commits
  4. 23 May, 2024 5 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 66ad4829
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Quite smaller than usual. Notably it includes the fix for the unix
        regression from the past weeks. The TCP window fix will require some
        follow-up, already queued.
      
        Current release - regressions:
      
         - af_unix: fix garbage collection of embryos
      
        Previous releases - regressions:
      
         - af_unix: fix race between GC and receive path
      
         - ipv6: sr: fix missing sk_buff release in seg6_input_core
      
         - tcp: remove 64 KByte limit for initial tp->rcv_wnd value
      
         - eth: r8169: fix rx hangup
      
         - eth: lan966x: remove ptp traps in case the ptp is not enabled
      
         - eth: ixgbe: fix link breakage vs cisco switches
      
         - eth: ice: prevent ethtool from corrupting the channels
      
        Previous releases - always broken:
      
         - openvswitch: set the skbuff pkt_type for proper pmtud support
      
         - tcp: Fix shift-out-of-bounds in dctcp_update_alpha()
      
        Misc:
      
         - a bunch of selftests stabilization patches"
      
      * tag 'net-6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (25 commits)
        r8169: Fix possible ring buffer corruption on fragmented Tx packets.
        idpf: Interpret .set_channels() input differently
        ice: Interpret .set_channels() input differently
        nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
        net: relax socket state check at accept time.
        tcp: remove 64 KByte limit for initial tp->rcv_wnd value
        net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()
        tls: fix missing memory barrier in tls_init
        net: fec: avoid lock evasion when reading pps_enable
        Revert "ixgbe: Manual AN-37 for troublesome link partners for X550 SFI"
        testing: net-drv: use stats64 for testing
        net: mana: Fix the extra HZ in mana_hwc_send_request
        net: lan966x: Remove ptp traps in case the ptp is not enabled.
        openvswitch: Set the skbuff pkt_type for proper pmtud support.
        selftest: af_unix: Make SCM_RIGHTS into OOB data.
        af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
        tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
        selftests/net: use tc rule to filter the na packet
        ipv6: sr: fix memleak in seg6_hmac_init_algo
        af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
        ...
      66ad4829
    • Linus Torvalds's avatar
      Merge tag 'trace-fixes-v6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 404001dd
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Minor last minute fixes:
      
         - Fix a very tight race between the ring buffer readers and resizing
           the ring buffer
      
         - Correct some stale comments in the ring buffer code
      
         - Fix kernel-doc in the rv code
      
         - Add a MODULE_DESCRIPTION to preemptirq_delay_test"
      
      * tag 'trace-fixes-v6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        rv: Update rv_en(dis)able_monitor doc to match kernel-doc
        tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
        ring-buffer: Fix a race between readers and resize checks
        ring-buffer: Correct stale comments related to non-consuming readers
      404001dd
    • Linus Torvalds's avatar
      Merge tag 'trace-tools-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · e82d2af5
      Linus Torvalds authored
      Pull tracing tool fix from Steven Rostedt:
       "Fix printf format warnings in latency-collector.
      
        Use the printf format string with %s to take a string instead of
        taking in a string directly"
      
      * tag 'trace-tools-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tools/latency-collector: Fix -Wformat-security compile warns
      e82d2af5
    • Linus Torvalds's avatar
      Merge tag 'trace-assign-str-v6.10' of... · d6a326d6
      Linus Torvalds authored
      Merge tag 'trace-assign-str-v6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull tracing cleanup from Steven Rostedt:
       "Remove second argument of __assign_str()
      
        The __assign_str() macro logic of the TRACE_EVENT() macro was
        optimized so that it no longer needs the second argument. The
        __assign_str() is always matched with __string() field that takes a
        field name and the source for that field:
      
          __string(field, source)
      
        The TRACE_EVENT() macro logic will save off the source value and then
        use that value to copy into the ring buffer via the __assign_str().
      
        Before commit c1fa617c ("tracing: Rework __assign_str() and
        __string() to not duplicate getting the string"), the __assign_str()
        needed the second argument which would perform the same logic as the
        __string() source parameter did. Not only would this add overhead, but
        it was error prone as if the __assign_str() source produced something
        different, it may not have allocated enough for the string in the ring
        buffer (as the __string() source was used to determine how much to
        allocate)
      
        Now that the __assign_str() just uses the same string that was used in
        __string() it no longer needs the source parameter. It can now be
        removed"
      
      * tag 'trace-assign-str-v6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing/treewide: Remove second parameter of __assign_str()
      d6a326d6
    • Linus Torvalds's avatar
      Merge tag 'sparc-for-6.10-tag1' of... · bca2a25d
      Linus Torvalds authored
      Merge tag 'sparc-for-6.10-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/alarsson/linux-sparc
      
      Pull sparc updates from Andreas Larsson:
      
       - Avoid on-stack cpumask variables in a number of places
      
       - Move struct termio to asm/termios.h, matching other architectures and
         allowing certain user space applications to build also for sparc
      
       - Fix missing prototype warnings for sparc64
      
       - Fix version generation warnings for sparc32
      
       - Fix bug where non-consecutive CPU IDs lead to some CPUs not starting
      
       - Simplification using swap and cleanup using NULL for pointer
      
       - Convert sparc parport and chmc drivers to use remove callbacks
         returning void
      
      * tag 'sparc-for-6.10-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/alarsson/linux-sparc:
        sparc/leon: Remove on-stack cpumask var
        sparc/pci_msi: Remove on-stack cpumask var
        sparc/of: Remove on-stack cpumask var
        sparc/irq: Remove on-stack cpumask var
        sparc/srmmu: Remove on-stack cpumask var
        sparc: chmc: Convert to platform remove callback returning void
        sparc: parport: Convert to platform remove callback returning void
        sparc: Compare pointers to NULL instead of 0
        sparc: Use swap() to fix Coccinelle warning
        sparc32: Fix version generation failed warnings
        sparc64: Fix number of online CPUs
        sparc64: Fix prototype warning for sched_clock
        sparc64: Fix prototype warnings in adi_64.c
        sparc64: Fix prototype warning for dma_4v_iotsb_bind
        sparc64: Fix prototype warning for uprobe_trap
        sparc64: Fix prototype warning for alloc_irqstack_bootmem
        sparc64: Fix prototype warning for vmemmap_free
        sparc64: Fix prototype warnings in traps_64.c
        sparc64: Fix prototype warning for init_vdso_image
        sparc: move struct termio to asm/termios.h
      bca2a25d