1. 01 Feb, 2024 7 commits
    • Brett Creeley's avatar
      pds_core: Cancel AQ work on teardown · d321067e
      Brett Creeley authored
      There is a small window where pdsc_work_thread()
      calls pdsc_process_adminq() and pdsc_process_adminq()
      passes the PDSC_S_STOPPING_DRIVER check and starts
      to process adminq/notifyq work and then the driver
      starts a fw_down cycle. This could cause some
      undefined behavior if the notifyqcq/adminqcq are
      free'd while pdsc_process_adminq() is running. Use
      cancel_work_sync() on the adminqcq's work struct
      to make sure any pending work items are cancelled
      and any in progress work items are completed.
      
      Also, make sure to not call cancel_work_sync() if
      the work item has not be initialized. Without this,
      traces will happen in cases where a reset fails and
      teardown is called again or if reset fails and the
      driver is removed.
      
      Fixes: 01ba61b5 ("pds_core: Add adminq processing and commands")
      Signed-off-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Link: https://lore.kernel.org/r/20240129234035.69802-3-brett.creeley@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d321067e
    • Brett Creeley's avatar
      pds_core: Prevent health thread from running during reset/remove · d9407ff1
      Brett Creeley authored
      The PCIe reset handlers can run at the same time as the
      health thread. This can cause the health thread to
      stomp on the PCIe reset. Fix this by preventing the
      health thread from running while a PCIe reset is happening.
      
      As part of this use timer_shutdown_sync() during reset and
      remove to make sure the timer doesn't ever get rearmed.
      
      Fixes: ffa55858 ("pds_core: implement pci reset handlers")
      Signed-off-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Link: https://lore.kernel.org/r/20240129234035.69802-2-brett.creeley@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d9407ff1
    • Eric Dumazet's avatar
      af_unix: fix lockdep positive in sk_diag_dump_icons() · 4d322dce
      Eric Dumazet authored
      syzbot reported a lockdep splat [1].
      
      Blamed commit hinted about the possible lockdep
      violation, and code used unix_state_lock_nested()
      in an attempt to silence lockdep.
      
      It is not sufficient, because unix_state_lock_nested()
      is already used from unix_state_double_lock().
      
      We need to use a separate subclass.
      
      This patch adds a distinct enumeration to make things
      more explicit.
      
      Also use swap() in unix_state_double_lock() as a clean up.
      
      v2: add a missing inline keyword to unix_state_lock_nested()
      
      [1]
      WARNING: possible circular locking dependency detected
      6.8.0-rc1-syzkaller-00356-g8a696a29 #0 Not tainted
      
      syz-executor.1/2542 is trying to acquire lock:
       ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
      
      but task is already holding lock:
       ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&u->lock/1){+.+.}-{2:2}:
              lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
              _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
              sk_diag_dump_icons net/unix/diag.c:87 [inline]
              sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157
              sk_diag_dump net/unix/diag.c:196 [inline]
              unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
              netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
              __netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
              netlink_dump_start include/linux/netlink.h:338 [inline]
              unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
             sock_diag_rcv_msg+0xe3/0x400
              netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543
              sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
              netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
              netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367
              netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908
              sock_sendmsg_nosec net/socket.c:730 [inline]
              __sock_sendmsg net/socket.c:745 [inline]
              sock_write_iter+0x39a/0x520 net/socket.c:1160
              call_write_iter include/linux/fs.h:2085 [inline]
              new_sync_write fs/read_write.c:497 [inline]
              vfs_write+0xa74/0xca0 fs/read_write.c:590
              ksys_write+0x1a0/0x2c0 fs/read_write.c:643
              do_syscall_x64 arch/x86/entry/common.c:52 [inline]
              do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
             entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      -> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
              check_prev_add kernel/locking/lockdep.c:3134 [inline]
              check_prevs_add kernel/locking/lockdep.c:3253 [inline]
              validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
              __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
              lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
              __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
              _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
              skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
              unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
              sock_sendmsg_nosec net/socket.c:730 [inline]
              __sock_sendmsg net/socket.c:745 [inline]
              ____sys_sendmsg+0x592/0x890 net/socket.c:2584
              ___sys_sendmsg net/socket.c:2638 [inline]
              __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
              __do_sys_sendmmsg net/socket.c:2753 [inline]
              __se_sys_sendmmsg net/socket.c:2750 [inline]
              __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
              do_syscall_x64 arch/x86/entry/common.c:52 [inline]
              do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
             entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&u->lock/1);
                                     lock(rlock-AF_UNIX);
                                     lock(&u->lock/1);
        lock(rlock-AF_UNIX);
      
       *** DEADLOCK ***
      
      1 lock held by syz-executor.1/2542:
        #0: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089
      
      stack backtrace:
      CPU: 1 PID: 2542 Comm: syz-executor.1 Not tainted 6.8.0-rc1-syzkaller-00356-g8a696a29 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
      Call Trace:
       <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
        check_noncircular+0x366/0x490 kernel/locking/lockdep.c:2187
        check_prev_add kernel/locking/lockdep.c:3134 [inline]
        check_prevs_add kernel/locking/lockdep.c:3253 [inline]
        validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
        __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
        _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
        skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
        unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg net/socket.c:745 [inline]
        ____sys_sendmsg+0x592/0x890 net/socket.c:2584
        ___sys_sendmsg net/socket.c:2638 [inline]
        __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
        __do_sys_sendmmsg net/socket.c:2753 [inline]
        __se_sys_sendmmsg net/socket.c:2750 [inline]
        __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f26d887cda9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f26d95a60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00007f26d89abf80 RCX: 00007f26d887cda9
      RDX: 000000000000003e RSI: 00000000200bd000 RDI: 0000000000000004
      RBP: 00007f26d88c947a R08: 0000000000000000 R09: 0000000000000000
      R10: 00000000000008c0 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007f26d89abf80 R15: 00007ffcfe081a68
      
      Fixes: 2aac7a2c ("unix_diag: Pending connections IDs NLA")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240130184235.1620738-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4d322dce
    • Jakub Kicinski's avatar
      Merge branch 'selftests-net-a-couple-of-typos-fixes-in-key-management-rst-tests' · 15b87e26
      Jakub Kicinski authored
      Dmitry Safonov says:
      
      ====================
      selftests/net: A couple of typos fixes in key-management/rst tests
      
      Two typo fixes, noticed by Mohammad's review.
      And a fix for an issue that got uncovered.
      
      v1: https://lore.kernel.org/r/20240118-tcp-ao-test-key-mgmt-v1-0-3583ca147113@arista.comSigned-off-by: default avatarDmitry Safonov <dima@arista.com>
      ====================
      
      Link: https://lore.kernel.org/r/20240130-tcp-ao-test-key-mgmt-v2-0-d190430a6c60@arista.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      15b87e26
    • Dmitry Safonov's avatar
      selftests/net: Repair RST passive reset selftest · 6caf3adc
      Dmitry Safonov authored
      Currently, the test is racy and seems to not pass anymore.
      
      In order to rectify it, aim on TCP_TW_RST.
      Doesn't seem way too good with this sleep() part, but it seems as
      a reasonable compromise for the test. There is a plan in-line comment on
      how-to improve it, going to do it on the top, at this moment I want it
      to run on netdev/patchwork selftests dashboard.
      
      It also slightly changes tcp_ao-lib in order to get SO_ERROR propagated
      to test_client_verify() return value.
      
      Fixes: c6df7b23 ("selftests/net: Add TCP-AO RST test")
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Link: https://lore.kernel.org/r/20240130-tcp-ao-test-key-mgmt-v2-3-d190430a6c60@arista.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6caf3adc
    • Dmitry Safonov's avatar
      selftests/net: Rectify key counters checks · 384aa16d
      Dmitry Safonov authored
      As the names of (struct test_key) members didn't reflect whether the key
      was used for TX or RX, the verification for the counters was done
      incorrectly for asymmetrical selftests.
      
      Rename these with _tx appendix and fix checks in verify_counters().
      While at it, as the checks are now correct, introduce skip_counters_checks,
      which is intended for tests where it's expected that a key that was set
      with setsockopt(sk, IPPROTO_TCP, TCP_AO_INFO, ...) might had no chance
      of getting used on the wire.
      
      Fixes the following failures, exposed by the previous commit:
      > not ok 51 server: Check current != rnext keys set before connect(): Counter pkt_good was expected to increase 0 => 0 for key 132:5
      > not ok 52 server: Check current != rnext keys set before connect(): Counter pkt_good was not expected to increase 0 => 21 for key 137:10
      >
      > not ok 63 server: Check current flapping back on peer's RnextKey request: Counter pkt_good was expected to increase 0 => 0 for key 132:5
      > not ok 64 server: Check current flapping back on peer's RnextKey request: Counter pkt_good was not expected to increase 0 => 40 for key 137:10
      
      Cc: Mohammad Nassiri <mnassiri@ciena.com>
      Fixes: 3c3ead55 ("selftests/net: Add TCP-AO key-management test")
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Link: https://lore.kernel.org/r/20240130-tcp-ao-test-key-mgmt-v2-2-d190430a6c60@arista.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      384aa16d
    • Mohammad Nassiri's avatar
      selftests/net: Argument value mismatch when calling verify_counters() · d8f5df1f
      Mohammad Nassiri authored
      The end_server() function only operates in the server thread
      and always takes an accept socket instead of a listen socket as
      its input argument. To align with this, invert the boolean values
      used when calling verify_counters() within the end_server() function.
      
      As a result of this typo, the test didn't correctly check for
      the non-symmetrical scenario, where i.e. peer-A uses a key <100:200>
      to send data, but peer-B uses another key <105:205> to send its data.
      So, in simple words, different keys for TX and RX.
      
      Fixes: 3c3ead55 ("selftests/net: Add TCP-AO key-management test")
      Signed-off-by: default avatarMohammad Nassiri <mnassiri@ciena.com>
      Link: https://lore.kernel.org/all/934627c5-eebb-4626-be23-cfb134c01d1a@arista.com/
      [amended 'Fixes' tag, added the issue description and carried-over to lkml]
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Link: https://lore.kernel.org/r/20240130-tcp-ao-test-key-mgmt-v2-1-d190430a6c60@arista.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d8f5df1f
  2. 31 Jan, 2024 8 commits
  3. 30 Jan, 2024 7 commits
    • Eric Dumazet's avatar
      llc: call sock_orphan() at release time · aa2b2eb3
      Eric Dumazet authored
      syzbot reported an interesting trace [1] caused by a stale sk->sk_wq
      pointer in a closed llc socket.
      
      In commit ff7b11aa ("net: socket: set sock->sk to NULL after
      calling proto_ops::release()") Eric Biggers hinted that some protocols
      are missing a sock_orphan(), we need to perform a full audit.
      
      In net-next, I plan to clear sock->sk from sock_orphan() and
      amend Eric patch to add a warning.
      
      [1]
       BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]
       BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
       BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]
       BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
      Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27
      
      CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87e #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
      Call Trace:
       <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
        print_address_description mm/kasan/report.c:377 [inline]
        print_report+0xc4/0x620 mm/kasan/report.c:488
        kasan_report+0xda/0x110 mm/kasan/report.c:601
        list_empty include/linux/list.h:373 [inline]
        waitqueue_active include/linux/wait.h:127 [inline]
        sock_def_write_space_wfree net/core/sock.c:3384 [inline]
        sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
        skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080
        skb_release_all net/core/skbuff.c:1092 [inline]
        napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404
        e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970
        e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]
        e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801
        __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576
        napi_poll net/core/dev.c:6645 [inline]
        net_rx_action+0x956/0xe90 net/core/dev.c:6778
        __do_softirq+0x21a/0x8de kernel/softirq.c:553
        run_ksoftirqd kernel/softirq.c:921 [inline]
        run_ksoftirqd+0x31/0x60 kernel/softirq.c:913
        smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164
        kthread+0x2c6/0x3a0 kernel/kthread.c:388
        ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
        ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
       </TASK>
      
      Allocated by task 5167:
        kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
        kasan_save_track+0x14/0x30 mm/kasan/common.c:68
        unpoison_slab_object mm/kasan/common.c:314 [inline]
        __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340
        kasan_slab_alloc include/linux/kasan.h:201 [inline]
        slab_post_alloc_hook mm/slub.c:3813 [inline]
        slab_alloc_node mm/slub.c:3860 [inline]
        kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879
        alloc_inode_sb include/linux/fs.h:3019 [inline]
        sock_alloc_inode+0x25/0x1c0 net/socket.c:308
        alloc_inode+0x5d/0x220 fs/inode.c:260
        new_inode_pseudo+0x16/0x80 fs/inode.c:1005
        sock_alloc+0x40/0x270 net/socket.c:634
        __sock_create+0xbc/0x800 net/socket.c:1535
        sock_create net/socket.c:1622 [inline]
        __sys_socket_create net/socket.c:1659 [inline]
        __sys_socket+0x14c/0x260 net/socket.c:1706
        __do_sys_socket net/socket.c:1720 [inline]
        __se_sys_socket net/socket.c:1718 [inline]
        __x64_sys_socket+0x72/0xb0 net/socket.c:1718
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Freed by task 0:
        kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
        kasan_save_track+0x14/0x30 mm/kasan/common.c:68
        kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
        poison_slab_object mm/kasan/common.c:241 [inline]
        __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257
        kasan_slab_free include/linux/kasan.h:184 [inline]
        slab_free_hook mm/slub.c:2121 [inline]
        slab_free mm/slub.c:4299 [inline]
        kmem_cache_free+0x129/0x350 mm/slub.c:4363
        i_callback+0x43/0x70 fs/inode.c:249
        rcu_do_batch kernel/rcu/tree.c:2158 [inline]
        rcu_core+0x819/0x1680 kernel/rcu/tree.c:2433
        __do_softirq+0x21a/0x8de kernel/softirq.c:553
      
      Last potentially related work creation:
        kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
        __kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:586
        __call_rcu_common.constprop.0+0x9a/0x7b0 kernel/rcu/tree.c:2683
        destroy_inode+0x129/0x1b0 fs/inode.c:315
        iput_final fs/inode.c:1739 [inline]
        iput.part.0+0x560/0x7b0 fs/inode.c:1765
        iput+0x5c/0x80 fs/inode.c:1755
        dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
        __dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
        dput.part.0+0x4ac/0x9a0 fs/dcache.c:845
        dput+0x1f/0x30 fs/dcache.c:835
        __fput+0x3b9/0xb70 fs/file_table.c:384
        task_work_run+0x14d/0x240 kernel/task_work.c:180
        exit_task_work include/linux/task_work.h:38 [inline]
        do_exit+0xa8a/0x2ad0 kernel/exit.c:871
        do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
        __do_sys_exit_group kernel/exit.c:1031 [inline]
        __se_sys_exit_group kernel/exit.c:1029 [inline]
        __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      The buggy address belongs to the object at ffff88802f4fc800
       which belongs to the cache sock_inode_cache of size 1408
      The buggy address is located 128 bytes inside of
       freed 1408-byte region [ffff88802f4fc800, ffff88802f4fcd80)
      
      The buggy address belongs to the physical page:
      page:ffffea0000bd3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f4f8
      head:ffffea0000bd3e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      page_type: 0xffffffff()
      raw: 00fff00000000840 ffff888013b06b40 0000000000000000 0000000000000001
      raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 4956, tgid 4956 (sshd), ts 31423924727, free_ts 0
        set_page_owner include/linux/page_owner.h:31 [inline]
        post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
        prep_new_page mm/page_alloc.c:1540 [inline]
        get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
        __alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
        __alloc_pages_node include/linux/gfp.h:238 [inline]
        alloc_pages_node include/linux/gfp.h:261 [inline]
        alloc_slab_page mm/slub.c:2190 [inline]
        allocate_slab mm/slub.c:2354 [inline]
        new_slab+0xcc/0x3a0 mm/slub.c:2407
        ___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
        __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
        __slab_alloc_node mm/slub.c:3678 [inline]
        slab_alloc_node mm/slub.c:3850 [inline]
        kmem_cache_alloc_lru+0x379/0x6f0 mm/slub.c:3879
        alloc_inode_sb include/linux/fs.h:3019 [inline]
        sock_alloc_inode+0x25/0x1c0 net/socket.c:308
        alloc_inode+0x5d/0x220 fs/inode.c:260
        new_inode_pseudo+0x16/0x80 fs/inode.c:1005
        sock_alloc+0x40/0x270 net/socket.c:634
        __sock_create+0xbc/0x800 net/socket.c:1535
        sock_create net/socket.c:1622 [inline]
        __sys_socket_create net/socket.c:1659 [inline]
        __sys_socket+0x14c/0x260 net/socket.c:1706
        __do_sys_socket net/socket.c:1720 [inline]
        __se_sys_socket net/socket.c:1718 [inline]
        __x64_sys_socket+0x72/0xb0 net/socket.c:1718
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      page_owner free stack trace missing
      
      Memory state around the buggy address:
       ffff88802f4fc780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88802f4fc800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff88802f4fc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
       ffff88802f4fc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88802f4fc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: 43815482 ("net: sock_def_readable() and friends RCU conversion")
      Reported-and-tested-by: syzbot+32b89eaa102b372ff76d@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Eric Biggers <ebiggers@google.com>
      Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240126165532.3396702-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      aa2b2eb3
    • Paolo Abeni's avatar
      Merge branch 'net-stmmac-dwmac-imx-time-based-scheduling-support' · f8affba7
      Paolo Abeni authored
      Esben Haabendal says:
      
      ====================
      net: stmmac: dwmac-imx: Time Based Scheduling support
      
      This small patch series allows using TBS support of the i.MX Ethernet QOS
      controller for etf qdisc offload.
      It achieves this in a similar manner that it is done in dwmac-intel.c,
      dwmac-mediatek.c and stmmac_pci.c.
      
      Changes since v1:
      
      - Simplified for loop by starting at index 1.
      - Fixed problem with indentation.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1706256158.git.esben@geanix.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f8affba7
    • Esben Haabendal's avatar
      net: stmmac: dwmac-imx: set TSO/TBS TX queues default settings · 3b12ec8f
      Esben Haabendal authored
      TSO and TBS cannot coexist. For now we set i.MX Ethernet QOS controller to
      use the first TX queue with TSO and the rest for TBS.
      
      TX queues with TBS can support etf qdisc hw offload.
      Signed-off-by: default avatarEsben Haabendal <esben@geanix.com>
      Reviewed-by: Kurt Kanzenbach's avatarKurt Kanzenbach <kurt@linutronix.de>
      Reviewed-by: default avatarVadim Fedorenko <vadim.fedorenko@linux.dev>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      3b12ec8f
    • Esben Haabendal's avatar
      net: stmmac: do not clear TBS enable bit on link up/down · 4896bb7c
      Esben Haabendal authored
      With the dma conf being reallocated on each call to stmmac_open(), any
      information in there is lost, unless we specifically handle it.
      
      The STMMAC_TBS_EN bit is set when adding an etf qdisc, and the etf qdisc
      therefore would stop working when link was set down and then back up.
      
      Fixes: ba39b344 ("net: ethernet: stmicro: stmmac: generate stmmac dma conf before open")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEsben Haabendal <esben@geanix.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4896bb7c
    • Helge Deller's avatar
      ipv6: Ensure natural alignment of const ipv6 loopback and router addresses · 60365049
      Helge Deller authored
      On a parisc64 kernel I sometimes notice this kernel warning:
      Kernel unaligned access to 0x40ff8814 at ndisc_send_skb+0xc0/0x4d8
      
      The address 0x40ff8814 points to the in6addr_linklocal_allrouters
      variable and the warning simply means that some ipv6 function tries to
      read a 64-bit word directly from the not-64-bit aligned
      in6addr_linklocal_allrouters variable.
      
      Unaligned accesses are non-critical as the architecture or exception
      handlers usually will fix it up at runtime. Nevertheless it may trigger
      a performance penality for some architectures. For details read the
      "unaligned-memory-access" kernel documentation.
      
      The patch below ensures that the ipv6 loopback and router addresses will
      always be naturally aligned. This prevents the unaligned accesses for
      all architectures.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Fixes: 034dfc5d ("ipv6: export in6addr_loopback to modules")
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/ZbNuFM1bFqoH-UoY@p100Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      60365049
    • Jakub Kicinski's avatar
      selftests: net: add missing config for nftables-backed iptables · 59c93583
      Jakub Kicinski authored
      Modern OSes use iptables implementation with nf_tables as a backend,
      e.g.:
      
      $ iptables -V
      iptables v1.8.8 (nf_tables)
      
      Pablo points out that we need CONFIG_NFT_COMPAT to make that work,
      otherwise we see a lot of:
      
        Warning: Extension DNAT revision 0 not supported, missing kernel module?
      
      with DNAT being just an example here, other modules we need
      include udp, TTL, length etc.
      
      Link: https://lore.kernel.org/r/20240126201308.2903602-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      59c93583
    • Michal Vokáč's avatar
      net: dsa: qca8k: fix illegal usage of GPIO · c44fc98f
      Michal Vokáč authored
      When working with GPIO, its direction must be set either when the GPIO is
      requested by gpiod_get*() or later on by one of the gpiod_direction_*()
      functions. Neither of this is done here which results in undefined
      behavior on some systems.
      
      As the reset GPIO is used right after it is requested here, it makes sense
      to configure it as GPIOD_OUT_HIGH right away. With that, the following
      gpiod_set_value_cansleep(1) becomes redundant and can be safely
      removed.
      
      Fixes: a653f2f5 ("net: dsa: qca8k: introduce reset via gpio feature")
      Signed-off-by: default avatarMichal Vokáč <michal.vokac@ysoft.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/1706266175-3408-1-git-send-email-michal.vokac@ysoft.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c44fc98f
  4. 29 Jan, 2024 5 commits
    • Christophe JAILLET's avatar
      ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() · bbc404d2
      Christophe JAILLET authored
      All error handling paths, except this one, go to 'out' where
      release_swfw_sync() is called.
      This call balances the acquire_swfw_sync() call done at the beginning of
      the function.
      
      Branch to the error handling path in order to correctly release some
      resources in case of error.
      
      Fixes: ae14a1d8 ("ixgbe: Fix IOSF SB access issues")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      bbc404d2
    • Jacob Keller's avatar
      e1000e: correct maximum frequency adjustment values · f1f6a6b1
      Jacob Keller authored
      The e1000e driver supports hardware with a variety of different clock
      speeds, and thus a variety of different increment values used for
      programming its PTP hardware clock.
      
      The values currently programmed in e1000e_ptp_init are incorrect. In
      particular, only two maximum adjustments are used: 24000000 - 1, and
      600000000 - 1. These were originally intended to be used with the 96 MHz
      clock and the 25 MHz clock.
      
      Both of these values are actually slightly too high. For the 96 MHz clock,
      the actual maximum value that can safely be programmed is 23,999,938. For
      the 25 MHz clock, the maximum value is 599,999,904.
      
      Worse, several devices use a 24 MHz clock or a 38.4 MHz clock. These parts
      are incorrectly assigned one of either the 24million or 600million values.
      For the 24 MHz clock, this is not a significant issue: its current
      increment value can support an adjustment up to 7billion in the positive
      direction. However, the 38.4 KHz clock uses an increment value which can
      only support up to 230,769,157 before it starts overflowing.
      
      To understand where these values come from, consider that frequency
      adjustments have the form of:
      
      new_incval = base_incval + (base_incval * adjustment) / (unit of adjustment)
      
      The maximum adjustment is reported in terms of parts per billion:
      new_incval = base_incval + (base_incval * adjustment) / 1 billion
      
      The largest possible adjustment is thus given by the following:
      max_incval = base_incval + (base_incval * max_adj) / 1 billion
      
      Re-arranging to solve for max_adj:
      max_adj = (max_incval - base_incval) * 1 billion / base_incval
      
      We also need to ensure that negative adjustments cannot underflow. This can
      be achieved simply by ensuring max_adj is always less than 1 billion.
      
      Introduce new macros in e1000.h codifying the maximum adjustment in PPB for
      each frequency given its associated increment values. Also clarify where
      these values come from by commenting about the above equations.
      
      Replace the switch statement in e1000e_ptp_init with one which mirrors the
      increment value switch statement from e1000e_get_base_timinica. For each
      device, assign the appropriate maximum adjustment based on its frequency.
      Some parts can have one of two frequency modes as determined by
      E1000_TSYNCRXCTL_SYSCFI.
      
      Since the new flow directly matches the assignments in
      e1000e_get_base_timinca, and uses well defined macro names, it is much
      easier to verify that the resulting maximum adjustments are correct. It
      also avoids difficult to parse construction such as the "hw->mac.type <
      e1000_phc_lpt", and the use of fallthrough which was especially confusing
      when combined with a conditional block.
      
      Note that I believe the current increment value configuration used for
      24MHz clocks is sub-par, as it leaves at least 3 extra bits available in
      the INCVALUE register. However, fixing that requires more careful review of
      the clock rate and associated values.
      Reported-by: default avatarTrey Harrison <harrisondigitalmedia@gmail.com>
      Fixes: 68fe1d5d ("e1000e: Add Support for 38.4MHZ frequency")
      Fixes: d89777bf ("e1000e: add support for IEEE-1588 PTP")
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: default avatarNaama Meir <naamax.meir@linux.intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      f1f6a6b1
    • Eric Dumazet's avatar
      tcp: add sanity checks to rx zerocopy · 577e4432
      Eric Dumazet authored
      TCP rx zerocopy intent is to map pages initially allocated
      from NIC drivers, not pages owned by a fs.
      
      This patch adds to can_map_frag() these additional checks:
      
      - Page must not be a compound one.
      - page->mapping must be NULL.
      
      This fixes the panic reported by ZhangPeng.
      
      syzbot was able to loopback packets built with sendfile(),
      mapping pages owned by an ext4 file to TCP rx zerocopy.
      
      r3 = socket$inet_tcp(0x2, 0x1, 0x0)
      mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
      r4 = socket$inet_tcp(0x2, 0x1, 0x0)
      bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
      connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
      r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
          0x181e42, 0x0)
      fallocate(r5, 0x0, 0x0, 0x85b8)
      sendfile(r4, r5, 0x0, 0x8ba0)
      getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
          &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
          0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
      r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
          0x181e42, 0x0)
      
      Fixes: 93ab6cc6 ("tcp: implement mmap() for zero copy receive")
      Link: https://lore.kernel.org/netdev/5106a58e-04da-372a-b836-9d3d0bd2507b@huawei.com/T/Reported-and-bisected-by: default avatarZhangPeng <zhangpeng362@huawei.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Arjun Roy <arjunroy@google.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: linux-mm@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      577e4432
    • Fedor Pchelkin's avatar
      nfc: nci: free rx_data_reassembly skb on NCI device cleanup · bfb007ae
      Fedor Pchelkin authored
      rx_data_reassembly skb is stored during NCI data exchange for processing
      fragmented packets. It is dropped only when the last fragment is processed
      or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
      However, the NCI device may be deallocated before that which leads to skb
      leak.
      
      As by design the rx_data_reassembly skb is bound to the NCI device and
      nothing prevents the device to be freed before the skb is processed in
      some way and cleaned, free it on the NCI device cleanup.
      
      Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
      
      Fixes: 6a2968aa ("NFC: basic NCI protocol implementation")
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/Signed-off-by: default avatarFedor Pchelkin <pchelkin@ispras.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bfb007ae
    • Nikita Zhandarovich's avatar
      net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() · 37e8c97e
      Nikita Zhandarovich authored
      Syzkaller reported [1] hitting a warning after failing to allocate
      resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will
      not help much in this case, it might be prudent to switch to
      netdev_warn_once(). At the very least it will suppress syzkaller
      reports such as [1].
      
      Just in case, use netdev_warn_once() in send_prp_supervision_frame()
      for similar reasons.
      
      [1]
      HSR: Could not send supervision frame
      WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
      RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294
      ...
      Call Trace:
       <IRQ>
       hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382
       call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
       expire_timers kernel/time/timer.c:1751 [inline]
       __run_timers+0x764/0xb20 kernel/time/timer.c:2022
       run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
       __do_softirq+0x21a/0x8de kernel/softirq.c:553
       invoke_softirq kernel/softirq.c:427 [inline]
       __irq_exit_rcu kernel/softirq.c:632 [inline]
       irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
       sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
       </IRQ>
       <TASK>
       asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
      ...
      
      This issue is also found in older kernels (at least up to 5.10).
      
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+3ae0a3f42c84074b7c8e@syzkaller.appspotmail.com
      Fixes: 121c33b0 ("net: hsr: introduce common code for skb initialization")
      Signed-off-by: default avatarNikita Zhandarovich <n.zhandarovich@fintech.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37e8c97e
  5. 27 Jan, 2024 3 commits
    • Horatiu Vultur's avatar
      net: lan966x: Fix port configuration when using SGMII interface · 62b42481
      Horatiu Vultur authored
      In case the interface between the MAC and the PHY is SGMII, then the bit
      GIGA_MODE on the MAC side needs to be set regardless of the speed at
      which it is running.
      
      Fixes: d28d6d2e ("net: lan966x: add port module support")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Reviewed-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62b42481
    • Simon Horman's avatar
      MAINTAINERS: Add connector headers to NETWORKING DRIVERS · 586e40aa
      Simon Horman authored
      Commit 46cf789b ("connector: Move maintainence under networking
      drivers umbrella.") moved the connector maintenance but did not include
      the connector header files.
      
      It seems that it has always been implied that these headers were
      maintained along with the rest of the connector code, both before and
      after the cited commit. Make this explicit.
      Signed-off-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      586e40aa
    • Nicolas Dichtel's avatar
      ipmr: fix kernel panic when forwarding mcast packets · e622502c
      Nicolas Dichtel authored
      The stacktrace was:
      [   86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092
      [   86.306815] #PF: supervisor read access in kernel mode
      [   86.307717] #PF: error_code(0x0000) - not-present page
      [   86.308624] PGD 0 P4D 0
      [   86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI
      [   86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G     U             6.8.0-6wind-knet #1
      [   86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
      [   86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)
      [ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f
      [   86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246
      [   86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [   86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000
      [   86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000
      [   86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      [   86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80
      [   86.322873] FS:  00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000
      [   86.324291] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0
      [   86.326589] Call Trace:
      [   86.327036]  <TASK>
      [   86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479)
      [   86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434)
      [   86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707)
      [   86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264)
      [   86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1))
      [   86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563)
      [   86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570)
      [   86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)
      [   86.333183] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273)
      [   86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363)
      [   86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)
      [   86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)
      [   86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944)
      [   86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862)
      [   86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181)
      [   86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415)
      [   86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836)
      [   86.341408] ? security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13))
      [   86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716)
      [   86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313)
      [   86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/knet/net/socket.c:2336)
      [   86.344020] __x64_sys_setsockopt (/build/work/knet/net/socket.c:2340)
      [   86.344766] do_syscall_64 (/build/work/knet/arch/x86/entry/common.c:52 /build/work/knet/arch/x86/entry/common.c:83)
      [   86.345433] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.346161] ? syscall_exit_work (/build/work/knet/./include/linux/audit.h:357 /build/work/knet/kernel/entry/common.c:160)
      [   86.346938] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.347657] ? syscall_exit_to_user_mode (/build/work/knet/kernel/entry/common.c:215)
      [   86.348538] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
      [   86.349262] ? do_syscall_64 (/build/work/knet/./arch/x86/include/asm/cpufeature.h:171 /build/work/knet/arch/x86/entry/common.c:98)
      [   86.349971] entry_SYSCALL_64_after_hwframe (/build/work/knet/arch/x86/entry/entry_64.S:129)
      
      The original packet in ipmr_cache_report() may be queued and then forwarded
      with ip_mr_forward(). This last function has the assumption that the skb
      dst is set.
      
      After the below commit, the skb dst is dropped by ipv4_pktinfo_prepare(),
      which causes the oops.
      
      Fixes: bb740365 ("ipmr: support IP_PKTINFO on cache report IGMP msg")
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240125141847.1931933-1-nicolas.dichtel@6wind.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e622502c
  6. 26 Jan, 2024 10 commits