1. 06 Dec, 2023 2 commits
    • selftests/bpf: Add test for early update in prog_array_map_poke_run · ffed24ef
      Jiri Olsa authored
      Adding test that tries to trigger the BUG_ON during early map update
      in prog_array_map_poke_run function.
      
      The idea is to share prog array map between thread that constantly
      updates it and another one loading a program that uses that prog
      array.
      
      Eventually we will hit a place where the program is ok to be updated
      (poke->tailcall_target_stable check) but the address is still not
      registered in kallsyms, so the bpf_arch_text_poke returns -EINVAL
      and cause imbalance for the next tail call update check, which will
      fail with -EBUSY in bpf_arch_text_poke as described in previous fix.
      Signed-off-by: Jiri Olsa <jolsa@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
      Link: https://lore.kernel.org/bpf/20231206083041.1306660-3-jolsa@kernel.org
    • bpf: Fix prog_array_map_poke_run map poke update · 4b7de801
      Jiri Olsa authored
      Lee pointed out issue found by syzkaller [0] hitting BUG in prog array
      map poke update in prog_array_map_poke_run function due to error value
      returned from bpf_arch_text_poke function.
      
      There's race window where bpf_arch_text_poke can fail due to missing
      bpf program kallsym symbols, which is accounted for with check for
      -EINVAL in that BUG_ON call.
      
      The problem is that in such case we won't update the tail call jump
      and cause imbalance for the next tail call update check which will
      fail with -EBUSY in bpf_arch_text_poke.
      
      I'm hitting following race during the program load:
      
        CPU 0                             CPU 1
      
        bpf_prog_load
          bpf_check
            do_misc_fixups
              prog_array_map_poke_track
      
                                          map_update_elem
                                            bpf_fd_array_map_update_elem
                                              prog_array_map_poke_run
      
                                                bpf_arch_text_poke returns -EINVAL
      
          bpf_prog_kallsyms_add
      
      After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next
      poke update fails on expected jump instruction check in bpf_arch_text_poke
      with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.
      
      Similar race exists on the program unload.
      
      Fixing this by moving the update to bpf_arch_poke_desc_update function which
      makes sure we call __bpf_arch_text_poke that skips the bpf address check.
      
      Each architecture has slightly different approach wrt looking up bpf address
      in bpf_arch_text_poke, so instead of splitting the function or adding new
      'checkip' argument in previous version, it seems best to move the whole
      map_poke_run update as arch specific code.
      
        [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810
      
      Fixes: ebf7d1f5 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
      Reported-by: syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com
      Signed-off-by: Jiri Olsa <jolsa@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Yonghong Song <yonghong.song@linux.dev>
      Cc: Lee Jones <lee@kernel.org>
      Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
      Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org
  2. 05 Dec, 2023 1 commit
  3. 01 Dec, 2023 5 commits
  4. 30 Nov, 2023 16 commits
    • Merge tag 'net-6.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6172a518
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf and wifi.
      
        Current release - regressions:
      
         - neighbour: fix __randomize_layout crash in struct neighbour
      
         - r8169: fix deadlock on RTL8125 in jumbo mtu mode
      
        Previous releases - regressions:
      
         - wifi:
             - mac80211: fix warning at station removal time
             - cfg80211: fix CQM for non-range use
      
         - tools: ynl-gen: fix unexpected response handling
      
         - octeontx2-af: fix possible buffer overflow
      
         - dpaa2: recycle the RX buffer only after all processing done
      
         - rswitch: fix missing dev_kfree_skb_any() in error path
      
        Previous releases - always broken:
      
         - ipv4: fix uaf issue when receiving igmp query packet
      
         - wifi: mac80211: fix debugfs deadlock at device removal time
      
         - bpf:
             - sockmap: af_unix stream sockets need to hold ref for pair sock
             - netdevsim: don't accept device bound programs
      
         - selftests: fix a char signedness issue
      
         - dsa: mv88e6xxx: fix marvell 6350 probe crash
      
         - octeontx2-pf: restore TC ingress police rules when interface is up
      
         - wangxun: fix memory leak on msix entry
      
         - ravb: keep reverse order of operations in ravb_remove()"
      
      * tag 'net-6.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (51 commits)
        net: ravb: Keep reverse order of operations in ravb_remove()
        net: ravb: Stop DMA in case of failures on ravb_open()
        net: ravb: Start TX queues after HW initialization succeeded
        net: ravb: Make write access to CXR35 first before accessing other EMAC registers
        net: ravb: Use pm_runtime_resume_and_get()
        net: ravb: Check return value of reset_control_deassert()
        net: libwx: fix memory leak on msix entry
        ice: Fix VF Reset paths when interface in a failed over aggregate
        bpf, sockmap: Add af_unix test with both sockets in map
        bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
        tools: ynl-gen: always construct struct ynl_req_state
        ethtool: don't propagate EOPNOTSUPP from dumps
        ravb: Fix races between ravb_tx_timeout_work() and net related ops
        r8169: prevent potential deadlock in rtl8169_close
        r8169: fix deadlock on RTL8125 in jumbo mtu mode
        neighbour: Fix __randomize_layout crash in struct neighbour
        octeontx2-pf: Restore TC ingress police rules when interface is up
        octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64
        net: stmmac: xgmac: Disable FPE MMC interrupts
        octeontx2-af: Fix possible buffer overflow
        ...
    • Merge tag 'pmdomain-v6.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm · e8f60209
      Linus Torvalds authored
      Pull pmdomain fix from Ulf Hansson:
      
       - Avoid polling for the scmi_perf_domain on arm
      
      * tag 'pmdomain-v6.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
        pmdomain: arm: Avoid polling for scmi_perf_domain
    • Merge tag 'mmc-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 09443a14
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix CQE error recovery path
      
        MMC host:
         - cqhci: Fix CQE error recovery path
         - sdhci-pci-gli: Fix initialization of LPM
         - sdhci-sprd: Fix enabling/disabling of the vqmmc regulator"
      
      * tag 'mmc-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled
        mmc: sdhci-pci-gli: Disable LPM during initialization
        mmc: cqhci: Fix task clearing in CQE error recovery
        mmc: cqhci: Warn of halt or task clear failure
        mmc: block: Retry commands in CQE error recovery
        mmc: block: Be sure to wait while busy in CQE error recovery
        mmc: cqhci: Increase recovery halt timeout
        mmc: block: Do not lose cache flush during CQE error recovery
    • Merge tag 'leds-fixes-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds · 16864755
      Linus Torvalds authored
      Pull LED fix from Lee Jones:
      
       - Remove duplicate sysfs entry 'color' from LEDs class
      
      * tag 'leds-fixes-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds:
        leds: class: Don't expose color sysfs entry
    • Merge tag 'efi-urgent-for-v6.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi · 9d3eac3c
      Linus Torvalds authored
      Pull EFI fix from Ard Biesheuvel:
      
       - Fix for EFI unaccepted memory handling
      
      * tag 'efi-urgent-for-v6.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
        efi/unaccepted: Fix off-by-one when checking for overlapping ranges
    • Merge branch 'net-ravb-fixes-for-the-ravb-driver' · 777f245e
      Paolo Abeni authored
      Claudiu Beznea says:
      
      ====================
      net: ravb: Fixes for the ravb driver
      
      This series adds some fixes for ravb driver. Patches in this series
      were initially part of series at [1].
      
      Changes in v2:
      - in description of patch 1/6 documented the addition of
        out_free_netdev goto label
      - collected tags
      - s/out_runtime_disable/out_rpm_disable in patch 2/6
      - fixed typos in description of patch 6/6
      
      Changes since [1]:
      - addressed review comments
      - added patch 6/6
      
      [1] https://lore.kernel.org/all/20231120084606.4083194-1-claudiu.beznea.uj@bp.renesas.com/
      ====================
      
      Link: https://lore.kernel.org/r/20231128080439.852467-1-claudiu.beznea.uj@bp.renesas.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ravb: Keep reverse order of operations in ravb_remove() · edf9bc39
      Claudiu Beznea authored
      On RZ/G3S SMARC Carrier II board having RGMII connections b/w Ethernet
      MACs and PHYs it has been discovered that doing unbind/bind for ravb
      driver in a loop leads to wrong speed and duplex for Ethernet links and
      broken connectivity (the connectivity cannot be restored even with
      bringing interface down/up). Before doing unbind/bind the Ethernet
      interfaces were configured through systemd. The sh instructions used to
      do unbind/bind were:
      
      $ cd /sys/bus/platform/drivers/ravb/
      $ while :; do echo 11c30000.ethernet > unbind ; \
        echo 11c30000.ethernet > bind; done
      
      It has been discovered that there is a race b/w IOCTLs initialized by
      systemd at the response of success binding and the
      "ravb_write(ndev, CCC_OPC_RESET, CCC)" call in ravb_remove() as
      follows:
      
      1/ as a result of bind success the user space open/configures the
         interfaces through an IOCTL; the following stack trace has been
         identified on RZ/G3S:
      
      Call trace:
      dump_backtrace+0x9c/0x100
      show_stack+0x20/0x38
      dump_stack_lvl+0x48/0x60
      dump_stack+0x18/0x28
      ravb_open+0x70/0xa58
      __dev_open+0xf4/0x1e8
      __dev_change_flags+0x198/0x218
      dev_change_flags+0x2c/0x80
      devinet_ioctl+0x640/0x708
      inet_ioctl+0x1e4/0x200
      sock_do_ioctl+0x50/0x108
      sock_ioctl+0x240/0x358
      __arm64_sys_ioctl+0xb0/0x100
      invoke_syscall+0x50/0x128
      el0_svc_common.constprop.0+0xc8/0xf0
      do_el0_svc+0x24/0x38
      el0_svc+0x34/0xb8
      el0t_64_sync_handler+0xc0/0xc8
      el0t_64_sync+0x190/0x198
      
      2/ this call may execute concurrently with ravb_remove() as the
         unbind/bind operation was executed in a loop
      3/ if the operation mode is changed to RESET (through
         ravb_write(ndev, CCC_OPC_RESET, CCC) call in ravb_remove())
         while the above ravb_open() is in progress it may lead to MAC
         (or PHY, or MAC-PHY connection, the right point hasn't been identified
         at the moment) to be broken, thus the Ethernet connectivity fails to
         restore.
      
      The simple fix for this is to move ravb_write(ndev, CCC_OPC_RESET, CCC)
      after unregister_netdev() to avoid resetting the controller while the
      netdev interface is still registered.
      
      To avoid future issues in ravb_remove(), the patch follows the proper order
      of operations in ravb_remove(): reverse order compared with ravb_probe().
      This avoids described races as the IOCTLs as well as unregister_netdev()
      (called now at the beginning of ravb_remove()) calls rtnl_lock() before
      continuing and IOCTLs check (through devinet_ioctl()) if device is still
      registered just after taking the lock:
      
      int devinet_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr)
      {
      	// ...
      
              rtnl_lock();
      
              ret = -ENODEV;
              dev = __dev_get_by_name(net, ifr->ifr_name);
              if (!dev)
                      goto done;
      
      	// ...
      done:
              rtnl_unlock();
      out:
              return ret;
      }
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ravb: Stop DMA in case of failures on ravb_open() · eac16a73
      Claudiu Beznea authored
      In case ravb_phy_start() returns with error the settings applied in
      ravb_dmac_init() are not reverted (e.g. config mode). For this call
      ravb_stop_dma() on failure path of ravb_open().
      
      Fixes: a0d2f206 ("Renesas Ethernet AVB PTP clock driver")
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ravb: Start TX queues after HW initialization succeeded · 6f32c086
      Claudiu Beznea authored
      ravb_phy_start() may fail. If that happens, the TX queues will remain
      started. Thus, move the netif_tx_start_all_queues() after PHY is
      successfully initialized.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
      Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ravb: Make write access to CXR35 first before accessing other EMAC registers · d78c0ced
      Claudiu Beznea authored
      Hardware manual of RZ/G3S (and RZ/G2L) specifies the following on the
      description of CXR35 register (chapter "PHY interface select register
      (CXR35)"): "After release reset, make write-access to this register before
      making write-access to other registers (except MDIOMOD). Even if not need
      to change the value of this register, make write-access to this register
      at least one time. Because RGMII/MII MODE is recognized by accessing this
      register".
      
      The setup procedure for EMAC module (chapter "Setup procedure" of RZ/G3S,
      RZ/G2L manuals) specifies the E-MAC.CXR35 register is the first EMAC
      register that is to be configured.
      
      Note [A] from chapter "PHY interface select register (CXR35)" specifies
      the following:
      [A] The case which CXR35 SEL_XMII is used for the selection of RGMII/MII
      in APB Clock 100 MHz.
      (1) To use RGMII interface, Set ‘H’03E8_0000’ to this register.
      (2) To use MII interface, Set ‘H’03E8_0002’ to this register.
      
      Take into account these indications.
      
      Fixes: 1089877a ("ravb: Add RZ/G2L MII interface support")
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ravb: Use pm_runtime_resume_and_get() · 88b74831
      Claudiu Beznea authored
      pm_runtime_get_sync() may return an error. In case it returns with an error
      dev->power.usage_count needs to be decremented. pm_runtime_resume_and_get()
      takes care of this. Thus use it.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ravb: Check return value of reset_control_deassert() · d8eb6ea4
      Claudiu Beznea authored
      reset_control_deassert() could return an error. Some devices cannot work
      if reset signal de-assert operation fails. To avoid this check the return
      code of reset_control_deassert() in ravb_probe() and take proper action.
      
      Along with it, the free_netdev() call from the error path was moved after
      reset_control_assert() on its own label (out_free_netdev) to free
      netdev in case reset_control_deassert() fails.
      
      Fixes: 0d13a1a4 ("ravb: Add reset support")
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: libwx: fix memory leak on msix entry · 91fdb30d
      Jiawen Wu authored
      Since pci_free_irq_vectors() set pdev->msix_enabled as 0 in the
      calling of pci_msix_shutdown(), wx->msix_entries is never freed.
      Reordering the lines to fix the memory leak.
      
      Cc: stable@vger.kernel.org
      Fixes: 3f703186 ("net: libwx: Add irq flow functions")
      Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
      Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
      Link: https://lore.kernel.org/r/20231128095928.1083292-1-jiawenwu@trustnetic.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ice: Fix VF Reset paths when interface in a failed over aggregate · 9f74a3df
      Dave Ertman authored
      There is an error when an interface has the following conditions:
      - PF is in an aggregate (bond)
      - PF has VFs created on it
      - bond is in a state where it is failed-over to the secondary interface
      - A VF reset is issued on one or more of those VFs
      
      The issue is generated by the originating PF trying to rebuild or
      reconfigure the VF resources.  Since the bond is failed over to the
      secondary interface the queue contexts are in a modified state.
      
      To fix this issue, have the originating interface reclaim its resources
      prior to the tear-down and rebuild or reconfigure.  Then after the process
      is complete, move the resources back to the currently active interface.
      
      There are multiple paths that can be used depending on what triggered the
      event, so create a helper function to move the queues and use paired calls
      to the helper (back to origin, process, then move back to active interface)
      under the same lag_mutex lock.
      
      Fixes: 1e0f9881 ("ice: Flesh out implementation of support for SRIOV on bonded interface")
      Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
      Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
      Link: https://lore.kernel.org/r/20231127212340.1137657-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'wireless-2023-11-29' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 300fbb24
      Jakub Kicinski authored
      Johannes Berg says:
      
      ====================
      wireless fixes:
       - debugfs had a deadlock (removal vs. use of files),
         fixes going through wireless ACKed by Greg
       - support for HT STAs on 320 MHz channels, even if it's
         not clear that should ever happen (that's 6 GHz), best
         not to WARN()
       - fix for the previous CQM fix that broke most cases
       - various wiphy locking fixes
       - various small driver fixes
      
      * tag 'wireless-2023-11-29' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: mac80211: use wiphy locked debugfs for sdata/link
        wifi: mac80211: use wiphy locked debugfs helpers for agg_status
        wifi: cfg80211: add locked debugfs wrappers
        debugfs: add API to allow debugfs operations cancellation
        debugfs: annotate debugfs handlers vs. removal with lockdep
        debugfs: fix automount d_fsdata usage
        wifi: mac80211: handle 320 MHz in ieee80211_ht_cap_ie_to_sta_ht_cap
        wifi: avoid offset calculation on NULL pointer
        wifi: cfg80211: hold wiphy mutex for send_interface
        wifi: cfg80211: lock wiphy mutex for rfkill poll
        wifi: cfg80211: fix CQM for non-range use
        wifi: mac80211: do not pass AP_VLAN vif pointer to drivers during flush
        wifi: iwlwifi: mvm: fix an error code in iwl_mvm_mld_add_sta()
        wifi: mt76: mt7925: fix typo in mt7925_init_he_caps
        wifi: mt76: mt7921: fix 6GHz disabled by the missing default CLC config
      ====================
      
      Link: https://lore.kernel.org/r/20231129150809.31083-3-johannes@sipsolutions.net
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 0d47fa5c
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-11-30
      
      We've added 5 non-merge commits during the last 7 day(s) which contain
      a total of 10 files changed, 66 insertions(+), 15 deletions(-).
      
      The main changes are:
      
      1) Fix AF_UNIX splat from use after free in BPF sockmap,
         from John Fastabend.
      
      2) Fix a syzkaller splat in netdevsim by properly handling offloaded
         programs (and not device-bound ones), from Stanislav Fomichev.
      
      3) Fix bpf_mem_cache_alloc_flags() to initialize the allocation hint,
         from Hou Tao.
      
      4) Fix netkit by rejecting IFLA_NETKIT_PEER_INFO in changelink,
         from Daniel Borkmann.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, sockmap: Add af_unix test with both sockets in map
        bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
        netkit: Reject IFLA_NETKIT_PEER_INFO in netkit_change_link
        bpf: Add missed allocation hint for bpf_mem_cache_alloc_flags()
        netdevsim: Don't accept device bound programs
      ====================
      
      Link: https://lore.kernel.org/r/20231129234916.16128-1-daniel@iogearbox.net
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  5. 29 Nov, 2023 6 commits
    • bpf, sockmap: Add af_unix test with both sockets in map · 51354f70
      John Fastabend authored
      This adds a test where both pairs of an af_unix paired socket are put into a
      BPF map. This ensures that when we tear down the af_unix pair we don't have
      any issues on sockmap side with ordering and reference counting.
      Signed-off-by: John Fastabend <john.fastabend@gmail.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
      Link: https://lore.kernel.org/bpf/20231129012557.95371-3-john.fastabend@gmail.com
    • bpf, sockmap: af_unix stream sockets need to hold ref for pair sock · 8866730a
      John Fastabend authored
      AF_UNIX stream sockets are a paired socket. So sending on one of the pairs
      will lookup the paired socket as part of the send operation. It is possible
      however to put just one of the pairs in a BPF map. This currently increments
      the refcnt on the sock in the sockmap to ensure it is not free'd by the
      stack before sockmap cleans up its state and stops any skbs being sent/recv'd
      to that socket.
      
      But we missed a case. If the peer socket is closed it will be free'd by the
      stack. However, the paired socket can still be referenced from BPF sockmap
      side because we hold a reference there. Then if we are sending traffic through
      BPF sockmap to that socket it will try to dereference the free'd pair in its
      send logic creating a use after free. And following splat:
      
         [59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
         [59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
         [...]
         [59.905468] Call Trace:
         [59.905787]  <TASK>
         [59.906066]  dump_stack_lvl+0x130/0x1d0
         [59.908877]  print_report+0x16f/0x740
         [59.910629]  kasan_report+0x118/0x160
         [59.912576]  sk_wake_async+0x31/0x1b0
         [59.913554]  sock_def_readable+0x156/0x2a0
         [59.914060]  unix_stream_sendmsg+0x3f9/0x12a0
         [59.916398]  sock_sendmsg+0x20e/0x250
         [59.916854]  skb_send_sock+0x236/0xac0
         [59.920527]  sk_psock_backlog+0x287/0xaa0
      
      To fix let BPF sockmap hold a refcnt on both the socket in the sockmap and its
      paired socket. It wasn't obvious how to contain the fix to bpf_unix logic. The
      primary problem with keeping this logic in bpf_unix was: In the sock close()
      we could handle the deref by having a close handler. But, when we are destroying
      the psock through a map delete operation we wouldn't have gotten any signal
      through the proto struct other than it being replaced. If we do the deref from
      the proto replace it's too early because we need to deref the sk_pair after the
      backlog worker has been stopped.
      
      Given all this it seems best to just cache it at the end of the psock and eat 8B
      for the af_unix and vsock users. Notice dgram sockets are OK because they handle
      locking already.
      
      Fixes: 94531cfc ("af_unix: Add unix_stream_proto for sockmap")
      Signed-off-by: John Fastabend <john.fastabend@gmail.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
      Link: https://lore.kernel.org/bpf/20231129012557.95371-2-john.fastabend@gmail.com
    • tools: ynl-gen: always construct struct ynl_req_state · 83f2df9d
      Jakub Kicinski authored
      struct ynl_req_state carries reply-related info from generated code
      into generic YNL code. While we don't need reply info to execute
      a request without a reply, we still need to pass in the struct, because
      it's also where we get the pointer to struct ynl_sock from. Passing NULL
      results in crashes if kernel returns an error or an unexpected reply.
      
      Fixes: dc0956c9 ("tools: ynl-gen: move the response reading logic into YNL")
      Link: https://lore.kernel.org/r/20231126225858.2144136-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ethtool: don't propagate EOPNOTSUPP from dumps · cbeb989e
      Jakub Kicinski authored
      The default dump handler needs to clear ret before returning.
      Otherwise if the last interface returns an inconsequential
      error this error will propagate to user space.
      
      This may confuse user space (ethtool CLI seems to ignore it,
      but YNL doesn't). It will also terminate the dump early
      for multi-skb dump, because netlink core treats EOPNOTSUPP
      as a real error.
      
      Fixes: 728480f1 ("ethtool: default handlers for GET requests")
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20231126225806.2143528-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'pinctrl-v6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 3b47bc03
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
      
       - Fix a really interesting potential core bug in the list iterator
         requiring the use of READ_ONCE() discovered when testing kernel
         compiles with clang.
      
       - Check devm_kcalloc() return value and an array bounds in the STM32
         driver.
      
       - Fix an exotic string truncation issue in the s32cc driver, found by
         the kernel test robot (impressive!)
      
       - Fix an undocumented struct member in the cy8c95x0 driver.
      
       - Fix a symbol overlap with MIPS in the Lochnagar driver, MIPS defines
         a global symbol "RST" which is a bit too generic and collide with
         stuff. OK this one should be renamed too, we will fix that as well.
      
       - Fix erroneous branch taking in the Realtek driver.
      
       - Fix the mail address in MAINTAINERS for the s32g2 driver.
      
      * tag 'pinctrl-v6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        dt-bindings: pinctrl: s32g2: change a maintainer email address
        pinctrl: realtek: Fix logical error when finding descriptor
        pinctrl: lochnagar: Don't build on MIPS
        pinctrl: avoid reload of p state in list iteration
        pinctrl: cy8c95x0: Fix doc warning
        pinctrl: s32cc: Avoid possible string truncation
        pinctrl: stm32: fix array read out of bound
        pinctrl: stm32: Add check for devm_kcalloc
    • ravb: Fix races between ravb_tx_timeout_work() and net related ops · 9870257a
      Yoshihiro Shimoda authored
      Fix races between ravb_tx_timeout_work() and functions of net_device_ops
      and ethtool_ops by using rtnl_trylock() and rtnl_unlock(). Note that
      since ravb_close() is under the rtnl lock and calls cancel_work_sync(),
      ravb_tx_timeout_work() should call rtnl_trylock(). Otherwise, a deadlock
      may happen in ravb_tx_timeout_work() like below:
      
      CPU0			CPU1
      			ravb_tx_timeout()
      			schedule_work()
      ...
      __dev_close_many()
      // Under rtnl lock
      ravb_close()
      cancel_work_sync()
      // Waiting
      			ravb_tx_timeout_work()
      			rtnl_lock()
      			// This is possible to cause a deadlock
      
      If rtnl_trylock() fails, rescheduling the work with sleep for 1 msec.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
      Link: https://lore.kernel.org/r/20231127122420.3706751-1-yoshihiro.shimoda.uh@renesas.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  6. 28 Nov, 2023 10 commits