1. 08 Apr, 2022 30 commits
  2. 07 Apr, 2022 7 commits
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20220407' of... · 42e7a03d
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20220407' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyperv fixes from Wei Liu:
      
       - Correctly propagate coherence information for VMbus devices (Michael
         Kelley)
      
       - Disable balloon and memory hot-add on ARM64 temporarily (Boqun Feng)
      
       - Use barrier to prevent reording when reading ring buffer (Michael
         Kelley)
      
       - Use virt_store_mb in favour of smp_store_mb (Andrea Parri)
      
       - Fix VMbus device object initialization (Andrea Parri)
      
       - Deactivate sysctl_record_panic_msg on isolated guest (Andrea Parri)
      
       - Fix a crash when unloading VMbus module (Guilherme G. Piccoli)
      
      * tag 'hyperv-fixes-signed-20220407' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb()
        Drivers: hv: balloon: Disable balloon and hot-add accordingly
        Drivers: hv: balloon: Support status report for larger page sizes
        Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
        PCI: hv: Propagate coherence from VMbus device to PCI device
        Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus device
        Drivers: hv: vmbus: Fix potential crash on module unload
        Drivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()
        Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests
      42e7a03d
    • Linus Torvalds's avatar
      Merge tag 'random-5.18-rc2-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · 3638bd90
      Linus Torvalds authored
      Pull random number generator fixes from Jason Donenfeld:
      
       - Another fixup to the fast_init/crng_init split, this time in how much
         entropy is being credited, from Jan Varho.
      
       - As discussed, we now opportunistically call try_to_generate_entropy()
         in /dev/urandom reads, as a replacement for the reverted commit. I
         opted to not do the more invasive wait_for_random_bytes() change at
         least for now, preferring to do something smaller and more obvious
         for the time being, but maybe that can be revisited as things evolve
         later.
      
       - Userspace can use FUSE or userfaultfd or simply move a process to
         idle priority in order to make a read from the random device never
         complete, which breaks forward secrecy, fixed by overwriting
         sensitive bytes early on in the function.
      
       - Jann Horn noticed that /dev/urandom reads were only checking for
         pending signals if need_resched() was true, a bug going back to the
         genesis commit, now fixed by always checking for signal_pending() and
         calling cond_resched(). This explains various noticeable signal
         delivery delays I've seen in programs over the years that do long
         reads from /dev/urandom.
      
       - In order to be more like other devices (e.g. /dev/zero) and to
         mitigate the impact of fixing the above bug, which has been around
         forever (users have never really needed to check the return value of
         read() for medium-sized reads and so perhaps many didn't), we now
         move signal checking to the bottom part of the loop, and do so every
         PAGE_SIZE-bytes.
      
      * tag 'random-5.18-rc2-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        random: check for signals every PAGE_SIZE chunk of /dev/[u]random
        random: check for signal_pending() outside of need_resched() check
        random: do not allow user to keep crng key around on stack
        random: opportunistically initialize on /dev/urandom reads
        random: do not split fast init input in add_hwgenerator_randomness()
      3638bd90
    • Linus Torvalds's avatar
      Merge tag 'ata-5.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 640b5037
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
      
       - Fix a compilation warning due to an uninitialized variable in
         ata_sff_lost_interrupt(), from me.
      
       - Fix invalid internal command tag handling in the sata_dwc_460ex
         driver, from Christian.
      
       - Disable READ LOG DMA EXT with Samsung 840 EVO SSDs as this command
         causes the drives to hang, from Christian.
      
       - Change the config option CONFIG_SATA_LPM_POLICY back to its original
         name CONFIG_SATA_LPM_MOBILE_POLICY to avoid potential problems with
         users losing their configuration (as discussed during the merge
         window), from Mario.
      
      * tag 'ata-5.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: ahci: Rename CONFIG_SATA_LPM_POLICY configuration item back
        ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
        ata: sata_dwc_460ex: Fix crash due to OOB write
        ata: libata-sff: Fix compilation warning in ata_sff_lost_interrupt()
      640b5037
    • Duoming Zhou's avatar
      drivers: net: slip: fix NPD bug in sl_tx_timeout() · ec4eb8a8
      Duoming Zhou authored
      When a slip driver is detaching, the slip_close() will act to
      cleanup necessary resources and sl->tty is set to NULL in
      slip_close(). Meanwhile, the packet we transmit is blocked,
      sl_tx_timeout() will be called. Although slip_close() and
      sl_tx_timeout() use sl->lock to synchronize, we don`t judge
      whether sl->tty equals to NULL in sl_tx_timeout() and the
      null pointer dereference bug will happen.
      
         (Thread 1)                 |      (Thread 2)
                                    | slip_close()
                                    |   spin_lock_bh(&sl->lock)
                                    |   ...
      ...                           |   sl->tty = NULL //(1)
      sl_tx_timeout()               |   spin_unlock_bh(&sl->lock)
        spin_lock(&sl->lock);       |
        ...                         |   ...
        tty_chars_in_buffer(sl->tty)|
          if (tty->ops->..) //(2)   |
          ...                       |   synchronize_rcu()
      
      We set NULL to sl->tty in position (1) and dereference sl->tty
      in position (2).
      
      This patch adds check in sl_tx_timeout(). If sl->tty equals to
      NULL, sl_tx_timeout() will goto out.
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Reviewed-by: default avatarJiri Slaby <jirislaby@kernel.org>
      Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ec4eb8a8
    • Volodymyr Mytnyk's avatar
      prestera: acl: add action hw_stats support · e8bd7025
      Volodymyr Mytnyk authored
      Currently, when user adds a tc action and the action gets offloaded,
      the user expects the HW stats to be counted also. This limits the
      amount of supported offloaded filters, as HW counter resources may
      be quite limited. Without counter assigned, the HW is capable to
      carry much more filters.
      
      To resolve the issue above, the following types of HW stats are
      offloaded and supported by the driver:
      
      any       - current default, user does not care about the type.
      delayed   - polled from HW periodically.
      disabled  - no HW stats needed.
      immediate - not supported.
      
      Example:
        tc filter add dev PORT ingress proto ip flower skip_sw ip_proto 0x11 \
          action drop
        tc filter add dev PORT ingress proto ip flower skip_sw ip_proto 0x12 \
          action drop hw_stats disabled
        tc filter add dev sw1p1 ingress proto ip flower skip_sw ip_proto 0x14 \
          action drop hw_stats delayed
      Signed-off-by: default avatarVolodymyr Mytnyk <vmytnyk@marvell.com>
      Link: https://lore.kernel.org/r/1649164814-18731-1-git-send-email-volodymyr.mytnyk@plvision.euSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e8bd7025
    • Niels Dossche's avatar
      ipv6: fix locking issues with loops over idev->addr_list · 51454ea4
      Niels Dossche authored
      idev->addr_list needs to be protected by idev->lock. However, it is not
      always possible to do so while iterating and performing actions on
      inet6_ifaddr instances. For example, multiple functions (like
      addrconf_{join,leave}_anycast) eventually call down to other functions
      that acquire the idev->lock. The current code temporarily unlocked the
      idev->lock during the loops, which can cause race conditions. Moving the
      locks up is also not an appropriate solution as the ordering of lock
      acquisition will be inconsistent with for example mc_lock.
      
      This solution adds an additional field to inet6_ifaddr that is used
      to temporarily add the instances to a temporary list while holding
      idev->lock. The temporary list can then be traversed without holding
      idev->lock. This change was done in two places. In addrconf_ifdown, the
      list_for_each_entry_safe variant of the list loop is also no longer
      necessary as there is no deletion within that specific loop.
      Suggested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarNiels Dossche <dossche.niels@gmail.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20220403231523.45843-1-dossche.niels@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      51454ea4
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8e9d0d7a
      Jakub Kicinski authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2022-04-06
      
      We've added 8 non-merge commits during the last 8 day(s) which contain
      a total of 9 files changed, 139 insertions(+), 36 deletions(-).
      
      The main changes are:
      
      1) rethook related fixes, from Jiri and Masami.
      
      2) Fix the case when tracing bpf prog is attached to struct_ops, from Martin.
      
      3) Support dual-stack sockets in bpf_tcp_check_syncookie, from Maxim.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Adjust bpf_tcp_check_syncookie selftest to test dual-stack sockets
        bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
        bpf: selftests: Test fentry tracing a struct_ops program
        bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
        rethook: Fix to use WRITE_ONCE() for rethook:: Handler
        selftests/bpf: Fix warning comparing pointer to 0
        bpf: Fix sparse warnings in kprobe_multi_resolve_syms
        bpftool: Explicit errno handling in skeletons
      ====================
      
      Link: https://lore.kernel.org/r/20220407031245.73026-1-alexei.starovoitov@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8e9d0d7a
  3. 06 Apr, 2022 3 commits
    • Jason A. Donenfeld's avatar
      random: check for signals every PAGE_SIZE chunk of /dev/[u]random · e3c1c4fd
      Jason A. Donenfeld authored
      In 1448769c ("random: check for signal_pending() outside of
      need_resched() check"), Jann pointed out that we previously were only
      checking the TIF_NOTIFY_SIGNAL and TIF_SIGPENDING flags if the process
      had TIF_NEED_RESCHED set, which meant in practice, super long reads to
      /dev/[u]random would delay signal handling by a long time. I tried this
      using the below program, and indeed I wasn't able to interrupt a
      /dev/urandom read until after several megabytes had been read. The bug
      he fixed has always been there, and so code that reads from /dev/urandom
      without checking the return value of read() has mostly worked for a long
      time, for most sizes, not just for <= 256.
      
      Maybe it makes sense to keep that code working. The reason it was so
      small prior, ignoring the fact that it didn't work anyway, was likely
      because /dev/random used to block, and that could happen for pretty
      large lengths of time while entropy was gathered. But now, it's just a
      chacha20 call, which is extremely fast and is just operating on pure
      data, without having to wait for some external event. In that sense,
      /dev/[u]random is a lot more like /dev/zero.
      
      Taking a page out of /dev/zero's read_zero() function, it always returns
      at least one chunk, and then checks for signals after each chunk. Chunk
      sizes there are of length PAGE_SIZE. Let's just copy the same thing for
      /dev/[u]random, and check for signals and cond_resched() for every
      PAGE_SIZE amount of data. This makes the behavior more consistent with
      expectations, and should mitigate the impact of Jann's fix for the
      age-old signal check bug.
      
      ---- test program ----
      
        #include <unistd.h>
        #include <signal.h>
        #include <stdio.h>
        #include <sys/random.h>
      
        static unsigned char x[~0U];
      
        static void handle(int) { }
      
        int main(int argc, char *argv[])
        {
          pid_t pid = getpid(), child;
          signal(SIGUSR1, handle);
          if (!(child = fork())) {
            for (;;)
              kill(pid, SIGUSR1);
          }
          pause();
          printf("interrupted after reading %zd bytes\n", getrandom(x, sizeof(x), 0));
          kill(child, SIGTERM);
          return 0;
        }
      
      Cc: Jann Horn <jannh@google.com>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      e3c1c4fd
    • Borislav Petkov's avatar
      bnx2x: Fix undefined behavior due to shift overflowing the constant · 8dd7cdb0
      Borislav Petkov authored
      Fix:
      
        drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c: In function ‘bnx2x_check_blocks_with_parity3’:
        drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c:4917:4: error: case label does not reduce to an integer constant
            case AEU_INPUTS_ATTN_BITS_MCP_LATCHED_SCPAD_PARITY:
            ^~~~
      
      See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
      details as to why it triggers with older gccs only.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Ariel Elior <aelior@marvell.com>
      Cc: Sudarsana Kalluru <skalluru@marvell.com>
      Cc: Manish Chopra <manishc@marvell.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20220405151517.29753-4-bp@alien8.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8dd7cdb0
    • Eric Dumazet's avatar
      tcp: add accessors to read/set tp->snd_cwnd · 40570375
      Eric Dumazet authored
      We had various bugs over the years with code
      breaking the assumption that tp->snd_cwnd is greater
      than zero.
      
      Lately, syzbot reported the WARN_ON_ONCE(!tp->prior_cwnd) added
      in commit 8b8a321f ("tcp: fix zero cwnd in tcp_cwnd_reduction")
      can trigger, and without a repro we would have to spend
      considerable time finding the bug.
      
      Instead of complaining too late, we want to catch where
      and when tp->snd_cwnd is set to an illegal value.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Suggested-by: default avatarYuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Link: https://lore.kernel.org/r/20220405233538.947344-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      40570375