1. 15 Dec, 2023 11 commits
    • Merge tag 'io_uring-6.7-2023-12-15' of git://git.kernel.dk/linux · 3bd7d748
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Just two minor fixes:
      
         - Fix for the io_uring socket option commands using the wrong value
           on some archs (Al)
      
         - Tweak to the poll lazy wake enable (me)"
      
      * tag 'io_uring-6.7-2023-12-15' of git://git.kernel.dk/linux:
        io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation
        io_uring/poll: don't enable lazy wake for POLLEXCLUSIVE
    • Merge tag 'mm-hotfixes-stable-2023-12-15-07-11' of... · a62aa88b
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2023-12-15-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from Andrew Morton:
       "17 hotfixes. 8 are cc:stable and the other 9 pertain to post-6.6
        issues"
      
      * tag 'mm-hotfixes-stable-2023-12-15-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        mm/mglru: reclaim offlined memcgs harder
        mm/mglru: respect min_ttl_ms with memcgs
        mm/mglru: try to stop at high watermarks
        mm/mglru: fix underprotected page cache
        mm/shmem: fix race in shmem_undo_range w/THP
        Revert "selftests: error out if kernel header files are not yet built"
        crash_core: fix the check for whether crashkernel is from high memory
        x86, kexec: fix the wrong ifdeffery CONFIG_KEXEC
        sh, kexec: fix the incorrect ifdeffery and dependency of CONFIG_KEXEC
        mips, kexec: fix the incorrect ifdeffery and dependency of CONFIG_KEXEC
        m68k, kexec: fix the incorrect ifdeffery and build dependency of CONFIG_KEXEC
        loongarch, kexec: change dependency of object files
        mm/damon/core: make damon_start() waits until kdamond_fn() starts
        selftests/mm: cow: print ksft header before printing anything else
        mm: fix VMA heap bounds checking
        riscv: fix VMALLOC_START definition
        kexec: drop dependency on ARCH_SUPPORTS_KEXEC from CRASH_DUMP
    • Merge tag 'sound-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 26e7a301
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of HD-audio quirks for TAS2781 codec and device-specific
        workarounds"
      
      * tag 'sound-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/tas2781: reset the amp before component_add
        ALSA: hda/tas2781: call cleanup functions only once
        ALSA: hda/tas2781: handle missing EFI calibration data
        ALSA: hda/tas2781: leave hda_component in usable state
        ALSA: hda/realtek: Apply mute LED quirk for HP15-db
        ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
        ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
    • Merge tag 'drm-fixes-2023-12-15' of git://anongit.freedesktop.org/drm/drm · 595609b2
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "More regular fixes, amdgpu, i915, mediatek and nouveau are most of
        them this week. Nothing too major, then a few misc bits and pieces in
        core, panel and ivpu.
      
        drm:
         - fix uninit problems in crtc
         - fix fd ownership check
         - edid: add modes in fallback paths
      
        panel:
         - move LG panel into DSI yaml
         - ltk050h3146w: set burst mode
      
        mediatek:
         - mtk_disp_gamma: Fix breakage due to merge issue
         - fix kernel oops if no crtc is found
         - Add spinlock for setting vblank event in atomic_begin
         - Fix access violation in mtk_drm_crtc_dma_dev_get
      
        i915:
         - Fix selftest engine reset count storage for multi-tile
         - Fix out-of-bounds reads for engine reset counts
         - Fix ADL+ remapped stride with CCS
         - Fix intel_atomic_setup_scalers() plane_state handling
         - Fix ADL+ tiled plane stride when the POT stride is smaller than the original
         - Fix eDP 1.4 rate select method link configuration
      
        amdgpu:
         - Fix suspend fix that got accidentally mangled last week
         - Fix OD regression
         - PSR fixes
         - OLED Backlight regression fix
         - JPEG 4.0.5 fix
         - Misc display fixes
         - SDMA 5.2 fix
         - SDMA 2.4 regression fix
         - GPUVM race fix
      
        nouveau:
         - fix gk20a instobj hierarchy
         - fix headless iors inheritance regression
      
        ivpu:
         - fix WA initialisation"
      
      * tag 'drm-fixes-2023-12-15' of git://anongit.freedesktop.org/drm/drm: (31 commits)
        drm/nouveau/kms/nv50-: Don't allow inheritance of headless iors
        drm/nouveau: Fixup gk20a instobj hierarchy
        drm/amdgpu: warn when there are still mappings when a BO is destroyed v2
        drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
        drm/amd: Fix a probing order problem on SDMA 2.4
        drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
        drm/panel: ltk050h3146w: Set burst mode for ltk050h3148w
        dt-bindings: panel-simple-dsi: move LG 5" HD TFT LCD panel into DSI yaml
        drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
        drm/amd/display: Populate dtbclk from bounding box
        drm/amd/display: Revert "Fix conversions between bytes and KB"
        drm/amdgpu/jpeg: configure doorbell for each playback
        drm/amd/display: Restore guard against default backlight value < 1 nit
        drm/amd/display: fix hw rotated modes when PSR-SU is enabled
        drm/amd/pm: fix pp_*clk_od typo
        drm/amdgpu: fix buffer funcs setting order on suspend harder
        drm/mediatek: Fix access violation in mtk_drm_crtc_dma_dev_get
        drm/edid: also call add modes in EDID connector update fallback
        drm/i915/edp: don't write to DP_LINK_BW_SET when using rate select
        drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller than the original
        ...
    • drm/nouveau/kms/nv50-: Don't allow inheritance of headless iors · 7ba84cbf
      Lyude Paul authored
      Turns out we made a silly mistake when coming up with OR inheritance on
      nouveau. On pre-DCB 4.1, iors are statically routed to output paths via the
      DCB. On later generations iors are only routed to an output path if they're
      actually being used. Unfortunately, it appears with NVIF_OUTP_INHERIT_V0 we
      make the mistake of assuming the latter is true on all generations, which is
      currently leading us to return bogus ior -> head assignments through nvif,
      which causes WARN_ON().
      
      So - fix this by verifying that we actually know that there's a head
      assigned to an ior before allowing it to be inherited through nvif. This
      -should- hopefully fix the WARN_ON on GT218 reported by Borislav.
      Signed-off-by: Lyude Paul <lyude@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Reported-by: Borislav Petkov (AMD) <bp@alien8.de>
      Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20231214004359.1028109-1-lyude@redhat.com
    • drm/nouveau: Fixup gk20a instobj hierarchy · 46dec616
      Thierry Reding authored
      Commit 12c9b05d ("drm/nouveau/imem: support allocations not
      preserved across suspend") uses container_of() to cast from struct
      nvkm_memory to struct nvkm_instobj, assuming that all instance objects
      are derived from struct nvkm_instobj. For the gk20a family that's not
      the case and they are derived from struct nvkm_memory instead. This
      causes some subtle data corruption (nvkm_instobj.preserve ends up
      mapping to gk20a_instobj.vaddr) that causes a NULL pointer dereference
      in gk20a_instobj_acquire_iommu() (and possibly elsewhere) and also
      prevents suspend/resume from working.
      
      Fix this by making struct gk20a_instobj derive from struct nvkm_instobj
      instead.
      
      Fixes: 12c9b05d ("drm/nouveau/imem: support allocations not preserved across suspend")
      Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
      Signed-off-by: Thierry Reding <treding@nvidia.com>
      Tested-by: Jon Hunter <jonathanh@nvidia.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20231208104653.1917055-1-thierry.reding@gmail.com
    • Merge tag '6.7-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 3f716859
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
       "Address OOBs and NULL dereference found by Dr. Morris's recent
        analysis and fuzzing.
      
        All marked for stable as well"
      
      * tag '6.7-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        smb: client: fix OOB in smb2_query_reparse_point()
        smb: client: fix NULL deref in asn1_ber_decoder()
        smb: client: fix potential OOBs in smb2_parse_contexts()
        smb: client: fix OOB in receive_encrypted_standard()
    • Merge tag 'drm-misc-fixes-2023-12-14' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · f8678a33
      Dave Airlie authored
      drm-misc-fixes for v6.7-rc6:
      - Fix regression for checking if FD is master capable.
      - Fix uninitialized variables in drm/crtc.
      - Fix ivpu w/a.
      - Refresh modes correctly when updating EDID.
      - Small panel fixes.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/2d46b68f-c5a4-45e5-beb4-411569f4aac8@linux.intel.com
    • Merge tag 'amd-drm-fixes-6.7-2023-12-13' of... · 7beae483
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.7-2023-12-13' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.7-2023-12-13:
      
      amdgpu:
      - Fix suspend fix that got accidentally mangled last week
      - Fix OD regression
      - PSR fixes
      - OLED Backlight regression fix
      - JPEG 4.0.5 fix
      - Misc display fixes
      - SDMA 5.2 fix
      - SDMA 2.4 regression fix
      - GPUVM race fix
      Signed-off-by: Dave Airlie <airlied@redhat.com>

      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20231213221122.4937-1-alexander.deucher@amd.com
    • Merge tag 'platform-drivers-x86-v6.7-4' of... · 976600c6
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Ilpo Järvinen:
      
       - tablet-mode-switch events fix
      
       - kernel-doc warning fixes
      
      * tag 'platform-drivers-x86-v6.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: intel_ips: fix kernel-doc formatting
        platform/x86: thinkpad_acpi: fix kernel-doc warnings
        platform/x86: intel-vbtn: Fix missing tablet-mode-switch events
    • Merge tag 'drm-intel-fixes-2023-12-13' of... · 51af5563
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2023-12-13' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      drm/i915 fixes for v6.7-rc6:
      - Fix selftest engine reset count storage for multi-tile
      - Fix out-of-bounds reads for engine reset counts
      - Fix ADL+ remapped stride with CCS
      - Fix intel_atomic_setup_scalers() plane_state handling
      - Fix ADL+ tiled plane stride when the POT stride is smaller than the original
      - Fix eDP 1.4 rate select method link configuration
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/871qbqw4rw.fsf@intel.com
  2. 14 Dec, 2023 15 commits
    • io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation · 1ba0e9d6
      Al Viro authored
      	In 8e9fad0e "io_uring: Add io_uring command support for sockets"
      you've got an include of asm-generic/ioctls.h done in io_uring/uring_cmd.c.
      That had been done for the sake of this chunk -
      +               ret = prot->ioctl(sk, SIOCINQ, &arg);
      +               if (ret)
      +                       return ret;
      +               return arg;
      +       case SOCKET_URING_OP_SIOCOUTQ:
      +               ret = prot->ioctl(sk, SIOCOUTQ, &arg);
      
      SIOC{IN,OUT}Q are defined to symbols (FIONREAD and TIOCOUTQ) that come from
      ioctls.h, all right, but the values vary by the architecture.
      
      FIONREAD is
      	0x467F on mips
      	0x4004667F on alpha, powerpc and sparc
      	0x8004667F on sh and xtensa
      	0x541B everywhere else
      TIOCOUTQ is
      	0x7472 on mips
      	0x40047473 on alpha, powerpc and sparc
      	0x80047473 on sh and xtensa
      	0x5411 everywhere else
      
      ->ioctl() expects the same values it would've gotten from userland; all
      places where we compare with SIOC{IN,OUT}Q are using asm/ioctls.h, so
      they pick the correct values.  io_uring_cmd_sock(), OTOH, ends up
      passing the default ones.
      
      Fixes: 8e9fad0e ("io_uring: Add io_uring command support for sockets")
      Cc:  <stable@vger.kernel.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Link: https://lore.kernel.org/r/20231214213408.GT1674809@ZenIV
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Merge tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c7402612
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
      "Current release - regressions:
      
         - tcp: fix tcp_disordered_ack() vs usec TS resolution
      
        Current release - new code bugs:
      
         - dpll: sanitize possible null pointer dereference in
           dpll_pin_parent_pin_set()
      
         - eth: octeon_ep: initialise control mbox tasks before using APIs
      
        Previous releases - regressions:
      
         - io_uring/af_unix: disable sending io_uring over sockets
      
         - eth: mlx5e:
             - TC, don't offload post action rule if not supported
             - fix possible deadlock on mlx5e_tx_timeout_work
      
         - eth: iavf: fix iavf_shutdown to call iavf_remove instead iavf_close
      
         - eth: bnxt_en: fix skb recycling logic in bnxt_deliver_skb()
      
         - eth: ena: fix DMA syncing in XDP path when SWIOTLB is on
      
         - eth: team: fix use-after-free when an option instance allocation
           fails
      
        Previous releases - always broken:
      
         - neighbour: don't let neigh_forced_gc() disable preemption for long
      
         - net: prevent mss overflow in skb_segment()
      
         - ipv6: support reporting otherwise unknown prefix flags in
           RTM_NEWPREFIX
      
         - tcp: remove acked SYN flag from packet in the transmit queue
           correctly
      
         - eth: octeontx2-af:
             - fix a use-after-free in rvu_nix_register_reporters
             - fix promisc mcam entry action
      
         - eth: dwmac-loongson: make sure MDIO is initialized before use
      
         - eth: atlantic: fix double free in ring reinit logic"
      
      * tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        net: atlantic: fix double free in ring reinit logic
        appletalk: Fix Use-After-Free in atalk_ioctl
        net: stmmac: Handle disabled MDIO busses from devicetree
        net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
        dpaa2-switch: do not ask for MDB, VLAN and FDB replay
        dpaa2-switch: fix size of the dma_unmap
        net: prevent mss overflow in skb_segment()
        vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
        Revert "tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set"
        MIPS: dts: loongson: drop incorrect dwmac fallback compatible
        stmmac: dwmac-loongson: drop useless check for compatible fallback
        stmmac: dwmac-loongson: Make sure MDIO is initialized before use
        tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set
        dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
        net: ena: Fix XDP redirection error
        net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
        net: ena: Fix xdp drops handling due to multibuf packets
        net: ena: Destroy correct number of xdp queues upon failure
        net: Remove acked SYN flag from packet in the transmit queue correctly
        qed: Fix a potential use-after-free in qed_cxt_tables_alloc
        ...
    • Merge tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · bdb2701f
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
        "Some fixes to quota accounting code, mostly around error handling and
         correctness:
      
         - free reserves on various error paths, after IO errors or
           transaction abort
      
         - don't clear reserved range at the folio release time, it'll be
           properly cleared after final write
      
         - fix integer overflow due to int used when passing around size of
           freed reservations
      
         - fix a regression in squota accounting that missed some cases with
           delayed refs"
      
      * tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: ensure releasing squota reserve on head refs
        btrfs: don't clear qgroup reserved bit in release_folio
        btrfs: free qgroup pertrans reserve on transaction abort
        btrfs: fix qgroup_free_reserved_data int overflow
        btrfs: free qgroup reserve when ORDERED_IOERR is set
    • net: atlantic: fix double free in ring reinit logic · 7bb26ea7
      Igor Russkikh authored
      Driver has a logic leak in ring data allocation/free,
      where double free may happen in aq_ring_free if system is under
      stress and driver init/deinit is happening.
      
      The probability is higher to get this during suspend/resume cycle.
      
      Verification was done simulating same conditions with
      
          stress -m 2000 --vm-bytes 20M --vm-hang 10 --backoff 1000
          while true; do sudo ifconfig enp1s0 down; sudo ifconfig enp1s0 up; done
      
      Fixed by explicitly clearing pointers to NULL on deallocation
      
      Fixes: 018423e9 ("net: ethernet: aquantia: Add ring support code")
      Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
      Closes: https://lore.kernel.org/netdev/CAHk-=wiZZi7FcvqVSUirHBjx0bBUZ4dFrMDVLc3+3HCrtq0rBA@mail.gmail.com/
      Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
      Link: https://lore.kernel.org/r/20231213094044.22988-1-irusskikh@marvell.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • ALSA: hda/tas2781: reset the amp before component_add · 315deab2
      Gergo Koteles authored
      Calling component_add starts loading the firmware, the callback function
      writes the program to the amplifiers. If the module resets the
      amplifiers after component_add, it happens that one of the amplifiers
      does not work because the reset and program writing are interleaving.
      
      Call tas2781_reset before component_add to ensure reliable
      initialization.
      
      Fixes: 5be27f1e ("ALSA: hda/tas2781: Add tas2781 HDA driver")
      CC: stable@vger.kernel.org
      Signed-off-by: Gergo Koteles <soyer@irl.hu>
      Link: https://lore.kernel.org/r/4d23bf58558e23ee8097de01f70f1eb8d9de2d15.1702511246.git.soyer@irl.hu
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • ALSA: hda/tas2781: call cleanup functions only once · 6c6fa264
      Gergo Koteles authored
      If the module can load the RCA but not the firmware binary, it will call
      the cleanup functions. Then unloading the module causes general
      protection fault due to double free.
      
      Do not call the cleanup functions in tasdev_fw_ready.
      
      general protection fault, probably for non-canonical address
      0x6f2b8a2bff4c8fec: 0000 [#1] PREEMPT SMP NOPTI
      Call Trace:
       <TASK>
       ? die_addr+0x36/0x90
       ? exc_general_protection+0x1c5/0x430
       ? asm_exc_general_protection+0x26/0x30
       ? tasdevice_config_info_remove+0x6d/0xd0 [snd_soc_tas2781_fmwlib]
       tas2781_hda_unbind+0xaa/0x100 [snd_hda_scodec_tas2781_i2c]
       component_unbind+0x2e/0x50
       component_unbind_all+0x92/0xa0
       component_del+0xa8/0x140
       tas2781_hda_remove.isra.0+0x32/0x60 [snd_hda_scodec_tas2781_i2c]
       i2c_device_remove+0x26/0xb0
      
      Fixes: 5be27f1e ("ALSA: hda/tas2781: Add tas2781 HDA driver")
      CC: stable@vger.kernel.org
      Signed-off-by: Gergo Koteles <soyer@irl.hu>
      Link: https://lore.kernel.org/r/1a0885c424bb21172702d254655882b59ef6477a.1702510018.git.soyer@irl.hu
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • appletalk: Fix Use-After-Free in atalk_ioctl · 189ff167
      Hyunwoo Kim authored
      Because atalk_ioctl() accesses sk->sk_receive_queue
      without holding a sk->sk_receive_queue.lock, it can
      cause a race with atalk_recvmsg().
      A use-after-free for skb occurs with the following flow.
      ```
      atalk_ioctl() -> skb_peek()
      atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
      ```
      Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
      Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AX
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: stmmac: Handle disabled MDIO busses from devicetree · e23c0d21
      Andrew Halaney authored
      Many hardware configurations have the MDIO bus disabled, and are instead
      using some other MDIO bus to talk to the MAC's phy.
      
      of_mdiobus_register() returns -ENODEV in this case. Let's handle it
      gracefully instead of failing to probe the MAC.
      
      Fixes: 47dd7a54 ("net: add support for STMicroelectronics Ethernet controllers.")
      Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
      Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20231212-b4-stmmac-handle-mdio-enodev-v2-1-600171acf79f@redhat.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX · 981d947b
      Sneh Shah authored
      In 10M SGMII mode all the packets are being dropped due to wrong Rx clock.
      SGMII 10MBPS mode needs RX clock divider programmed to avoid drops in Rx.
      Update configure SGMII function with Rx clk divider programming.
      
      Fixes: 463120c3 ("net: stmmac: dwmac-qcom-ethqos: add support for SGMII")
      Tested-by: Andrew Halaney <ahalaney@redhat.com>
      Signed-off-by: Sneh Shah <quic_snehshah@quicinc.com>
      Reviewed-by: Bjorn Andersson <quic_bjorande@quicinc.com>
      Link: https://lore.kernel.org/r/20231212092208.22393-1-quic_snehshah@quicinc.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 89e0c646
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-12 (iavf)
      
      This series contains updates to iavf driver only.
      
      Piotr reworks Flow Director states to deal with issues in restoring
      filters.
      
      Slawomir fixes shutdown processing as it was missing needed calls.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        iavf: Fix iavf_shutdown to call iavf_remove instead iavf_close
        iavf: Handle ntuple on/off based on new state machines for flow director
        iavf: Introduce new state machines for flow director
      ====================
      
      Link: https://lore.kernel.org/r/20231212203613.513423-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'dpaa2-switch-various-fixes' · dc84bb19
      Jakub Kicinski authored
      Ioana Ciornei says:
      
      ====================
      dpaa2-switch: various fixes
      
      The first patch fixes the size passed to two dma_unmap_single() calls
      which was wrongly put as the size of the pointer.
      
      The second patch is new to this series and reverts the behavior of the
      dpaa2-switch driver to not ask for object replay upon offloading so that
      we avoid the errors encountered when a VLAN is installed multiple times
      on the same port.
      ====================
      
      Link: https://lore.kernel.org/r/20231212164326.2753457-1-ioana.ciornei@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • dpaa2-switch: do not ask for MDB, VLAN and FDB replay · f24a49a3
      Ioana Ciornei authored
      Starting with commit 4e51bf44 ("net: bridge: move the switchdev
      object replay helpers to "push" mode") the switchdev_bridge_port_offload()
      helper was extended with the intention to provide switchdev drivers easy
      access to object addition and deletion replays. This works by calling
      the replay helpers with non-NULL notifier blocks.
      
      In the same commit, the dpaa2-switch driver was updated so that it
      passes valid notifier blocks to the helper. At that moment, no
      regression was identified through testing.
      
      In the meantime, the blamed commit changed the behavior in terms of
      which ports get hit by the replay. Before this commit, only the initial
      port which identified itself as offloaded through
      switchdev_bridge_port_offload() got a replay of all port objects and
      FDBs. After this, the newly joining port will trigger a replay of
      objects on all bridge ports and on the bridge itself.
      
      This behavior leads to errors in dpaa2_switch_port_vlans_add() when a
      VLAN gets installed on the same interface multiple times.
      
      The intended mechanism to address this is to pass a non-NULL ctx to the
      switchdev_bridge_port_offload() helper and then check it against the
      port's private structure. But since the driver does not have any use for
      the replayed port objects and FDBs until it gains support for LAG
      offload, it's better to fix the issue by reverting the dpaa2-switch
      driver to not ask for replay. The pointers will be added back when we
      are prepared to ignore replays on unrelated ports.
      
      Fixes: b28d580e ("net: bridge: switchdev: replay all VLAN groups")
      Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-3-ioana.ciornei@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • dpaa2-switch: fix size of the dma_unmap · 2aad7d41
      Ioana Ciornei authored
      The size of the DMA unmap was wrongly put as a sizeof of a pointer.
      Change the value of the DMA unmap to be the actual macro used for the
      allocation and the DMA map.
      
      Fixes: 1110318d ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
      Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-2-ioana.ciornei@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: prevent mss overflow in skb_segment() · 23d05d56
      Eric Dumazet authored
      Once again syzbot is able to crash the kernel in skb_segment() [1]
      
      GSO_BY_FRAGS is a forbidden value, but unfortunately the following
      computation in skb_segment() can reach it quite easily :
      
      	mss = mss * partial_segs;
      
      65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
      a bad final result.
      
      Make sure to limit segmentation so that the new mss value is smaller
      than GSO_BY_FRAGS.
      
      [1]
      
      general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
      CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3c #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
      ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
      skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
      __skb_gso_segment+0x339/0x710 net/core/gso.c:124
      skb_gso_segment include/net/gso.h:83 [inline]
      validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
      __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
      dev_queue_xmit include/linux/netdevice.h:3134 [inline]
      packet_xmit+0x257/0x380 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3087 [inline]
      packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f8692032aa9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
      RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
      R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
      </TASK>
      Modules linked in:
      ---[ end trace 0000000000000000 ]---
      
      Fixes: 3953c46c ("sk_buff: allow segmenting based on frag sizes")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() · 60316d7f
      Nikolay Kuratov authored
      We need to do signed arithmetic if we expect condition
      `if (bytes < 0)` to be possible
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE
      
      Fixes: 06a8fc78 ("VSOCK: Introduce virtio_vsock_common.ko")
      Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20231211162317.4116625-1-kniv@yandex-team.ru
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 13 Dec, 2023 14 commits