1. 03 Jun, 2023 12 commits
  2. 02 Jun, 2023 11 commits
  3. 01 Jun, 2023 17 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · a03a91bd
      Jakub Kicinski authored
      Cross-merge networking fixes after downstream PR.
      
      No conflicts.
      
      Adjacent changes:
      
      drivers/net/ethernet/sfc/tc.c
        622ab656 ("sfc: fix error unwinds in TC offload")
        b6583d5e ("sfc: support TC decap rules matching on enc_src_port")
      
      net/mptcp/protocol.c
        5b825727 ("mptcp: add annotations around msk->subflow accesses")
        e76c8ef5 ("mptcp: refactor mptcp_stream_accept()")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a03a91bd
    • Linus Torvalds's avatar
      Merge tag 'net-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 714069da
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Happy Wear a Dress Day.
      
        Fairly standard-sized batch of fixes, accounting for the lack of
        sub-tree submissions this week. The mlx5 IRQ fixes are notable, people
        were complaining about that. No fires burning.
      
        Current release - regressions:
      
         - eth: mlx5e:
            - multiple fixes for dynamic IRQ allocation
            - prevent encap offload when neigh update is running
      
         - eth: mana: fix perf regression: remove rx_cqes, tx_cqes counters
      
        Current release - new code bugs:
      
         - eth: mlx5e: DR, add missing mutex init/destroy in pattern manager
      
        Previous releases - always broken:
      
         - tcp: deny tcp_disconnect() when threads are waiting
      
         - sched: prevent ingress Qdiscs from getting installed in random
           locations in the hierarchy and moving around
      
         - sched: flower: fix possible OOB write in fl_set_geneve_opt()
      
         - netlink: fix NETLINK_LIST_MEMBERSHIPS length report
      
         - udp6: fix race condition in udp6_sendmsg & connect
      
         - tcp: fix mishandling when the sack compression is deferred
      
         - rtnetlink: validate link attributes set at creation time
      
         - mptcp: fix connect timeout handling
      
         - eth: stmmac: fix call trace when stmmac_xdp_xmit() is invoked
      
         - eth: amd-xgbe: fix the false linkup in xgbe_phy_status
      
         - eth: mlx5e:
            - fix corner cases in internal buffer configuration
            - drain health before unregistering devlink
      
         - usb: qmi_wwan: set DTR quirk for BroadMobi BM818
      
        Misc:
      
         - tcp: return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if
           user_mss set"
      
      * tag 'net-6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (71 commits)
        mptcp: fix active subflow finalization
        mptcp: add annotations around sk->sk_shutdown accesses
        mptcp: fix data race around msk->first access
        mptcp: consolidate passive msk socket initialization
        mptcp: add annotations around msk->subflow accesses
        mptcp: fix connect timeout handling
        rtnetlink: add the missing IFLA_GRO_ tb check in validate_linkmsg
        rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg
        rtnetlink: call validate_linkmsg in rtnl_create_link
        ice: recycle/free all of the fragments from multi-buffer frame
        net: phy: mxl-gpy: extend interrupt fix to all impacted variants
        net: renesas: rswitch: Fix return value in error path of xmit
        net: dsa: mv88e6xxx: Increase wait after reset deactivation
        net: ipa: Use correct value for IPA_STATUS_SIZE
        tcp: fix mishandling when the sack compression is deferred.
        net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
        sfc: fix error unwinds in TC offload
        net/mlx5: Read embedded cpu after init bit cleared
        net/mlx5e: Fix error handling in mlx5e_refresh_tirs
        net/mlx5: Ensure af_desc.mask is properly initialized
        ...
      714069da
    • Mike Christie's avatar
      fork, vhost: Use CLONE_THREAD to fix freezer/ps regression · f9010dbd
      Mike Christie authored
      When switching from kthreads to vhost_tasks two bugs were added:
      1. The vhost worker tasks's now show up as processes so scripts doing
      ps or ps a would not incorrectly detect the vhost task as another
      process.  2. kthreads disabled freeze by setting PF_NOFREEZE, but
      vhost tasks's didn't disable or add support for them.
      
      To fix both bugs, this switches the vhost task to be thread in the
      process that does the VHOST_SET_OWNER ioctl, and has vhost_worker call
      get_signal to support SIGKILL/SIGSTOP and freeze signals. Note that
      SIGKILL/STOP support is required because CLONE_THREAD requires
      CLONE_SIGHAND which requires those 2 signals to be supported.
      
      This is a modified version of the patch written by Mike Christie
      <michael.christie@oracle.com> which was a modified version of patch
      originally written by Linus.
      
      Much of what depended upon PF_IO_WORKER now depends on PF_USER_WORKER.
      Including ignoring signals, setting up the register state, and having
      get_signal return instead of calling do_group_exit.
      
      Tidied up the vhost_task abstraction so that the definition of
      vhost_task only needs to be visible inside of vhost_task.c.  Making
      it easier to review the code and tell what needs to be done where.
      As part of this the main loop has been moved from vhost_worker into
      vhost_task_fn.  vhost_worker now returns true if work was done.
      
      The main loop has been updated to call get_signal which handles
      SIGSTOP, freezing, and collects the message that tells the thread to
      exit as part of process exit.  This collection clears
      __fatal_signal_pending.  This collection is not guaranteed to
      clear signal_pending() so clear that explicitly so the schedule()
      sleeps.
      
      For now the vhost thread continues to exist and run work until the
      last file descriptor is closed and the release function is called as
      part of freeing struct file.  To avoid hangs in the coredump
      rendezvous and when killing threads in a multi-threaded exec.  The
      coredump code and de_thread have been modified to ignore vhost threads.
      
      Remvoing the special case for exec appears to require teaching
      vhost_dev_flush how to directly complete transactions in case
      the vhost thread is no longer running.
      
      Removing the special case for coredump rendezvous requires either the
      above fix needed for exec or moving the coredump rendezvous into
      get_signal.
      
      Fixes: 6e890c5d ("vhost: use vhost_tasks for worker threads")
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Co-developed-by: default avatarMike Christie <michael.christie@oracle.com>
      Signed-off-by: default avatarMike Christie <michael.christie@oracle.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f9010dbd
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2023-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · a451b8eb
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-05-31
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5: Read embedded cpu after init bit cleared
        net/mlx5e: Fix error handling in mlx5e_refresh_tirs
        net/mlx5: Ensure af_desc.mask is properly initialized
        net/mlx5: Fix setting of irq->map.index for static IRQ case
        net/mlx5: Remove rmap also in case dynamic MSIX not supported
      ====================
      
      Link: https://lore.kernel.org/r/20230601031051.131529-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a451b8eb
    • Jakub Kicinski's avatar
      Merge branch 'mptcp-fixes-for-connect-timeout-access-annotations-and-subflow-init' · 66dd1014
      Jakub Kicinski authored
      Mat Martineau says:
      
      ====================
      mptcp: Fixes for connect timeout, access annotations, and subflow init
      
      Patch 1 allows the SO_SNDTIMEO sockopt to correctly change the connect
      timeout on MPTCP sockets.
      
      Patches 2-5 add READ_ONCE()/WRITE_ONCE() annotations to fix KCSAN issues.
      
      Patch 6 correctly initializes some subflow fields on outgoing connections.
      ====================
      
      Link: https://lore.kernel.org/r/20230531-send-net-20230531-v1-0-47750c420571@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      66dd1014
    • Paolo Abeni's avatar
      mptcp: fix active subflow finalization · 55b47ca7
      Paolo Abeni authored
      Active subflow are inserted into the connection list at creation time.
      When the MPJ handshake completes successfully, a new subflow creation
      netlink event is generated correctly, but the current code wrongly
      avoid initializing a couple of subflow data.
      
      The above will cause misbehavior on a few exceptional events: unneeded
      mptcp-level retransmission on msk-level sequence wrap-around and infinite
      mapping fallback even when a MPJ socket is present.
      
      Address the issue factoring out the needed initialization in a new helper
      and invoking the latter from __mptcp_finish_join() time for passive
      subflow and from mptcp_finish_join() for active ones.
      
      Fixes: 0530020a ("mptcp: track and update contiguous data status")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      55b47ca7
    • Paolo Abeni's avatar
      mptcp: add annotations around sk->sk_shutdown accesses · 6b9831bf
      Paolo Abeni authored
      Christoph reported the mptcp variant of a recently addressed plain
      TCP issue. Similar to commit e14cadfd ("tcp: add annotations around
      sk->sk_shutdown accesses") add READ/WRITE ONCE annotations to silence
      KCSAN reports around lockless sk_shutdown access.
      
      Fixes: 71ba088c ("mptcp: cleanup accept and poll")
      Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/401Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6b9831bf
    • Paolo Abeni's avatar
      mptcp: fix data race around msk->first access · 1b1b43ee
      Paolo Abeni authored
      The first subflow socket is accessed outside the msk socket lock
      by mptcp_subflow_fail(), we need to annotate each write access
      with WRITE_ONCE, but a few spots still lacks it.
      
      Fixes: 76a13b31 ("mptcp: invoke MP_FAIL response when needed")
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1b1b43ee
    • Paolo Abeni's avatar
      mptcp: consolidate passive msk socket initialization · 7e8b88ec
      Paolo Abeni authored
      When the msk socket is cloned at MPC handshake time, a few
      fields are initialized in a racy way outside mptcp_sk_clone()
      and the msk socket lock.
      
      The above is due historical reasons: before commit a88d0092
      ("mptcp: simplify subflow_syn_recv_sock()") as the first subflow socket
      carrying all the needed date was not available yet at msk creation
      time
      
      We can now refactor the code moving the missing initialization bit
      under the socket lock, removing the init race and avoiding some
      code duplication.
      
      This will also simplify the next patch, as all msk->first write
      access are now under the msk socket lock.
      
      Fixes: 0397c6d8 ("mptcp: keep unaccepted MPC subflow into join list")
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7e8b88ec
    • Paolo Abeni's avatar
      mptcp: add annotations around msk->subflow accesses · 5b825727
      Paolo Abeni authored
      The MPTCP can access the first subflow socket in a few spots
      outside the socket lock scope. That is actually safe, as MPTCP
      will delete the socket itself only after the msk sock close().
      
      Still the such accesses causes a few KCSAN splats, as reported
      by Christoph. Silence the harmless warning adding a few annotation
      around the relevant accesses.
      
      Fixes: 71ba088c ("mptcp: cleanup accept and poll")
      Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/402Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5b825727
    • Paolo Abeni's avatar
      mptcp: fix connect timeout handling · 786fc124
      Paolo Abeni authored
      Ondrej reported a functional issue WRT timeout handling on connect
      with a nice reproducer.
      
      The problem is that the current mptcp connect waits for both the
      MPTCP socket level timeout, and the first subflow socket timeout.
      The latter is not influenced/touched by the exposed setsockopt().
      
      Overall the above makes the SO_SNDTIMEO a no-op on connect.
      
      Since mptcp_connect is invoked via inet_stream_connect and the
      latter properly handle the MPTCP level timeout, we can address the
      issue making the nested subflow level connect always unblocking.
      
      This also allow simplifying a bit the code, dropping an ugly hack
      to handle the fastopen and custom proto_ops connect.
      
      The issues predates the blamed commit below, but the current resolution
      requires the infrastructure introduced there.
      
      Fixes: 54f1944e ("mptcp: factor out mptcp_connect()")
      Reported-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/399
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      786fc124
    • Jakub Kicinski's avatar
      Merge branch 'rtnetlink-a-couple-of-fixes-in-linkmsg-validation' · 3021dbfe
      Jakub Kicinski authored
      Xin Long says:
      
      ====================
      rtnetlink: a couple of fixes in linkmsg validation
      
      validate_linkmsg() was introduced to do linkmsg validation for existing
      links. However, the new created links also need this linkmsg validation.
      
      Add validate_linkmsg() check for link creating in Patch 1, and add more
      tb checks into validate_linkmsg() in Patch 2 and 3.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1685548598.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3021dbfe
    • Xin Long's avatar
      rtnetlink: add the missing IFLA_GRO_ tb check in validate_linkmsg · 65d6914e
      Xin Long authored
      This fixes the issue that dev gro_max_size and gso_ipv4_max_size
      can be set to a huge value:
      
        # ip link add dummy1 type dummy
        # ip link set dummy1 gro_max_size 4294967295
        # ip -d link show dummy1
          dummy addrgenmode eui64 ... gro_max_size 4294967295
      
      Fixes: 0fe79f28 ("net: allow gro_max_size to exceed 65536")
      Fixes: 9eefedd5 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
      Reported-by: default avatarXiumei Mu <xmu@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      65d6914e
    • Xin Long's avatar
      rtnetlink: move IFLA_GSO_ tb check to validate_linkmsg · fef5b228
      Xin Long authored
      These IFLA_GSO_* tb check should also be done for the new created link,
      otherwise, they can be set to a huge value when creating links:
      
        # ip link add dummy1 gso_max_size 4294967295 type dummy
        # ip -d link show dummy1
          dummy addrgenmode eui64 ... gso_max_size 4294967295
      
      Fixes: 46e6b992 ("rtnetlink: allow GSO maximums to be set on device creation")
      Fixes: 9eefedd5 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fef5b228
    • Xin Long's avatar
      rtnetlink: call validate_linkmsg in rtnl_create_link · b0ad3c17
      Xin Long authored
      validate_linkmsg() was introduced by commit 1840bb13 ("[RTNL]:
      Validate hardware and broadcast address attribute for RTM_NEWLINK")
      to validate tb[IFLA_ADDRESS/BROADCAST] for existing links. The same
      check should also be done for newly created links.
      
      This patch adds validate_linkmsg() call in rtnl_create_link(), to
      avoid the invalid address set when creating some devices like:
      
        # ip link add dummy0 type dummy
        # ip link add link dummy0 name mac0 address 01:02 type macsec
      
      Fixes: 0e06877c ("[RTNETLINK]: rtnl_link: allow specifying initial device address")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b0ad3c17
    • Maciej Fijalkowski's avatar
      ice: recycle/free all of the fragments from multi-buffer frame · abaf8d51
      Maciej Fijalkowski authored
      The ice driver caches next_to_clean value at the beginning of
      ice_clean_rx_irq() in order to remember the first buffer that has to be
      freed/recycled after main Rx processing loop. The end boundary is
      indicated by first descriptor of frame that Rx processing loop has ended
      its duties. Note that if mentioned loop ended in the middle of gathering
      multi-buffer frame, next_to_clean would be pointing to the descriptor in
      the middle of the frame BUT freeing/recycling stage will stop at the
      first descriptor. This means that next iteration of ice_clean_rx_irq()
      will miss the (first_desc, next_to_clean - 1) entries.
      
       When running various 9K MTU workloads, such splats were observed:
      
      [  540.780716] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [  540.787787] #PF: supervisor read access in kernel mode
      [  540.793002] #PF: error_code(0x0000) - not-present page
      [  540.798218] PGD 0 P4D 0
      [  540.800801] Oops: 0000 [#1] PREEMPT SMP NOPTI
      [  540.805231] CPU: 18 PID: 3984 Comm: xskxceiver Tainted: G        W          6.3.0-rc7+ #96
      [  540.813619] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
      [  540.824209] RIP: 0010:ice_clean_rx_irq+0x2b6/0xf00 [ice]
      [  540.829678] Code: 74 24 10 e9 aa 00 00 00 8b 55 78 41 31 57 10 41 09 c4 4d 85 ff 0f 84 83 00 00 00 49 8b 57 08 41 8b 4f 1c 65 8b 35 1a fa 4b 3f <48> 8b 02 48 c1 e8 3a 39 c6 0f 85 a2 00 00 00 f6 42 08 02 0f 85 98
      [  540.848717] RSP: 0018:ffffc9000f42fc50 EFLAGS: 00010282
      [  540.854029] RAX: 0000000000000004 RBX: 0000000000000002 RCX: 000000000000fffe
      [  540.861272] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
      [  540.868519] RBP: ffff88984a05ac00 R08: 0000000000000000 R09: dead000000000100
      [  540.875760] R10: ffff88983fffcd00 R11: 000000000010f2b8 R12: 0000000000000004
      [  540.883008] R13: 0000000000000003 R14: 0000000000000800 R15: ffff889847a10040
      [  540.890253] FS:  00007f6ddf7fe640(0000) GS:ffff88afdf800000(0000) knlGS:0000000000000000
      [  540.898465] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  540.904299] CR2: 0000000000000000 CR3: 000000010d3da001 CR4: 00000000007706e0
      [  540.911542] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  540.918789] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  540.926032] PKRU: 55555554
      [  540.928790] Call Trace:
      [  540.931276]  <TASK>
      [  540.933418]  ice_napi_poll+0x4ca/0x6d0 [ice]
      [  540.937804]  ? __pfx_ice_napi_poll+0x10/0x10 [ice]
      [  540.942716]  napi_busy_loop+0xd7/0x320
      [  540.946537]  xsk_recvmsg+0x143/0x170
      [  540.950178]  sock_recvmsg+0x99/0xa0
      [  540.953729]  __sys_recvfrom+0xa8/0x120
      [  540.957543]  ? do_futex+0xbd/0x1d0
      [  540.961008]  ? __x64_sys_futex+0x73/0x1d0
      [  540.965083]  __x64_sys_recvfrom+0x20/0x30
      [  540.969155]  do_syscall_64+0x38/0x90
      [  540.972796]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [  540.977934] RIP: 0033:0x7f6de5f27934
      
      To fix this, set cached_ntc to first_desc so that at the end, when
      freeing/recycling buffers, descriptors from first to ntc are not missed.
      
      Fixes: 2fba7dc5 ("ice: Add support for XDP multi-buffer on Rx side")
      Signed-off-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Link: https://lore.kernel.org/r/20230531154457.3216621-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      abaf8d51
    • Xu Liang's avatar
      net: phy: mxl-gpy: extend interrupt fix to all impacted variants · 519d6487
      Xu Liang authored
      The interrupt fix in commit 97a89ed1 should be applied on all variants
      of GPY2xx PHY and GPY115C.
      
      Fixes: 97a89ed1 ("net: phy: mxl-gpy: disable interrupts on GPY215 by default")
      Signed-off-by: default avatarXu Liang <lxu@maxlinear.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230531074822.39136-1-lxu@maxlinear.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      519d6487