1. 29 Mar, 2024 7 commits
  2. 28 Mar, 2024 15 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 50108c35
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf, WiFi and netfilter.
      
        Current release - regressions:
      
         - ipv6: fix address dump when IPv6 is disabled on an interface
      
        Current release - new code bugs:
      
         - bpf: temporarily disable atomic operations in BPF arena
      
         - nexthop: fix uninitialized variable in nla_put_nh_group_stats()
      
        Previous releases - regressions:
      
         - bpf: protect against int overflow for stack access size
      
         - hsr: fix the promiscuous mode in offload mode
      
         - wifi: don't always use FW dump trig
      
         - tls: adjust recv return with async crypto and failed copy to
           userspace
      
         - tcp: properly terminate timers for kernel sockets
      
         - ice: fix memory corruption bug with suspend and rebuild
      
         - at803x: fix kernel panic with at8031_probe
      
         - qeth: handle deferred cc1
      
        Previous releases - always broken:
      
         - bpf: fix bug in BPF_LDX_MEMSX
      
         - netfilter: reject table flag and netdev basechain updates
      
         - inet_defrag: prevent sk release while still in use
      
         - wifi: pick the version of SESSION_PROTECTION_NOTIF
      
         - wwan: t7xx: split 64bit accesses to fix alignment issues
      
         - mlxbf_gige: call request_irq() after NAPI initialized
      
         - hns3: fix kernel crash when devlink reload during pf
           initialization"
      
      * tag 'net-6.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (81 commits)
        inet: inet_defrag: prevent sk release while still in use
        Octeontx2-af: fix pause frame configuration in GMP mode
        net: lan743x: Add set RFE read fifo threshold for PCI1x1x chips
        net: bcmasp: Remove phy_{suspend/resume}
        net: bcmasp: Bring up unimac after PHY link up
        net: phy: qcom: at803x: fix kernel panic with at8031_probe
        netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c
        netfilter: nf_tables: skip netdev hook unregistration if table is dormant
        netfilter: nf_tables: reject table flag and netdev basechain updates
        netfilter: nf_tables: reject destroy command to remove basechain hooks
        bpf: update BPF LSM designated reviewer list
        bpf: Protect against int overflow for stack access size
        bpf: Check bloom filter map value size
        bpf: fix warning for crash_kexec
        selftests: netdevsim: set test timeout to 10 minutes
        net: wan: framer: Add missing static inline qualifiers
        mlxbf_gige: call request_irq() after NAPI initialized
        tls: get psock ref after taking rxlock to avoid leak
        selftests: tls: add test with a partially invalid iov
        tls: adjust recv return with async crypto and failed copy to userspace
        ...
      50108c35
    • Florian Westphal's avatar
      inet: inet_defrag: prevent sk release while still in use · 18685451
      Florian Westphal authored
      ip_local_out() and other functions can pass skb->sk as function argument.
      
      If the skb is a fragment and reassembly happens before such function call
      returns, the sk must not be released.
      
      This affects skb fragments reassembled via netfilter or similar
      modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.
      
      Eric Dumazet made an initial analysis of this bug.  Quoting Eric:
        Calling ip_defrag() in output path is also implying skb_orphan(),
        which is buggy because output path relies on sk not disappearing.
      
        A relevant old patch about the issue was :
        8282f274 ("inet: frag: Always orphan skbs inside ip_defrag()")
      
        [..]
      
        net/ipv4/ip_output.c depends on skb->sk being set, and probably to an
        inet socket, not an arbitrary one.
      
        If we orphan the packet in ipvlan, then downstream things like FQ
        packet scheduler will not work properly.
      
        We need to change ip_defrag() to only use skb_orphan() when really
        needed, ie whenever frag_list is going to be used.
      
      Eric suggested to stash sk in fragment queue and made an initial patch.
      However there is a problem with this:
      
      If skb is refragmented again right after, ip_do_fragment() will copy
      head->sk to the new fragments, and sets up destructor to sock_wfree.
      IOW, we have no choice but to fix up sk_wmem accouting to reflect the
      fully reassembled skb, else wmem will underflow.
      
      This change moves the orphan down into the core, to last possible moment.
      As ip_defrag_offset is aliased with sk_buff->sk member, we must move the
      offset into the FRAG_CB, else skb->sk gets clobbered.
      
      This allows to delay the orphaning long enough to learn if the skb has
      to be queued or if the skb is completing the reasm queue.
      
      In the former case, things work as before, skb is orphaned.  This is
      safe because skb gets queued/stolen and won't continue past reasm engine.
      
      In the latter case, we will steal the skb->sk reference, reattach it to
      the head skb, and fix up wmem accouting when inet_frag inflates truesize.
      
      Fixes: 7026b1dd ("netfilter: Pass socket pointer down through okfn().")
      Diagnosed-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarxingwei lee <xrivendell7@gmail.com>
      Reported-by: default avataryue sun <samsun1006219@gmail.com>
      Reported-by: syzbot+e5167d7144a62715044c@syzkaller.appspotmail.com
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.deSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      18685451
    • Hariprasad Kelam's avatar
      Octeontx2-af: fix pause frame configuration in GMP mode · 40d4b480
      Hariprasad Kelam authored
      The Octeontx2 MAC block (CGX) has separate data paths (SMU and GMP) for
      different speeds, allowing for efficient data transfer.
      
      The previous patch which added pause frame configuration has a bug due
      to which pause frame feature is not working in GMP mode.
      
      This patch fixes the issue by configurating appropriate registers.
      
      Fixes: f7e086e7 ("octeontx2-af: Pause frame configuration at cgx")
      Signed-off-by: default avatarHariprasad Kelam <hkelam@marvell.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240326052720.4441-1-hkelam@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      40d4b480
    • Raju Lakkaraju's avatar
      net: lan743x: Add set RFE read fifo threshold for PCI1x1x chips · e4a58989
      Raju Lakkaraju authored
      PCI11x1x Rev B0 devices might drop packets when receiving back to back frames
      at 2.5G link speed. Change the B0 Rev device's Receive filtering Engine FIFO
      threshold parameter from its hardware default of 4 to 3 dwords to prevent the
      problem. Rev C0 and later hardware already defaults to 3 dwords.
      
      Fixes: bb4f6bff ("net: lan743x: Add PCI11010 / PCI11414 device IDs")
      Signed-off-by: default avatarRaju Lakkaraju <Raju.Lakkaraju@microchip.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240326065805.686128-1-Raju.Lakkaraju@microchip.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e4a58989
    • Paolo Abeni's avatar
      Merge branch 'net-bcmasp-phy-managements-fixes' · eb67cdb3
      Paolo Abeni authored
      Justin Chen says:
      
      ====================
      net: bcmasp: phy managements fixes
      
      Fix two issues.
      
      - The unimac may be put in a bad state if PHY RX clk doesn't exist
        during reset. Work around this by bringing the unimac out of reset
        during phy up.
      
      - Remove redundant phy_{suspend/resume}
      ====================
      
      Link: https://lore.kernel.org/r/20240325193025.1540737-1-justin.chen@broadcom.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      eb67cdb3
    • Justin Chen's avatar
      net: bcmasp: Remove phy_{suspend/resume} · 4494c10e
      Justin Chen authored
      phy_{suspend/resume} is redundant. It gets called from phy_{stop/start}.
      
      Fixes: 490cb412 ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
      Signed-off-by: default avatarJustin Chen <justin.chen@broadcom.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4494c10e
    • Justin Chen's avatar
      net: bcmasp: Bring up unimac after PHY link up · dfd222e2
      Justin Chen authored
      The unimac requires the PHY RX clk during reset or it may be put
      into a bad state. Bring up the unimac after link up to ensure the
      PHY RX clk exists.
      
      Fixes: 490cb412 ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
      Signed-off-by: default avatarJustin Chen <justin.chen@broadcom.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      dfd222e2
    • Christian Marangi's avatar
      net: phy: qcom: at803x: fix kernel panic with at8031_probe · 6a4aee27
      Christian Marangi authored
      On reworking and splitting the at803x driver, in splitting function of
      at803x PHYs it was added a NULL dereference bug where priv is referenced
      before it's actually allocated and then is tried to write to for the
      is_1000basex and is_fiber variables in the case of at8031, writing on
      the wrong address.
      
      Fix this by correctly setting priv local variable only after
      at803x_probe is called and actually allocates priv in the phydev struct.
      Reported-by: default avatarWilliam Wortel <wwortel@dorpstraat.com>
      Cc: <stable@vger.kernel.org>
      Fixes: 25d2ba94 ("net: phy: at803x: move specific at8031 probe mode check to dedicated probe")
      Signed-off-by: default avatarChristian Marangi <ansuelsmth@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20240325190621.2665-1-ansuelsmth@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      6a4aee27
    • Paolo Abeni's avatar
      Merge tag 'nf-24-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 005e528c
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      Patch #1 reject destroy chain command to delete device hooks in netdev
               family, hence, only delchain commands are allowed.
      
      Patch #2 reject table flag update interference with netdev basechain
      	 hook updates, this can leave hooks in inconsistent
      	 registration/unregistration state.
      
      Patch #3 do not unregister netdev basechain hooks if table is dormant.
      	 Otherwise, splat with double unregistration is possible.
      
      Patch #4 fixes Kconfig to allow to restore IP_NF_ARPTABLES,
      	 from Kuniyuki Iwashima.
      
      There are a more fixes still in progress on my side that need more work.
      
      * tag 'nf-24-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c
        netfilter: nf_tables: skip netdev hook unregistration if table is dormant
        netfilter: nf_tables: reject table flag and netdev basechain updates
        netfilter: nf_tables: reject destroy command to remove basechain hooks
      ====================
      
      Link: https://lore.kernel.org/r/20240328031855.2063-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      005e528c
    • Paolo Abeni's avatar
      Merge tag 'for-net' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 7e6f4b2a
      Paolo Abeni authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2024-03-27
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 4 non-merge commits during the last 1 day(s) which contain
      a total of 5 files changed, 26 insertions(+), 3 deletions(-).
      
      The main changes are:
      
      1) Fix bloom filter value size validation and protect the verifier
         against such mistakes, from Andrei.
      
      2) Fix build due to CONFIG_KEXEC_CORE/CRASH_DUMP split, from Hari.
      
      3) Update bpf_lsm maintainers entry, from Matt.
      
      * tag 'for-net' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: update BPF LSM designated reviewer list
        bpf: Protect against int overflow for stack access size
        bpf: Check bloom filter map value size
        bpf: fix warning for crash_kexec
      ====================
      
      Link: https://lore.kernel.org/r/20240328012938.24249-1-alexei.starovoitov@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7e6f4b2a
    • Linus Torvalds's avatar
      Merge tag 'erofs-for-6.9-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs · 8d025e20
      Linus Torvalds authored
      Pull erofs fixes from Gao Xiang:
      
       - Add a new reviewer Sandeep Dhavale to build a healthier community
      
       - Drop experimental warning for FSDAX
      
      * tag 'erofs-for-6.9-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
        MAINTAINERS: erofs: add myself as reviewer
        erofs: drop experimental warning for FSDAX
      8d025e20
    • Kuniyuki Iwashima's avatar
      netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c · 15fba562
      Kuniyuki Iwashima authored
      syzkaller started to report a warning below [0] after consuming the
      commit 4654467d ("netfilter: arptables: allow xtables-nft only
      builds").
      
      The change accidentally removed the dependency on NETFILTER_FAMILY_ARP
      from IP_NF_ARPTABLES.
      
      If NF_TABLES_ARP is not enabled on Kconfig, NETFILTER_FAMILY_ARP will
      be removed and some code necessary for arptables will not be compiled.
      
        $ grep -E "(NETFILTER_FAMILY_ARP|IP_NF_ARPTABLES|NF_TABLES_ARP)" .config
        CONFIG_NETFILTER_FAMILY_ARP=y
        # CONFIG_NF_TABLES_ARP is not set
        CONFIG_IP_NF_ARPTABLES=y
      
        $ make olddefconfig
      
        $ grep -E "(NETFILTER_FAMILY_ARP|IP_NF_ARPTABLES|NF_TABLES_ARP)" .config
        # CONFIG_NF_TABLES_ARP is not set
        CONFIG_IP_NF_ARPTABLES=y
      
      So, when nf_register_net_hooks() is called for arptables, it will
      trigger the splat below.
      
      Now IP_NF_ARPTABLES is only enabled by IP_NF_ARPFILTER, so let's
      restore the dependency on NETFILTER_FAMILY_ARP in IP_NF_ARPFILTER.
      
      [0]:
      WARNING: CPU: 0 PID: 242 at net/netfilter/core.c:316 nf_hook_entry_head+0x1e1/0x2c0 net/netfilter/core.c:316
      Modules linked in:
      CPU: 0 PID: 242 Comm: syz-executor.0 Not tainted 6.8.0-12821-g537c2e91 #10
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      RIP: 0010:nf_hook_entry_head+0x1e1/0x2c0 net/netfilter/core.c:316
      Code: 83 fd 04 0f 87 bc 00 00 00 e8 5b 84 83 fd 4d 8d ac ec a8 0b 00 00 e8 4e 84 83 fd 4c 89 e8 5b 5d 41 5c 41 5d c3 e8 3f 84 83 fd <0f> 0b e8 38 84 83 fd 45 31 ed 5b 5d 4c 89 e8 41 5c 41 5d c3 e8 26
      RSP: 0018:ffffc90000b8f6e8 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff83c42164
      RDX: ffff888106851180 RSI: ffffffff83c42321 RDI: 0000000000000005
      RBP: 0000000000000000 R08: 0000000000000005 R09: 000000000000000a
      R10: 0000000000000003 R11: ffff8881055c2f00 R12: ffff888112b78000
      R13: 0000000000000000 R14: ffff8881055c2f00 R15: ffff8881055c2f00
      FS:  00007f377bd78800(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000496068 CR3: 000000011298b003 CR4: 0000000000770ef0
      PKRU: 55555554
      Call Trace:
       <TASK>
       __nf_register_net_hook+0xcd/0x7a0 net/netfilter/core.c:428
       nf_register_net_hook+0x116/0x170 net/netfilter/core.c:578
       nf_register_net_hooks+0x5d/0xc0 net/netfilter/core.c:594
       arpt_register_table+0x250/0x420 net/ipv4/netfilter/arp_tables.c:1553
       arptable_filter_table_init+0x41/0x60 net/ipv4/netfilter/arptable_filter.c:39
       xt_find_table_lock+0x2e9/0x4b0 net/netfilter/x_tables.c:1260
       xt_request_find_table_lock+0x2b/0xe0 net/netfilter/x_tables.c:1285
       get_info+0x169/0x5c0 net/ipv4/netfilter/arp_tables.c:808
       do_arpt_get_ctl+0x3f9/0x830 net/ipv4/netfilter/arp_tables.c:1444
       nf_getsockopt+0x76/0xd0 net/netfilter/nf_sockopt.c:116
       ip_getsockopt+0x17d/0x1c0 net/ipv4/ip_sockglue.c:1777
       tcp_getsockopt+0x99/0x100 net/ipv4/tcp.c:4373
       do_sock_getsockopt+0x279/0x360 net/socket.c:2373
       __sys_getsockopt+0x115/0x1e0 net/socket.c:2402
       __do_sys_getsockopt net/socket.c:2412 [inline]
       __se_sys_getsockopt net/socket.c:2409 [inline]
       __x64_sys_getsockopt+0xbd/0x150 net/socket.c:2409
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x46/0x4e
      RIP: 0033:0x7f377beca6fe
      Code: 1f 44 00 00 48 8b 15 01 97 0a 00 f7 d8 64 89 02 b8 ff ff ff ff eb b8 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 c9
      RSP: 002b:00000000005df728 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
      RAX: ffffffffffffffda RBX: 00000000004966e0 RCX: 00007f377beca6fe
      RDX: 0000000000000060 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 000000000042938a R08: 00000000005df73c R09: 00000000005df800
      R10: 00000000004966e8 R11: 0000000000000246 R12: 0000000000000003
      R13: 0000000000496068 R14: 0000000000000003 R15: 00000000004bc9d8
       </TASK>
      
      Fixes: 4654467d ("netfilter: arptables: allow xtables-nft only builds")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      15fba562
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: skip netdev hook unregistration if table is dormant · 216e7bf7
      Pablo Neira Ayuso authored
      Skip hook unregistration when adding or deleting devices from an
      existing netdev basechain. Otherwise, commit/abort path try to
      unregister hooks which not enabled.
      
      Fixes: b9703ed4 ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
      Fixes: 7d937b10 ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      216e7bf7
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: reject table flag and netdev basechain updates · 1e1fb6f0
      Pablo Neira Ayuso authored
      netdev basechain updates are stored in the transaction object hook list.
      When setting on the table dormant flag, it iterates over the existing
      hooks in the basechain. Thus, skipping the hooks that are being
      added/deleted in this transaction, which leaves hook registration in
      inconsistent state.
      
      Reject table flag updates in combination with netdev basechain updates
      in the same batch:
      
      - Update table flags and add/delete basechain: Check from basechain update
        path if there are pending flag updates for this table.
      - add/delete basechain and update table flags: Iterate over the transaction
        list to search for basechain updates from the table update path.
      
      In both cases, the batch is rejected. Based on suggestion from Florian Westphal.
      
      Fixes: b9703ed4 ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
      Fixes: 7d937b10 ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1e1fb6f0
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: reject destroy command to remove basechain hooks · b32ca27f
      Pablo Neira Ayuso authored
      Report EOPNOTSUPP if NFT_MSG_DESTROYCHAIN is used to delete hooks in an
      existing netdev basechain, thus, only NFT_MSG_DELCHAIN is allowed.
      
      Fixes: 7d937b10 ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b32ca27f
  3. 27 Mar, 2024 18 commits
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2024-03-27' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 56d2f48e
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.9-rc2
      
      The first fixes for v6.9. Ping-Ke Shih now maintains a separate tree
      for Realtek drivers, document that in the MAINTAINERS. Plenty of fixes
      for both to stack and iwlwifi. Our kunit tests were working only on um
      architecture but that's fixed now.
      
      * tag 'wireless-2024-03-27' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (21 commits)
        MAINTAINERS: wifi: mwifiex: add Francesco as reviewer
        kunit: fix wireless test dependencies
        wifi: iwlwifi: mvm: include link ID when releasing frames
        wifi: iwlwifi: mvm: handle debugfs names more carefully
        wifi: iwlwifi: mvm: guard against invalid STA ID on removal
        wifi: iwlwifi: read txq->read_ptr under lock
        wifi: iwlwifi: fw: don't always use FW dump trig
        wifi: iwlwifi: mvm: rfi: fix potential response leaks
        wifi: mac80211: correctly set active links upon TTLM
        wifi: iwlwifi: mvm: Configure the link mapping for non-MLD FW
        wifi: iwlwifi: mvm: consider having one active link
        wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF
        wifi: mac80211: fix prep_connection error path
        wifi: cfg80211: fix rdev_dump_mpp() arguments order
        wifi: iwlwifi: mvm: disable MLO for the time being
        wifi: cfg80211: add a flag to disable wireless extensions
        wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
        wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
        wifi: mac80211: fix mlme_link_id_dbg()
        MAINTAINERS: wifi: add git tree for Realtek WiFi drivers
        ...
      ====================
      
      Link: https://lore.kernel.org/r/20240327191346.1A1EAC433C7@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      56d2f48e
    • Linus Torvalds's avatar
      Merge tag '9p-fixes-for-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs · 4076fa16
      Linus Torvalds authored
      Pull 9p fixes from Eric Van Hensbergen:
       "Two of these fix syzbot reported issues, and the other fixes a unused
        variable in some configurations"
      
      * tag '9p-fixes-for-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
        fs/9p: fix uninitialized values during inode evict
        fs/9p: remove redundant pointer v9ses
        fs/9p: fix uaf in in v9fs_stat2inode_dotl
      4076fa16
    • Linus Torvalds's avatar
      Merge tag 'for-6.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 400dd456
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix race when reading extent buffer and 'uptodate' status is missed
         by one thread (introduced in 6.5)
      
       - do additional validation of devices using major:minor numbers
      
       - zoned mode fixes:
           - use zone-aware super block access during scrub
           - fix use-after-free during device replace (found by KASAN)
           - also delete zones that are 100% unusable to reclaim space
      
       - extent unpinning fixes:
           - fix extent map leak after error handling
           - print correct range in error message
      
       - error code and message updates
      
      * tag 'for-6.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix race in read_extent_buffer_pages()
        btrfs: return accurate error code on open failure in open_fs_devices()
        btrfs: zoned: don't skip block groups with 100% zone unusable
        btrfs: use btrfs_warn() to log message at btrfs_add_extent_mapping()
        btrfs: fix message not properly printing interval when adding extent map
        btrfs: fix warning messages not printing interval at unpin_extent_range()
        btrfs: fix extent map leak in unexpected scenario at unpin_extent_cache()
        btrfs: validate device maj:min during open
        btrfs: zoned: fix use-after-free in do_zone_finish()
        btrfs: zoned: use zone aware sb location for scrub
      400dd456
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2024-03-27-11-25' of... · dc189b8e
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2024-03-27-11-25' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from Andrew Morton:
       "Various hotfixes. About half are cc:stable and the remainder address
        post-6.8 issues or aren't considered suitable for backporting.
      
        zswap figures prominently in the post-6.8 issues - folloup against the
        large amount of changes we have just made to that code.
      
        Apart from that, all over the map"
      
      * tag 'mm-hotfixes-stable-2024-03-27-11-25' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (21 commits)
        crash: use macro to add crashk_res into iomem early for specific arch
        mm: zswap: fix data loss on SWP_SYNCHRONOUS_IO devices
        selftests/mm: fix ARM related issue with fork after pthread_create
        hexagon: vmlinux.lds.S: handle attributes section
        userfaultfd: fix deadlock warning when locking src and dst VMAs
        tmpfs: fix race on handling dquot rbtree
        selftests/mm: sigbus-wp test requires UFFD_FEATURE_WP_HUGETLBFS_SHMEM
        mm: zswap: fix writeback shinker GFP_NOIO/GFP_NOFS recursion
        ARM: prctl: reject PR_SET_MDWE on pre-ARMv6
        prctl: generalize PR_SET_MDWE support check to be per-arch
        MAINTAINERS: remove incorrect M: tag for dm-devel@lists.linux.dev
        mm: zswap: fix kernel BUG in sg_init_one
        selftests: mm: restore settings from only parent process
        tools/Makefile: remove cgroup target
        mm: cachestat: fix two shmem bugs
        mm: increase folio batch size
        mm,page_owner: fix recursion
        mailmap: update entry for Leonard Crestez
        init: open /initrd.image with O_LARGEFILE
        selftests/mm: Fix build with _FORTIFY_SOURCE
        ...
      dc189b8e
    • Matt Bobrowski's avatar
      bpf: update BPF LSM designated reviewer list · 4dd65107
      Matt Bobrowski authored
      Adding myself in place of both Brendan and Florent as both have since
      moved on from working on the BPF LSM and will no longer be devoting
      their time to maintaining the BPF LSM.
      Signed-off-by: default avatarMatt Bobrowski <mattbobrowski@google.com>
      Acked-by: default avatarKP Singh <kpsingh@kernel.org>
      Link: https://lore.kernel.org/r/ZgMhWF_egdYF8t4D@google.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      4dd65107
    • Linus Torvalds's avatar
      Merge tag 'probes-fixes-v6.9-rc1' of... · 96249052
      Linus Torvalds authored
      Merge tag 'probes-fixes-v6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull probes fixlet from Masami Hiramatsu:
      
       - tracing/probes: initialize a 'val' local variable with zero.
      
         This variable is read by FETCH_OP_ST_EDATA in a loop, and is
         initialized by FETCH_OP_ARG in the same loop. Since this
         initialization is not obvious, smatch warns about it.
      
         Explicitly initializing 'val' with zero fixes this warning.
      
      * tag 'probes-fixes-v6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: probes: Fix to zero initialize a local variable
      96249052
    • Linus Torvalds's avatar
      Merge tag 'execve-v6.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · f4a43291
      Linus Torvalds authored
      Pull execve fixes from Kees Cook:
      
       - Fix selftests to conform to the TAP output format (Muhammad Usama
         Anjum)
      
       - Fix NOMMU linux_binprm::exec pointer in auxv (Max Filippov)
      
       - Replace deprecated strncpy usage (Justin Stitt)
      
       - Replace another /bin/sh instance in selftests
      
      * tag 'execve-v6.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        binfmt: replace deprecated strncpy
        exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
        selftests/exec: Convert remaining /bin/sh to /bin/bash
        selftests/exec: execveat: Improve debug reporting
        selftests/exec: recursion-depth: conform test to TAP format output
        selftests/exec: load_address: conform test to TAP format output
        selftests/exec: binfmt_script: Add the overall result line according to TAP
      f4a43291
    • Alexei Starovoitov's avatar
      Merge branch 'check-bloom-filter-map-value-size' · a4e02d6b
      Alexei Starovoitov authored
      Andrei Matei says:
      
      ====================
      Check bloom filter map value size
      
      v1->v2:
      - prepend a patch addressing the bloom map specifically
      - change low-level rejection error to EFAULT, to indicate a bug
      ====================
      
      Link: https://lore.kernel.org/r/20240327024245.318299-1-andreimatei1@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a4e02d6b
    • Andrei Matei's avatar
      bpf: Protect against int overflow for stack access size · ecc6a210
      Andrei Matei authored
      This patch re-introduces protection against the size of access to stack
      memory being negative; the access size can appear negative as a result
      of overflowing its signed int representation. This should not actually
      happen, as there are other protections along the way, but we should
      protect against it anyway. One code path was missing such protections
      (fixed in the previous patch in the series), causing out-of-bounds array
      accesses in check_stack_range_initialized(). This patch causes the
      verification of a program with such a non-sensical access size to fail.
      
      This check used to exist in a more indirect way, but was inadvertendly
      removed in a833a17a.
      
      Fixes: a833a17a ("bpf: Fix verification of indirect var-off stack access")
      Reported-by: syzbot+33f4297b5f927648741a@syzkaller.appspotmail.com
      Reported-by: syzbot+aafd0513053a1cbf52ef@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/bpf/CAADnVQLORV5PT0iTAhRER+iLBTkByCYNBYyvBSgjN1T31K+gOw@mail.gmail.com/Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Signed-off-by: default avatarAndrei Matei <andreimatei1@gmail.com>
      Link: https://lore.kernel.org/r/20240327024245.318299-3-andreimatei1@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      ecc6a210
    • Andrei Matei's avatar
      bpf: Check bloom filter map value size · a8d89feb
      Andrei Matei authored
      This patch adds a missing check to bloom filter creating, rejecting
      values above KMALLOC_MAX_SIZE. This brings the bloom map in line with
      many other map types.
      
      The lack of this protection can cause kernel crashes for value sizes
      that overflow int's. Such a crash was caught by syzkaller. The next
      patch adds more guard-rails at a lower level.
      Signed-off-by: default avatarAndrei Matei <andreimatei1@gmail.com>
      Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/r/20240327024245.318299-2-andreimatei1@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a8d89feb
    • Linus Torvalds's avatar
      Fix build errors due to new UIO_MEM_DMA_COHERENT mess · 498e47cd
      Linus Torvalds authored
      Commit 576882ef ("uio: introduce UIO_MEM_DMA_COHERENT type")
      introduced a new use-case for 'struct uio_mem' where the 'mem' field now
      contains a kernel virtual address when 'memtype' is set to
      UIO_MEM_DMA_COHERENT.
      
      That in turn causes build errors, because 'mem' is of type
      'phys_addr_t', and a virtual address is a pointer type.  When the code
      just blindly uses cast to mix the two, it caused problems when
      phys_addr_t isn't the same size as a pointer - notably on 32-bit
      architectures with PHYS_ADDR_T_64BIT.
      
      The proper thing to do would probably be to use a union member, and not
      have any casts, and make the 'mem' member be a union of 'mem.physaddr'
      and 'mem.vaddr', based on 'memtype'.
      
      This is not that proper thing.  This is just fixing the ugly casts to be
      even uglier, but at least not cause build errors on 32-bit platforms
      with 64-bit physical addresses.
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Fixes: 576882ef ("uio: introduce UIO_MEM_DMA_COHERENT type")
      Fixes: 7722151e ("uio_pruss: UIO_MEM_DMA_COHERENT conversion")
      Fixes: 01994780 ("uio_dmem_genirq: UIO_MEM_DMA_COHERENT conversion")
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Chris Leech <cleech@redhat.com>
      Cc: Nilesh Javali <njavali@marvell.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linuxfoundation.org>
      498e47cd
    • Linus Torvalds's avatar
      Fix memory leak in posix_clock_open() · 5b4cdd9c
      Linus Torvalds authored
      If the clk ops.open() function returns an error, we don't release the
      pccontext we allocated for this clock.
      
      Re-organize the code slightly to make it all more obvious.
      Reported-by: default avatarRohit Keshri <rkeshri@redhat.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Fixes: 60c69466 ("posix-clock: introduce posix_clock_context concept")
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linuxfoundation.org>
      5b4cdd9c
    • Hari Bathini's avatar
      bpf: fix warning for crash_kexec · 96b98a65
      Hari Bathini authored
      With [1], crash dump specific code is moved out of CONFIG_KEXEC_CORE
      and placed under CONFIG_CRASH_DUMP, where it is more appropriate.
      And since CONFIG_KEXEC & !CONFIG_CRASH_DUMP build option is supported
      with that, it led to the below warning:
      
        "WARN: resolve_btfids: unresolved symbol crash_kexec"
      
      Fix it by using the appropriate #ifdef.
      
      [1] https://lore.kernel.org/all/20240124051254.67105-1-bhe@redhat.com/Acked-by: default avatarBaoquan He <bhe@redhat.com>
      Fixes: 02aff848 ("crash: split crash dumping code out from kexec_core.c")
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Acked-by: default avatarStanislav Fomichev <sdf@google.com>
      Signed-off-by: default avatarHari Bathini <hbathini@linux.ibm.com>
      Link: https://lore.kernel.org/r/20240319080152.36987-1-hbathini@linux.ibm.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      96b98a65
    • Jakub Kicinski's avatar
      selftests: netdevsim: set test timeout to 10 minutes · afbf75e8
      Jakub Kicinski authored
      The longest running netdevsim test, nexthop.sh, currently takes
      5 min to finish. Around 260s to be exact, and 310s on a debug kernel.
      The default timeout in selftest is 45sec, so we need an explicit
      config. Give ourselves some headroom and use 10min.
      
      Commit under Fixes isn't really to "blame" but prior to that
      netdevsim tests weren't integrated with kselftest infra
      so blaming the tests themselves doesn't seem right, either.
      
      Fixes: 8ff25dac ("netdevsim: add Makefile for selftests")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      afbf75e8
    • Herve Codina's avatar
      net: wan: framer: Add missing static inline qualifiers · ea2c0928
      Herve Codina authored
      Compilation with CONFIG_GENERIC_FRAMER disabled lead to the following
      warnings:
        framer.h:184:16: warning: no previous prototype for function 'framer_get' [-Wmissing-prototypes]
        184 | struct framer *framer_get(struct device *dev, const char *con_id)
        framer.h:184:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
        184 | struct framer *framer_get(struct device *dev, const char *con_id)
        framer.h:189:6: warning: no previous prototype for function 'framer_put' [-Wmissing-prototypes]
        189 | void framer_put(struct device *dev, struct framer *framer)
        framer.h:189:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
        189 | void framer_put(struct device *dev, struct framer *framer)
      
      Add missing 'static inline' qualifiers for these functions.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202403241110.hfJqeJRu-lkp@intel.com/
      Fixes: 82c944d0 ("net: wan: Add framer framework support")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerve Codina <herve.codina@bootlin.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ea2c0928
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · c4d2d23d
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2024-03-25 (ice, ixgbe, igc)
      
      This series contains updates to ice, ixgbe, and igc drivers.
      
      Steven fixes incorrect casting of bitmap type for ice driver.
      
      Jesse fixes memory corruption issue with suspend flow on ice.
      
      Przemek adds GFP_ATOMIC flag to avoid sleeping in IRQ context for ixgbe.
      
      Kurt Kanzenbach removes no longer valid comment on igc.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        igc: Remove stale comment about Tx timestamping
        ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()
        ice: fix memory corruption bug with suspend and rebuild
        ice: Refactor FW data type and fix bitmap casting issue
      ====================
      
      Link: https://lore.kernel.org/r/20240325200659.993749-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c4d2d23d
    • David Thompson's avatar
      mlxbf_gige: call request_irq() after NAPI initialized · f7442a63
      David Thompson authored
      The mlxbf_gige driver encounters a NULL pointer exception in
      mlxbf_gige_open() when kdump is enabled.  The sequence to reproduce
      the exception is as follows:
      a) enable kdump
      b) trigger kdump via "echo c > /proc/sysrq-trigger"
      c) kdump kernel executes
      d) kdump kernel loads mlxbf_gige module
      e) the mlxbf_gige module runs its open() as the
         the "oob_net0" interface is brought up
      f) mlxbf_gige module will experience an exception
         during its open(), something like:
      
           Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
           Mem abort info:
             ESR = 0x0000000086000004
             EC = 0x21: IABT (current EL), IL = 32 bits
             SET = 0, FnV = 0
             EA = 0, S1PTW = 0
             FSC = 0x04: level 0 translation fault
           user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
           [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
           Internal error: Oops: 0000000086000004 [#1] SMP
           CPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu
           Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
           pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
           pc : 0x0
           lr : __napi_poll+0x40/0x230
           sp : ffff800008003e00
           x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
           x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
           x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
           x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
           x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
           x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
           x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
           x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
           x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
           x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
           Call trace:
            0x0
            net_rx_action+0x178/0x360
            __do_softirq+0x15c/0x428
            __irq_exit_rcu+0xac/0xec
            irq_exit+0x18/0x2c
            handle_domain_irq+0x6c/0xa0
            gic_handle_irq+0xec/0x1b0
            call_on_irq_stack+0x20/0x2c
            do_interrupt_handler+0x5c/0x70
            el1_interrupt+0x30/0x50
            el1h_64_irq_handler+0x18/0x2c
            el1h_64_irq+0x7c/0x80
            __setup_irq+0x4c0/0x950
            request_threaded_irq+0xf4/0x1bc
            mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
            mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
            __dev_open+0x100/0x220
            __dev_change_flags+0x16c/0x1f0
            dev_change_flags+0x2c/0x70
            do_setlink+0x220/0xa40
            __rtnl_newlink+0x56c/0x8a0
            rtnl_newlink+0x58/0x84
            rtnetlink_rcv_msg+0x138/0x3c4
            netlink_rcv_skb+0x64/0x130
            rtnetlink_rcv+0x20/0x30
            netlink_unicast+0x2ec/0x360
            netlink_sendmsg+0x278/0x490
            __sock_sendmsg+0x5c/0x6c
            ____sys_sendmsg+0x290/0x2d4
            ___sys_sendmsg+0x84/0xd0
            __sys_sendmsg+0x70/0xd0
            __arm64_sys_sendmsg+0x2c/0x40
            invoke_syscall+0x78/0x100
            el0_svc_common.constprop.0+0x54/0x184
            do_el0_svc+0x30/0xac
            el0_svc+0x48/0x160
            el0t_64_sync_handler+0xa4/0x12c
            el0t_64_sync+0x1a4/0x1a8
           Code: bad PC value
           ---[ end trace 7d1c3f3bf9d81885 ]---
           Kernel panic - not syncing: Oops: Fatal exception in interrupt
           Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
           PHYS_OFFSET: 0x80000000
           CPU features: 0x0,000005c1,a3332a5a
           Memory Limit: none
           ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
      
      The exception happens because there is a pending RX interrupt before the
      call to request_irq(RX IRQ) executes.  Then, the RX IRQ handler fires
      immediately after this request_irq() completes. The RX IRQ handler runs
      "napi_schedule()" before NAPI is fully initialized via "netif_napi_add()"
      and "napi_enable()", both which happen later in the open() logic.
      
      The logic in mlxbf_gige_open() must fully initialize NAPI before any calls
      to request_irq() execute.
      
      Fixes: f92e1869 ("Add Mellanox BlueField Gigabit Ethernet driver")
      Signed-off-by: default avatarDavid Thompson <davthompson@nvidia.com>
      Reviewed-by: default avatarAsmaa Mnebhi <asmaa@nvidia.com>
      Link: https://lore.kernel.org/r/20240325183627.7641-1-davthompson@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f7442a63
    • Jakub Kicinski's avatar
      Merge branch 'tls-recvmsg-fixes' · 646fc4bd
      Jakub Kicinski authored
      Sabrina Dubroca says:
      
      ====================
      tls: recvmsg fixes
      
      The first two fixes are again related to async decrypt. The last one
      is unrelated but I stumbled upon it while reading the code.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1711120964.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      646fc4bd