1. 26 Oct, 2021 1 commit
    • Ido Schimmel's avatar
      mlxsw: pci: Recycle received packet upon allocation failure · 75963576
      Ido Schimmel authored
      When the driver fails to allocate a new Rx buffer, it passes an empty Rx
      descriptor (contains zero address and size) to the device and marks it
      as invalid by setting the skb pointer in the descriptor's metadata to
      NULL.
      
      After processing enough Rx descriptors, the driver will try to process
      the invalid descriptor, but will return immediately seeing that the skb
      pointer is NULL. Since the driver no longer passes new Rx descriptors to
      the device, the Rx queue will eventually become full and the device will
      start to drop packets.
      
      Fix this by recycling the received packet if allocation of the new
      packet failed. This means that allocation is no longer performed at the
      end of the Rx routine, but at the start, before tearing down the DMA
      mapping of the received packet.
      
      Remove the comment about the descriptor being zeroed as it is no longer
      correct. This is OK because we either use the descriptor as-is (when
      recycling) or overwrite its address and size fields with that of the
      newly allocated Rx buffer.
      
      The issue was discovered when a process ("perf") consumed too much
      memory and put the system under memory pressure. It can be reproduced by
      injecting slab allocation failures [1]. After the fix, the Rx queue no
      longer comes to a halt.
      
      [1]
       # echo 10 > /sys/kernel/debug/failslab/times
       # echo 1000 > /sys/kernel/debug/failslab/interval
       # echo 100 > /sys/kernel/debug/failslab/probability
      
       FAULT_INJECTION: forcing a failure.
       name failslab, interval 1000, probability 100, space 0, times 8
       [...]
       Call Trace:
        <IRQ>
        dump_stack_lvl+0x34/0x44
        should_fail.cold+0x32/0x37
        should_failslab+0x5/0x10
        kmem_cache_alloc_node+0x23/0x190
        __alloc_skb+0x1f9/0x280
        __netdev_alloc_skb+0x3a/0x150
        mlxsw_pci_rdq_skb_alloc+0x24/0x90
        mlxsw_pci_cq_tasklet+0x3dc/0x1200
        tasklet_action_common.constprop.0+0x9f/0x100
        __do_softirq+0xb5/0x252
        irq_exit_rcu+0x7a/0xa0
        common_interrupt+0x83/0xa0
        </IRQ>
        asm_common_interrupt+0x1e/0x40
       RIP: 0010:cpuidle_enter_state+0xc8/0x340
       [...]
       mlxsw_spectrum2 0000:06:00.0: Failed to alloc skb for RDQ
      
      Fixes: eda6500a ("mlxsw: Add PCI bus implementation")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Link: https://lore.kernel.org/r/20211024064014.1060919-1-idosch@idosch.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      75963576
  2. 25 Oct, 2021 9 commits
  3. 24 Oct, 2021 2 commits
  4. 22 Oct, 2021 17 commits
    • Florian Westphal's avatar
      fcnal-test: kill hanging ping/nettest binaries on cleanup · 1f83b835
      Florian Westphal authored
      On my box I see a bunch of ping/nettest processes hanging
      around after fcntal-test.sh is done.
      
      Clean those up before netns deletion.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20211021140247.29691-1-fw@strlen.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1f83b835
    • Jakub Kicinski's avatar
      Merge branch 'sctp-enhancements-for-the-verification-tag' · 32f8807a
      Jakub Kicinski authored
      Xin Long says:
      
      ====================
      sctp: enhancements for the verification tag
      
      This patchset is to address CVE-2021-3772:
      
        A flaw was found in the Linux SCTP stack. A blind attacker may be able to
        kill an existing SCTP association through invalid chunks if the attacker
        knows the IP-addresses and port numbers being used and the attacker can
        send packets with spoofed IP addresses.
      
      This is caused by the missing VTAG verification for the received chunks
      and the incorrect vtag for the ABORT used to reply to these invalid
      chunks.
      
      This patchset is to go over all processing functions for the received
      chunks and do:
      
      1. Make sure sctp_vtag_verify() is called firstly to verify the vtag from
         the received chunk and discard this chunk if it fails. With some
         exceptions:
      
         a. sctp_sf_do_5_1B_init()/5_2_2_dupinit()/9_2_reshutack(), processing
            INIT chunk, as sctphdr vtag is always 0 in INIT chunk.
      
         b. sctp_sf_do_5_2_4_dupcook(), processing dupicate COOKIE_ECHO chunk,
            as the vtag verification will be done by sctp_tietags_compare() and
            then it takes right actions according to the return.
      
         c. sctp_sf_shut_8_4_5(), processing SHUTDOWN_ACK chunk for cookie_wait
            and cookie_echoed state, as RFC demand sending a SHUTDOWN_COMPLETE
            even if the vtag verification failed.
      
         d. sctp_sf_ootb(), called in many types of chunks for closed state or
            no asoc, as the same reason to c.
      
      2. Always use the vtag from the received INIT chunk to make the response
         ABORT in sctp_ootb_pkt_new().
      
      3. Fix the order for some checks and add some missing checks for the
         received chunk.
      
      This patch series has been tested with SCTP TAHI testing to make sure no
      regression caused on protocol conformance.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1634730082.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      32f8807a
    • Xin Long's avatar
      sctp: add vtag check in sctp_sf_ootb · 9d02831e
      Xin Long authored
      sctp_sf_ootb() is called when processing DATA chunk in closed state,
      and many other places are also using it.
      
      The vtag in the chunk's sctphdr should be verified, otherwise, as
      later in chunk length check, it may send abort with the existent
      asoc's vtag, which can be exploited by one to cook a malicious
      chunk to terminate a SCTP asoc.
      
      When fails to verify the vtag from the chunk, this patch sets asoc
      to NULL, so that the abort will be made with the vtag from the
      received chunk later.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9d02831e
    • Xin Long's avatar
      sctp: add vtag check in sctp_sf_do_8_5_1_E_sa · ef16b173
      Xin Long authored
      sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk
      in cookie_wait and cookie_echoed state.
      
      The vtag in the chunk's sctphdr should be verified, otherwise, as
      later in chunk length check, it may send abort with the existent
      asoc's vtag, which can be exploited by one to cook a malicious
      chunk to terminate a SCTP asoc.
      
      Note that when fails to verify the vtag from SHUTDOWN-ACK chunk,
      SHUTDOWN COMPLETE message will still be sent back to peer, but
      with the vtag from SHUTDOWN-ACK chunk, as said in 5) of
      rfc4960#section-8.4.
      
      While at it, also remove the unnecessary chunk length check from
      sctp_sf_shut_8_4_5(), as it's already done in both places where
      it calls sctp_sf_shut_8_4_5().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ef16b173
    • Xin Long's avatar
      sctp: add vtag check in sctp_sf_violation · aa0f697e
      Xin Long authored
      sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
      in cookie_wait state, and some other places are also using it.
      
      The vtag in the chunk's sctphdr should be verified, otherwise, as
      later in chunk length check, it may send abort with the existent
      asoc's vtag, which can be exploited by one to cook a malicious
      chunk to terminate a SCTP asoc.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa0f697e
    • Xin Long's avatar
      sctp: fix the processing for COOKIE_ECHO chunk · a64b341b
      Xin Long authored
      1. In closed state: in sctp_sf_do_5_1D_ce():
      
        When asoc is NULL, making packet for abort will use chunk's vtag
        in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
        should be verified before using peer.i.init_tag to make packet
        for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
        not correct.
      
      2. In the other states: in sctp_sf_do_5_2_4_dupcook():
      
        asoc always exists, but duplicate cookie_echo's vtag will be
        handled by sctp_tietags_compare() and then take actions, so before
        that we only verify the vtag for the abort sent for invalid chunk
        length.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a64b341b
    • Xin Long's avatar
      sctp: fix the processing for INIT_ACK chunk · 438b95a7
      Xin Long authored
      Currently INIT_ACK chunk in non-cookie_echoed state is processed in
      sctp_sf_discard_chunk() to send an abort with the existent asoc's
      vtag if the chunk length is not valid. But the vtag in the chunk's
      sctphdr is not verified, which may be exploited by one to cook a
      malicious chunk to terminal a SCTP asoc.
      
      sctp_sf_discard_chunk() also is called in many other places to send
      an abort, and most of those have this problem. This patch is to fix
      it by sending abort with the existent asoc's vtag only if the vtag
      from the chunk's sctphdr is verified in sctp_sf_discard_chunk().
      
      Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
      the chunk length has been verified before sctp_sf_discard_chunk(),
      so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
      sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
      sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      438b95a7
    • Xin Long's avatar
      sctp: fix the processing for INIT chunk · eae57839
      Xin Long authored
      This patch fixes the problems below:
      
      1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and
         sctp_sf_do_5_2_2_dupinit():
      
        chunk length check should be done before any checks that may cause
        to send abort, as making packet for abort will access the init_tag
        from init_hdr in sctp_ootb_pkt_new().
      
      2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack():
      
        The same checks as does in sctp_sf_do_5_2_2_dupinit() is needed
        for sctp_sf_do_9_2_reshutack().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      eae57839
    • Xin Long's avatar
      sctp: use init_tag from inithdr for ABORT chunk · 4f7019c7
      Xin Long authored
      Currently Linux SCTP uses the verification tag of the existing SCTP
      asoc when failing to process and sending the packet with the ABORT
      chunk. This will result in the peer accepting the ABORT chunk and
      removing the SCTP asoc. One could exploit this to terminate a SCTP
      asoc.
      
      This patch is to fix it by always using the initiate tag of the
      received INIT chunk for the ABORT chunk to be sent.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f7019c7
    • Vasily Averin's avatar
      skb_expand_head() adjust skb->truesize incorrectly · 7f678def
      Vasily Averin authored
      Christoph Paasch reports [1] about incorrect skb->truesize
      after skb_expand_head() call in ip6_xmit.
      This may happen because of two reasons:
      - skb_set_owner_w() for newly cloned skb is called too early,
      before pskb_expand_head() where truesize is adjusted for (!skb-sk) case.
      - pskb_expand_head() does not adjust truesize in (skb->sk) case.
      In this case sk->sk_wmem_alloc should be adjusted too.
      
      [1] https://lkml.org/lkml/2021/8/20/1082
      
      Fixes: f1260ff1 ("skbuff: introduce skb_expand_head()")
      Fixes: 2d85a1b3 ("ipv6: ip6_finish_output2: set sk into newly allocated nskb")
      Reported-by: default avatarChristoph Paasch <christoph.paasch@gmail.com>
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/644330dd-477e-0462-83bf-9f514c41edd1@virtuozzo.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7f678def
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-net-2021-10-21' of... · 7fcb1c95
      Jakub Kicinski authored
      Merge tag 'mac80211-for-net-2021-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Two small fixes:
       * RCU misuse in scan processing in cfg80211
       * missing size check for HE data in mac80211 mesh
      
      * tag 'mac80211-for-net-2021-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211:
        cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
        mac80211: mesh: fix HE operation element length check
      ====================
      
      Link: https://lore.kernel.org/r/20211021154351.134297-1-johannes@sipsolutions.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7fcb1c95
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm · 64222515
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Nothing too crazy at the end of the cycle, the kmb modesetting fixes
        are probably a bit large but it's not a major driver, and its fixing
        monitor doesn't turn on type problems.
      
        Otherwise it's just a few minor patches, one ast regression revert, an
        msm power stability fix.
      
        ast:
         - fix regression with connector detect
      
        msm:
         - fix power stability issue
      
        msxfb:
         - fix crash on unload
      
        panel:
         - sync fix
      
        kmb:
         - modesetting fixes"
      
      * tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm:
        Revert "drm/ast: Add detect function support"
        drm/kmb: Enable ADV bridge after modeset
        drm/kmb: Corrected typo in handle_lcd_irq
        drm/kmb: Disable change of plane parameters
        drm/kmb: Remove clearing DPHY regs
        drm/kmb: Limit supported mode to 1080p
        drm/kmb: Work around for higher system clock
        drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel
        drm: mxsfb: Fix NULL pointer dereference crash on unload
        drm/msm/devfreq: Restrict idle clamping to a618 for now
      64222515
    • Mike Rapoport's avatar
      memblock: exclude MEMBLOCK_NOMAP regions from kmemleak · 658aafc8
      Mike Rapoport authored
      Vladimir Zapolskiy reports:
      
      Commit a7259df7 ("memblock: make memblock_find_in_range method
      private") invokes a kernel panic while running kmemleak on OF platforms
      with nomaped regions:
      
        Unable to handle kernel paging request at virtual address fff000021e00000
        [...]
          scan_block+0x64/0x170
          scan_gray_list+0xe8/0x17c
          kmemleak_scan+0x270/0x514
          kmemleak_write+0x34c/0x4ac
      
      The memory allocated from memblock is registered with kmemleak, but if
      it is marked MEMBLOCK_NOMAP it won't have linear map entries so an
      attempt to scan such areas will fault.
      
      Ideally, memblock_mark_nomap() would inform kmemleak to ignore
      MEMBLOCK_NOMAP memory, but it can be called before kmemleak interfaces
      operating on physical addresses can use __va() conversion.
      
      Make sure that functions that mark allocated memory as MEMBLOCK_NOMAP
      take care of informing kmemleak to ignore such memory.
      
      Link: https://lore.kernel.org/all/8ade5174-b143-d621-8c8e-dc6a1898c6fb@linaro.org
      Link: https://lore.kernel.org/all/c30ff0a2-d196-c50d-22f0-bd50696b1205@quicinc.com
      Fixes: a7259df7 ("memblock: make memblock_find_in_range method private")
      Reported-by: default avatarVladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
      Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarVladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
      Tested-by: default avatarQian Cai <quic_qiancai@quicinc.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      658aafc8
    • Mike Rapoport's avatar
      Revert "memblock: exclude NOMAP regions from kmemleak" · 6c9a5455
      Mike Rapoport authored
      Commit 6e44bd6d ("memblock: exclude NOMAP regions from kmemleak")
      breaks boot on EFI systems with kmemleak and VM_DEBUG enabled:
      
        efi: Processing EFI memory map:
        efi:   0x000090000000-0x000091ffffff [Conventional|   |  |  |  |  |  |  |  |  |   |WB|WT|WC|UC]
        efi:   0x000092000000-0x0000928fffff [Runtime Data|RUN|  |  |  |  |  |  |  |  |   |WB|WT|WC|UC]
        ------------[ cut here ]------------
        kernel BUG at mm/kmemleak.c:1140!
        Internal error: Oops - BUG: 0 [#1] SMP
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.0-rc6-next-20211019+ #104
        pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
        pc : kmemleak_free_part_phys+0x64/0x8c
        lr : kmemleak_free_part_phys+0x38/0x8c
        sp : ffff800011eafbc0
        x29: ffff800011eafbc0 x28: 1fffff7fffb41c0d x27: fffffbfffda0e068
        x26: 0000000092000000 x25: 1ffff000023d5f94 x24: ffff800011ed84d0
        x23: ffff800011ed84c0 x22: ffff800011ed83d8 x21: 0000000000900000
        x20: ffff800011782000 x19: 0000000092000000 x18: ffff800011ee0730
        x17: 0000000000000000 x16: 0000000000000000 x15: 1ffff0000233252c
        x14: ffff800019a905a0 x13: 0000000000000001 x12: ffff7000023d5ed7
        x11: 1ffff000023d5ed6 x10: ffff7000023d5ed6 x9 : dfff800000000000
        x8 : ffff800011eaf6b7 x7 : 0000000000000001 x6 : ffff800011eaf6b0
        x5 : 00008ffffdc2a12a x4 : ffff7000023d5ed7 x3 : 1ffff000023dbf99
        x2 : 1ffff000022f0463 x1 : 0000000000000000 x0 : ffffffffffffffff
        Call trace:
         kmemleak_free_part_phys+0x64/0x8c
         memblock_mark_nomap+0x5c/0x78
         reserve_regions+0x294/0x33c
         efi_init+0x2d0/0x490
         setup_arch+0x80/0x138
         start_kernel+0xa0/0x3ec
         __primary_switched+0xc0/0xc8
        Code: 34000041 97d526e7 f9418e80 36000040 (d4210000)
        random: get_random_bytes called from print_oops_end_marker+0x34/0x80 with crng_init=0
        ---[ end trace 0000000000000000 ]---
      
      The crash happens because kmemleak_free_part_phys() tries to use __va()
      before memstart_addr is initialized and this triggers a VM_BUG_ON() in
      arch/arm64/include/asm/memory.h:
      
      Revert 6e44bd6d ("memblock: exclude NOMAP regions from kmemleak"),
      the issue it is fixing will be fixed differently.
      Reported-by: default avatarQian Cai <quic_qiancai@quicinc.com>
      Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6c9a5455
    • Linus Torvalds's avatar
      Merge branch 'ucount-fixes-for-v5.15' of... · 9d235ac0
      Linus Torvalds authored
      Merge branch 'ucount-fixes-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
      
      Pull ucounts fixes from Eric Biederman:
       "There has been one very hard to track down bug in the ucount code that
        we have been tracking since roughly v5.14 was released. Alex managed
        to find a reliable reproducer a few days ago and then I was able to
        instrument the code and figure out what the issue was.
      
        It turns out the sigqueue_alloc single atomic operation optimization
        did not play nicely with ucounts multiple level rlimits. It turned out
        that either sigqueue_alloc or sigqueue_free could be operating on
        multiple levels and trigger the conditions for the optimization on
        more than one level at the same time.
      
        To deal with that situation I have introduced inc_rlimit_get_ucounts
        and dec_rlimit_put_ucounts that just focuses on the optimization and
        the rlimit and ucount changes.
      
        While looking into the big bug I found I couple of other little issues
        so I am including those fixes here as well.
      
        When I have time I would very much like to dig into process ownership
        of the shared signal queue and see if we could pick a single owner for
        the entire queue so that all of the rlimits can count to that owner.
        That should entirely remove the need to call get_ucounts and
        put_ucounts in sigqueue_alloc and sigqueue_free. It is difficult
        because Linux unlike POSIX supports setuid that works on a single
        thread"
      
      * 'ucount-fixes-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        ucounts: Move get_ucounts from cred_alloc_blank to key_change_session_keyring
        ucounts: Proper error handling in set_cred_ucounts
        ucounts: Pair inc_rlimit_ucounts with dec_rlimit_ucoutns in commit_creds
        ucounts: Fix signal ucount refcounting
      9d235ac0
    • Linus Torvalds's avatar
      Merge tag 'net-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6c2c7127
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, and can.
      
        We'll have one more fix for a socket accounting regression, it's still
        getting polished. Otherwise things look fine.
      
        Current release - regressions:
      
         - revert "vrf: reset skb conntrack connection on VRF rcv", there are
           valid uses for previous behavior
      
         - can: m_can: fix iomap_read_fifo() and iomap_write_fifo()
      
        Current release - new code bugs:
      
         - mlx5: e-switch, return correct error code on group creation failure
      
        Previous releases - regressions:
      
         - sctp: fix transport encap_port update in sctp_vtag_verify
      
         - stmmac: fix E2E delay mechanism (in PTP timestamping)
      
        Previous releases - always broken:
      
         - netfilter: ip6t_rt: fix out-of-bounds read of ipv6_rt_hdr
      
         - netfilter: xt_IDLETIMER: fix out-of-bound read caused by lack of
           init
      
         - netfilter: ipvs: make global sysctl read-only in non-init netns
      
         - tcp: md5: fix selection between vrf and non-vrf keys
      
         - ipv6: count rx stats on the orig netdev when forwarding
      
         - bridge: mcast: use multicast_membership_interval for IGMPv3
      
         - can:
            - j1939: fix UAF for rx_kref of j1939_priv abort sessions on
              receiving bad messages
      
            - isotp: fix TX buffer concurrent access in isotp_sendmsg() fix
              return error on FC timeout on TX path
      
         - ice: fix re-init of RDMA Tx queues and crash if RDMA was not inited
      
         - hns3: schedule the polling again when allocation fails, prevent
           stalls
      
         - drivers: add missing of_node_put() when aborting
           for_each_available_child_of_node()
      
         - ptp: fix possible memory leak and UAF in ptp_clock_register()
      
         - e1000e: fix packet loss in burst mode on Tiger Lake and later
      
         - mlx5e: ipsec: fix more checksum offload issues"
      
      * tag 'net-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (75 commits)
        usbnet: sanity check for maxpacket
        net: enetc: make sure all traffic classes can send large frames
        net: enetc: fix ethtool counter name for PM0_TERR
        ptp: free 'vclock_index' in ptp_clock_release()
        sfc: Don't use netif_info before net_device setup
        sfc: Export fibre-specific supported link modes
        net/mlx5e: IPsec: Fix work queue entry ethernet segment checksum flags
        net/mlx5e: IPsec: Fix a misuse of the software parser's fields
        net/mlx5e: Fix vlan data lost during suspend flow
        net/mlx5: E-switch, Return correct error code on group creation failure
        net/mlx5: Lag, change multipath and bonding to be mutually exclusive
        ice: Add missing E810 device ids
        igc: Update I226_K device ID
        e1000e: Fix packet loss on Tiger Lake and later
        e1000e: Separate TGP board type from SPT
        ptp: Fix possible memory leak in ptp_clock_register()
        net: stmmac: Fix E2E delay mechanism
        nfc: st95hf: Make spi remove() callback return zero
        net: hns3: disable sriov before unload hclge layer
        net: hns3: fix vf reset workqueue cannot exit
        ...
      6c2c7127
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 0a3221b6
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix a bug exposed by a previous fix, where running guests with
         certain SMT topologies could crash the host on Power8.
      
       - Fix atomic sleep warnings when re-onlining CPUs, when PREEMPT is
         enabled.
      
      Thanks to Nathan Lynch, Srikar Dronamraju, and Valentin Schneider.
      
      * tag 'powerpc-5.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/smp: do not decrement idle task preempt count in CPU offline
        powerpc/idle: Don't corrupt back chain when going idle
      0a3221b6
  5. 21 Oct, 2021 11 commits
    • Kim Phillips's avatar
      Revert "drm/ast: Add detect function support" · 595cb5e0
      Kim Phillips authored
      This reverts commit aae74ff9,
      since it prevents my AMD Milan system from booting, with:
      
      [   27.189558] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [   27.197506] #PF: supervisor write access in kernel mode
      [   27.203333] #PF: error_code(0x0002) - not-present page
      [   27.209064] PGD 0 P4D 0
      [   27.211885] Oops: 0002 [#1] PREEMPT SMP NOPTI
      [   27.216744] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-rc6+ #15
      [   27.223928] Hardware name: AMD Corporation ETHANOL_X/ETHANOL_X, BIOS RXM1006B 08/20/2021
      [   27.232955] RIP: 0010:run_timer_softirq+0x38b/0x4a0
      [   27.238397] Code: 4c 89 f7 e8 37 27 ac 00 49 c7 46 08 00 00 00 00 49 8b 04 24 48 85 c0 74 71 4d 8b 3c 24 4d 89 7e 08 66 90 49 8b 07 49 8b 57 08 <48> 89 02 48 85 c0 74 04 48 89 50 08 49 8b 77 18 41 f6 47 22 20 4c
      [   27.259350] RSP: 0018:ffffc42d00003ee8 EFLAGS: 00010086
      [   27.265176] RAX: dead000000000122 RBX: 0000000000000000 RCX: 0000000000000101
      [   27.273134] RDX: 0000000000000000 RSI: 0000000000000087 RDI: 0000000000000001
      [   27.281084] RBP: ffffc42d00003f70 R08: 0000000000000000 R09: 00000000000003eb
      [   27.289043] R10: ffffa0860cb300d0 R11: ffffa0c44de290b0 R12: ffffc42d00003ef8
      [   27.297002] R13: 00000000fffef200 R14: ffffa0c44de18dc0 R15: ffffa0867a882350
      [   27.304961] FS:  0000000000000000(0000) GS:ffffa0c44de00000(0000) knlGS:0000000000000000
      [   27.313988] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   27.320396] CR2: 0000000000000000 CR3: 000000014569c001 CR4: 0000000000770ef0
      [   27.328346] PKRU: 55555554
      [   27.331359] Call Trace:
      [   27.334073]  <IRQ>
      [   27.336314]  ? __queue_work+0x420/0x420
      [   27.340589]  ? lapic_next_event+0x21/0x30
      [   27.345060]  ? clockevents_program_event+0x8f/0xe0
      [   27.350402]  __do_softirq+0xfb/0x2db
      [   27.354388]  irq_exit_rcu+0x98/0xd0
      [   27.358275]  sysvec_apic_timer_interrupt+0xac/0xd0
      [   27.363620]  </IRQ>
      [   27.365955]  asm_sysvec_apic_timer_interrupt+0x12/0x20
      [   27.371685] RIP: 0010:cpuidle_enter_state+0xcc/0x390
      [   27.377292] Code: 3d 01 79 0a 50 e8 44 ed 77 ff 49 89 c6 0f 1f 44 00 00 31 ff e8 f5 f8 77 ff 80 7d d7 00 0f 85 e6 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 ff 0f 88 17 01 00 00 49 63 c7 4c 2b 75 c8 48 8d 14 40 48 8d
      [   27.398243] RSP: 0018:ffffffffb0e03dc8 EFLAGS: 00000246
      [   27.404069] RAX: ffffa0c44de00000 RBX: 0000000000000001 RCX: 000000000000001f
      [   27.412028] RDX: 0000000000000000 RSI: ffffffffb0bafc1f RDI: ffffffffb0bbdb81
      [   27.419986] RBP: ffffffffb0e03e00 R08: 00000006549f8f3f R09: ffffffffb1065200
      [   27.427935] R10: ffffa0c44de27ae4 R11: ffffa0c44de27ac4 R12: ffffa0c5634cb000
      [   27.435894] R13: ffffffffb1065200 R14: 00000006549f8f3f R15: 0000000000000001
      [   27.443854]  ? cpuidle_enter_state+0xbb/0x390
      [   27.448712]  cpuidle_enter+0x2e/0x40
      [   27.452695]  call_cpuidle+0x23/0x40
      [   27.456584]  do_idle+0x1f0/0x270
      [   27.460181]  cpu_startup_entry+0x20/0x30
      [   27.464553]  rest_init+0xd4/0xe0
      [   27.468149]  arch_call_rest_init+0xe/0x1b
      [   27.472619]  start_kernel+0x6bc/0x6e2
      [   27.476764]  x86_64_start_reservations+0x24/0x26
      [   27.481912]  x86_64_start_kernel+0x75/0x79
      [   27.486477]  secondary_startup_64_no_verify+0xb0/0xbb
      [   27.492111] Modules linked in: kvm_amd(+) kvm ipmi_si(+) ipmi_devintf rapl wmi_bmof ipmi_msghandler input_leds ccp k10temp mac_hid sch_fq_codel msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear ast i2c_algo_bit drm_vram_helper drm_ttm_helper ttm drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel syscopyarea aesni_intel sysfillrect crypto_simd sysimgblt fb_sys_fops cryptd hid_generic cec nvme ahci usbhid drm e1000e nvme_core hid libahci i2c_piix4 wmi
      [   27.551789] CR2: 0000000000000000
      [   27.555482] ---[ end trace 897987dfe93dccc6 ]---
      [   27.560630] RIP: 0010:run_timer_softirq+0x38b/0x4a0
      [   27.566069] Code: 4c 89 f7 e8 37 27 ac 00 49 c7 46 08 00 00 00 00 49 8b 04 24 48 85 c0 74 71 4d 8b 3c 24 4d 89 7e 08 66 90 49 8b 07 49 8b 57 08 <48> 89 02 48 85 c0 74 04 48 89 50 08 49 8b 77 18 41 f6 47 22 20 4c
      [   27.587021] RSP: 0018:ffffc42d00003ee8 EFLAGS: 00010086
      [   27.592848] RAX: dead000000000122 RBX: 0000000000000000 RCX: 0000000000000101
      [   27.600808] RDX: 0000000000000000 RSI: 0000000000000087 RDI: 0000000000000001
      [   27.608765] RBP: ffffc42d00003f70 R08: 0000000000000000 R09: 00000000000003eb
      [   27.616716] R10: ffffa0860cb300d0 R11: ffffa0c44de290b0 R12: ffffc42d00003ef8
      [   27.624673] R13: 00000000fffef200 R14: ffffa0c44de18dc0 R15: ffffa0867a882350
      [   27.632624] FS:  0000000000000000(0000) GS:ffffa0c44de00000(0000) knlGS:0000000000000000
      [   27.641650] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   27.648159] CR2: 0000000000000000 CR3: 000000014569c001 CR4: 0000000000770ef0
      [   27.656119] PKRU: 55555554
      [   27.659133] Kernel panic - not syncing: Fatal exception in interrupt
      [   29.030411] Shutting down cpus with NMI
      [   29.034699] Kernel Offset: 0x2e600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [   29.046790] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Since unreliable, found by bisecting for KASAN's use-after-free in
      enqueue_timer+0x4f/0x1e0, where the timer callback is called.
      Reported-by: default avatarKim Phillips <kim.phillips@amd.com>
      Signed-off-by: default avatarKim Phillips <kim.phillips@amd.com>
      Fixes: aae74ff9 ("drm/ast: Add detect function support")
      Link: https://lore.kernel.org/lkml/0f7871be-9ca6-5ae4-3a40-5db9a8fb2365@amd.com/
      Cc: Ainux <ainux.wang@gmail.com>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: David Airlie <airlied@redhat.com>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: sterlingteng@gmail.com
      Cc: chenhuacai@kernel.org
      Cc: Chuck Lever III <chuck.lever@oracle.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Jon Grimm <jon.grimm@amd.com>
      Cc: dri-devel <dri-devel@lists.freedesktop.org>
      Cc: linux-kernel <linux-kernel@vger.kernel.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20211021153006.92983-1-kim.phillips@amd.com
      595cb5e0
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2021-10-21-1' of... · 7e1c5440
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2021-10-21-1' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
      
      drm-misc-fixes for v5.15-rc7:
      - Rebased, to remove vc4 patches.
      - Fix mxsfb crash on unload.
      - Use correct sync parameters for Feixin K101-IM2BYL02.
      - Assorted kmb modeset/atomic fixes.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/e66eaf89-b9b9-41f5-d0d2-dad7e59fabb5@linux.intel.com
      7e1c5440
    • Dave Airlie's avatar
      Merge tag 'drm-msm-fixes-2021-10-18' of https://gitlab.freedesktop.org/drm/msm into drm-fixes · 730b64d8
      Dave Airlie authored
      One more fix for v5.15, to work around a power stability issue on a630
      (and possibly others)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Rob Clark <robdclark@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGs1WPLthmd=ToDcEHm=u-7O38RAVJ2XwRoS8xPmC520vg@mail.gmail.com
      730b64d8
    • Oliver Neukum's avatar
      usbnet: sanity check for maxpacket · 397430b5
      Oliver Neukum authored
      maxpacket of 0 makes no sense and oopses as we need to divide
      by it. Give up.
      
      V2: fixed typo in log and stylistic issues
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      397430b5
    • Vladimir Oltean's avatar
      net: enetc: make sure all traffic classes can send large frames · e378f496
      Vladimir Oltean authored
      The enetc driver does not implement .ndo_change_mtu, instead it
      configures the MAC register field PTC{Traffic Class}MSDUR[MAXSDU]
      statically to a large value during probe time.
      
      The driver used to configure only the max SDU for traffic class 0, and
      that was fine while the driver could only use traffic class 0. But with
      the introduction of mqprio, sending a large frame into any other TC than
      0 is broken.
      
      This patch fixes that by replicating per traffic class the static
      configuration done in enetc_configure_port_mac().
      
      Fixes: cbe9e835 ("enetc: Enable TC offloading with mqprio")
      Reported-by: default avatarRichie Pearn <richard.pearn@nxp.com>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatar&lt;Claudiu Manoil <claudiu.manoil@nxp.com>
      Link: https://lore.kernel.org/r/20211020173340.1089992-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e378f496
    • Vladimir Oltean's avatar
      net: enetc: fix ethtool counter name for PM0_TERR · fb8dc5fc
      Vladimir Oltean authored
      There are two counters named "MAC tx frames", one of them is actually
      incorrect. The correct name for that counter should be "MAC tx error
      frames", which is symmetric to the existing "MAC rx error frames".
      
      Fixes: 16eb4c85 ("enetc: Add ethtool statistics")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatar&lt;Claudiu Manoil <claudiu.manoil@nxp.com>
      Link: https://lore.kernel.org/r/20211020165206.1069889-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fb8dc5fc
    • Yang Yingliang's avatar
      ptp: free 'vclock_index' in ptp_clock_release() · b6b19a71
      Yang Yingliang authored
      'vclock_index' is accessed from sysfs, it shouled be freed
      in release function, so move it from ptp_clock_unregister()
      to ptp_clock_release().
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6b19a71
    • Erik Ekman's avatar
      sfc: Don't use netif_info before net_device setup · bf6abf34
      Erik Ekman authored
      Use pci_info instead to avoid unnamed/uninitialized noise:
      
      [197088.688729] sfc 0000:01:00.0: Solarflare NIC detected
      [197088.690333] sfc 0000:01:00.0: Part Number : SFN5122F
      [197088.729061] sfc 0000:01:00.0 (unnamed net_device) (uninitialized): no SR-IOV VFs probed
      [197088.729071] sfc 0000:01:00.0 (unnamed net_device) (uninitialized): no PTP support
      
      Inspired by fa44821a ("sfc: don't use netif_info et al before
      net_device is registered") from Heiner Kallweit.
      Signed-off-by: default avatarErik Ekman <erik@kryo.se>
      Acked-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf6abf34
    • Erik Ekman's avatar
      sfc: Export fibre-specific supported link modes · c62041c5
      Erik Ekman authored
      The 1/10GbaseT modes were set up for cards with SFP+ cages in
      3497ed8c ("sfc: report supported link speeds on SFP connections").
      10GbaseT was likely used since no 10G fibre mode existed.
      
      The missing fibre modes for 1/10G were added to ethtool.h in 5711a982
      ("net: ethtool: add support for 1000BaseX and missing 10G link modes")
      shortly thereafter.
      
      The user guide available at https://support-nic.xilinx.com/wp/drivers
      lists support for the following cable and transceiver types in section 2.9:
      - QSFP28 100G Direct Attach Cables
      - QSFP28 100G SR Optical Transceivers (with SR4 modules listed)
      - SFP28 25G Direct Attach Cables
      - SFP28 25G SR Optical Transceivers
      - QSFP+ 40G Direct Attach Cables
      - QSFP+ 40G Active Optical Cables
      - QSFP+ 40G SR4 Optical Transceivers
      - QSFP+ to SFP+ Breakout Direct Attach Cables
      - QSFP+ to SFP+ Breakout Active Optical Cables
      - SFP+ 10G Direct Attach Cables
      - SFP+ 10G SR Optical Transceivers
      - SFP+ 10G LR Optical Transceivers
      - SFP 1000BASE‐T Transceivers
      - 1G Optical Transceivers
      (From user guide issue 28. Issue 16 which also includes older cards like
      SFN5xxx/SFN6xxx has matching lists for 1/10/40G transceiver types.)
      
      Regarding SFP+ 10GBASE‐T transceivers the latest guide says:
      "Solarflare adapters do not support 10GBASE‐T transceiver modules."
      
      Tested using SFN5122F-R7 (with 2 SFP+ ports). Supported link modes do not change
      depending on module used (tested with 1000BASE-T, 1000BASE-BX10, 10GBASE-LR).
      Before:
      
      $ ethtool ext
      Settings for ext:
      	Supported ports: [ FIBRE ]
      	Supported link modes:   1000baseT/Full
      	                        10000baseT/Full
      	Supported pause frame use: Symmetric Receive-only
      	Supports auto-negotiation: No
      	Supported FEC modes: Not reported
      	Advertised link modes:  Not reported
      	Advertised pause frame use: No
      	Advertised auto-negotiation: No
      	Advertised FEC modes: Not reported
      	Link partner advertised link modes:  Not reported
      	Link partner advertised pause frame use: No
      	Link partner advertised auto-negotiation: No
      	Link partner advertised FEC modes: Not reported
      	Speed: 1000Mb/s
      	Duplex: Full
      	Auto-negotiation: off
      	Port: FIBRE
      	PHYAD: 255
      	Transceiver: internal
              Current message level: 0x000020f7 (8439)
                                     drv probe link ifdown ifup rx_err tx_err hw
      	Link detected: yes
      
      After:
      
      $ ethtool ext
      Settings for ext:
      	Supported ports: [ FIBRE ]
      	Supported link modes:   1000baseT/Full
      	                        1000baseX/Full
      	                        10000baseCR/Full
      	                        10000baseSR/Full
      	                        10000baseLR/Full
      	Supported pause frame use: Symmetric Receive-only
      	Supports auto-negotiation: No
      	Supported FEC modes: Not reported
      	Advertised link modes:  Not reported
      	Advertised pause frame use: No
      	Advertised auto-negotiation: No
      	Advertised FEC modes: Not reported
      	Link partner advertised link modes:  Not reported
      	Link partner advertised pause frame use: No
      	Link partner advertised auto-negotiation: No
      	Link partner advertised FEC modes: Not reported
      	Speed: 1000Mb/s
      	Duplex: Full
      	Auto-negotiation: off
      	Port: FIBRE
      	PHYAD: 255
      	Transceiver: internal
      	Supports Wake-on: g
      	Wake-on: d
              Current message level: 0x000020f7 (8439)
                                     drv probe link ifdown ifup rx_err tx_err hw
      	Link detected: yes
      Signed-off-by: default avatarErik Ekman <erik@kryo.se>
      Acked-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c62041c5
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 1439caa1
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Crash due to missing initialization of timer data in
         xt_IDLETIMER, from Juhee Kang.
      
      2) NF_CONNTRACK_SECMARK should be bool in Kconfig, from Vegard Nossum.
      
      3) Skip netdev events on netns removal, from Florian Westphal.
      
      4) Add testcase to show port shadowing via UDP, also from Florian.
      
      5) Remove pr_debug() code in ip6t_rt, this fixes a crash due to
         unsafe access to non-linear skbuff, from Xin Long.
      
      6) Make net/ipv4/vs/debug_level read-only from non-init netns,
         from Antoine Tenart.
      
      7) Remove bogus invocation to bash in selftests/netfilter/nft_flowtable.sh
         also from Florian.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1439caa1
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2021-10-20' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e0bfcf9c
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5-fixes-2021-10-20
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0bfcf9c