1. 20 Apr, 2023 6 commits
  2. 19 Apr, 2023 11 commits
    • Christophe JAILLET's avatar
      net: dsa: microchip: ksz8795: Correctly handle huge frame configuration · 3d2f8f1f
      Christophe JAILLET authored
      Because of the logic in place, SW_HUGE_PACKET can never be set.
      (If the first condition is true, then the 2nd one is also true, but is not
      executed)
      
      Change the logic and update each bit individually.
      
      Fixes: 29d1e85f ("net: dsa: microchip: ksz8: add MTU configuration support")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/43107d9e8b5b8b05f0cbd4e1f47a2bb88c8747b2.1681755535.git.christophe.jaillet@wanadoo.frSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3d2f8f1f
    • Daniel Borkmann's avatar
      bpf: Fix incorrect verifier pruning due to missing register precision taints · 71b547f5
      Daniel Borkmann authored
      Juan Jose et al reported an issue found via fuzzing where the verifier's
      pruning logic prematurely marks a program path as safe.
      
      Consider the following program:
      
         0: (b7) r6 = 1024
         1: (b7) r7 = 0
         2: (b7) r8 = 0
         3: (b7) r9 = -2147483648
         4: (97) r6 %= 1025
         5: (05) goto pc+0
         6: (bd) if r6 <= r9 goto pc+2
         7: (97) r6 %= 1
         8: (b7) r9 = 0
         9: (bd) if r6 <= r9 goto pc+1
        10: (b7) r6 = 0
        11: (b7) r0 = 0
        12: (63) *(u32 *)(r10 -4) = r0
        13: (18) r4 = 0xffff888103693400 // map_ptr(ks=4,vs=48)
        15: (bf) r1 = r4
        16: (bf) r2 = r10
        17: (07) r2 += -4
        18: (85) call bpf_map_lookup_elem#1
        19: (55) if r0 != 0x0 goto pc+1
        20: (95) exit
        21: (77) r6 >>= 10
        22: (27) r6 *= 8192
        23: (bf) r1 = r0
        24: (0f) r0 += r6
        25: (79) r3 = *(u64 *)(r0 +0)
        26: (7b) *(u64 *)(r1 +0) = r3
        27: (95) exit
      
      The verifier treats this as safe, leading to oob read/write access due
      to an incorrect verifier conclusion:
      
        func#0 @0
        0: R1=ctx(off=0,imm=0) R10=fp0
        0: (b7) r6 = 1024                     ; R6_w=1024
        1: (b7) r7 = 0                        ; R7_w=0
        2: (b7) r8 = 0                        ; R8_w=0
        3: (b7) r9 = -2147483648              ; R9_w=-2147483648
        4: (97) r6 %= 1025                    ; R6_w=scalar()
        5: (05) goto pc+0
        6: (bd) if r6 <= r9 goto pc+2         ; R6_w=scalar(umin=18446744071562067969,var_off=(0xffffffff00000000; 0xffffffff)) R9_w=-2147483648
        7: (97) r6 %= 1                       ; R6_w=scalar()
        8: (b7) r9 = 0                        ; R9=0
        9: (bd) if r6 <= r9 goto pc+1         ; R6=scalar(umin=1) R9=0
        10: (b7) r6 = 0                       ; R6_w=0
        11: (b7) r0 = 0                       ; R0_w=0
        12: (63) *(u32 *)(r10 -4) = r0
        last_idx 12 first_idx 9
        regs=1 stack=0 before 11: (b7) r0 = 0
        13: R0_w=0 R10=fp0 fp-8=0000????
        13: (18) r4 = 0xffff8ad3886c2a00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
        17: (07) r2 += -4                     ; R2_w=fp-4
        18: (85) call bpf_map_lookup_elem#1   ; R0=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0)
        19: (55) if r0 != 0x0 goto pc+1       ; R0=0
        20: (95) exit
      
        from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
        21: (77) r6 >>= 10                    ; R6_w=0
        22: (27) r6 *= 8192                   ; R6_w=0
        23: (bf) r1 = r0                      ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0)
        24: (0f) r0 += r6
        last_idx 24 first_idx 19
        regs=40 stack=0 before 23: (bf) r1 = r0
        regs=40 stack=0 before 22: (27) r6 *= 8192
        regs=40 stack=0 before 21: (77) r6 >>= 10
        regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1
        parent didn't have regs=40 stack=0 marks: R0_rw=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) R6_rw=P0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
        last_idx 18 first_idx 9
        regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
        regs=40 stack=0 before 17: (07) r2 += -4
        regs=40 stack=0 before 16: (bf) r2 = r10
        regs=40 stack=0 before 15: (bf) r1 = r4
        regs=40 stack=0 before 13: (18) r4 = 0xffff8ad3886c2a00
        regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
        regs=40 stack=0 before 11: (b7) r0 = 0
        regs=40 stack=0 before 10: (b7) r6 = 0
        25: (79) r3 = *(u64 *)(r0 +0)         ; R0_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
        26: (7b) *(u64 *)(r1 +0) = r3         ; R1_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
        27: (95) exit
      
        from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0
        11: (b7) r0 = 0                       ; R0_w=0
        12: (63) *(u32 *)(r10 -4) = r0
        last_idx 12 first_idx 11
        regs=1 stack=0 before 11: (b7) r0 = 0
        13: R0_w=0 R10=fp0 fp-8=0000????
        13: (18) r4 = 0xffff8ad3886c2a00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
        17: (07) r2 += -4                     ; R2_w=fp-4
        18: (85) call bpf_map_lookup_elem#1
        frame 0: propagating r6
        last_idx 19 first_idx 11
        regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
        regs=40 stack=0 before 17: (07) r2 += -4
        regs=40 stack=0 before 16: (bf) r2 = r10
        regs=40 stack=0 before 15: (bf) r1 = r4
        regs=40 stack=0 before 13: (18) r4 = 0xffff8ad3886c2a00
        regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
        regs=40 stack=0 before 11: (b7) r0 = 0
        parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_r=P0 R7=0 R8=0 R9=0 R10=fp0
        last_idx 9 first_idx 9
        regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1
        parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar() R7_w=0 R8_w=0 R9_rw=0 R10=fp0
        last_idx 8 first_idx 0
        regs=40 stack=0 before 8: (b7) r9 = 0
        regs=40 stack=0 before 7: (97) r6 %= 1
        regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
        regs=40 stack=0 before 5: (05) goto pc+0
        regs=40 stack=0 before 4: (97) r6 %= 1025
        regs=40 stack=0 before 3: (b7) r9 = -2147483648
        regs=40 stack=0 before 2: (b7) r8 = 0
        regs=40 stack=0 before 1: (b7) r7 = 0
        regs=40 stack=0 before 0: (b7) r6 = 1024
        19: safe
        frame 0: propagating r6
        last_idx 9 first_idx 0
        regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
        regs=40 stack=0 before 5: (05) goto pc+0
        regs=40 stack=0 before 4: (97) r6 %= 1025
        regs=40 stack=0 before 3: (b7) r9 = -2147483648
        regs=40 stack=0 before 2: (b7) r8 = 0
        regs=40 stack=0 before 1: (b7) r7 = 0
        regs=40 stack=0 before 0: (b7) r6 = 1024
      
        from 6 to 9: safe
        verification time 110 usec
        stack depth 4
        processed 36 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2
      
      The verifier considers this program as safe by mistakenly pruning unsafe
      code paths. In the above func#0, code lines 0-10 are of interest. In line
      0-3 registers r6 to r9 are initialized with known scalar values. In line 4
      the register r6 is reset to an unknown scalar given the verifier does not
      track modulo operations. Due to this, the verifier can also not determine
      precisely which branches in line 6 and 9 are taken, therefore it needs to
      explore them both.
      
      As can be seen, the verifier starts with exploring the false/fall-through
      paths first. The 'from 19 to 21' path has both r6=0 and r9=0 and the pointer
      arithmetic on r0 += r6 is therefore considered safe. Given the arithmetic,
      r6 is correctly marked for precision tracking where backtracking kicks in
      where it walks back the current path all the way where r6 was set to 0 in
      the fall-through branch.
      
      Next, the pruning logics pops the path 'from 9 to 11' from the stack. Also
      here, the state of the registers is the same, that is, r6=0 and r9=0, so
      that at line 19 the path can be pruned as it is considered safe. It is
      interesting to note that the conditional in line 9 turned r6 into a more
      precise state, that is, in the fall-through path at the beginning of line
      10, it is R6=scalar(umin=1), and in the branch-taken path (which is analyzed
      here) at the beginning of line 11, r6 turned into a known const r6=0 as
      r9=0 prior to that and therefore (unsigned) r6 <= 0 concludes that r6 must
      be 0 (**):
      
        [...]                                 ; R6_w=scalar()
        9: (bd) if r6 <= r9 goto pc+1         ; R6=scalar(umin=1) R9=0
        [...]
      
        from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0
        [...]
      
      The next path is 'from 6 to 9'. The verifier considers the old and current
      state equivalent, and therefore prunes the search incorrectly. Looking into
      the two states which are being compared by the pruning logic at line 9, the
      old state consists of R6_rwD=Pscalar() R9_rwD=0 R10=fp0 and the new state
      consists of R1=ctx(off=0,imm=0) R6_w=scalar(umax=18446744071562067968)
      R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0. While r6 had the reg->precise flag
      correctly set in the old state, r9 did not. Both r6'es are considered as
      equivalent given the old one is a superset of the current, more precise one,
      however, r9's actual values (0 vs 0x80000000) mismatch. Given the old r9
      did not have reg->precise flag set, the verifier does not consider the
      register as contributing to the precision state of r6, and therefore it
      considered both r9 states as equivalent. However, for this specific pruned
      path (which is also the actual path taken at runtime), register r6 will be
      0x400 and r9 0x80000000 when reaching line 21, thus oob-accessing the map.
      
      The purpose of precision tracking is to initially mark registers (including
      spilled ones) as imprecise to help verifier's pruning logic finding equivalent
      states it can then prune if they don't contribute to the program's safety
      aspects. For example, if registers are used for pointer arithmetic or to pass
      constant length to a helper, then the verifier sets reg->precise flag and
      backtracks the BPF program instruction sequence and chain of verifier states
      to ensure that the given register or stack slot including their dependencies
      are marked as precisely tracked scalar. This also includes any other registers
      and slots that contribute to a tracked state of given registers/stack slot.
      This backtracking relies on recorded jmp_history and is able to traverse
      entire chain of parent states. This process ends only when all the necessary
      registers/slots and their transitive dependencies are marked as precise.
      
      The backtrack_insn() is called from the current instruction up to the first
      instruction, and its purpose is to compute a bitmask of registers and stack
      slots that need precision tracking in the parent's verifier state. For example,
      if a current instruction is r6 = r7, then r6 needs precision after this
      instruction and r7 needs precision before this instruction, that is, in the
      parent state. Hence for the latter r7 is marked and r6 unmarked.
      
      For the class of jmp/jmp32 instructions, backtrack_insn() today only looks
      at call and exit instructions and for all other conditionals the masks
      remain as-is. However, in the given situation register r6 has a dependency
      on r9 (as described above in **), so also that one needs to be marked for
      precision tracking. In other words, if an imprecise register influences a
      precise one, then the imprecise register should also be marked precise.
      Meaning, in the parent state both dest and src register need to be tracked
      for precision and therefore the marking must be more conservative by setting
      reg->precise flag for both. The precision propagation needs to cover both
      for the conditional: if the src reg was marked but not the dst reg and vice
      versa.
      
      After the fix the program is correctly rejected:
      
        func#0 @0
        0: R1=ctx(off=0,imm=0) R10=fp0
        0: (b7) r6 = 1024                     ; R6_w=1024
        1: (b7) r7 = 0                        ; R7_w=0
        2: (b7) r8 = 0                        ; R8_w=0
        3: (b7) r9 = -2147483648              ; R9_w=-2147483648
        4: (97) r6 %= 1025                    ; R6_w=scalar()
        5: (05) goto pc+0
        6: (bd) if r6 <= r9 goto pc+2         ; R6_w=scalar(umin=18446744071562067969,var_off=(0xffffffff80000000; 0x7fffffff),u32_min=-2147483648) R9_w=-2147483648
        7: (97) r6 %= 1                       ; R6_w=scalar()
        8: (b7) r9 = 0                        ; R9=0
        9: (bd) if r6 <= r9 goto pc+1         ; R6=scalar(umin=1) R9=0
        10: (b7) r6 = 0                       ; R6_w=0
        11: (b7) r0 = 0                       ; R0_w=0
        12: (63) *(u32 *)(r10 -4) = r0
        last_idx 12 first_idx 9
        regs=1 stack=0 before 11: (b7) r0 = 0
        13: R0_w=0 R10=fp0 fp-8=0000????
        13: (18) r4 = 0xffff9290dc5bfe00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
        17: (07) r2 += -4                     ; R2_w=fp-4
        18: (85) call bpf_map_lookup_elem#1   ; R0=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0)
        19: (55) if r0 != 0x0 goto pc+1       ; R0=0
        20: (95) exit
      
        from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
        21: (77) r6 >>= 10                    ; R6_w=0
        22: (27) r6 *= 8192                   ; R6_w=0
        23: (bf) r1 = r0                      ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0)
        24: (0f) r0 += r6
        last_idx 24 first_idx 19
        regs=40 stack=0 before 23: (bf) r1 = r0
        regs=40 stack=0 before 22: (27) r6 *= 8192
        regs=40 stack=0 before 21: (77) r6 >>= 10
        regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1
        parent didn't have regs=40 stack=0 marks: R0_rw=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) R6_rw=P0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
        last_idx 18 first_idx 9
        regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
        regs=40 stack=0 before 17: (07) r2 += -4
        regs=40 stack=0 before 16: (bf) r2 = r10
        regs=40 stack=0 before 15: (bf) r1 = r4
        regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00
        regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
        regs=40 stack=0 before 11: (b7) r0 = 0
        regs=40 stack=0 before 10: (b7) r6 = 0
        25: (79) r3 = *(u64 *)(r0 +0)         ; R0_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
        26: (7b) *(u64 *)(r1 +0) = r3         ; R1_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
        27: (95) exit
      
        from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0
        11: (b7) r0 = 0                       ; R0_w=0
        12: (63) *(u32 *)(r10 -4) = r0
        last_idx 12 first_idx 11
        regs=1 stack=0 before 11: (b7) r0 = 0
        13: R0_w=0 R10=fp0 fp-8=0000????
        13: (18) r4 = 0xffff9290dc5bfe00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
        17: (07) r2 += -4                     ; R2_w=fp-4
        18: (85) call bpf_map_lookup_elem#1
        frame 0: propagating r6
        last_idx 19 first_idx 11
        regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
        regs=40 stack=0 before 17: (07) r2 += -4
        regs=40 stack=0 before 16: (bf) r2 = r10
        regs=40 stack=0 before 15: (bf) r1 = r4
        regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00
        regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
        regs=40 stack=0 before 11: (b7) r0 = 0
        parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_r=P0 R7=0 R8=0 R9=0 R10=fp0
        last_idx 9 first_idx 9
        regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1
        parent didn't have regs=240 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar() R7_w=0 R8_w=0 R9_rw=P0 R10=fp0
        last_idx 8 first_idx 0
        regs=240 stack=0 before 8: (b7) r9 = 0
        regs=40 stack=0 before 7: (97) r6 %= 1
        regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
        regs=240 stack=0 before 5: (05) goto pc+0
        regs=240 stack=0 before 4: (97) r6 %= 1025
        regs=240 stack=0 before 3: (b7) r9 = -2147483648
        regs=40 stack=0 before 2: (b7) r8 = 0
        regs=40 stack=0 before 1: (b7) r7 = 0
        regs=40 stack=0 before 0: (b7) r6 = 1024
        19: safe
      
        from 6 to 9: R1=ctx(off=0,imm=0) R6_w=scalar(umax=18446744071562067968) R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0
        9: (bd) if r6 <= r9 goto pc+1
        last_idx 9 first_idx 0
        regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
        regs=240 stack=0 before 5: (05) goto pc+0
        regs=240 stack=0 before 4: (97) r6 %= 1025
        regs=240 stack=0 before 3: (b7) r9 = -2147483648
        regs=40 stack=0 before 2: (b7) r8 = 0
        regs=40 stack=0 before 1: (b7) r7 = 0
        regs=40 stack=0 before 0: (b7) r6 = 1024
        last_idx 9 first_idx 0
        regs=200 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
        regs=240 stack=0 before 5: (05) goto pc+0
        regs=240 stack=0 before 4: (97) r6 %= 1025
        regs=240 stack=0 before 3: (b7) r9 = -2147483648
        regs=40 stack=0 before 2: (b7) r8 = 0
        regs=40 stack=0 before 1: (b7) r7 = 0
        regs=40 stack=0 before 0: (b7) r6 = 1024
        11: R6=scalar(umax=18446744071562067968) R9=-2147483648
        11: (b7) r0 = 0                       ; R0_w=0
        12: (63) *(u32 *)(r10 -4) = r0
        last_idx 12 first_idx 11
        regs=1 stack=0 before 11: (b7) r0 = 0
        13: R0_w=0 R10=fp0 fp-8=0000????
        13: (18) r4 = 0xffff9290dc5bfe00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
        16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
        17: (07) r2 += -4                     ; R2_w=fp-4
        18: (85) call bpf_map_lookup_elem#1   ; R0_w=map_value_or_null(id=3,off=0,ks=4,vs=48,imm=0)
        19: (55) if r0 != 0x0 goto pc+1       ; R0_w=0
        20: (95) exit
      
        from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=scalar(umax=18446744071562067968) R7=0 R8=0 R9=-2147483648 R10=fp0 fp-8=mmmm????
        21: (77) r6 >>= 10                    ; R6_w=scalar(umax=18014398507384832,var_off=(0x0; 0x3fffffffffffff))
        22: (27) r6 *= 8192                   ; R6_w=scalar(smax=9223372036854767616,umax=18446744073709543424,var_off=(0x0; 0xffffffffffffe000),s32_max=2147475456,u32_max=-8192)
        23: (bf) r1 = r0                      ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0)
        24: (0f) r0 += r6
        last_idx 24 first_idx 21
        regs=40 stack=0 before 23: (bf) r1 = r0
        regs=40 stack=0 before 22: (27) r6 *= 8192
        regs=40 stack=0 before 21: (77) r6 >>= 10
        parent didn't have regs=40 stack=0 marks: R0_rw=map_value(off=0,ks=4,vs=48,imm=0) R6_r=Pscalar(umax=18446744071562067968) R7=0 R8=0 R9=-2147483648 R10=fp0 fp-8=mmmm????
        last_idx 19 first_idx 11
        regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1
        regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
        regs=40 stack=0 before 17: (07) r2 += -4
        regs=40 stack=0 before 16: (bf) r2 = r10
        regs=40 stack=0 before 15: (bf) r1 = r4
        regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00
        regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
        regs=40 stack=0 before 11: (b7) r0 = 0
        parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar(umax=18446744071562067968) R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0
        last_idx 9 first_idx 0
        regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1
        regs=240 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
        regs=240 stack=0 before 5: (05) goto pc+0
        regs=240 stack=0 before 4: (97) r6 %= 1025
        regs=240 stack=0 before 3: (b7) r9 = -2147483648
        regs=40 stack=0 before 2: (b7) r8 = 0
        regs=40 stack=0 before 1: (b7) r7 = 0
        regs=40 stack=0 before 0: (b7) r6 = 1024
        math between map_value pointer and register with unbounded min value is not allowed
        verification time 886 usec
        stack depth 4
        processed 49 insns (limit 1000000) max_states_per_insn 1 total_states 5 peak_states 5 mark_read 2
      
      Fixes: b5dc0163 ("bpf: precise scalar_value tracking")
      Reported-by: default avatarJuan Jose Lopez Jaimez <jjlopezjaimez@google.com>
      Reported-by: default avatarMeador Inge <meadori@google.com>
      Reported-by: default avatarSimon Scannell <simonscannell@google.com>
      Reported-by: default avatarNenad Stojanovski <thenenadx@google.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Co-developed-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Reviewed-by: default avatarJuan Jose Lopez Jaimez <jjlopezjaimez@google.com>
      Reviewed-by: default avatarMeador Inge <meadori@google.com>
      Reviewed-by: default avatarSimon Scannell <simonscannell@google.com>
      71b547f5
    • Arnd Bergmann's avatar
      hamradio: drop ISA_DMA_API dependency · fcd4843a
      Arnd Bergmann authored
      It looks like the dependency got added accidentally in commit a5532606
      ("[PATCH] ISA DMA Kconfig fixes - part 3"). Unlike the previously removed
      dmascc driver, the scc driver never used DMA.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fcd4843a
    • Ido Schimmel's avatar
      mlxsw: pci: Fix possible crash during initialization · 1f64757e
      Ido Schimmel authored
      During initialization the driver issues a reset command via its command
      interface in order to remove previous configuration from the device.
      
      After issuing the reset, the driver waits for 200ms before polling on
      the "system_status" register using memory-mapped IO until the device
      reaches a ready state (0x5E). The wait is necessary because the reset
      command only triggers the reset, but the reset itself happens
      asynchronously. If the driver starts polling too soon, the read of the
      "system_status" register will never return and the system will crash
      [1].
      
      The issue was discovered when the device was flashed with a development
      firmware version where the reset routine took longer to complete. The
      issue was fixed in the firmware, but it exposed the fact that the
      current wait time is borderline.
      
      Fix by increasing the wait time from 200ms to 400ms. With this patch and
      the buggy firmware version, the issue did not reproduce in 10 reboots
      whereas without the patch the issue is reproduced quite consistently.
      
      [1]
      mce: CPUs not responding to MCE broadcast (may include false positives): 0,4
      mce: CPUs not responding to MCE broadcast (may include false positives): 0,4
      Kernel panic - not syncing: Timeout: Not all CPUs entered broadcast exception handler
      Shutting down cpus with NMI
      Kernel Offset: 0x12000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      
      Fixes: ac004e84 ("mlxsw: pci: Wait longer before accessing the device after reset")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f64757e
    • David S. Miller's avatar
      Merge branch 'mptcp-fixes' · ed7f9c01
      David S. Miller authored
      Matthieu Baerts says:
      
      ====================
      mptcp: fixes around listening sockets and the MPTCP worker
      
      Christoph Paasch reported a couple of issues found by syzkaller and
      linked to operations done by the MPTCP worker on (un)accepted sockets.
      
      Fixing these issues was not obvious and rather complex but Paolo Abeni
      nicely managed to propose these excellent patches that seem to satisfy
      syzkaller.
      
      Patch 1 partially reverts a recent fix but while still providing a
      solution for the previous issue, it also prevents the MPTCP worker from
      running concurrently with inet_csk_listen_stop(). A warning is then
      avoided. The partially reverted patch has been introduced in v6.3-rc3,
      backported up to v6.1 and fixing an issue visible from v5.18.
      
      Patch 2 prevents the MPTCP worker to race with mptcp_accept() causing a
      UaF when a fallback to TCP is done while in parallel, the socket is
      being accepted by the userspace. This is also a fix of a previous fix
      introduced in v6.3-rc3, backported up to v6.1 but here fixing an issue
      that is in theory there from v5.7. There is no need to backport it up
      to here as it looks like it is only visible later, around v5.18, see the
      previous cover-letter linked to this original fix.
      ====================
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      ed7f9c01
    • Paolo Abeni's avatar
      mptcp: fix accept vs worker race · 63740448
      Paolo Abeni authored
      The mptcp worker and mptcp_accept() can race, as reported by Christoph:
      
      refcount_t: addition on 0; use-after-free.
      WARNING: CPU: 1 PID: 14351 at lib/refcount.c:25 refcount_warn_saturate+0x105/0x1b0 lib/refcount.c:25
      Modules linked in:
      CPU: 1 PID: 14351 Comm: syz-executor.2 Not tainted 6.3.0-rc1-gde5e8fd0123c #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
      RIP: 0010:refcount_warn_saturate+0x105/0x1b0 lib/refcount.c:25
      Code: 02 31 ff 89 de e8 1b f0 a7 ff 84 db 0f 85 6e ff ff ff e8 3e f5 a7 ff 48 c7 c7 d8 c7 34 83 c6 05 6d 2d 0f 02 01 e8 cb 3d 90 ff <0f> 0b e9 4f ff ff ff e8 1f f5 a7 ff 0f b6 1d 54 2d 0f 02 31 ff 89
      RSP: 0018:ffffc90000a47bf8 EFLAGS: 00010282
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: ffff88802eae98c0 RSI: ffffffff81097d4f RDI: 0000000000000001
      RBP: ffff88802e712180 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000001 R11: ffff88802eaea148 R12: ffff88802e712100
      R13: ffff88802e712a88 R14: ffff888005cb93a8 R15: ffff88802e712a88
      FS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f277fd89120 CR3: 0000000035486002 CR4: 0000000000370ee0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       __refcount_add include/linux/refcount.h:199 [inline]
       __refcount_inc include/linux/refcount.h:250 [inline]
       refcount_inc include/linux/refcount.h:267 [inline]
       sock_hold include/net/sock.h:775 [inline]
       __mptcp_close+0x4c6/0x4d0 net/mptcp/protocol.c:3051
       mptcp_close+0x24/0xe0 net/mptcp/protocol.c:3072
       inet_release+0x56/0xa0 net/ipv4/af_inet.c:429
       __sock_release+0x51/0xf0 net/socket.c:653
       sock_close+0x18/0x20 net/socket.c:1395
       __fput+0x113/0x430 fs/file_table.c:321
       task_work_run+0x96/0x100 kernel/task_work.c:179
       exit_task_work include/linux/task_work.h:38 [inline]
       do_exit+0x4fc/0x10c0 kernel/exit.c:869
       do_group_exit+0x51/0xf0 kernel/exit.c:1019
       get_signal+0x12b0/0x1390 kernel/signal.c:2859
       arch_do_signal_or_restart+0x25/0x260 arch/x86/kernel/signal.c:306
       exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
       exit_to_user_mode_prepare+0x131/0x1a0 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x19/0x40 kernel/entry/common.c:296
       do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      RIP: 0033:0x7fec4b4926a9
      Code: Unable to access opcode bytes at 0x7fec4b49267f.
      RSP: 002b:00007fec49f9dd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
      RAX: fffffffffffffe00 RBX: 00000000006bc058 RCX: 00007fec4b4926a9
      RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006bc058
      RBP: 00000000006bc050 R08: 00000000007df998 R09: 00000000007df998
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006bc05c
      R13: fffffffffffffea8 R14: 000000000000000b R15: 000000000001fe40
       </TASK>
      
      The root cause is that the worker can force fallback to TCP the first
      mptcp subflow, actually deleting the unaccepted msk socket.
      
      We can explicitly prevent the race delaying the unaccepted msk deletion
      at listener shutdown time. In case the closed subflow is later accepted,
      just drop the mptcp context and let the user-space deal with the
      paired mptcp socket.
      
      Fixes: b6985b9b ("mptcp: use the workqueue to destroy unaccepted sockets")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Link: https://github.com/multipath-tcp/mptcp_net-next/issues/375Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Tested-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      63740448
    • Paolo Abeni's avatar
      mptcp: stops worker on unaccepted sockets at listener close · 2a6a870e
      Paolo Abeni authored
      This is a partial revert of the blamed commit, with a relevant
      change: mptcp_subflow_queue_clean() now just change the msk
      socket status and stop the worker, so that the UaF issue addressed
      by the blamed commit is not re-introduced.
      
      The above prevents the mptcp worker from running concurrently with
      inet_csk_listen_stop(), as such race would trigger a warning, as
      reported by Christoph:
      
      RSP: 002b:00007f784fe09cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      WARNING: CPU: 0 PID: 25807 at net/ipv4/inet_connection_sock.c:1387 inet_csk_listen_stop+0x664/0x870 net/ipv4/inet_connection_sock.c:1387
      RAX: ffffffffffffffda RBX: 00000000006bc050 RCX: 00007f7850afd6a9
      RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000004
      Modules linked in:
      RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006bc05c
      R13: fffffffffffffea8 R14: 00000000006bc050 R15: 000000000001fe40
      
       </TASK>
      CPU: 0 PID: 25807 Comm: syz-executor.7 Not tainted 6.2.0-g778e54711659 #7
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
      RIP: 0010:inet_csk_listen_stop+0x664/0x870 net/ipv4/inet_connection_sock.c:1387
      RAX: 0000000000000000 RBX: ffff888100dfbd40 RCX: 0000000000000000
      RDX: ffff8881363aab80 RSI: ffffffff81c494f4 RDI: 0000000000000005
      RBP: ffff888126dad080 R08: 0000000000000005 R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000000 R12: ffff888100dfe040
      R13: 0000000000000001 R14: 0000000000000000 R15: ffff888100dfbdd8
      FS:  00007f7850a2c800(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b32d26000 CR3: 000000012fdd8006 CR4: 0000000000770ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       <TASK>
       __tcp_close+0x5b2/0x620 net/ipv4/tcp.c:2875
       __mptcp_close_ssk+0x145/0x3d0 net/mptcp/protocol.c:2427
       mptcp_destroy_common+0x8a/0x1c0 net/mptcp/protocol.c:3277
       mptcp_destroy+0x41/0x60 net/mptcp/protocol.c:3304
       __mptcp_destroy_sock+0x56/0x140 net/mptcp/protocol.c:2965
       __mptcp_close+0x38f/0x4a0 net/mptcp/protocol.c:3057
       mptcp_close+0x24/0xe0 net/mptcp/protocol.c:3072
       inet_release+0x53/0xa0 net/ipv4/af_inet.c:429
       __sock_release+0x4e/0xf0 net/socket.c:651
       sock_close+0x15/0x20 net/socket.c:1393
       __fput+0xff/0x420 fs/file_table.c:321
       task_work_run+0x8b/0xe0 kernel/task_work.c:179
       resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
       exit_to_user_mode_prepare+0x113/0x120 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
       do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      RIP: 0033:0x7f7850af70dc
      RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7850af70dc
      RDX: 00007f7850a2c800 RSI: 0000000000000002 RDI: 0000000000000003
      RBP: 00000000006bd980 R08: 0000000000000000 R09: 00000000000018a0
      R10: 00000000316338a4 R11: 0000000000000293 R12: 0000000000211e31
      R13: 00000000006bc05c R14: 00007f785062c000 R15: 0000000000211af0
      
      Fixes: 0a3f4f1f ("mptcp: fix UaF in listener shutdown")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Link: https://github.com/multipath-tcp/mptcp_net-next/issues/371Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a6a870e
    • Alexander Aring's avatar
      net: rpl: fix rpl header size calculation · 4e006c7a
      Alexander Aring authored
      This patch fixes a missing 8 byte for the header size calculation. The
      ipv6_rpl_srh_size() is used to check a skb_pull() on skb->data which
      points to skb_transport_header(). Currently we only check on the
      calculated addresses fields using CmprI and CmprE fields, see:
      
      https://www.rfc-editor.org/rfc/rfc6554#section-3
      
      there is however a missing 8 byte inside the calculation which stands
      for the fields before the addresses field. Those 8 bytes are represented
      by sizeof(struct ipv6_rpl_sr_hdr) expression.
      
      Fixes: 8610c7c6 ("net: ipv6: add support for rpl sr exthdr")
      Signed-off-by: default avatarAlexander Aring <aahringo@redhat.com>
      Reported-by: default avatarmaxpl0it <maxpl0it@protonmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e006c7a
    • Seiji Nishikawa's avatar
      net: vmxnet3: Fix NULL pointer dereference in vmxnet3_rq_rx_complete() · 6f483338
      Seiji Nishikawa authored
      When vmxnet3_rq_create() fails to allocate rq->data_ring.base due to page
      allocation failure, subsequent call to vmxnet3_rq_rx_complete() can result in
      NULL pointer dereference.
      
      To fix this bug, check not only that rxDataRingUsed is true but also that
      adapter->rxdataring_enabled is true before calling memcpy() in
      vmxnet3_rq_rx_complete().
      
      [1728352.477993] ethtool: page allocation failure: order:9, mode:0x6000c0(GFP_KERNEL), nodemask=(null),cpuset=/,mems_allowed=0
      ...
      [1728352.478009] Call Trace:
      [1728352.478028]  dump_stack+0x41/0x60
      [1728352.478035]  warn_alloc.cold.120+0x7b/0x11b
      [1728352.478038]  ? _cond_resched+0x15/0x30
      [1728352.478042]  ? __alloc_pages_direct_compact+0x15f/0x170
      [1728352.478043]  __alloc_pages_slowpath+0xcd3/0xd10
      [1728352.478047]  __alloc_pages_nodemask+0x2e2/0x320
      [1728352.478049]  __dma_direct_alloc_pages.constprop.25+0x8a/0x120
      [1728352.478053]  dma_direct_alloc+0x5a/0x2a0
      [1728352.478056]  vmxnet3_rq_create.part.57+0x17c/0x1f0 [vmxnet3]
      ...
      [1728352.478188] vmxnet3 0000:0b:00.0 ens192: rx data ring will be disabled
      ...
      [1728352.515347] BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
      ...
      [1728352.515440] RIP: 0010:memcpy_orig+0x54/0x130
      ...
      [1728352.515655] Call Trace:
      [1728352.515665]  <IRQ>
      [1728352.515672]  vmxnet3_rq_rx_complete+0x419/0xef0 [vmxnet3]
      [1728352.515690]  vmxnet3_poll_rx_only+0x31/0xa0 [vmxnet3]
      ...
      Signed-off-by: default avatarSeiji Nishikawa <snishika@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f483338
    • Ido Schimmel's avatar
      bonding: Fix memory leak when changing bond type to Ethernet · c484fcc0
      Ido Schimmel authored
      When a net device is put administratively up, its 'IFF_UP' flag is set
      (if not set already) and a 'NETDEV_UP' notification is emitted, which
      causes the 8021q driver to add VLAN ID 0 on the device. The reverse
      happens when a net device is put administratively down.
      
      When changing the type of a bond to Ethernet, its 'IFF_UP' flag is
      incorrectly cleared, resulting in the kernel skipping the above process
      and VLAN ID 0 being leaked [1].
      
      Fix by restoring the flag when changing the type to Ethernet, in a
      similar fashion to the restoration of the 'IFF_SLAVE' flag.
      
      The issue can be reproduced using the script in [2], with example out
      before and after the fix in [3].
      
      [1]
      unreferenced object 0xffff888103479900 (size 256):
        comm "ip", pid 329, jiffies 4294775225 (age 28.561s)
        hex dump (first 32 bytes):
          00 a0 0c 15 81 88 ff ff 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff81a6051a>] kmalloc_trace+0x2a/0xe0
          [<ffffffff8406426c>] vlan_vid_add+0x30c/0x790
          [<ffffffff84068e21>] vlan_device_event+0x1491/0x21a0
          [<ffffffff81440c8e>] notifier_call_chain+0xbe/0x1f0
          [<ffffffff8372383a>] call_netdevice_notifiers_info+0xba/0x150
          [<ffffffff837590f2>] __dev_notify_flags+0x132/0x2e0
          [<ffffffff8375ad9f>] dev_change_flags+0x11f/0x180
          [<ffffffff8379af36>] do_setlink+0xb96/0x4060
          [<ffffffff837adf6a>] __rtnl_newlink+0xc0a/0x18a0
          [<ffffffff837aec6c>] rtnl_newlink+0x6c/0xa0
          [<ffffffff837ac64e>] rtnetlink_rcv_msg+0x43e/0xe00
          [<ffffffff839a99e0>] netlink_rcv_skb+0x170/0x440
          [<ffffffff839a738f>] netlink_unicast+0x53f/0x810
          [<ffffffff839a7fcb>] netlink_sendmsg+0x96b/0xe90
          [<ffffffff8369d12f>] ____sys_sendmsg+0x30f/0xa70
          [<ffffffff836a6d7a>] ___sys_sendmsg+0x13a/0x1e0
      unreferenced object 0xffff88810f6a83e0 (size 32):
        comm "ip", pid 329, jiffies 4294775225 (age 28.561s)
        hex dump (first 32 bytes):
          a0 99 47 03 81 88 ff ff a0 99 47 03 81 88 ff ff  ..G.......G.....
          81 00 00 00 01 00 00 00 cc cc cc cc cc cc cc cc  ................
        backtrace:
          [<ffffffff81a6051a>] kmalloc_trace+0x2a/0xe0
          [<ffffffff84064369>] vlan_vid_add+0x409/0x790
          [<ffffffff84068e21>] vlan_device_event+0x1491/0x21a0
          [<ffffffff81440c8e>] notifier_call_chain+0xbe/0x1f0
          [<ffffffff8372383a>] call_netdevice_notifiers_info+0xba/0x150
          [<ffffffff837590f2>] __dev_notify_flags+0x132/0x2e0
          [<ffffffff8375ad9f>] dev_change_flags+0x11f/0x180
          [<ffffffff8379af36>] do_setlink+0xb96/0x4060
          [<ffffffff837adf6a>] __rtnl_newlink+0xc0a/0x18a0
          [<ffffffff837aec6c>] rtnl_newlink+0x6c/0xa0
          [<ffffffff837ac64e>] rtnetlink_rcv_msg+0x43e/0xe00
          [<ffffffff839a99e0>] netlink_rcv_skb+0x170/0x440
          [<ffffffff839a738f>] netlink_unicast+0x53f/0x810
          [<ffffffff839a7fcb>] netlink_sendmsg+0x96b/0xe90
          [<ffffffff8369d12f>] ____sys_sendmsg+0x30f/0xa70
          [<ffffffff836a6d7a>] ___sys_sendmsg+0x13a/0x1e0
      
      [2]
      ip link add name t-nlmon type nlmon
      ip link add name t-dummy type dummy
      ip link add name t-bond type bond mode active-backup
      
      ip link set dev t-bond up
      ip link set dev t-nlmon master t-bond
      ip link set dev t-nlmon nomaster
      ip link show dev t-bond
      ip link set dev t-dummy master t-bond
      ip link show dev t-bond
      
      ip link del dev t-bond
      ip link del dev t-dummy
      ip link del dev t-nlmon
      
      [3]
      Before:
      
      12: t-bond: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
          link/netlink
      12: t-bond: <BROADCAST,MULTICAST,MASTER,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
          link/ether 46:57:39:a4:46:a2 brd ff:ff:ff:ff:ff:ff
      
      After:
      
      12: t-bond: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
          link/netlink
      12: t-bond: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
          link/ether 66:48:7b:74:b6:8a brd ff:ff:ff:ff:ff:ff
      
      Fixes: e36b9d16 ("bonding: clean muticast addresses when device changes type")
      Fixes: 75c78500 ("bonding: remap muticast addresses without using dev_close() and dev_open()")
      Fixes: 9ec7eb60 ("bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change")
      Reported-by: default avatarMirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
      Link: https://lore.kernel.org/netdev/78a8a03b-6070-3e6b-5042-f848dab16fb8@alu.unizg.hr/Tested-by: default avatarMirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Acked-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c484fcc0
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 92e8c732
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Unbreak br_netfilter physdev match support, from Florian Westphal.
      
      2) Use GFP_KERNEL_ACCOUNT for stateful/policy objects, from Chen Aotian.
      
      3) Use IS_ENABLED() in nf_reset_trace(), from Florian Westphal.
      
      4) Fix validation of catch-all set element.
      
      5) Tighten requirements for catch-all set elements.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements
        netfilter: nf_tables: validate catch-all set elements
        netfilter: nf_tables: fix ifdef to also consider nf_tables=m
        netfilter: nf_tables: Modify nla_memdup's flag to GFP_KERNEL_ACCOUNT
        netfilter: br_netfilter: fix recent physdev match breakage
      ====================
      
      Link: https://lore.kernel.org/r/20230418145048.67270-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      92e8c732
  3. 18 Apr, 2023 9 commits
  4. 17 Apr, 2023 6 commits
    • Aleksandr Loktionov's avatar
      i40e: fix i40e_setup_misc_vector() error handling · c86c00c6
      Aleksandr Loktionov authored
      Add error handling of i40e_setup_misc_vector() in i40e_rebuild().
      In case interrupt vectors setup fails do not re-open vsi-s and
      do not bring up vf-s, we have no interrupts to serve a traffic
      anyway.
      
      Fixes: 41c445ff ("i40e: main driver core")
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      c86c00c6
    • Aleksandr Loktionov's avatar
      i40e: fix accessing vsi->active_filters without holding lock · 8485d093
      Aleksandr Loktionov authored
      Fix accessing vsi->active_filters without holding the mac_filter_hash_lock.
      Move vsi->active_filters = 0 inside critical section and
      move clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state) after the critical
      section to ensure the new filters from other threads can be added only after
      filters cleaning in the critical section is finished.
      
      Fixes: 278e7d0b ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      8485d093
    • Florian Westphal's avatar
      netfilter: nf_tables: fix ifdef to also consider nf_tables=m · c55c0e91
      Florian Westphal authored
      nftables can be built as a module, so fix the preprocessor conditional
      accordingly.
      
      Fixes: 478b360a ("netfilter: nf_tables: fix nf_trace always-on with XT_TRACE=n")
      Reported-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reported-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c55c0e91
    • Pedro Tammela's avatar
      net/sched: clear actions pointer in miss cookie init fail · 338469d6
      Pedro Tammela authored
      Palash reports a UAF when using a modified version of syzkaller[1].
      
      When 'tcf_exts_miss_cookie_base_alloc()' fails in 'tcf_exts_init_ex()'
      a call to 'tcf_exts_destroy()' is made to free up the tcf_exts
      resources.
      In flower, a call to '__fl_put()' when 'tcf_exts_init_ex()' fails is made;
      Then calling 'tcf_exts_destroy()', which triggers an UAF since the
      already freed tcf_exts action pointer is lingering in the struct.
      
      Before the offending patch, this was not an issue since there was no
      case where the tcf_exts action pointer could linger. Therefore, restore
      the old semantic by clearing the action pointer in case of a failure to
      initialize the miss_cookie.
      
      [1] https://github.com/cmu-pasta/linux-kernel-enriched-corpus
      
      v1->v2: Fix compilation on configs without tc actions (kernel test robot)
      
      Fixes: 80cd22c3 ("net/sched: cls_api: Support hardware miss to tc action")
      Reported-by: default avatarPalash Oswal <oswalpalash@gmail.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      338469d6
    • Ding Hui's avatar
      sfc: Fix use-after-free due to selftest_work · a80bb8e7
      Ding Hui authored
      There is a use-after-free scenario that is:
      
      When the NIC is down, user set mac address or vlan tag to VF,
      the xxx_set_vf_mac() or xxx_set_vf_vlan() will invoke efx_net_stop()
      and efx_net_open(), since netif_running() is false, the port will not
      start and keep port_enabled false, but selftest_work is scheduled
      in efx_net_open().
      
      If we remove the device before selftest_work run, the efx_stop_port()
      will not be called since the NIC is down, and then efx is freed,
      we will soon get a UAF in run_timer_softirq() like this:
      
      [ 1178.907941] ==================================================================
      [ 1178.907948] BUG: KASAN: use-after-free in run_timer_softirq+0xdea/0xe90
      [ 1178.907950] Write of size 8 at addr ff11001f449cdc80 by task swapper/47/0
      [ 1178.907950]
      [ 1178.907953] CPU: 47 PID: 0 Comm: swapper/47 Kdump: loaded Tainted: G           O     --------- -t - 4.18.0 #1
      [ 1178.907954] Hardware name: SANGFOR X620G40/WI2HG-208T1061A, BIOS SPYH051032-U01 04/01/2022
      [ 1178.907955] Call Trace:
      [ 1178.907956]  <IRQ>
      [ 1178.907960]  dump_stack+0x71/0xab
      [ 1178.907963]  print_address_description+0x6b/0x290
      [ 1178.907965]  ? run_timer_softirq+0xdea/0xe90
      [ 1178.907967]  kasan_report+0x14a/0x2b0
      [ 1178.907968]  run_timer_softirq+0xdea/0xe90
      [ 1178.907971]  ? init_timer_key+0x170/0x170
      [ 1178.907973]  ? hrtimer_cancel+0x20/0x20
      [ 1178.907976]  ? sched_clock+0x5/0x10
      [ 1178.907978]  ? sched_clock_cpu+0x18/0x170
      [ 1178.907981]  __do_softirq+0x1c8/0x5fa
      [ 1178.907985]  irq_exit+0x213/0x240
      [ 1178.907987]  smp_apic_timer_interrupt+0xd0/0x330
      [ 1178.907989]  apic_timer_interrupt+0xf/0x20
      [ 1178.907990]  </IRQ>
      [ 1178.907991] RIP: 0010:mwait_idle+0xae/0x370
      
      If the NIC is not actually brought up, there is no need to schedule
      selftest_work, so let's move invoking efx_selftest_async_start()
      into efx_start_all(), and it will be canceled by broughting down.
      
      Fixes: dd40781e ("sfc: Run event/IRQ self-test asynchronously when interface is brought up")
      Fixes: e340be92 ("sfc: add ndo_set_vf_mac() function for EF10")
      Debugged-by: default avatarHuang Cun <huangcun@sangfor.com.cn>
      Cc: Donglin Peng <pengdonglin@sangfor.com.cn>
      Suggested-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Signed-off-by: default avatarDing Hui <dinghui@sangfor.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a80bb8e7
    • Xuan Zhuo's avatar
      virtio_net: bugfix overflow inside xdp_linearize_page() · 853618d5
      Xuan Zhuo authored
      Here we copy the data from the original buf to the new page. But we
      not check that it may be overflow.
      
      As long as the size received(including vnethdr) is greater than 3840
      (PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow.
      
      And this is completely possible, as long as the MTU is large, such
      as 4096. In our test environment, this will cause crash. Since crash is
      caused by the written memory, it is meaningless, so I do not include it.
      
      Fixes: 72979a6c ("virtio_net: xdp, add slowpath case for non contiguous buffers")
      Signed-off-by: default avatarXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      853618d5
  5. 14 Apr, 2023 2 commits
    • Ilya Leoshkevich's avatar
      s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL · c730fce7
      Ilya Leoshkevich authored
      Thomas Richter reported a crash in linux-next with a backtrace similar
      to the following one:
      
      	 [<0000000000000000>] 0x0
      	([<000000000031a182>] bpf_trace_run4+0xc2/0x218)
      	 [<00000000001d59f4>] __bpf_trace_sched_switch+0x1c/0x28
      	 [<0000000000c44a3a>] __schedule+0x43a/0x890
      	 [<0000000000c44ef8>] schedule+0x68/0x110
      	 [<0000000000c4e5ca>] do_nanosleep+0xa2/0x168
      	 [<000000000026e7fe>] hrtimer_nanosleep+0xf6/0x1c0
      	 [<000000000026eb6e>] __s390x_sys_nanosleep+0xb6/0xf0
      	 [<0000000000c3b81c>] __do_syscall+0x1e4/0x208
      	 [<0000000000c50510>] system_call+0x70/0x98
      	Last Breaking-Event-Address:
      	 [<000003ff7fda1814>] bpf_prog_65e887c70a835bbf_on_switch+0x1a4/0x1f0
      
      The problem is that bpf_arch_text_poke() with new_addr == NULL is
      susceptible to the following race condition:
      
      	T1                 T2
              -----------------  -------------------
      	plt.target = NULL
      	                   entry: brcl 0xf,plt
      	entry.mask = 0
      	                   lgrl %r1,plt.target
      	                   br %r1
      
      Fix by setting PLT target to the instruction following `brcl 0xf,plt`
      instead of 0. This way T2 will simply resume the execution of the eBPF
      program, which is the desired effect of passing new_addr == NULL.
      
      Fixes: f1d5df84 ("s390/bpf: Implement bpf_arch_text_poke()")
      Reported-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Signed-off-by: default avatarIlya Leoshkevich <iii@linux.ibm.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Link: https://lore.kernel.org/bpf/20230414154755.184502-1-iii@linux.ibm.com
      c730fce7
    • Gwangun Jung's avatar
      net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg · 30379334
      Gwangun Jung authored
      If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device.
      The MTU of the loopback device can be set up to 2^31-1.
      As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.
      
      Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors.
      
      The following reports a oob access:
      
      [   84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313)
      [   84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301
      [   84.583686]
      [   84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1
      [   84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
      [   84.584644] Call Trace:
      [   84.584787]  <TASK>
      [   84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
      [   84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
      [   84.585570] kasan_report (mm/kasan/report.c:538)
      [   84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313)
      [   84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255)
      [   84.587607] dev_qdisc_enqueue (net/core/dev.c:3776)
      [   84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212)
      [   84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228)
      [   84.589460] ip_output (net/ipv4/ip_output.c:430)
      [   84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606)
      [   84.590285] raw_sendmsg (net/ipv4/raw.c:649)
      [   84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747)
      [   84.592084] __sys_sendto (net/socket.c:2142)
      [   84.593306] __x64_sys_sendto (net/socket.c:2150)
      [   84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      [   84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      [   84.594070] RIP: 0033:0x7fe568032066
      [   84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      
      Code starting with the faulting instruction
      ===========================================
      [   84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066
      [   84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003
      [   84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010
      [   84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
      [   84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001
      [   84.596218]  </TASK>
      [   84.596295]
      [   84.596351] Allocated by task 291:
      [   84.596467] kasan_save_stack (mm/kasan/common.c:46)
      [   84.596597] kasan_set_track (mm/kasan/common.c:52)
      [   84.596725] __kasan_kmalloc (mm/kasan/common.c:384)
      [   84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974)
      [   84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938)
      [   84.597100] qdisc_create (net/sched/sch_api.c:1244)
      [   84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680)
      [   84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174)
      [   84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574)
      [   84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365)
      [   84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942)
      [   84.597891] sock_sendmsg (net/socket.c:724 net/socket.c:747)
      [   84.598016] ____sys_sendmsg (net/socket.c:2501)
      [   84.598147] ___sys_sendmsg (net/socket.c:2557)
      [   84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586)
      [   84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      [   84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      [   84.598688]
      [   84.598744] The buggy address belongs to the object at ffff88810f674000
      [   84.598744]  which belongs to the cache kmalloc-8k of size 8192
      [   84.599135] The buggy address is located 2664 bytes to the right of
      [   84.599135]  allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0)
      [   84.599544]
      [   84.599598] The buggy address belongs to the physical page:
      [   84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670
      [   84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      [   84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2)
      [   84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000
      [   84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
      [   84.601009] page dumped because: kasan: bad access detected
      [   84.601187]
      [   84.601241] Memory state around the buggy address:
      [   84.601396]  ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   84.601620]  ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   84.602069]                                               ^
      [   84.602243]  ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   84.602468]  ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   84.602693] ==================================================================
      [   84.602924] Disabling lock debugging due to kernel taint
      
      Fixes: 3015f3d2 ("pkt_sched: enable QFQ to support TSO/GSO")
      Reported-by: default avatarGwangun Jung <exsociety@gmail.com>
      Signed-off-by: default avatarGwangun Jung <exsociety@gmail.com>
      Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30379334
  6. 13 Apr, 2023 6 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 829cca4d
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, and bluetooth.
      
        Not all that quiet given spring celebrations, but "current" fixes are
        thinning out, which is encouraging. One outstanding regression in the
        mlx5 driver when using old FW, not blocking but we're pushing for a
        fix.
      
        Current release - new code bugs:
      
         - eth: enetc: workaround for unresponsive pMAC after receiving
           express traffic
      
        Previous releases - regressions:
      
         - rtnetlink: restore RTM_NEW/DELLINK notification behavior, keep the
           pid/seq fields 0 for backward compatibility
      
        Previous releases - always broken:
      
         - sctp: fix a potential overflow in sctp_ifwdtsn_skip
      
         - mptcp:
            - use mptcp_schedule_work instead of open-coding it and make the
              worker check stricter, to avoid scheduling work on closed
              sockets
            - fix NULL pointer dereference on fastopen early fallback
      
         - skbuff: fix memory corruption due to a race between skb coalescing
           and releasing clones confusing page_pool reference counting
      
         - bonding: fix neighbor solicitation validation on backup slaves
      
         - bpf: tcp: use sock_gen_put instead of sock_put in bpf_iter_tcp
      
         - bpf: arm64: fixed a BTI error on returning to patched function
      
         - openvswitch: fix race on port output leading to inf loop
      
         - sfp: initialize sfp->i2c_block_size at sfp allocation to avoid
           returning a different errno than expected
      
         - phy: nxp-c45-tja11xx: unregister PTP, purge queues on remove
      
         - Bluetooth: fix printing errors if LE Connection times out
      
         - Bluetooth: assorted UaF, deadlock and data race fixes
      
         - eth: macb: fix memory corruption in extended buffer descriptor mode
      
        Misc:
      
         - adjust the XDP Rx flow hash API to also include the protocol layers
           over which the hash was computed"
      
      * tag 'net-6.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (50 commits)
        selftests/bpf: Adjust bpf_xdp_metadata_rx_hash for new arg
        mlx4: bpf_xdp_metadata_rx_hash add xdp rss hash type
        veth: bpf_xdp_metadata_rx_hash add xdp rss hash type
        mlx5: bpf_xdp_metadata_rx_hash add xdp rss hash type
        xdp: rss hash types representation
        selftests/bpf: xdp_hw_metadata remove bpf_printk and add counters
        skbuff: Fix a race between coalescing and releasing SKBs
        net: macb: fix a memory corruption in extended buffer descriptor mode
        selftests: add the missing CONFIG_IP_SCTP in net config
        udp6: fix potential access to stale information
        selftests: openvswitch: adjust datapath NL message declaration
        selftests: mptcp: userspace pm: uniform verify events
        mptcp: fix NULL pointer dereference on fastopen early fallback
        mptcp: stricter state check in mptcp_worker
        mptcp: use mptcp_schedule_work instead of open-coding it
        net: enetc: workaround for unresponsive pMAC after receiving express traffic
        sctp: fix a potential overflow in sctp_ifwdtsn_skip
        net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
        rtnetlink: Restore RTM_NEW/DELLINK notification behavior
        net: ti/cpsw: Add explicit platform_device.h and of_platform.h includes
        ...
      829cca4d
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 4413ad01
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
      
       - Fix interaction between fw_devlink and DT overlays causing devices to
         not be probed
      
       - Fix the compatible string for loongson,cpu-interrupt-controller
      
      * tag 'devicetree-fixes-for-6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        treewide: Fix probing of devices in DT overlays
        dt-bindings: interrupt-controller: loongarch: Fix mismatched compatible
      4413ad01
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v6.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 531f27ad
      Linus Torvalds authored
      Pull pin control fix from Linus Walleij:
       "This is just a revert of the AMD fix, because the fix broke some
        laptops. We are working on a proper solution"
      
      * tag 'pinctrl-v6.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        Revert "pinctrl: amd: Disable and mask interrupts on resume"
      531f27ad
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2023-04-13' of git://anongit.freedesktop.org/drm/drm · f1be7b6c
      Linus Torvalds authored
      Pull drm fixes from Daniel Vetter:
      
       - two fbcon regressions
      
       - amdgpu: dp mst, smu13
      
       - i915: dual link dsi for tgl+
      
       - armada, nouveau, drm/sched, fbmem
      
      * tag 'drm-fixes-2023-04-13' of git://anongit.freedesktop.org/drm/drm:
        fbcon: set_con2fb_map needs to set con2fb_map!
        fbcon: Fix error paths in set_con2fb_map
        drm/amd/pm: correct the pcie link state check for SMU13
        drm/amd/pm: correct SMU13.0.7 max shader clock reporting
        drm/amd/pm: correct SMU13.0.7 pstate profiling clock settings
        drm/amd/display: Pass the right info to drm_dp_remove_payload
        drm/armada: Fix a potential double free in an error handling path
        fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace
        drm/nouveau/fb: add missing sysmen flush callbacks
        drm/i915/dsi: fix DSS CTL register offsets for TGL+
        drm/scheduler: Fix UAF race in drm_sched_entity_push_job()
      f1be7b6c
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · d0f89c4c
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-04-13
      
      We've added 6 non-merge commits during the last 1 day(s) which contain
      a total of 14 files changed, 205 insertions(+), 38 deletions(-).
      
      The main changes are:
      
      1) One late straggler fix on the XDP hints side which fixes
         bpf_xdp_metadata_rx_hash kfunc API before the release goes out
         in order to provide information on the RSS hash type,
         from Jesper Dangaard Brouer.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: Adjust bpf_xdp_metadata_rx_hash for new arg
        mlx4: bpf_xdp_metadata_rx_hash add xdp rss hash type
        veth: bpf_xdp_metadata_rx_hash add xdp rss hash type
        mlx5: bpf_xdp_metadata_rx_hash add xdp rss hash type
        xdp: rss hash types representation
        selftests/bpf: xdp_hw_metadata remove bpf_printk and add counters
      ====================
      
      Link: https://lore.kernel.org/r/20230413192939.10202-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d0f89c4c
    • Daniel Vetter's avatar
      Merge tag 'drm-misc-fixes-2023-04-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · cab29322
      Daniel Vetter authored
      Short summary of fixes pull:
      
       * armada: Fix double free
       * fb: Clear FB_ACTIVATE_KD_TEXT in ioctl
       * nouveau: Add missing callbacks
       * scheduler: Fix use-after-free error
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230413184233.GA8148@linux-uq9g
      cab29322