1. 17 Jun, 2024 3 commits
    • Yonghong Song's avatar
      selftests/bpf: Add a few tests to cover · a62293c3
      Yonghong Song authored
      Add three unit tests in verifier_movsx.c to cover
      cases where missed var_off setting can cause
      unexpected verification success or failure.
      Signed-off-by: default avatarYonghong Song <yonghong.song@linux.dev>
      Link: https://lore.kernel.org/r/20240615174637.3995589-1-yonghong.song@linux.devSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a62293c3
    • Yonghong Song's avatar
      bpf: Add missed var_off setting in coerce_subreg_to_size_sx() · 44b7f715
      Yonghong Song authored
      In coerce_subreg_to_size_sx(), for the case where upper
      sign extension bits are the same for smax32 and smin32
      values, we missed to setup properly. This is especially
      problematic if both smax32 and smin32's sign extension
      bits are 1.
      
      The following is a simple example illustrating the inconsistent
      verifier states due to missed var_off:
      
        0: (85) call bpf_get_prandom_u32#7    ; R0_w=scalar()
        1: (bf) r3 = r0                       ; R0_w=scalar(id=1) R3_w=scalar(id=1)
        2: (57) r3 &= 15                      ; R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf))
        3: (47) r3 |= 128                     ; R3_w=scalar(smin=umin=smin32=umin32=128,smax=umax=smax32=umax32=143,var_off=(0x80; 0xf))
        4: (bc) w7 = (s8)w3
        REG INVARIANTS VIOLATION (alu): range bounds violation u64=[0xffffff80, 0x8f] s64=[0xffffff80, 0x8f]
          u32=[0xffffff80, 0x8f] s32=[0x80, 0xffffff8f] var_off=(0x80, 0xf)
      
      The var_off=(0x80, 0xf) is not correct, and the correct one should
      be var_off=(0xffffff80; 0xf) since from insn 3, we know that at
      insn 4, the sign extension bits will be 1. This patch fixed this
      issue by setting var_off properly.
      
      Fixes: 8100928c ("bpf: Support new sign-extension mov insns")
      Signed-off-by: default avatarYonghong Song <yonghong.song@linux.dev>
      Link: https://lore.kernel.org/r/20240615174632.3995278-1-yonghong.song@linux.devSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      44b7f715
    • Yonghong Song's avatar
      bpf: Add missed var_off setting in set_sext32_default_val() · 380d5f89
      Yonghong Song authored
      Zac reported a verification failure and Alexei reproduced the issue
      with a simple reproducer ([1]). The verification failure is due to missed
      setting for var_off.
      
      The following is the reproducer in [1]:
        0: R1=ctx() R10=fp0
        0: (71) r3 = *(u8 *)(r10 -387)        ;
           R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R10=fp0
        1: (bc) w7 = (s8)w3                   ;
           R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
           R7_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=127,var_off=(0x0; 0x7f))
        2: (36) if w7 >= 0x2533823b goto pc-3
           mark_precise: frame0: last_idx 2 first_idx 0 subseq_idx -1
           mark_precise: frame0: regs=r7 stack= before 1: (bc) w7 = (s8)w3
           mark_precise: frame0: regs=r3 stack= before 0: (71) r3 = *(u8 *)(r10 -387)
        2: R7_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=127,var_off=(0x0; 0x7f))
        3: (b4) w0 = 0                        ; R0_w=0
        4: (95) exit
      
      Note that after insn 1, the var_off for R7 is (0x0; 0x7f). This is not correct
      since upper 24 bits of w7 could be 0 or 1. So correct var_off should be
      (0x0; 0xffffffff). Missing var_off setting in set_sext32_default_val() caused later
      incorrect analysis in zext_32_to_64(dst_reg) and reg_bounds_sync(dst_reg).
      
      To fix the issue, set var_off correctly in set_sext32_default_val(). The correct
      reg state after insn 1 becomes:
        1: (bc) w7 = (s8)w3                   ;
           R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
           R7_w=scalar(smin=0,smax=umax=0xffffffff,smin32=-128,smax32=127,var_off=(0x0; 0xffffffff))
      and at insn 2, the verifier correctly determines either branch is possible.
      
        [1] https://lore.kernel.org/bpf/CAADnVQLPU0Shz7dWV4bn2BgtGdxN3uFHPeobGBA72tpg5Xoykw@mail.gmail.com/
      
      Fixes: 8100928c ("bpf: Support new sign-extension mov insns")
      Reported-by: default avatarZac Ecob <zacecob@protonmail.com>
      Signed-off-by: default avatarYonghong Song <yonghong.song@linux.dev>
      Link: https://lore.kernel.org/r/20240615174626.3994813-1-yonghong.song@linux.devSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      380d5f89
  2. 15 Jun, 2024 3 commits
  3. 14 Jun, 2024 8 commits
  4. 13 Jun, 2024 22 commits
    • Aryan Srivastava's avatar
      net: mvpp2: use slab_build_skb for oversized frames · 4467c09b
      Aryan Srivastava authored
      Setting frag_size to 0 to indicate kmalloc has been deprecated,
      use slab_build_skb directly.
      
      Fixes: ce098da1 ("skbuff: Introduce slab_build_skb()")
      Signed-off-by: default avatarAryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
      Reviewed-by: default avatarKees Cook <kees@kernel.org>
      Link: https://lore.kernel.org/r/20240613024900.3842238-1-aryan.srivastava@alliedtelesis.co.nzSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4467c09b
    • Maciej Żenczykowski's avatar
      bpf: fix UML x86_64 compile failure · b99a95bc
      Maciej Żenczykowski authored
      pcpu_hot (defined in arch/x86) is not available on user mode linux (ARCH=um)
      
      Cc: Andrii Nakryiko <andrii@kernel.org>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Fixes: 1ae69210 ("bpf: inline bpf_get_smp_processor_id() helper")
      Signed-off-by: default avatarMaciej Żenczykowski <maze@google.com>
      Link: https://lore.kernel.org/r/20240613173146.2524647-1-maze@google.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      b99a95bc
    • Daniel Borkmann's avatar
      selftests/bpf: Add test coverage for reg_set_min_max handling · ceb65eb6
      Daniel Borkmann authored
      Add a test case for the jmp32/k fix to ensure selftests have coverage.
      
      Before fix:
      
        # ./vmtest.sh -- ./test_progs -t verifier_or_jmp32_k
        [...]
        ./test_progs -t verifier_or_jmp32_k
        tester_init:PASS:tester_log_buf 0 nsec
        process_subtest:PASS:obj_open_mem 0 nsec
        process_subtest:PASS:specs_alloc 0 nsec
        run_subtest:PASS:obj_open_mem 0 nsec
        run_subtest:FAIL:unexpected_load_success unexpected success: 0
        #492/1   verifier_or_jmp32_k/or_jmp32_k: bit ops + branch on unknown value:FAIL
        #492     verifier_or_jmp32_k:FAIL
        Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
      
      After fix:
      
        # ./vmtest.sh -- ./test_progs -t verifier_or_jmp32_k
        [...]
        ./test_progs -t verifier_or_jmp32_k
        #492/1   verifier_or_jmp32_k/or_jmp32_k: bit ops + branch on unknown value:OK
        #492     verifier_or_jmp32_k:OK
        Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/r/20240613115310.25383-3-daniel@iogearbox.netSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      ceb65eb6
    • Daniel Borkmann's avatar
      bpf: Reduce stack consumption in check_stack_write_fixed_off · e73cd1cf
      Daniel Borkmann authored
      The fake_reg moved into env->fake_reg given it consumes a lot of stack
      space (120 bytes). Migrate the fake_reg in check_stack_write_fixed_off()
      as well now that we have it.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/r/20240613115310.25383-2-daniel@iogearbox.netSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      e73cd1cf
    • Daniel Borkmann's avatar
      bpf: Fix reg_set_min_max corruption of fake_reg · 92424801
      Daniel Borkmann authored
      Juan reported that after doing some changes to buzzer [0] and implementing
      a new fuzzing strategy guided by coverage, they noticed the following in
      one of the probes:
      
        [...]
        13: (79) r6 = *(u64 *)(r0 +0)         ; R0=map_value(ks=4,vs=8) R6_w=scalar()
        14: (b7) r0 = 0                       ; R0_w=0
        15: (b4) w0 = -1                      ; R0_w=0xffffffff
        16: (74) w0 >>= 1                     ; R0_w=0x7fffffff
        17: (5c) w6 &= w0                     ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))
        18: (44) w6 |= 2                      ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))
        19: (56) if w6 != 0x7ffffffd goto pc+1
        REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
        REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
        REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)
        19: R6_w=0x7fffffff
        20: (95) exit
      
        from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
        21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
        21: (14) w6 -= 2147483632             ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd))
        22: (76) if w6 s>= 0xe goto pc+1      ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd))
        23: (95) exit
      
        from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
        24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
        24: (14) w6 -= 14                     ; R6_w=0
        [...]
      
      What can be seen here is a register invariant violation on line 19. After
      the binary-or in line 18, the verifier knows that bit 2 is set but knows
      nothing about the rest of the content which was loaded from a map value,
      meaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When in
      line 19 the verifier analyzes the branch, it splits the register states
      in reg_set_min_max() into the registers of the true branch (true_reg1,
      true_reg2) and the registers of the false branch (false_reg1, false_reg2).
      
      Since the test is w6 != 0x7ffffffd, the src_reg is a known constant.
      Internally, the verifier creates a "fake" register initialized as scalar
      to the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now,
      for line 19, it is mathematically impossible to take the false branch of
      this program, yet the verifier analyzes it. It is impossible because the
      second bit of r6 will be set due to the prior or operation and the
      constant in the condition has that bit unset (hex(fd) == binary(1111 1101).
      
      When the verifier first analyzes the false / fall-through branch, it will
      compute an intersection between the var_off of r6 and of the constant. This
      is because the verifier creates a "fake" register initialized to the value
      of the constant. The intersection result later refines both registers in
      regs_refine_cond_op():
      
        [...]
        t = tnum_intersect(tnum_subreg(reg1->var_off), tnum_subreg(reg2->var_off));
        reg1->var_off = tnum_with_subreg(reg1->var_off, t);
        reg2->var_off = tnum_with_subreg(reg2->var_off, t);
        [...]
      
      Since the verifier is analyzing the false branch of the conditional jump,
      reg1 is equal to false_reg1 and reg2 is equal to false_reg2, i.e. the reg2
      is the "fake" register that was meant to hold a constant value. The resulting
      var_off of the intersection says that both registers now hold a known value
      of var_off=(0x7fffffff, 0x0) or in other words: this operation manages to
      make the verifier think that the "constant" value that was passed in the
      jump operation now holds a different value.
      
      Normally this would not be an issue since it should not influence the true
      branch, however, false_reg2 and true_reg2 are pointers to the same "fake"
      register. Meaning, the false branch can influence the results of the true
      branch. In line 24, the verifier assumes R6_w=0, but the actual runtime
      value in this case is 1. The fix is simply not passing in the same "fake"
      register location as inputs to reg_set_min_max(), but instead making a
      copy. Moving the fake_reg into the env also reduces stack consumption by
      120 bytes. With this, the verifier successfully rejects invalid accesses
      from the test program.
      
        [0] https://github.com/google/buzzer
      
      Fixes: 67420501 ("bpf: generalize reg_set_min_max() to handle non-const register comparisons")
      Reported-by: default avatarJuan José López Jaimez <jjlopezjaimez@google.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/r/20240613115310.25383-1-daniel@iogearbox.netSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      92424801
    • Linus Torvalds's avatar
      Merge tag 'net-6.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · d20f6b3d
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth and netfilter.
      
        Slim pickings this time, probably a combination of summer, DevConf.cz,
        and the end of first half of the year at corporations.
      
        Current release - regressions:
      
         - Revert "igc: fix a log entry using uninitialized netdev", it traded
           lack of netdev name in a printk() for a crash
      
        Previous releases - regressions:
      
         - Bluetooth: L2CAP: fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
      
         - geneve: fix incorrectly setting lengths of inner headers in the
           skb, confusing the drivers and causing mangled packets
      
         - sched: initialize noop_qdisc owner to avoid false-positive
           recursion detection (recursing on CPU 0), which bubbles up to user
           space as a sendmsg() error, while noop_qdisc should silently drop
      
         - netdevsim: fix backwards compatibility in nsim_get_iflink()
      
        Previous releases - always broken:
      
         - netfilter: ipset: fix race between namespace cleanup and gc in the
           list:set type"
      
      * tag 'net-6.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (35 commits)
        bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()
        af_unix: Read with MSG_PEEK loops if the first unread byte is OOB
        bnxt_en: Cap the size of HWRM_PORT_PHY_QCFG forwarded response
        gve: Clear napi->skb before dev_kfree_skb_any()
        ionic: fix use after netif_napi_del()
        Revert "igc: fix a log entry using uninitialized netdev"
        net: bridge: mst: fix suspicious rcu usage in br_mst_set_state
        net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state
        net/ipv6: Fix the RT cache flush via sysctl using a previous delay
        net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters
        gve: ignore nonrelevant GSO type bits when processing TSO headers
        net: pse-pd: Use EOPNOTSUPP error code instead of ENOTSUPP
        netfilter: Use flowlabel flow key when re-routing mangled packets
        netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
        netfilter: nft_inner: validate mandatory meta and payload
        tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
        mailmap: map Geliang's new email address
        mptcp: pm: update add_addr counters after connect
        mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID
        mptcp: ensure snd_una is properly initialized on connect
        ...
      d20f6b3d
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-6.10-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · fd88e181
      Linus Torvalds authored
      Pull NFS client fixes from Trond Myklebust:
       "Bugfixes:
         - NFSv4.2: Fix a memory leak in nfs4_set_security_label
         - NFSv2/v3: abort nfs_atomic_open_v23 if the name is too long.
         - NFS: Add appropriate memory barriers to the sillyrename code
         - Propagate readlink errors in nfs_symlink_filler
         - NFS: don't invalidate dentries on transient errors
         - NFS: fix unnecessary synchronous writes in random write workloads
         - NFSv4.1: enforce rootpath check when deciding whether or not to trunk
      
        Other:
         - Change email address for Trond Myklebust due to email server concerns"
      
      * tag 'nfs-for-6.10-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFS: add barriers when testing for NFS_FSDATA_BLOCKED
        SUNRPC: return proper error from gss_wrap_req_priv
        NFSv4.1 enforce rootpath check in fs_location query
        NFS: abort nfs_atomic_open_v23 if name is too long.
        nfs: don't invalidate dentries on transient errors
        nfs: Avoid flushing many pages with NFS_FILE_SYNC
        nfs: propagate readlink errors in nfs_symlink_filler
        MAINTAINERS: Change email address for Trond Myklebust
        NFSv4: Fix memory leak in nfs4_set_security_label
      fd88e181
    • Linus Torvalds's avatar
      Merge tag 'fixes-2024-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock · 3572597c
      Linus Torvalds authored
      Pull memblock fixes from Mike Rapoport:
       "Fix validation of NUMA coverage.
      
        memblock_validate_numa_coverage() was checking for a unset node ID
        using NUMA_NO_NODE, but x86 used MAX_NUMNODES when no node ID was
        specified by buggy firmware.
      
        Update memblock to substitute MAX_NUMNODES with NUMA_NO_NODE in
        memblock_set_node() and use NUMA_NO_NODE in x86::numa_init()"
      
      * tag 'fixes-2024-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
        x86/mm/numa: Use NUMA_NO_NODE when calling memblock_set_node()
        memblock: make memblock_set_node() also warn about use of MAX_NUMNODES
      3572597c
    • Wojciech Drewek's avatar
      ice: implement AQ download pkg retry · a27f6ac9
      Wojciech Drewek authored
      ice_aqc_opc_download_pkg (0x0C40) AQ sporadically returns error due
      to FW issue. Fix this by retrying five times before moving to
      Safe Mode. Sleep for 20 ms before retrying. This was tested with the
      4.40 firmware.
      
      Fixes: c7648810 ("ice: Implement Dynamic Device Personalization (DDP) download")
      Reviewed-by: default avatarMichal Swiatkowski <michal.swiatkowski@linux.intel.com>
      Signed-off-by: default avatarWojciech Drewek <wojciech.drewek@intel.com>
      Reviewed-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      a27f6ac9
    • Paul Greenwalt's avatar
      ice: fix 200G link speed message log · aeccadb2
      Paul Greenwalt authored
      Commit 24407a01 ("ice: Add 200G speed/phy type use") added support
      for 200G PHY speeds, but did not include 200G link speed message
      support. As a result the driver incorrectly reports Unknown for 200G
      link speed.
      
      Fix this by adding 200G support to ice_print_link_msg().
      
      Fixes: 24407a01 ("ice: Add 200G speed/phy type use")
      Reviewed-by: default avatarMichal Swiatkowski <michal.swiatkowski@linux.intel.com>
      Signed-off-by: default avatarPaul Greenwalt <paul.greenwalt@intel.com>
      Reviewed-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      aeccadb2
    • En-Wei Wu's avatar
      ice: avoid IRQ collision to fix init failure on ACPI S3 resume · bc69ad74
      En-Wei Wu authored
      A bug in https://bugzilla.kernel.org/show_bug.cgi?id=218906 describes
      that irdma would break and report hardware initialization failed after
      suspend/resume with Intel E810 NIC (tested on 6.9.0-rc5).
      
      The problem is caused due to the collision between the irq numbers
      requested in irdma and the irq numbers requested in other drivers
      after suspend/resume.
      
      The irq numbers used by irdma are derived from ice's ice_pf->msix_entries
      which stores mappings between MSI-X index and Linux interrupt number.
      It's supposed to be cleaned up when suspend and rebuilt in resume but
      it's not, causing irdma using the old irq numbers stored in the old
      ice_pf->msix_entries to request_irq() when resume. And eventually
      collide with other drivers.
      
      This patch fixes this problem. On suspend, we call ice_deinit_rdma() to
      clean up the ice_pf->msix_entries (and free the MSI-X vectors used by
      irdma if we've dynamically allocated them). On resume, we call
      ice_init_rdma() to rebuild the ice_pf->msix_entries (and allocate the
      MSI-X vectors if we would like to dynamically allocate them).
      
      Fixes: f9f5301e ("ice: Register auxiliary device to provide RDMA")
      Tested-by: default avatarCyrus Lien <cyrus.lien@canonical.com>
      Signed-off-by: default avatarEn-Wei Wu <en-wei.wu@canonical.com>
      Reviewed-by: default avatarWojciech Drewek <wojciech.drewek@intel.com>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      bc69ad74
    • Aleksandr Mishin's avatar
      bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() · a9b97418
      Aleksandr Mishin authored
      In case of token is released due to token->state == BNXT_HWRM_DEFERRED,
      released token (set to NULL) is used in log messages. This issue is
      expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But
      this error code is returned by recent firmware. So some firmware may not
      return it. This may lead to NULL pointer dereference.
      Adjust this issue by adding token pointer check.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: 8fa4219d ("bnxt_en: add dynamic debug support for HWRM messages")
      Suggested-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarAleksandr Mishin <amishin@t-argos.ru>
      Reviewed-by: default avatarWojciech Drewek <wojciech.drewek@intel.com>
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Link: https://lore.kernel.org/r/20240611082547.12178-1-amishin@t-argos.ruSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a9b97418
    • Rao Shoaib's avatar
      af_unix: Read with MSG_PEEK loops if the first unread byte is OOB · a6736a0a
      Rao Shoaib authored
      Read with MSG_PEEK flag loops if the first byte to read is an OOB byte.
      commit 22dd70eb ("af_unix: Don't peek OOB data without MSG_OOB.")
      addresses the loop issue but does not address the issue that no data
      beyond OOB byte can be read.
      
      >>> from socket import *
      >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
      >>> c1.send(b'a', MSG_OOB)
      1
      >>> c1.send(b'b')
      1
      >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
      b'b'
      
      >>> from socket import *
      >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
      >>> c2.setsockopt(SOL_SOCKET, SO_OOBINLINE, 1)
      >>> c1.send(b'a', MSG_OOB)
      1
      >>> c1.send(b'b')
      1
      >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
      b'a'
      >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
      b'a'
      >>> c2.recv(1, MSG_DONTWAIT)
      b'a'
      >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
      b'b'
      >>>
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarRao Shoaib <Rao.Shoaib@oracle.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240611084639.2248934-1-Rao.Shoaib@oracle.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a6736a0a
    • Michael Chan's avatar
      bnxt_en: Cap the size of HWRM_PORT_PHY_QCFG forwarded response · 7d9df38c
      Michael Chan authored
      Firmware interface 1.10.2.118 has increased the size of
      HWRM_PORT_PHY_QCFG response beyond the maximum size that can be
      forwarded.  When the VF's link state is not the default auto state,
      the PF will need to forward the response back to the VF to indicate
      the forced state.  This regression may cause the VF to fail to
      initialize.
      
      Fix it by capping the HWRM_PORT_PHY_QCFG response to the maximum
      96 bytes.  The SPEEDS2_SUPPORTED flag needs to be cleared because the
      new speeds2 fields are beyond the legacy structure.  Also modify
      bnxt_hwrm_fwd_resp() to print a warning if the message size exceeds 96
      bytes to make this failure more obvious.
      
      Fixes: 84a911db ("bnxt_en: Update firmware interface to 1.10.2.118")
      Reviewed-by: default avatarSomnath Kotur <somnath.kotur@broadcom.com>
      Reviewed-by: default avatarPavan Chebbi <pavan.chebbi@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Link: https://lore.kernel.org/r/20240612231736.57823-1-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7d9df38c
    • Ziwei Xiao's avatar
      gve: Clear napi->skb before dev_kfree_skb_any() · 6f4d93b7
      Ziwei Xiao authored
      gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it
      is freed with dev_kfree_skb_any(). This can result in a subsequent call
      to napi_get_frags returning a dangling pointer.
      
      Fix this by clearing napi->skb before the skb is freed.
      
      Fixes: 9b8dd5e5 ("gve: DQO: Add RX path")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarShailend Chand <shailend@google.com>
      Signed-off-by: default avatarZiwei Xiao <ziweixiao@google.com>
      Reviewed-by: default avatarHarshitha Ramamurthy <hramamurthy@google.com>
      Reviewed-by: default avatarShailend Chand <shailend@google.com>
      Reviewed-by: default avatarPraveen Kaligineedi <pkaligineedi@google.com>
      Link: https://lore.kernel.org/r/20240612001654.923887-1-ziweixiao@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6f4d93b7
    • Taehee Yoo's avatar
      ionic: fix use after netif_napi_del() · 79f18a41
      Taehee Yoo authored
      When queues are started, netif_napi_add() and napi_enable() are called.
      If there are 4 queues and only 3 queues are used for the current
      configuration, only 3 queues' napi should be registered and enabled.
      The ionic_qcq_enable() checks whether the .poll pointer is not NULL for
      enabling only the using queue' napi. Unused queues' napi will not be
      registered by netif_napi_add(), so the .poll pointer indicates NULL.
      But it couldn't distinguish whether the napi was unregistered or not
      because netif_napi_del() doesn't reset the .poll pointer to NULL.
      So, ionic_qcq_enable() calls napi_enable() for the queue, which was
      unregistered by netif_napi_del().
      
      Reproducer:
         ethtool -L <interface name> rx 1 tx 1 combined 0
         ethtool -L <interface name> rx 0 tx 0 combined 1
         ethtool -L <interface name> rx 0 tx 0 combined 4
      
      Splat looks like:
      kernel BUG at net/core/dev.c:6666!
      Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
      Workqueue: events ionic_lif_deferred_work [ionic]
      RIP: 0010:napi_enable+0x3b/0x40
      Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
      RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
      RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
      RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
      R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
      R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
      FS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
      PKRU: 55555554
      Call Trace:
       <TASK>
       ? die+0x33/0x90
       ? do_trap+0xd9/0x100
       ? napi_enable+0x3b/0x40
       ? do_error_trap+0x83/0xb0
       ? napi_enable+0x3b/0x40
       ? napi_enable+0x3b/0x40
       ? exc_invalid_op+0x4e/0x70
       ? napi_enable+0x3b/0x40
       ? asm_exc_invalid_op+0x16/0x20
       ? napi_enable+0x3b/0x40
       ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
       ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
       ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
       ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
       process_one_work+0x145/0x360
       worker_thread+0x2bb/0x3d0
       ? __pfx_worker_thread+0x10/0x10
       kthread+0xcc/0x100
       ? __pfx_kthread+0x10/0x10
       ret_from_fork+0x2d/0x50
       ? __pfx_kthread+0x10/0x10
       ret_from_fork_asm+0x1a/0x30
      
      Fixes: 0f3154e6 ("ionic: Add Tx and Rx handling")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Reviewed-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Link: https://lore.kernel.org/r/20240612060446.1754392-1-ap420073@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      79f18a41
    • Sasha Neftin's avatar
      Revert "igc: fix a log entry using uninitialized netdev" · 8eef5c3c
      Sasha Neftin authored
      This reverts commit 86167183.
      
      igc_ptp_init() needs to be called before igc_reset(), otherwise kernel
      crash could be observed. Following the corresponding discussion [1] and
      [2] revert this commit.
      
      Link: https://lore.kernel.org/all/8fb634f8-7330-4cf4-a8ce-485af9c0a61a@intel.com/ [1]
      Link: https://lore.kernel.org/all/87o78rmkhu.fsf@intel.com/ [2]
      Fixes: 86167183 ("igc: fix a log entry using uninitialized netdev")
      Signed-off-by: default avatarSasha Neftin <sasha.neftin@intel.com>
      Tested-by: default avatarNaama Meir <naamax.meir@linux.intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Link: https://lore.kernel.org/r/20240611162456.961631-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8eef5c3c
    • Jakub Kicinski's avatar
      Merge branch 'net-bridge-mst-fix-suspicious-rcu-usage-warning' · b60b1bdc
      Jakub Kicinski authored
      Nikolay Aleksandrov says:
      
      ====================
      net: bridge: mst: fix suspicious rcu usage warning
      
      This set fixes a suspicious RCU usage warning triggered by syzbot[1] in
      the bridge's MST code. After I converted br_mst_set_state to RCU, I
      forgot to update the vlan group dereference helper. Fix it by using
      the proper helper, in order to do that we need to pass the vlan group
      which is already obtained correctly by the callers for their respective
      context. Patch 01 is a requirement for the fix in patch 02.
      
      Note I did consider rcu_dereference_rtnl() but the churn is much bigger
      and in every part of the bridge. We can do that as a cleanup in
      net-next.
      
      [1] https://syzkaller.appspot.com/bug?extid=9bbe2de1bc9d470eb5fe
       =============================
       WARNING: suspicious RCU usage
       6.10.0-rc2-syzkaller-00235-g8a929806 #0 Not tainted
       -----------------------------
       net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!
      
       other info that might help us debug this:
      
       rcu_scheduler_active = 2, debug_locks = 1
       4 locks held by syz-executor.1/5374:
        #0: ffff888022d50b18 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:144 [inline]
        #0: ffff888022d50b18 (&mm->mmap_lock){++++}-{3:3}, at: __mm_populate+0x1b0/0x460 mm/gup.c:2111
        #1: ffffc90000a18c00 ((&p->forward_delay_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x650 kernel/time/timer.c:1789
        #2: ffff88805fb2ccb8 (&br->lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
        #2: ffff88805fb2ccb8 (&br->lock){+.-.}-{2:2}, at: br_forward_delay_timer_expired+0x50/0x440 net/bridge/br_stp_timer.c:86
        #3: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
        #3: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
        #3: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: br_mst_set_state+0x171/0x7a0 net/bridge/br_mst.c:105
      
       stack backtrace:
       CPU: 1 PID: 5374 Comm: syz-executor.1 Not tainted 6.10.0-rc2-syzkaller-00235-g8a929806 #0
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
       Call Trace:
        <IRQ>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
        lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
        nbp_vlan_group net/bridge/br_private.h:1599 [inline]
        br_mst_set_state+0x29e/0x7a0 net/bridge/br_mst.c:106
        br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
        br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
        call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
        expire_timers kernel/time/timer.c:1843 [inline]
        __run_timers kernel/time/timer.c:2417 [inline]
        __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
        run_timer_base kernel/time/timer.c:2437 [inline]
        run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
        handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
        __do_softirq kernel/softirq.c:588 [inline]
        invoke_softirq kernel/softirq.c:428 [inline]
        __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
        irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
        instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
        sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
        </IRQ>
        <TASK>
      ====================
      
      Link: https://lore.kernel.org/r/20240609103654.914987-1-razor@blackwall.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b60b1bdc
    • Nikolay Aleksandrov's avatar
      net: bridge: mst: fix suspicious rcu usage in br_mst_set_state · 546ceb1d
      Nikolay Aleksandrov authored
      I converted br_mst_set_state to RCU to avoid a vlan use-after-free
      but forgot to change the vlan group dereference helper. Switch to vlan
      group RCU deref helper to fix the suspicious rcu usage warning.
      
      Fixes: 3a7c1661 ("net: bridge: mst: fix vlan use-after-free")
      Reported-by: syzbot+9bbe2de1bc9d470eb5fe@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=9bbe2de1bc9d470eb5feSigned-off-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/20240609103654.914987-3-razor@blackwall.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      546ceb1d
    • Nikolay Aleksandrov's avatar
      net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state · 36c92936
      Nikolay Aleksandrov authored
      Pass the already obtained vlan group pointer to br_mst_vlan_set_state()
      instead of dereferencing it again. Each caller has already correctly
      dereferenced it for their context. This change is required for the
      following suspicious RCU dereference fix. No functional changes
      intended.
      
      Fixes: 3a7c1661 ("net: bridge: mst: fix vlan use-after-free")
      Reported-by: syzbot+9bbe2de1bc9d470eb5fe@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=9bbe2de1bc9d470eb5feSigned-off-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/20240609103654.914987-2-razor@blackwall.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      36c92936
    • Stanislav Fomichev's avatar
      26ba7c3f
    • Petr Pavlu's avatar
      net/ipv6: Fix the RT cache flush via sysctl using a previous delay · 14a20e5b
      Petr Pavlu authored
      The net.ipv6.route.flush system parameter takes a value which specifies
      a delay used during the flush operation for aging exception routes. The
      written value is however not used in the currently requested flush and
      instead utilized only in the next one.
      
      A problem is that ipv6_sysctl_rtcache_flush() first reads the old value
      of net->ipv6.sysctl.flush_delay into a local delay variable and then
      calls proc_dointvec() which actually updates the sysctl based on the
      provided input.
      
      Fix the problem by switching the order of the two operations.
      
      Fixes: 4990509f ("[NETNS][IPV6]: Make sysctls route per namespace.")
      Signed-off-by: default avatarPetr Pavlu <petr.pavlu@suse.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20240607112828.30285-1-petr.pavlu@suse.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      14a20e5b
  5. 12 Jun, 2024 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux · 2ccbdf43
      Linus Torvalds authored
      Pull ARM and clkdev fixes from Russell King:
      
       - Fix clkdev - erroring out on long strings causes boot failures, so
         don't do this. Still warn about the over-sized strings (which will
         never match and thus their registration with clkdev is useless)
      
       - Fix for ftrace with frame pointer unwinder with recent GCC changing
         the way frames are stacked.
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux:
        ARM: 9405/1: ftrace: Don't assume stack frames are contiguous in memory
        clkdev: don't fail clkdev_alloc() if over-sized
      2ccbdf43
    • Jakub Kicinski's avatar
      Merge tag 'nf-24-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d92589f8
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      Patch #1 fixes insufficient sanitization of netlink attributes for the
      	 inner expression which can trigger nul-pointer dereference,
      	 from Davide Ornaghi.
      
      Patch #2 address a report that there is a race condition between
               namespace cleanup and the garbage collection of the list:set
               type. This patch resolves this issue with other minor issues
      	 as well, from Jozsef Kadlecsik.
      
      Patch #3 ip6_route_me_harder() ignores flowlabel/dsfield when ip dscp
      	 has been mangled, this unbreaks ip6 dscp set $v,
      	 from Florian Westphal.
      
      All of these patches address issues that are present in several releases.
      
      * tag 'nf-24-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: Use flowlabel flow key when re-routing mangled packets
        netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
        netfilter: nft_inner: validate mandatory meta and payload
      ====================
      
      Link: https://lore.kernel.org/r/20240611220323.413713-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d92589f8
    • Linus Torvalds's avatar
      Merge tag 'bcachefs-2024-06-12' of https://evilpiepirate.org/git/bcachefs · 0b4989eb
      Linus Torvalds authored
      Pull bcachefs fixes from Kent Overstreet:
      
       - fix kworker explosion, due to calling submit_bio() (which can block)
         from a multithreaded workqueue
      
       - fix error handling in btree node scan
      
       - forward compat fix: kill an old debug assert
      
       - key cache shrinker fixes
      
         This is a partial fix for stalls doing multithreaded creates - there
         were various O(n^2) issues the key cache shrinker was hitting [1].
      
         There's more work coming here; I'm working on a patch to delete the
         key cache lock, which initial testing shows to be a pretty drastic
         performance improvement
      
       - assorted syzbot fixes
      
      Link: https://lore.kernel.org/linux-bcachefs/CAGudoHGenxzk0ZqPXXi1_QDbfqQhGHu+wUwzyS6WmfkUZ1HiXA@mail.gmail.com/ [1]
      
      * tag 'bcachefs-2024-06-12' of https://evilpiepirate.org/git/bcachefs:
        bcachefs: Fix rcu_read_lock() leak in drop_extra_replicas
        bcachefs: Add missing bch_inode_info.ei_flags init
        bcachefs: Add missing synchronize_srcu_expedited() call when shutting down
        bcachefs: Check for invalid bucket from bucket_gen(), gc_bucket()
        bcachefs: Replace bucket_valid() asserts in bucket lookup with proper checks
        bcachefs: Fix snapshot_create_lock lock ordering
        bcachefs: Fix refcount leak in check_fix_ptrs()
        bcachefs: Leave a buffer in the btree key cache to avoid lock thrashing
        bcachefs: Fix reporting of freed objects from key cache shrinker
        bcachefs: set sb->s_shrinker->seeks = 0
        bcachefs: increase key cache shrinker batch size
        bcachefs: Enable automatic shrinking for rhashtables
        bcachefs: fix the display format for show-super
        bcachefs: fix stack frame size in fsck.c
        bcachefs: Delete incorrect BTREE_ID_NR assertion
        bcachefs: Fix incorrect error handling found_btree_node_is_readable()
        bcachefs: Split out btree_write_submit_wq
      0b4989eb
    • Andy Shevchenko's avatar
      mailmap: Add my outdated addresses to the map file · cea2a265
      Andy Shevchenko authored
      There is a couple of outdated addresses that are still visible
      in the Git history, add them to .mailmap.
      
      While at it, replace one in the comment.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cea2a265