1. 20 May, 2022 4 commits
  2. 19 May, 2022 16 commits
  3. 18 May, 2022 20 commits
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · db1fd3fc
      Linus Torvalds authored
      Pull mlx5 fix from Michael Tsirkin:
       "One last minute fixup
      
        The patch has been on list for a while but as it was posted as part of
        a thread it was missed"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vdpa/mlx5: Use consistent RQT size
      db1fd3fc
    • Ilya Dryomov's avatar
      libceph: fix misleading ceph_osdc_cancel_request() comment · d0bb883c
      Ilya Dryomov authored
      cancel_request() never guaranteed that after its return the OSD
      client would be completely done with the OSD request.  The callback
      (if specified) can still be invoked and a ref can still be held.
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarXiubo Li <xiubli@redhat.com>
      d0bb883c
    • Ilya Dryomov's avatar
      libceph: fix potential use-after-free on linger ping and resends · 75dbb685
      Ilya Dryomov authored
      request_reinit() is not only ugly as the comment rightfully suggests,
      but also unsafe.  Even though it is called with osdc->lock held for
      write in all cases, resetting the OSD request refcount can still race
      with handle_reply() and result in use-after-free.  Taking linger ping
      as an example:
      
          handle_timeout thread                     handle_reply thread
      
                                                    down_read(&osdc->lock)
                                                    req = lookup_request(...)
                                                    ...
                                                    finish_request(req)  # unregisters
                                                    up_read(&osdc->lock)
                                                    __complete_request(req)
                                                      linger_ping_cb(req)
      
            # req->r_kref == 2 because handle_reply still holds its ref
      
          down_write(&osdc->lock)
          send_linger_ping(lreq)
            req = lreq->ping_req  # same req
            # cancel_linger_request is NOT
            # called - handle_reply already
            # unregistered
            request_reinit(req)
              WARN_ON(req->r_kref != 1)  # fires
              request_init(req)
                kref_init(req->r_kref)
      
                         # req->r_kref == 1 after kref_init
      
                                                    ceph_osdc_put_request(req)
                                                      kref_put(req->r_kref)
      
                  # req->r_kref == 0 after kref_put, req is freed
      
              <further req initialization/use> !!!
      
      This happens because send_linger_ping() always (re)uses the same OSD
      request for watch ping requests, relying on cancel_linger_request() to
      unregister it from the OSD client and rip its messages out from the
      messenger.  send_linger() does the same for watch/notify registration
      and watch reconnect requests.  Unfortunately cancel_request() doesn't
      guarantee that after it returns the OSD client would be completely done
      with the OSD request -- a ref could still be held and the callback (if
      specified) could still be invoked too.
      
      The original motivation for request_reinit() was inability to deal with
      allocation failures in send_linger() and send_linger_ping().  Switching
      to using osdc->req_mempool (currently only used by CephFS) respects that
      and allows us to get rid of request_reinit().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarXiubo Li <xiubli@redhat.com>
      Acked-by: default avatarJeff Layton <jlayton@kernel.org>
      75dbb685
    • Al Viro's avatar
      Fix double fget() in vhost_net_set_backend() · fb4554c2
      Al Viro authored
      Descriptor table is a shared resource; two fget() on the same descriptor
      may return different struct file references.  get_tap_ptr_ring() is
      called after we'd found (and pinned) the socket we'll be using and it
      tries to find the private tun/tap data structures associated with it.
      Redoing the lookup by the same file descriptor we'd used to get the
      socket is racy - we need to same struct file.
      
      Thanks to Jason for spotting a braino in the original variant of patch -
      I'd missed the use of fd == -1 for disabling backend, and in that case
      we can end up with sock == NULL and sock != oldsock.
      
      Cc: stable@kernel.org
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      fb4554c2
    • Eli Cohen's avatar
      vdpa/mlx5: Use consistent RQT size · acde3929
      Eli Cohen authored
      The current code evaluates RQT size based on the configured number of
      virtqueues. This can raise an issue in the following scenario:
      
      Assume MQ was negotiated.
      1. mlx5_vdpa_set_map() gets called.
      2. handle_ctrl_mq() is called setting cur_num_vqs to some value, lower
         than the configured max VQs.
      3. A second set_map gets called, but now a smaller number of VQs is used
         to evaluate the size of the RQT.
      4. handle_ctrl_mq() is called with a value larger than what the RQT can
         hold. This will emit errors and the driver state is compromised.
      
      To fix this, we use a new field in struct mlx5_vdpa_net to hold the
      required number of entries in the RQT. This value is evaluated in
      mlx5_vdpa_set_driver_features() where we have the negotiated features
      all set up.
      
      In addition to that, we take into consideration the max capability of RQT
      entries early when the device is added so we don't need to take consider
      it when creating the RQT.
      
      Last, we remove the use of mlx5_vdpa_max_qps() which just returns the
      max_vas / 2 and make the code clearer.
      
      Fixes: 52893733 ("vdpa/mlx5: Add multiqueue support")
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarEli Cohen <elic@nvidia.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      acde3929
    • Linus Torvalds's avatar
      Merge tag 'sound-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · ef130216
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of last-minute HD- an USB-audio quirks in addition to a
        fix for the legacy ISA wavefront driver.
      
        All look small and easy"
      
      * tag 'sound-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: usb-audio: Restore Rane SL-1 quirk
        ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP machine
        ALSA: hda/realtek: Add quirk for TongFang devices with pop noise
        ALSA: hda/realtek: Add quirk for the Framework Laptop
        ALSA: wavefront: Proper check of get_user() error
        ALSA: hda/realtek: Add quirk for Dell Latitude 7520
        ALSA: hda - fix unused Realtek function when PM is not enabled
        ALSA: usb-audio: Don't get sample rate for MCT Trigger 5 USB-to-HDMI
      ef130216
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: disable expression reduction infra · 9e539c5b
      Pablo Neira Ayuso authored
      Either userspace or kernelspace need to pre-fetch keys inconditionally
      before comparisons for this to work. Otherwise, register tracking data
      is misleading and it might result in reducing expressions which are not
      yet registers.
      
      First expression is also guaranteed to be evaluated always, however,
      certain expressions break before writing data to registers, before
      comparing the data, leaving the register in undetermined state.
      
      This patch disables this infrastructure by now.
      
      Fixes: b2d30654 ("netfilter: nf_tables: do not reduce read-only expressions")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      9e539c5b
    • Ritaro Takenaka's avatar
      netfilter: flowtable: move dst_check to packet path · 2738d9d9
      Ritaro Takenaka authored
      Fixes sporadic IPv6 packet loss when flow offloading is enabled.
      
      IPv6 route GC and flowtable GC are not synchronized.
      When dst_cache becomes stale and a packet passes through the flow before
      the flowtable GC teardowns it, the packet can be dropped.
      So, it is necessary to check dst every time in packet path.
      
      Fixes: 227e1e4d ("netfilter: nf_flowtable: skip device lookup from interface index")
      Signed-off-by: default avatarRitaro Takenaka <ritarot634@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      2738d9d9
    • Pablo Neira Ayuso's avatar
      netfilter: flowtable: fix TCP flow teardown · e5eaac2b
      Pablo Neira Ayuso authored
      This patch addresses three possible problems:
      
      1. ct gc may race to undo the timeout adjustment of the packet path, leaving
         the conntrack entry in place with the internal offload timeout (one day).
      
      2. ct gc removes the ct because the IPS_OFFLOAD_BIT is not set and the CLOSE
         timeout is reached before the flow offload del.
      
      3. tcp ct is always set to ESTABLISHED with a very long timeout
         in flow offload teardown/delete even though the state might be already
         CLOSED. Also as a remark we cannot assume that the FIN or RST packet
         is hitting flow table teardown as the packet might get bumped to the
         slow path in nftables.
      
      This patch resets IPS_OFFLOAD_BIT from flow_offload_teardown(), so
      conntrack handles the tcp rst/fin packet which triggers the CLOSE/FIN
      state transition.
      
      Moreover, teturn the connection's ownership to conntrack upon teardown
      by clearing the offload flag and fixing the established timeout value.
      The flow table GC thread will asynchonrnously free the flow table and
      hardware offload entries.
      
      Before this patch, the IPS_OFFLOAD_BIT remained set for expired flows on
      which is also misleading since the flow is back to classic conntrack
      path.
      
      If nf_ct_delete() removes the entry from the conntrack table, then it
      calls nf_ct_put() which decrements the refcnt. This is not a problem
      because the flowtable holds a reference to the conntrack object from
      flow_offload_alloc() path which is released via flow_offload_free().
      
      This patch also updates nft_flow_offload to skip packets in SYN_RECV
      state. Since we might miss or bump packets to slow path, we do not know
      what will happen there while we are still in SYN_RECV, this patch
      postpones offload up to the next packet which also aligns to the
      existing behaviour in tc-ct.
      
      flow_offload_teardown() does not reset the existing tcp state from
      flow_offload_fixup_tcp() to ESTABLISHED anymore, packets bump to slow
      path might have already update the state to CLOSE/FIN.
      
      Joint work with Oz and Sven.
      
      Fixes: 1e5b2471 ("netfilter: nf_flow_table: teardown flow timeout race")
      Signed-off-by: default avatarOz Shlomo <ozsh@nvidia.com>
      Signed-off-by: default avatarSven Auhagen <sven.auhagen@voleatech.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e5eaac2b
    • Joel Stanley's avatar
      net: ftgmac100: Disable hardware checksum on AST2600 · 6fd45e79
      Joel Stanley authored
      The AST2600 when using the i210 NIC over NC-SI has been observed to
      produce incorrect checksum results with specific MTU values. This was
      first observed when sending data across a long distance set of networks.
      
      On a local network, the following test was performed using a 1MB file of
      random data.
      
      On the receiver run this script:
      
       #!/bin/bash
       while [ 1 ]; do
              # Zero the stats
              nstat -r  > /dev/null
              nc -l 9899 > test-file
              # Check for checksum errors
              TcpInCsumErrors=$(nstat | grep TcpInCsumErrors)
              if [ -z "$TcpInCsumErrors" ]; then
                      echo No TcpInCsumErrors
              else
                      echo TcpInCsumErrors = $TcpInCsumErrors
              fi
       done
      
      On an AST2600 system:
      
       # nc <IP of  receiver host> 9899 < test-file
      
      The test was repeated with various MTU values:
      
       # ip link set mtu 1410 dev eth0
      
      The observed results:
      
       1500 - good
       1434 - bad
       1400 - good
       1410 - bad
       1420 - good
      
      The test was repeated after disabling tx checksumming:
      
       # ethtool -K eth0 tx-checksumming off
      
      And all MTU values tested resulted in transfers without error.
      
      An issue with the driver cannot be ruled out, however there has been no
      bug discovered so far.
      
      David has done the work to take the original bug report of slow data
      transfer between long distance connections and triaged it down to this
      test case.
      
      The vendor suspects this this is a hardware issue when using NC-SI. The
      fixes line refers to the patch that introduced AST2600 support.
      Reported-by: default avatarDavid Wilder <wilder@us.ibm.com>
      Reviewed-by: default avatarDylan Hung <dylan_hung@aspeedtech.com>
      Signed-off-by: default avatarJoel Stanley <joel@jms.id.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6fd45e79
    • Kevin Mitchell's avatar
      igb: skip phy status check where unavailable · 942d2ad5
      Kevin Mitchell authored
      igb_read_phy_reg() will silently return, leaving phy_data untouched, if
      hw->ops.read_reg isn't set. Depending on the uninitialized value of
      phy_data, this led to the phy status check either succeeding immediately
      or looping continuously for 2 seconds before emitting a noisy err-level
      timeout. This message went out to the console even though there was no
      actual problem.
      
      Instead, first check if there is read_reg function pointer. If not,
      proceed without trying to check the phy status register.
      
      Fixes: b72f3f72 ("igb: When GbE link up, wait for Remote receiver status condition")
      Signed-off-by: default avatarKevin Mitchell <kevmitch@arista.com>
      Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      942d2ad5
    • Lin Ma's avatar
      nfc: pn533: Fix buggy cleanup order · b8cedb70
      Lin Ma authored
      When removing the pn533 device (i2c or USB), there is a logic error. The
      original code first cancels the worker (flush_delayed_work) and then
      destroys the workqueue (destroy_workqueue), leaving the timer the last
      one to be deleted (del_timer). This result in a possible race condition
      in a multi-core preempt-able kernel. That is, if the cleanup
      (pn53x_common_clean) is concurrently run with the timer handler
      (pn533_listen_mode_timer), the timer can queue the poll_work to the
      already destroyed workqueue, causing use-after-free.
      
      This patch reorder the cleanup: it uses the del_timer_sync to make sure
      the handler is finished before the routine will destroy the workqueue.
      Note that the timer cannot be activated by the worker again.
      
      static void pn533_wq_poll(struct work_struct *work)
      ...
       rc = pn533_send_poll_frame(dev);
       if (rc)
         return;
      
       if (cur_mod->len == 0 && dev->poll_mod_count > 1)
         mod_timer(&dev->listen_timer, ...);
      
      That is, the mod_timer can be called only when pn533_send_poll_frame()
      returns no error, which is impossible because the device is detaching
      and the lower driver should return ENODEV code.
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8cedb70
    • David S. Miller's avatar
      Merge branch 'mptcp-checksums' · 575fb4fb
      David S. Miller authored
      Mat Martineau says:
      
      ====================
      mptcp: Fix checksum byte order on little-endian
      
      These patches address a bug in the byte ordering of MPTCP checksums on
      little-endian architectures. The __sum16 type is always big endian, but
      was being cast to u16 and then byte-swapped (on little-endian archs)
      when reading/writing the checksum field in MPTCP option headers.
      
      MPTCP checksums are off by default, but are enabled if one or both peers
      request it in the SYN/SYNACK handshake.
      
      The corrected code is verified to interoperate between big-endian and
      little-endian machines.
      
      Patch 1 fixes the checksum byte order, patch 2 partially mitigates
      interoperation with peers sending bad checksums by falling back to TCP
      instead of resetting the connection.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      575fb4fb
    • Mat Martineau's avatar
      mptcp: Do TCP fallback on early DSS checksum failure · ae66fb2b
      Mat Martineau authored
      RFC 8684 section 3.7 describes several opportunities for a MPTCP
      connection to "fall back" to regular TCP early in the connection
      process, before it has been confirmed that MPTCP options can be
      successfully propagated on all SYN, SYN/ACK, and data packets. If a peer
      acknowledges the first received data packet with a regular TCP header
      (no MPTCP options), fallback is allowed.
      
      If the recipient of that first data packet finds a MPTCP DSS checksum
      error, this provides an opportunity to fail gracefully with a TCP
      fallback rather than resetting the connection (as might happen if a
      checksum failure were detected later).
      
      This commit modifies the checksum failure code to attempt fallback on
      the initial subflow of a MPTCP connection, only if it's a failure in the
      first data mapping. In cases where the peer initiates the connection,
      requests checksums, is the first to send data, and the peer is sending
      incorrect checksums (see
      https://github.com/multipath-tcp/mptcp_net-next/issues/275), this allows
      the connection to proceed as TCP rather than reset.
      
      Fixes: dd8bcd17 ("mptcp: validate the data checksum")
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae66fb2b
    • Paolo Abeni's avatar
      mptcp: fix checksum byte order · ba2c89e0
      Paolo Abeni authored
      The MPTCP code typecasts the checksum value to u16 and
      then converts it to big endian while storing the value into
      the MPTCP option.
      
      As a result, the wire encoding for little endian host is
      wrong, and that causes interoperabilty interoperability
      issues with other implementation or host with different endianness.
      
      Address the issue writing in the packet the unmodified __sum16 value.
      
      MPTCP checksum is disabled by default, interoperating with systems
      with bad mptcp-level csum encoding should cause fallback to TCP.
      
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/275
      Fixes: c5b39e26 ("mptcp: send out checksum for DSS")
      Fixes: 390b95a5 ("mptcp: receive checksum for DSS")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba2c89e0
    • David S. Miller's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 680b8926
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-05-17
      
      This series contains updates to ice driver only.
      
      Arkadiusz prevents writing of timestamps when rings are being
      configured to resolve null pointer dereference.
      
      Paul changes a delayed call to baseline statistics to occur immediately
      which was causing misreporting of statistics due to the delay.
      
      Michal fixes incorrect restoration of interrupt moderation settings.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      680b8926
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 089403a3
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2022-05-18
      
      1) Fix "disable_policy" flag use when arriving from different devices.
         From Eyal Birger.
      
      2) Fix error handling of pfkey_broadcast in function pfkey_process.
         From Jiasheng Jiang.
      
      3) Check the encryption module availability consistency in pfkey.
         From Thomas Bartschies.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      089403a3
    • Ard Biesheuvel's avatar
      ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 · 3cfb3019
      Ard Biesheuvel authored
      In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow
      encoding, and so it does not jump to the following instruction as
      expected. So use W(b) instead.
      
      Fixes: 6c7cb60b ("ARM: fix Thumb2 regression with Spectre BHB")
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      3cfb3019
    • Ard Biesheuvel's avatar
      ARM: 9196/1: spectre-bhb: enable for Cortex-A15 · 0dc14aa9
      Ard Biesheuvel authored
      The Spectre-BHB mitigations were inadvertently left disabled for
      Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in
      that case. So fix that.
      
      Fixes: b9baf5c8 ("ARM: Spectre-BHB workaround")
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      0dc14aa9
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2022-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 765d1216
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2022-05-17
      
      This series provides bug fixes to mlx5 driver.
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      765d1216