1. 13 Mar, 2022 1 commit
      Merge tag 'x86_urgent_for_v5.17_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f0e18b03
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - Free shmem backing storage for SGX enclave pages when those are
         swapped back into EPC memory
      
       - Prevent do_int3() from being kprobed, to avoid recursion
      
       - Remap setup_data and setup_indirect structures properly when
         accessing their members
      
       - Correct the alternatives patching order for modules too
      
      * tag 'x86_urgent_for_v5.17_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/sgx: Free backing memory after faulting the enclave page
        x86/traps: Mark do_int3() NOKPROBE_SYMBOL
        x86/boot: Add setup_indirect support in early_memremap_is_setup_data()
        x86/boot: Fix memremap of setup_indirect structures
        x86/module: Fix the paravirt vs alternative order
  2. 12 Mar, 2022 8 commits
  3. 11 Mar, 2022 26 commits
  4. 10 Mar, 2022 5 commits
      ice: Fix race condition during interface enslave · 5cb1ebdb
      Ivan Vecera authored
       Commit 5dbbbd01 ("ice: Avoid RTNL lock when re-creating
       auxiliary device") changes the process of re-creating the aux device
       so that ice_plug_aux_dev() is called from ice_service_task() context.
       This unfortunately opens a race window that can result in a deadlock
       when the interface has left a LAG and immediately enters the LAG again.
      
      Reproducer:
       ```
       #!/bin/bash
       # Run as root on a host with an ice port. bash is required for the
       # {1..10} brace expansion (it does not work under a plain /bin/sh), the
       # bond is brought up (the original line had no "up" and was a no-op),
       # and the port name is a placeholder; override with IFACE=<port>.
       IFACE=${IFACE:-ens7f0}

       ip link add lag0 type bond mode 1 miimon 100
       ip link set lag0 up

       # Leave and re-enter the LAG quickly: "nomaster" queues the aux device
       # re-plug in the service task, "master" runs the notifier under RTNL.
       for n in {1..10}; do
               echo Cycle: $n
               ip link set "$IFACE" master lag0
               sleep 1
               ip link set "$IFACE" nomaster
       done
       ```
      
      This results in:
      [20976.208697] Workqueue: ice ice_service_task [ice]
      [20976.213422] Call Trace:
      [20976.215871]  __schedule+0x2d1/0x830
      [20976.219364]  schedule+0x35/0xa0
      [20976.222510]  schedule_preempt_disabled+0xa/0x10
      [20976.227043]  __mutex_lock.isra.7+0x310/0x420
      [20976.235071]  enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]
      [20976.251215]  ib_enum_roce_netdev+0xa4/0xe0 [ib_core]
      [20976.256192]  ib_cache_setup_one+0x33/0xa0 [ib_core]
      [20976.261079]  ib_register_device+0x40d/0x580 [ib_core]
      [20976.266139]  irdma_ib_register_device+0x129/0x250 [irdma]
      [20976.281409]  irdma_probe+0x2c1/0x360 [irdma]
      [20976.285691]  auxiliary_bus_probe+0x45/0x70
      [20976.289790]  really_probe+0x1f2/0x480
      [20976.298509]  driver_probe_device+0x49/0xc0
      [20976.302609]  bus_for_each_drv+0x79/0xc0
      [20976.306448]  __device_attach+0xdc/0x160
      [20976.310286]  bus_probe_device+0x9d/0xb0
      [20976.314128]  device_add+0x43c/0x890
      [20976.321287]  __auxiliary_device_add+0x43/0x60
      [20976.325644]  ice_plug_aux_dev+0xb2/0x100 [ice]
      [20976.330109]  ice_service_task+0xd0c/0xed0 [ice]
      [20976.342591]  process_one_work+0x1a7/0x360
      [20976.350536]  worker_thread+0x30/0x390
      [20976.358128]  kthread+0x10a/0x120
      [20976.365547]  ret_from_fork+0x1f/0x40
      ...
      [20976.438030] task:ip              state:D stack:    0 pid:213658 ppid:213627 flags:0x00004084
      [20976.446469] Call Trace:
      [20976.448921]  __schedule+0x2d1/0x830
      [20976.452414]  schedule+0x35/0xa0
      [20976.455559]  schedule_preempt_disabled+0xa/0x10
      [20976.460090]  __mutex_lock.isra.7+0x310/0x420
      [20976.464364]  device_del+0x36/0x3c0
      [20976.467772]  ice_unplug_aux_dev+0x1a/0x40 [ice]
      [20976.472313]  ice_lag_event_handler+0x2a2/0x520 [ice]
      [20976.477288]  notifier_call_chain+0x47/0x70
      [20976.481386]  __netdev_upper_dev_link+0x18b/0x280
      [20976.489845]  bond_enslave+0xe05/0x1790 [bonding]
      [20976.494475]  do_setlink+0x336/0xf50
      [20976.502517]  __rtnl_newlink+0x529/0x8b0
      [20976.543441]  rtnl_newlink+0x43/0x60
      [20976.546934]  rtnetlink_rcv_msg+0x2b1/0x360
      [20976.559238]  netlink_rcv_skb+0x4c/0x120
      [20976.563079]  netlink_unicast+0x196/0x230
      [20976.567005]  netlink_sendmsg+0x204/0x3d0
      [20976.570930]  sock_sendmsg+0x4c/0x50
      [20976.574423]  ____sys_sendmsg+0x1eb/0x250
      [20976.586807]  ___sys_sendmsg+0x7c/0xc0
      [20976.606353]  __sys_sendmsg+0x57/0xa0
      [20976.609930]  do_syscall_64+0x5b/0x1a0
      [20976.613598]  entry_SYSCALL_64_after_hwframe+0x65/0xca
      
       1. The command 'ip link ... set nomaster' causes ice_plug_aux_dev() to
          be called from ice_service_task() context; the aux device is created
          and the associated device->lock is taken.
       2. The command 'ip link ... set master ...' calls ice's notifier under
          the RTNL lock, and that notifier calls ice_unplug_aux_dev(). That
          function tries to take the aux device->lock, but it is already held
          by ice_plug_aux_dev() from step 1.
       3. Later, ice_plug_aux_dev() tries to take the RTNL lock, but it is
          already held from step 2.
       4. Deadlock.
      
       The patch fixes this issue with the following changes:
       - The bit ICE_FLAG_PLUG_AUX_DEV is kept set during the ice_plug_aux_dev()
         call in ice_service_task().
       - The bit is checked in ice_clear_rdma_cap(), and only if it is not set
         is ice_unplug_aux_dev() called. If it is set (in other words,
         plugging of the aux device was requested and ice_plug_aux_dev() is
         potentially running), then the function only clears the bit.
       - Once the ice_plug_aux_dev() call (in ice_service_task()) is finished,
         the bit ICE_FLAG_PLUG_AUX_DEV is cleared, but it is also checked
         whether it was already cleared by ice_clear_rdma_cap(). If so, the
         aux device is unplugged.
       Signed-off-by: Ivan Vecera <ivecera@redhat.com>
       Co-developed-by: Petr Oros <poros@redhat.com>
       Signed-off-by: Petr Oros <poros@redhat.com>
       Reviewed-by: Dave Ertman <david.m.ertman@intel.com>
       Link: https://lore.kernel.org/r/20220310171641.3863659-1-ivecera@redhat.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
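The lock-order inversion in steps 1 to 4 above, and the ICE_FLAG_PLUG_AUX_DEV handshake the patch uses to avoid it, modelled as two user-space threads. This is an added illustration, not ice driver code: rtnl_lock and dev_lock stand for RTNL and the auxiliary device->lock, plug_requested for the flag bit, and the bounded lock attempt exists only so the deliberately deadlocking variant terminates instead of hanging the way the kernel did. The unfixed notifier waits for dev_lock while holding RTNL, so the worker never gets RTNL; the fixed notifier, seeing a plug in flight, only clears the bit, and the worker performs the unplug itself once plugging is done.

```c
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Stand-ins: RTNL, the auxiliary device->lock, and ICE_FLAG_PLUG_AUX_DEV. */
static pthread_mutex_t rtnl_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t dev_lock  = PTHREAD_MUTEX_INITIALIZER;
static atomic_bool aux_plugged;
static atomic_bool plug_requested;

struct outcome {
    int  worker_rc;         /* 0, or EBUSY if the worker never obtained RTNL */
    bool unplug_under_rtnl; /* notifier waited for dev_lock while holding RTNL */
    bool unplug_deferred;   /* worker carried out the unplug the notifier withdrew */
    bool plugged;           /* aux device state once both threads are done */
};

struct ctx {
    bool fixed;
    atomic_int arrived;     /* rendezvous: both threads hold their first lock */
    struct outcome out;
};

/* Poll for the mutex for about `ms` milliseconds; 0 on success, else EBUSY.
 * Only needed so the unfixed variant returns instead of blocking forever. */
static int lock_bounded(pthread_mutex_t *m, int ms)
{
    const struct timespec one_ms = { 0, 1000000 };
    for (int i = 0; i < ms; i++) {
        if (pthread_mutex_trylock(m) == 0)
            return 0;
        nanosleep(&one_ms, NULL);
    }
    return EBUSY;
}

static void rendezvous(struct ctx *c)
{
    atomic_fetch_add(&c->arrived, 1);
    while (atomic_load(&c->arrived) < 2)
        sched_yield();
}

/* ice_service_task() -> ice_plug_aux_dev(): device_add() holds device->lock
 * across the aux probe, and the probe (irdma registration) needs RTNL. */
static void *worker(void *arg)
{
    struct ctx *c = arg;
    pthread_mutex_lock(&dev_lock);
    rendezvous(c);
    c->out.worker_rc = lock_bounded(&rtnl_lock, 1000);
    if (c->out.worker_rc == 0) {
        atomic_store(&aux_plugged, true);
        pthread_mutex_unlock(&rtnl_lock);
    }
    pthread_mutex_unlock(&dev_lock);
    /* Fixed path: plugging is done, so drop the request bit. If the notifier
     * cleared it first, an unplug was requested meanwhile: do it now, with no
     * RTNL critical section involved. */
    if (c->fixed && !atomic_exchange(&plug_requested, false)) {
        pthread_mutex_lock(&dev_lock);
        atomic_store(&aux_plugged, false);
        pthread_mutex_unlock(&dev_lock);
        c->out.unplug_deferred = true;
    }
    return NULL;
}

/* Netdev notifier for "ip link set ... master": enters with RTNL held. */
static void *notifier(void *arg)
{
    struct ctx *c = arg;
    pthread_mutex_lock(&rtnl_lock);
    rendezvous(c);
    /* Fixed: a plug in flight means "withdraw the request" rather than
     * taking dev_lock under RTNL; the worker unplugs when it finishes. */
    bool plug_in_flight = c->fixed && atomic_exchange(&plug_requested, false);
    if (!plug_in_flight) {
        /* ice_unplug_aux_dev() -> device_del() waits for dev_lock while RTNL
         * is held, which the worker needs: the ABBA inversion. */
        c->out.unplug_under_rtnl = true;
        pthread_mutex_lock(&dev_lock);
        atomic_store(&aux_plugged, false);
        pthread_mutex_unlock(&dev_lock);
    }
    pthread_mutex_unlock(&rtnl_lock);
    return NULL;
}

/* Starting point: the port just left the LAG, so a plug is pending and the
 * aux device is not registered; "set master" then arrives immediately. */
static struct outcome run_scenario(bool fixed)
{
    struct ctx c = { .fixed = fixed };
    pthread_t w, n;
    atomic_store(&aux_plugged, false);
    atomic_store(&plug_requested, true);
    pthread_create(&w, NULL, worker, &c);
    pthread_create(&n, NULL, notifier, &c);
    pthread_join(w, NULL);
    pthread_join(n, NULL);
    c.out.plugged = atomic_load(&aux_plugged);
    return c.out;
}

int main(void)
{
    struct outcome o = run_scenario(false);
    printf("unfixed: worker RTNL rc=%d (EBUSY=%d), notifier waited under RTNL=%d\n",
           o.worker_rc, EBUSY, o.unplug_under_rtnl);
    o = run_scenario(true);
    printf("fixed:   worker RTNL rc=%d, deferred unplug=%d, plugged=%d\n",
           o.worker_rc, o.unplug_deferred, o.plugged);
    return 0;
}
```

Build with `cc -pthread`. The unfixed run takes about a second because the worker has to give up on RTNL; in the kernel it never would, which is the hung `ice_service_task` and `ip` tasks in the traces above.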
      net: phy: meson-gxl: improve link-up behavior · 2c87c6f9
      Heiner Kallweit authored
      Sometimes the link comes up but no data flows. This patch fixes
      this behavior. It's not clear what's the root cause of the issue.
      
      According to the tests one other link-up issue remains.
      In very rare cases the link isn't even reported as up.
      
      Fixes: 84c8f773 ("net: phy: meson-gxl: remove the use of .ack_callback()")
       Tested-by: Erico Nunes <nunes.erico@gmail.com>
       Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
       Link: https://lore.kernel.org/r/e3473452-a1f9-efcf-5fdd-02b6f44c3fcd@gmail.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      net: bcmgenet: Don't claim WOL when its not available · 00b022f8
      Jeremy Linton authored
      Some of the bcmgenet platforms don't correctly support WOL, yet
      ethtool returns:
      
      "Supports Wake-on: gsf"
      
      which is false.
      
      Ideally if there isn't a wol_irq, or there is something else that
      keeps the device from being able to wakeup it should display:
      
      "Supports Wake-on: d"
      
       This patch checks whether the device can wake up before using the
       hard-coded supported flags. This corrects the ethtool reporting as
       well as the WOL configuration, because ethtool verifies that the mode
       is supported before attempting it.
      
      Fixes: c51de7f3 ("net: bcmgenet: add Wake-on-LAN support code")
       Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
       Tested-by: Peter Robinson <pbrobinson@gmail.com>
       Acked-by: Florian Fainelli <f.fainelli@gmail.com>
       Link: https://lore.kernel.org/r/20220310045535.224450-1-jeremy.linton@arm.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      net: arc_emac: Fix use after free in arc_mdio_probe() · bc0e610a
      Jianglei Nie authored
      If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
      the "bus". But bus->name is still used in the next line, which will lead
      to a use after free.
      
       We can fix it by putting the name in a local variable and making
       bus->name point to the rodata section "name", then using the name in
       the error message without referring to bus, to avoid the UAF.
      
      Fixes: 95b5fc03 ("net: arc_emac: Make use of the helper function dev_err_probe()")
       Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
       Link: https://lore.kernel.org/r/20220309121824.36529-1-niejianglei2021@163.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      sctp: fix kernel-infoleak for SCTP sockets · 633593a8
      Eric Dumazet authored
      syzbot reported a kernel infoleak [1] of 4 bytes.
      
       After analysis, it turned out that r->idiag_expires is not initialized
       if inet_sctp_diag_fill() calls inet_diag_msg_common_fill().
      
      Make sure to clear idiag_timer/idiag_retrans/idiag_expires
      and let inet_diag_msg_sctpasoc_fill() fill them again if needed.
      
      [1]
      
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       copyout lib/iov_iter.c:154 [inline]
       _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
       copy_to_iter include/linux/uio.h:162 [inline]
       simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
       __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
       skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
       skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
       netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
       sock_recvmsg_nosec net/socket.c:948 [inline]
       sock_recvmsg net/socket.c:966 [inline]
       __sys_recvfrom+0x795/0xa10 net/socket.c:2097
       __do_sys_recvfrom net/socket.c:2115 [inline]
       __se_sys_recvfrom net/socket.c:2111 [inline]
       __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was created at:
       slab_post_alloc_hook mm/slab.h:737 [inline]
       slab_alloc_node mm/slub.c:3247 [inline]
       __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
       kmalloc_reserve net/core/skbuff.c:354 [inline]
       __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
       alloc_skb include/linux/skbuff.h:1158 [inline]
       netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
       __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
       netlink_dump_start include/linux/netlink.h:254 [inline]
       inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
       sock_diag_rcv_msg+0x24a/0x620
       netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
       sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
       sock_sendmsg_nosec net/socket.c:705 [inline]
       sock_sendmsg net/socket.c:725 [inline]
       sock_write_iter+0x594/0x690 net/socket.c:1061
       do_iter_readv_writev+0xa7f/0xc70
       do_iter_write+0x52c/0x1500 fs/read_write.c:851
       vfs_writev fs/read_write.c:924 [inline]
       do_writev+0x645/0xe00 fs/read_write.c:967
       __do_sys_writev fs/read_write.c:1040 [inline]
       __se_sys_writev fs/read_write.c:1037 [inline]
       __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Bytes 68-71 of 2508 are uninitialized
      Memory access of size 2508 starts at ffff888114f9b000
      Data copied to user address 00007f7fe09ff2e0
      
      CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
       Signed-off-by: Eric Dumazet <edumazet@google.com>
       Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
       Reviewed-by: Xin Long <lucien.xin@gmail.com>
       Link: https://lore.kernel.org/r/20220310001145.297371-1-eric.dumazet@gmail.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
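A poison-and-scan check for the uninitialised-field leak the report above describes, written as an added illustration rather than kernel code. The structs mirror the UAPI layout of struct nlmsghdr and struct inet_diag_msg as I know it (the static assertions pin the two offsets that matter); the socket stand-in is constructed; and the "unfixed" filler is a modelling assumption that leaves exactly the field the commit names, idiag_expires, unwritten, while the fixed filler clears the three fields the patch clears. A freshly allocated skb can carry stale bytes, so the buffer is pre-filled with 0xAA and any byte the filler never writes shows up in the scan; 16 bytes of nlmsghdr plus idiag_expires at offset 52 puts that field at bytes 68-71 of the message, the range KMSAN reported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA

/* Mirrors of the UAPI layouts (assumed; checked by the static assertions). */
struct nlmsghdr_m {
    uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
    uint32_t nlmsg_seq; uint32_t nlmsg_pid;
};
struct inet_diag_sockid_m {
    uint16_t idiag_sport, idiag_dport;
    uint32_t idiag_src[4], idiag_dst[4];
    uint32_t idiag_if, idiag_cookie[2];
};
struct inet_diag_msg_m {
    uint8_t idiag_family, idiag_state, idiag_timer, idiag_retrans;
    struct inet_diag_sockid_m id;
    uint32_t idiag_expires, idiag_rqueue, idiag_wqueue, idiag_uid, idiag_inode;
};
_Static_assert(sizeof(struct nlmsghdr_m) == 16, "nlmsghdr layout");
_Static_assert(offsetof(struct inet_diag_msg_m, idiag_expires) == 52,
               "inet_diag_msg layout");

/* Constructed stand-in for the socket fields the filler reads. */
struct sock_m { uint8_t family, state; uint16_t sport, dport; uint32_t uid, inode; };

/* Models inet_diag_msg_common_fill(): identity fields only, no timer fields. */
static void common_fill(struct inet_diag_msg_m *r, const struct sock_m *sk)
{
    r->idiag_family = sk->family;
    r->id.idiag_sport = sk->sport;
    r->id.idiag_dport = sk->dport;
    memset(r->id.idiag_src, 0, sizeof r->id.idiag_src);
    memset(r->id.idiag_dst, 0, sizeof r->id.idiag_dst);
    r->id.idiag_if = 0;
    r->id.idiag_cookie[0] = 0x1234;
    r->id.idiag_cookie[1] = 0;
}

/* Models the no-association branch of inet_sctp_diag_fill(), the path syzbot
 * hit. `fixed` adds the clearing the patch introduces. Returns nlmsg_len. */
static size_t sctp_diag_fill(void *buf, const struct sock_m *sk, int fixed)
{
    struct nlmsghdr_m *nlh = buf;
    struct inet_diag_msg_m *r = (struct inet_diag_msg_m *)(nlh + 1);

    nlh->nlmsg_len = sizeof *nlh + sizeof *r;
    nlh->nlmsg_type = 20;             /* SOCK_DIAG_BY_FAMILY */
    nlh->nlmsg_flags = 0;
    nlh->nlmsg_seq = 1;
    nlh->nlmsg_pid = 0;

    r->idiag_timer = 0;
    r->idiag_retrans = 0;
    if (fixed)
        r->idiag_expires = 0;         /* without this the field keeps slab contents */
    common_fill(r, sk);
    r->idiag_state = sk->state;
    r->idiag_rqueue = 0;
    r->idiag_wqueue = 0;
    r->idiag_uid = sk->uid;
    r->idiag_inode = sk->inode;
    return nlh->nlmsg_len;
}

/* Fill a poisoned buffer and report which bytes still carry poison, i.e. what
 * copy_to_user would hand out uninitialised. Returns the first offset or -1
 * and stores the count. Sample socket values are constructed. */
static long scan_leak(int fixed, size_t *count)
{
    union { uint8_t bytes[128]; uint64_t align; } msg;
    const struct sock_m sk = { .family = 2, .state = 1, .sport = 0x1f90,
                               .dport = 0, .uid = 1000, .inode = 4242 };
    long first = -1;

    memset(msg.bytes, POISON, sizeof msg.bytes);
    size_t len = sctp_diag_fill(msg.bytes, &sk, fixed);
    *count = 0;
    for (size_t i = 0; i < len; i++) {
        if (msg.bytes[i] == POISON) {
            if (first < 0)
                first = (long)i;
            (*count)++;
        }
    }
    return first;
}

static size_t leaked_bytes(int fixed) { size_t n; scan_leak(fixed, &n); return n; }
static long   leak_offset(int fixed)  { size_t n; return scan_leak(fixed, &n); }

int main(void)
{
    printf("unfixed: %zu uninitialised byte(s), first at offset %ld\n",
           leaked_bytes(0), leak_offset(0));
    printf("fixed:   %zu uninitialised byte(s)\n", leaked_bytes(1));
    return 0;
}
```

The same trick (poison the output buffer, serialise, scan) works as a unit test for any kernel-to-user or network serialiser where KMSAN is not available; the chosen sample values avoid 0xAA so no legitimately written byte is mistaken for poison.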