1. 15 Jul, 2022 10 commits
  2. 14 Jul, 2022 27 commits
    • Nathan Chancellor's avatar
      x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current · db886979
      Nathan Chancellor authored
      Clang warns:
      
        arch/x86/kernel/cpu/bugs.c:58:21: error: section attribute is specified on redeclared variable [-Werror,-Wsection]
        DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
                            ^
        arch/x86/include/asm/nospec-branch.h:283:12: note: previous declaration is here
        extern u64 x86_spec_ctrl_current;
                   ^
        1 error generated.
      
      The declaration should be using DECLARE_PER_CPU instead so all
      attributes stay in sync.
      
      Cc: stable@vger.kernel.org
      Fixes: fc02735b ("KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      db886979
    • Linus Torvalds's avatar
      Merge tag 'net-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9bd572ec
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, bpf and wireless.
      
        Still no major regressions, the release continues to be calm. An
        uptick of fixes this time around due to trivial data race fixes and
        patches flowing down from subtrees.
      
        There has been a few driver fixes (particularly a few fixes for false
        positives due to 66e4c8d9 which went into -next in May!) that make
        me worry the wide testing is not exactly fully through.
      
        So "calm" but not "let's just cut the final ASAP" vibes over here.
      
        Current release - regressions:
      
         - wifi: rtw88: fix write to const table of channel parameters
      
        Current release - new code bugs:
      
         - mac80211: add gfp_t arg to ieeee80211_obss_color_collision_notify
      
         - mlx5:
            - TC, allow offload from uplink to other PF's VF
            - Lag, decouple FDB selection and shared FDB
            - Lag, correct get the port select mode str
      
         - bnxt_en: fix and simplify XDP transmit path
      
         - r8152: fix accessing unset transport header
      
        Previous releases - regressions:
      
         - conntrack: fix crash due to confirmed bit load reordering (after
           atomic -> refcount conversion)
      
         - stmmac: dwc-qos: disable split header for Tegra194
      
        Previous releases - always broken:
      
         - mlx5e: ring the TX doorbell on DMA errors
      
         - bpf: make sure mac_header was set before using it
      
         - mac80211: do not wake queues on a vif that is being stopped
      
         - mac80211: fix queue selection for mesh/OCB interfaces
      
         - ip: fix dflt addr selection for connected nexthop
      
         - seg6: fix skb checksums for SRH encapsulation/insertion
      
         - xdp: fix spurious packet loss in generic XDP TX path
      
         - bunch of sysctl data race fixes
      
         - nf_log: incorrect offset to network header
      
        Misc:
      
         - bpf: add flags arg to bpf_dynptr_read and bpf_dynptr_write APIs"
      
      * tag 'net-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (87 commits)
        nfp: flower: configure tunnel neighbour on cmsg rx
        net/tls: Check for errors in tls_device_init
        MAINTAINERS: Add an additional maintainer to the AMD XGBE driver
        xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
        selftests/net: test nexthop without gw
        ip: fix dflt addr selection for connected nexthop
        net: atlantic: remove aq_nic_deinit() when resume
        net: atlantic: remove deep parameter on suspend/resume functions
        sfc: fix kernel panic when creating VF
        seg6: bpf: fix skb checksum in bpf_push_seg6_encap()
        seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
        seg6: fix skb checksum evaluation in SRH encapsulation/insertion
        sfc: fix use after free when disabling sriov
        net: sunhme: output link status with a single print.
        r8152: fix accessing unset transport header
        net: stmmac: fix leaks in probe
        net: ftgmac100: Hold reference returned by of_get_child_by_name()
        nexthop: Fix data-races around nexthop_compat_mode.
        ipv4: Fix data-races around sysctl_ip_dynaddr.
        tcp: Fix a data-race around sysctl_tcp_ecn_fallback.
        ...
      9bd572ec
    • Linus Torvalds's avatar
      Merge tag '5.19-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · f41d5df5
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Three smb3 client fixes:
      
         - two multichannel fixes: fix a potential deadlock freeing a channel,
           and fix a race condition on failed creation of a new channel
      
         - mount failure fix: work around a server bug in some common older
           Samba servers by avoiding padding at the end of the negotiate
           protocol request"
      
      * tag '5.19-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: workaround negprot bug in some Samba servers
        cifs: remove unnecessary locking of chan_lock while freeing session
        cifs: fix race condition with delayed threads
      f41d5df5
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · a24a6c05
      Linus Torvalds authored
      Pull nfsd fixes from Chuck Lever:
       "Notable regression fixes:
      
         - Enable SETATTR(time_create) to fix regression with Mac OS clients
      
         - Fix a lockd crasher and broken NLM UNLCK behavior"
      
      * tag 'nfsd-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        lockd: fix nlm_close_files
        lockd: set fl_owner when unlocking files
        NFSD: Decode NFSv4 birth time attribute
      a24a6c05
    • Linus Torvalds's avatar
      Merge tag 'integrity-v5.19-fix' of... · 4adfa865
      Linus Torvalds authored
      Merge tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
      
      Pull integrity fixes from Mimi Zohar:
       "Here are a number of fixes for recently found bugs.
      
        Only 'ima: fix violation measurement list record' was introduced in
        the current release. The rest address existing bugs"
      
      * tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
        ima: Fix potential memory leak in ima_init_crypto()
        ima: force signature verification when CONFIG_KEXEC_SIG is configured
        ima: Fix a potential integer overflow in ima_appraise_measurement
        ima: fix violation measurement list record
        Revert "evm: Fix memleak in init_desc"
      4adfa865
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 2eb5866c
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
      
       - quieten the spectre-bhb prints
      
       - mark flattened device tree sections as shareable
      
       - remove some obsolete CPU domain code and help text
      
       - fix thumb unaligned access abort emulation
      
       - fix amba_device_add() refcount underflow
      
       - fix literal placement
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 9208/1: entry: add .ltorg directive to keep literals in range
        ARM: 9207/1: amba: fix refcount underflow if amba_device_add() fails
        ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
        ARM: 9213/1: Print message about disabled Spectre workarounds only once
        ARM: 9212/1: domain: Modify Kconfig help text
        ARM: 9211/1: domain: drop modify_domain()
        ARM: 9210/1: Mark the FDT_FIXED sections as shareable
        ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle
      2eb5866c
    • Guenter Roeck's avatar
      um: Replace to_phys() and to_virt() with less generic function names · 097da1a4
      Guenter Roeck authored
      The UML function names to_virt() and to_phys() are exposed by UML
      headers, and are very generic and may be defined by drivers.  As it
      turns out, commit 9409c9b6 ("pmem: refactor pmem_clear_poison()")
      did exactly that.
      
      This results in build errors such as the following when trying to build
      um:allmodconfig:
      
        drivers/nvdimm/pmem.c: In function ‘pmem_dax_zero_page_range’:
        ./arch/um/include/asm/page.h:105:20: error: too few arguments to function ‘to_phys’
          105 | #define __pa(virt) to_phys((void *) (unsigned long) (virt))
              |                    ^~~~~~~
      
      Use less generic function names for the um specific to_phys() and
      to_virt() functions to fix the problem and to avoid similar problems in
      the future.
      
      Fixes: 9409c9b6 ("pmem: refactor pmem_clear_poison()")
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      097da1a4
    • Linus Torvalds's avatar
      Merge tag 'sound-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · c4634a3c
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Hopefully the last one for 5.19. This became bigger than wished, but
        all changes are pretty device-specific small fixes, which look less
        worrisome.
      
        The majority of changes are about various ASoC fixes, while the usual
        HD-audio quirks are included as well"
      
      * tag 'sound-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (28 commits)
        ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
        ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
        ALSA: hda/realtek: fix mute/micmute LEDs for HP machines
        ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
        ALSA: hda - Add fixup for Dell Latitidue E5430
        ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
        ALSA: hda/realtek: Fix headset mic for Acer SF313-51
        ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array
        ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks()
        ASoC: rt5640: Fix the wrong state of JD1 and JD2
        ASoC: Intel: sof_rt5682: fix out-of-bounds array access
        ASoC: qdsp6: fix potential memory leak in q6apm_get_audioreach_graph()
        ASoC: tas2764: Fix amp gain register offset & default
        ASoC: tas2764: Correct playback volume range
        ASoC: tas2764: Fix and extend FSYNC polarity handling
        ASoC: tas2764: Add post reset delays
        ASoC: dt-bindings: Fix description for msm8916
        ASoC: doc: Capitalize RESET line name
        ASoC: arizona: Update arizona_aif_cfg_changed to use RX_BCLK_RATE
        ASoC: cs47l92: Fix event generation for OUT1 demux
        ...
      c4634a3c
    • Tianyu Yuan's avatar
      nfp: flower: configure tunnel neighbour on cmsg rx · 656bd03a
      Tianyu Yuan authored
      nfp_tun_write_neigh() function will configure a tunnel neighbour when
      calling nfp_tun_neigh_event_handler() or nfp_flower_cmsg_process_one_rx()
      (with no tunnel neighbour type) from firmware.
      
      When configuring IP on physical port as a tunnel endpoint, no operation
      will be performed after receiving the cmsg mentioned above.
      
      Therefore, add a progress to configure tunnel neighbour in this case.
      
      v2: Correct format of fixes tag.
      
      Fixes: f1df7956 ("nfp: flower: rework tunnel neighbour configuration")
      Signed-off-by: default avatarTianyu Yuan <tianyu.yuan@corigine.com>
      Reviewed-by: default avatarLouis Peens <louis.peens@corigine.com>
      Reviewed-by: default avatarBaowen Zheng <baowen.zheng@corigine.com>
      Signed-off-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20220714081915.148378-1-simon.horman@corigine.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      656bd03a
    • Tariq Toukan's avatar
      net/tls: Check for errors in tls_device_init · 3d8c51b2
      Tariq Toukan authored
      Add missing error checks in tls_device_init.
      
      Fixes: e8f69799 ("net/tls: Add generic NIC offload infrastructure")
      Reported-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20220714070754.1428-1-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3d8c51b2
    • Tom Lendacky's avatar
      MAINTAINERS: Add an additional maintainer to the AMD XGBE driver · 51f1c31f
      Tom Lendacky authored
      Add Shyam Sundar S K as an additional maintainer to support the AMD XGBE
      network device driver.
      
      Cc: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Link: https://lore.kernel.org/r/db367f24089c2bbbcd1cec8e21af49922017a110.1657751501.git.thomas.lendacky@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      51f1c31f
    • Juergen Gross's avatar
      xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue · 94e81006
      Juergen Gross authored
      xenvif_rx_next_skb() is expecting the rx queue not being empty, but
      in case the loop in xenvif_rx_action() is doing multiple iterations,
      the availability of another skb in the rx queue is not being checked.
      
      This can lead to crashes:
      
      [40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
      [40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]
      [40072.537534] PGD 0 P4D 0
      [40072.537644] Oops: 0000 [#1] SMP NOPTI
      [40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5
      [40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021
      [40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000
      [40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]
      [40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246
      [40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7
      [40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8
      [40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008
      [40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708
      [40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0
      [40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000
      [40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
      [40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660
      [40072.539211] Call Trace:
      [40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]
      [40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]
      
      Fix that by stopping the loop in case the rx queue becomes empty.
      
      Cc: stable@vger.kernel.org
      Fixes: 98f6d57c ("xen-netback: process guest rx packets in batches")
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Reviewed-by: default avatarPaul Durrant <paul@xen.org>
      Link: https://lore.kernel.org/r/20220713135322.19616-1-jgross@suse.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      94e81006
    • Linus Torvalds's avatar
      amdgpu: disable powerpc support for the newer display engine · d11219ad
      Linus Torvalds authored
      The DRM_AMD_DC_DCN display engine support (Raven, Navi, and newer) has
      not been building cleanly on powerpc and causes link errors due to
      mixing hard- and soft-float object files:
      
        powerpc64-linux-ld: drivers/gpu/drm/amd/amdgpu/../display/dc/dml/display_mode_lib.o uses hard float, drivers/gpu/drm/amd/amdgpu/../display/dc/dcn31/dcn31_resource.o uses soft float
        powerpc64-linux-ld: failed to merge target specific data of file drivers/gpu/drm/amd/amdgpu/../display/dc/dcn31/dcn31_resource.o
        [..]
      
      and while patches are floating around, it's not exactly obvious what is
      going on.
      
      The problem bisects to commit 41b7a347 ("powerpc: Book3S 64-bit
      outline-only KASAN support") but that is probably more about changing
      config variables than the fundamental cause.
      
      Despite the bisection result, a more directly related commit seems to be
      26f4712a ("drm/amd/display: move FPU related code from dcn31 to
      dml/dcn31 folder").  It's probably a combination of the two.
      
      This has been going on since the merge window, without any final word.
      So instead of blindly applying patches that may or may not be the right
      thing, let's disable this for now.
      
      As Michael Ellerman says:
       "IIUIC this code was never enabled on ppc before, so disabling it seems
        like a reasonable fix to get the build clean"
      
      and once we have more actual feedback (and find any potential users) we
      can always re-enable it with the patch that fixes the issues and
      back-port as necessary.
      
      Fixes: 41b7a347 ("powerpc: Book3S 64-bit outline-only KASAN support")
      Fixes: 26f4712a ("drm/amd/display: move FPU related code from dcn31 to dml/dcn31 folder")
      Reported-and-tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Link: https://lore.kernel.org/all/20220606153910.GA1773067@roeck-us.net/
      Link: https://lore.kernel.org/all/20220618232737.2036722-1-linux@roeck-us.net/
      Link: https://lore.kernel.org/all/20220713050724.GA2471738@roeck-us.net/Acked-by: default avatarMichael Ellerman <michael@ellerman.id.au>
      Acked-by: default avatarAlex Deucher <alexdeucher@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d11219ad
    • Nicolas Dichtel's avatar
      selftests/net: test nexthop without gw · cd72e61b
      Nicolas Dichtel authored
      This test implement the scenario described in the commit
      "ip: fix dflt addr selection for connected nexthop".
      The test configures a nexthop object with an output device only (no gateway
      address) and a route that uses this nexthop. The goal is to check if the
      kernel selects a valid source address.
      
      Link: https://lore.kernel.org/netdev/20220712095545.10947-1-nicolas.dichtel@6wind.com/Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Link: https://lore.kernel.org/r/20220713114853.29406-2-nicolas.dichtel@6wind.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      cd72e61b
    • Nicolas Dichtel's avatar
      ip: fix dflt addr selection for connected nexthop · 747c1430
      Nicolas Dichtel authored
      When a nexthop is added, without a gw address, the default scope was set
      to 'host'. Thus, when a source address is selected, 127.0.0.1 may be chosen
      but rejected when the route is used.
      
      When using a route without a nexthop id, the scope can be configured in the
      route, thus the problem doesn't exist.
      
      To explain more deeply: when a user creates a nexthop, it cannot specify
      the scope. To create it, the function nh_create_ipv4() calls fib_check_nh()
      with scope set to 0. fib_check_nh() calls fib_check_nh_nongw() wich was
      setting scope to 'host'. Then, nh_create_ipv4() calls
      fib_info_update_nhc_saddr() with scope set to 'host'. The src addr is
      chosen before the route is inserted.
      
      When a 'standard' route (ie without a reference to a nexthop) is added,
      fib_create_info() calls fib_info_update_nhc_saddr() with the scope set by
      the user. iproute2 set the scope to 'link' by default.
      
      Here is a way to reproduce the problem:
      ip netns add foo
      ip -n foo link set lo up
      ip netns add bar
      ip -n bar link set lo up
      sleep 1
      
      ip -n foo link add name eth0 type dummy
      ip -n foo link set eth0 up
      ip -n foo address add 192.168.0.1/24 dev eth0
      
      ip -n foo link add name veth0 type veth peer name veth1 netns bar
      ip -n foo link set veth0 up
      ip -n bar link set veth1 up
      
      ip -n bar address add 192.168.1.1/32 dev veth1
      ip -n bar route add default dev veth1
      
      ip -n foo nexthop add id 1 dev veth0
      ip -n foo route add 192.168.1.1 nhid 1
      
      Try to get/use the route:
      > $ ip -n foo route get 192.168.1.1
      > RTNETLINK answers: Invalid argument
      > $ ip netns exec foo ping -c1 192.168.1.1
      > ping: connect: Invalid argument
      
      Try without nexthop group (iproute2 sets scope to 'link' by dflt):
      ip -n foo route del 192.168.1.1
      ip -n foo route add 192.168.1.1 dev veth0
      
      Try to get/use the route:
      > $ ip -n foo route get 192.168.1.1
      > 192.168.1.1 dev veth0 src 192.168.0.1 uid 0
      >     cache
      > $ ip netns exec foo ping -c1 192.168.1.1
      > PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
      > 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.039 ms
      >
      > --- 192.168.1.1 ping statistics ---
      > 1 packets transmitted, 1 received, 0% packet loss, time 0ms
      > rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms
      
      CC: stable@vger.kernel.org
      Fixes: 597cfe4f ("nexthop: Add support for IPv4 nexthops")
      Reported-by: default avatarEdwin Brossette <edwin.brossette@6wind.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Link: https://lore.kernel.org/r/20220713114853.29406-1-nicolas.dichtel@6wind.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      747c1430
    • Ard Biesheuvel's avatar
      ARM: 9208/1: entry: add .ltorg directive to keep literals in range · 29589ca0
      Ard Biesheuvel authored
      LKP reports a build issue on Clang, related to a literal load of
      __current issued through the ldr_va macro. This turns out to be due to
      the fact that group relocations are disabled when CONFIG_COMPILE_TEST=y,
      which means that the ldr_va macro resolves to a pair of LDR
      instructions, the first one being a literal load issued too far from its
      literal pool.
      
      Due to the introduction of a couple of new uses of this macro in commit
      50807460 ("ARM: 9195/1: entry: avoid explicit literal loads"),
      the literal pools end up getting rearranged in a way that causes the
      literal for __current to go out of range. Let's fix this up by putting a
      .ltorg directive in a suitable place in the code.
      
      Link: https://lore.kernel.org/all/202205290805.1vZLAr36-lkp@intel.com/
      
      Fixes: 50807460 ("ARM: 9195/1: entry: avoid explicit literal loads")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Tested-by: default avatarNathan Chancellor <nathan@kernel.org>
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      29589ca0
    • Wang Kefeng's avatar
      ARM: 9207/1: amba: fix refcount underflow if amba_device_add() fails · 8030aa3c
      Wang Kefeng authored
      "ARM: 9192/1: amba: fix memory leak in amba_device_try_add()" leads
      to a refcount underflow if amba_device_add() fails, which called by
      of_amba_device_create(), the of_amba_device_create() already exists
      the error handling, so amba_put_device() only need to be added into
      amba_deferred_retry().
      
      Fixes: 7719a68b ("ARM: 9192/1: amba: fix memory leak in amba_device_try_add()")
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      8030aa3c
    • Chia-Lin Kao (AceLan)'s avatar
      net: atlantic: remove aq_nic_deinit() when resume · 2e15c51f
      Chia-Lin Kao (AceLan) authored
      aq_nic_deinit() has been called while suspending, so we don't have to call
      it again on resume.
      Actually, call it again leads to another hang issue when resuming from
      S3.
      
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992345] Call Trace:
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992346] <TASK>
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992348] aq_nic_deinit+0xb4/0xd0 [atlantic]
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992356] aq_pm_thaw+0x7f/0x100 [atlantic]
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992362] pci_pm_resume+0x5c/0x90
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992366] ? pci_pm_thaw+0x80/0x80
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992368] dpm_run_callback+0x4e/0x120
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992371] device_resume+0xad/0x200
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992373] async_resume+0x1e/0x40
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992374] async_run_entry_fn+0x33/0x120
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992377] process_one_work+0x220/0x3c0
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992380] worker_thread+0x4d/0x3f0
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992382] ? process_one_work+0x3c0/0x3c0
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992384] kthread+0x12a/0x150
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992386] ? set_kthread_struct+0x40/0x40
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992387] ret_from_fork+0x22/0x30
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992391] </TASK>
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992392] ---[ end trace 1ec8c79604ed5e0d ]---
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992394] PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110
      Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992397] atlantic 0000:02:00.0: PM: failed to resume async: error -110
      
      Fixes: 1809c30b ("net: atlantic: always deep reset on pm op, fixing up my null deref regression")
      Signed-off-by: default avatarChia-Lin Kao (AceLan) <acelan.kao@canonical.com>
      Link: https://lore.kernel.org/r/20220713111224.1535938-2-acelan.kao@canonical.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      2e15c51f
    • Chia-Lin Kao (AceLan)'s avatar
      net: atlantic: remove deep parameter on suspend/resume functions · 0f332507
      Chia-Lin Kao (AceLan) authored
      Below commit claims that atlantic NIC requires to reset the device on pm
      op, and had set the deep to true for all suspend/resume functions.
      commit 1809c30b ("net: atlantic: always deep reset on pm op, fixing up my null deref regression")
      So, we could remove deep parameter on suspend/resume functions without
      any functional change.
      
      Fixes: 1809c30b ("net: atlantic: always deep reset on pm op, fixing up my null deref regression")
      Signed-off-by: default avatarChia-Lin Kao (AceLan) <acelan.kao@canonical.com>
      Link: https://lore.kernel.org/r/20220713111224.1535938-1-acelan.kao@canonical.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      0f332507
    • Íñigo Huguet's avatar
      sfc: fix kernel panic when creating VF · ada74c55
      Íñigo Huguet authored
      When creating VFs a kernel panic can happen when calling to
      efx_ef10_try_update_nic_stats_vf.
      
      When releasing a DMA coherent buffer, sometimes, I don't know in what
      specific circumstances, it has to unmap memory with vunmap. It is
      disallowed to do that in IRQ context or with BH disabled. Otherwise, we
      hit this line in vunmap, causing the crash:
        BUG_ON(in_interrupt());
      
      This patch reenables BH to release the buffer.
      
      Log messages when the bug is hit:
       kernel BUG at mm/vmalloc.c:2727!
       invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
       CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G          I      --------- ---  5.14.0-119.el9.x86_64 #1
       Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020
       RIP: 0010:vunmap+0x2e/0x30
       ...skip...
       Call Trace:
        __iommu_dma_free+0x96/0x100
        efx_nic_free_buffer+0x2b/0x40 [sfc]
        efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc]
        efx_ef10_update_stats_vf+0x18/0x40 [sfc]
        efx_start_all+0x15e/0x1d0 [sfc]
        efx_net_open+0x5a/0xe0 [sfc]
        __dev_open+0xe7/0x1a0
        __dev_change_flags+0x1d7/0x240
        dev_change_flags+0x21/0x60
        ...skip...
      
      Fixes: d7788196 ("sfc: DMA the VF stats only when requested")
      Reported-by: default avatarMa Yuying <yuma@redhat.com>
      Signed-off-by: default avatarÍñigo Huguet <ihuguet@redhat.com>
      Acked-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/20220713092116.21238-1-ihuguet@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ada74c55
    • Paolo Abeni's avatar
      Merge branch 'seg6-fix-skb-checksum-for-srh-encapsulation-insertion' · cc91b09b
      Paolo Abeni authored
      Andrea Mayer says:
      
      ====================
      seg6: fix skb checksum for SRH encapsulation/insertion
      
      The Linux kernel supports Segment Routing Header (SRH)
      encapsulation/insertion operations by providing the capability to: i)
      encapsulate a packet in an outer IPv6 header with a specified SRH; ii)
      insert a specified SRH directly after the IPv6 header of the packet.
      Note that the insertion operation is also referred to as 'injection'.
      
      The two operations are respectively supported by seg6_do_srh_encap() and
      seg6_do_srh_inline(), which operate on the skb associated to the packet as
      needed (e.g. adding the necessary headers and initializing them, while
      taking care to recalculate the skb checksum).
      
      seg6_do_srh_encap() and seg6_do_srh_inline() do not initialize the payload
      length of the IPv6 header, which is carried out by the caller functions.
      However, this approach causes the corruption of the skb checksum which
      needs to be updated only after initialization of headers is completed
      (thanks to Paolo Abeni for detecting this issue).
      
      The patchset fixes the skb checksum corruption by moving the IPv6 header
      payload length initialization from the callers of seg6_do_srh_encap() and
      seg6_do_srh_inline() directly into these functions.
      
      This patchset is organized as follows:
       - patch 1/3, seg6: fix skb checksum evaluation in SRH
         encapsulation/insertion;
          (* SRH encapsulation/insertion available since v4.10)
      
       - patch 2/3, seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps
         behaviors;
          (* SRv6 End.B6 and End.B6.Encaps behaviors available since v4.14)
      
       - patch 3/3, seg6: bpf: fix skb checksum in bpf_push_seg6_encap();
          (* bpf IPv6 Segment Routing helpers available since v4.18)
      
      ====================
      
      Link: https://lore.kernel.org/r/20220712175837.16267-1-andrea.mayer@uniroma2.itSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      cc91b09b
    • Andrea Mayer's avatar
      seg6: bpf: fix skb checksum in bpf_push_seg6_encap() · 4889fbd9
      Andrea Mayer authored
      Both helper functions bpf_lwt_seg6_action() and bpf_lwt_push_encap() use
      the bpf_push_seg6_encap() to encapsulate the packet in an IPv6 with Segment
      Routing Header (SRH) or insert an SRH between the IPv6 header and the
      payload.
      To achieve this result, such helper functions rely on bpf_push_seg6_encap()
      which, in turn, leverages seg6_do_srh_{encap,inline}() to perform the
      required operation (i.e. encap/inline).
      
      This patch removes the initialization of the IPv6 header payload length
      from bpf_push_seg6_encap(), as it is now handled properly by
      seg6_do_srh_{encap,inline}() to prevent corruption of the skb checksum.
      
      Fixes: fe94cc29 ("bpf: Add IPv6 Segment Routing helpers")
      Signed-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4889fbd9
    • Andrea Mayer's avatar
      seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors · f048880f
      Andrea Mayer authored
      The SRv6 End.B6 and End.B6.Encaps behaviors rely on functions
      seg6_do_srh_{encap,inline}() to, respectively: i) encapsulate the
      packet within an outer IPv6 header with the specified Segment Routing
      Header (SRH); ii) insert the specified SRH directly after the IPv6
      header of the packet.
      
      This patch removes the initialization of the IPv6 header payload length
      from the input_action_end_b6{_encap}() functions, as it is now handled
      properly by seg6_do_srh_{encap,inline}() to avoid corruption of the skb
      checksum.
      
      Fixes: 140f04c3 ("ipv6: sr: implement several seg6local actions")
      Signed-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f048880f
    • Andrea Mayer's avatar
      seg6: fix skb checksum evaluation in SRH encapsulation/insertion · df8386d1
      Andrea Mayer authored
      Support for SRH encapsulation and insertion was introduced with
      commit 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and
      injection with lwtunnels"), through the seg6_do_srh_encap() and
      seg6_do_srh_inline() functions, respectively.
      The former encapsulates the packet in an outer IPv6 header along with
      the SRH, while the latter inserts the SRH between the IPv6 header and
      the payload. Then, the headers are initialized/updated according to the
      operating mode (i.e., encap/inline).
      Finally, the skb checksum is calculated to reflect the changes applied
      to the headers.
      
      The IPv6 payload length ('payload_len') is not initialized
      within seg6_do_srh_{inline,encap}() but is deferred in seg6_do_srh(), i.e.
      the caller of seg6_do_srh_{inline,encap}().
      However, this operation invalidates the skb checksum, since the
      'payload_len' is updated only after the checksum is evaluated.
      
      To solve this issue, the initialization of the IPv6 payload length is
      moved from seg6_do_srh() directly into the seg6_do_srh_{inline,encap}()
      functions and before the skb checksum update takes place.
      
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Reported-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/all/20220705190727.69d532417be7438b15404ee1@uniroma2.itSigned-off-by: default avatarAndrea Mayer <andrea.mayer@uniroma2.it>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      df8386d1
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · f46a5a9c
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-07-12
      
      This series contains updates to ice driver only.
      
      Paul fixes detection of E822 devices for firmware update and changes NVM
      read for snapshot creation to be done in chunks as some systems cannot
      read the entire NVM in the allotted time.
      ====================
      
      Link: https://lore.kernel.org/r/20220712164829.7275-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f46a5a9c
    • Íñigo Huguet's avatar
      sfc: fix use after free when disabling sriov · ebe41da5
      Íñigo Huguet authored
      Use after free is detected by kfence when disabling sriov. What was read
      after being freed was vf->pci_dev: it was freed from pci_disable_sriov
      and later read in efx_ef10_sriov_free_vf_vports, called from
      efx_ef10_sriov_free_vf_vswitching.
      
      Set the pointer to NULL at release time to not trying to read it later.
      
      Reproducer and dmesg log (note that kfence doesn't detect it every time):
      $ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
      $ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
      
       BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
      
       Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):
        efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
        efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]
        efx_pci_sriov_configure+0x24/0x40 [sfc]
        sriov_numvfs_store+0xfe/0x140
        kernfs_fop_write_iter+0x11c/0x1b0
        new_sync_write+0x11f/0x1b0
        vfs_write+0x1eb/0x280
        ksys_write+0x5f/0xe0
        do_syscall_64+0x5c/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae
      
       kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k
      
       allocated by task 6771 on cpu 10 at 3137.860196s:
        pci_alloc_dev+0x21/0x60
        pci_iov_add_virtfn+0x2a2/0x320
        sriov_enable+0x212/0x3e0
        efx_ef10_sriov_configure+0x67/0x80 [sfc]
        efx_pci_sriov_configure+0x24/0x40 [sfc]
        sriov_numvfs_store+0xba/0x140
        kernfs_fop_write_iter+0x11c/0x1b0
        new_sync_write+0x11f/0x1b0
        vfs_write+0x1eb/0x280
        ksys_write+0x5f/0xe0
        do_syscall_64+0x5c/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae
      
       freed by task 6771 on cpu 12 at 3170.991309s:
        device_release+0x34/0x90
        kobject_cleanup+0x3a/0x130
        pci_iov_remove_virtfn+0xd9/0x120
        sriov_disable+0x30/0xe0
        efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]
        efx_pci_sriov_configure+0x24/0x40 [sfc]
        sriov_numvfs_store+0xfe/0x140
        kernfs_fop_write_iter+0x11c/0x1b0
        new_sync_write+0x11f/0x1b0
        vfs_write+0x1eb/0x280
        ksys_write+0x5f/0xe0
        do_syscall_64+0x5c/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 3c5eb876 ("sfc: create vports for VFs and assign random MAC addresses")
      Reported-by: default avatarYanghang Liu <yanghliu@redhat.com>
      Signed-off-by: default avatarÍñigo Huguet <ihuguet@redhat.com>
      Acked-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/20220712062642.6915-1-ihuguet@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ebe41da5
    • Steve French's avatar
      smb3: workaround negprot bug in some Samba servers · 32f31918
      Steve French authored
      Mount can now fail to older Samba servers due to a server
      bug handling padding at the end of the last negotiate
      context (negotiate contexts typically are rounded up to 8
      bytes by adding padding if needed). This server bug can
      be avoided by switching the order of negotiate contexts,
      placing a negotiate context at the end that does not
      require padding (prior to the recent netname context fix
      this was the case on the client).
      
      Fixes: 73130a7b ("smb3: fix empty netname context on secondary channels")
      Reported-by: default avatarJulian Sikorski <belegdol@gmail.com>
      Tested-by: default avatarJulian Sikorski <belegdol+github@gmail.com>
      Reviewed-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      32f31918
  3. 13 Jul, 2022 3 commits