1. 11 Oct, 2024 7 commits
    • Linus Torvalds's avatar
      Merge tag 'thermal-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f8fafb69
      Linus Torvalds authored
      Pull thermal control fixes from Rafael Wysocki:
       "Address possible use-after-free scenarios during the processing of
        thermal netlink commands and during thermal zone removal (Rafael
        Wysocki)"
      
      * tag 'thermal-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        thermal: core: Free tzp copy along with the thermal zone
        thermal: core: Reference count the zone in thermal_zone_get_by_id()
      f8fafb69
    • Linus Torvalds's avatar
      Merge tag 'acpi-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 325354cf
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "Reduce the number of ACPI IRQ override DMI quirks by combining quirks
        that cover similar systems while making them cover additional models
        at the same time (Hans de Goede)"
      
      * tag 'acpi-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: resource: Fold Asus Vivobook Pro N6506M* DMI quirks together
        ACPI: resource: Fold Asus ExpertBook B1402C* and B1502C* DMI quirks together
        ACPI: resource: Make Asus ExpertBook B2502 matches cover more models
        ACPI: resource: Make Asus ExpertBook B2402 matches cover more models
      325354cf
    • Linus Torvalds's avatar
      Merge tag 'pmdomain-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm · 22e6abaa
      Linus Torvalds authored
      Pull pmdomain fixes from Ulf Hansson:
       "pmdomain core:
         - Fix alloc/free in dev_pm_domain_attach|detach_list()
      
        pmdomain providers:
         - qcom: Fix the return of uninitialized variable
      
        pmdomain consumers:
         - drm/tegra/gr3d: Revert conversion to dev_pm_domain_attach|detach_list()
      
        OPP core:
         - Fix error code in dev_pm_opp_set_config()"
      
      * tag 'pmdomain-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
        PM: domains: Fix alloc/free in dev_pm_domain_attach|detach_list()
        Revert "drm/tegra: gr3d: Convert into dev_pm_domain_attach|detach_list()"
        pmdomain: qcom-cpr: Fix the return of uninitialized variable
        OPP: fix error code in dev_pm_opp_set_config()
      22e6abaa
    • Linus Torvalds's avatar
      Merge tag 'mmc-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 7351a879
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Prevent splat from warning when setting maximum DMA segment
      
        MMC host:
         - mvsdio: Drop sg_miter support for PIO as it didn't work
         - sdhci-of-dwcmshc: Prevent stale interrupt for the T-Head 1520
           variant"
      
      * tag 'mmc-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-of-dwcmshc: Prevent stale command interrupt handling
        Revert "mmc: mvsdio: Use sg_miter for PIO"
        mmc: core: Only set maximum DMA segment size if DMA is supported
      7351a879
    • Linus Torvalds's avatar
      Merge tag 'ata-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux · 3700dc91
      Linus Torvalds authored
      Pull ata fixes from Niklas Cassel:
      
       - Fix a hibernate regression where the disk was needlessly spun down
         and then immediately spun up both when entering and when resuming
         from hibernation (me)
      
       - Update the MAINTAINERS file to remove remnants from Jens
         maintainership of libata (Damien)
      
      * tag 'ata-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
        ata: libata: Update MAINTAINERS file
        ata: libata: avoid superfluous disk spin down + spin up during hibernation
      3700dc91
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2024-10-11' of https://gitlab.freedesktop.org/drm/kernel · befcc893
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes haul for drm, lots of small fixes all over, amdgpu, xe
        lead the way, some minor nouveau and radeon fixes, and then a bunch of
        misc all over.
      
        Nothing too scary or out of the unusual.
      
        sched:
         - Avoid leaking lockdep map
      
        fbdev-dma:
         - Only clean up deferred I/O if instanciated
      
        amdgpu:
         - Fix invalid UBSAN warnings
         - Fix artifacts in MPO transitions
         - Hibernation fix
      
        amdkfd:
         - Fix an eviction fence leak
      
        radeon:
         - Add late register for connectors
         - Always set GEM function pointers
      
        i915:
         - HDCP refcount fix
      
        nouveau:
         - dmem: Fix privileged error in copy engine channel; Fix possible
           data leak in migrate_to_ram()
         - gsp: Fix coding style
      
        v3d:
         - Stop active perfmon before destroying it
      
        vc4:
         - Stop active perfmon before destroying it
      
        xe:
         - Drop GuC submit_wq pool
         - Fix error checking with xa_store()
         - Fix missing freq restore on GSC load error
         - Fix wedged_mode file permission
         - Fix use-after-free in ct communication"
      
      * tag 'drm-fixes-2024-10-11' of https://gitlab.freedesktop.org/drm/kernel:
        drm/fbdev-dma: Only cleanup deferred I/O if necessary
        drm/xe: Make wedged_mode debugfs writable
        drm/xe: Restore GT freq on GSC load error
        drm/xe/guc_submit: fix xa_store() error checking
        drm/xe/ct: fix xa_store() error checking
        drm/xe/ct: prevent UAF in send_recv()
        drm/radeon: always set GEM function pointer
        nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error
        nouveau/dmem: Fix privileged error in copy engine channel
        drm/amd/display: fix hibernate entry for DCN35+
        drm/amd/display: Clear update flags after update has been applied
        drm/amdgpu: partially revert powerplay `__counted_by` changes
        drm/radeon: add late_register for connector
        drm/amdkfd: Fix an eviction fence leak
        drm/vc4: Stop the active perfmon before being destroyed
        drm/v3d: Stop the active perfmon before being destroyed
        drm/i915/hdcp: fix connector refcounting
        drm/nouveau/gsp: remove extraneous ; after mutex
        drm/xe: Drop GuC submit_wq pool
        drm/sched: Use drm sched lockdep map for submit_wq
      befcc893
    • Dave Airlie's avatar
      Merge tag 'drm-xe-fixes-2024-10-10' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · ac44ff7c
      Dave Airlie authored
      Driver Changes:
      - Fix error checking with xa_store() (Matthe Auld)
      - Fix missing freq restore on GSC load error (Vinay)
      - Fix wedged_mode file permission (Matt Roper)
      - Fix use-after-free in ct communication (Matthew Auld)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Lucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/jri65tmv3bjbhqhxs5smv45nazssxzhtwphojem4uufwtjuliy@gsdhlh6kzsdy
      ac44ff7c
  2. 10 Oct, 2024 33 commits
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2024-10-10' of... · b634acb2
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2024-10-10' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
      
      Short summary of fixes pull:
      
      fbdev-dma:
      - Only clean up deferred I/O if instanciated
      
      nouveau:
      - dmem: Fix privileged error in copy engine channel; Fix possible
      data leak in migrate_to_ram()
      - gsp: Fix coding style
      
      sched:
      - Avoid leaking lockdep map
      
      v3d:
      - Stop active perfmon before destroying it
      
      vc4:
      - Stop active perfmon before destroying it
      
      xe:
      - Drop GuC submit_wq pool
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20241010133708.GA461532@localhost.localdomain
      b634acb2
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2024-10-10' of... · fe4a435b
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2024-10-10' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes
      
      - HDCP refcount fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Zwd78Tnw8t3w9F16@jlahtine-mobl.ger.corp.intel.com
      fe4a435b
    • Linus Torvalds's avatar
      Merge tag 'net-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1d227fcc
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth and netfilter.
      
        Current release - regressions:
      
         - dsa: sja1105: fix reception from VLAN-unaware bridges
      
         - Revert "net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is
           enabled"
      
         - eth: fec: don't save PTP state if PTP is unsupported
      
        Current release - new code bugs:
      
         - smc: fix lack of icsk_syn_mss with IPPROTO_SMC, prevent null-deref
      
         - eth: airoha: update Tx CPU DMA ring idx at the end of xmit loop
      
         - phy: aquantia: AQR115c fix up PMA capabilities
      
        Previous releases - regressions:
      
         - tcp: 3 fixes for retrans_stamp and undo logic
      
        Previous releases - always broken:
      
         - net: do not delay dst_entries_add() in dst_release()
      
         - netfilter: restrict xtables extensions to families that are safe,
           syzbot found a way to combine ebtables with extensions that are
           never used by userspace tools
      
         - sctp: ensure sk_state is set to CLOSED if hashing fails in
           sctp_listen_start
      
         - mptcp: handle consistently DSS corruption, and prevent corruption
           due to large pmtu xmit"
      
      * tag 'net-6.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (87 commits)
        MAINTAINERS: Add headers and mailing list to UDP section
        MAINTAINERS: consistently exclude wireless files from NETWORKING [GENERAL]
        slip: make slhc_remember() more robust against malicious packets
        net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC
        ppp: fix ppp_async_encode() illegal access
        docs: netdev: document guidance on cleanup patches
        phonet: Handle error of rtnl_register_module().
        mpls: Handle error of rtnl_register_module().
        mctp: Handle error of rtnl_register_module().
        bridge: Handle error of rtnl_register_module().
        vxlan: Handle error of rtnl_register_module().
        rtnetlink: Add bulk registration helpers for rtnetlink message handlers.
        net: do not delay dst_entries_add() in dst_release()
        mptcp: pm: do not remove closing subflows
        mptcp: fallback when MPTCP opts are dropped after 1st data
        tcp: fix mptcp DSS corruption due to large pmtu xmit
        mptcp: handle consistently DSS corruption
        net: netconsole: fix wrong warning
        net: dsa: refuse cross-chip mirroring operations
        net: fec: don't save PTP state if PTP is unsupported
        ...
      1d227fcc
    • Linus Torvalds's avatar
      Merge tag 'trace-ringbuffer-v6.12-rc2' of... · 0edab8d1
      Linus Torvalds authored
      Merge tag 'trace-ringbuffer-v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull tracing fix from Steven Rostedt:
       "Ring-buffer fix: do not have boot-mapped buffers use CPU hotplug
        callbacks
      
        When a ring buffer is mapped to memory assigned at boot, it also
        splits it up evenly between the possible CPUs. But the allocation code
        still attached a CPU notifier callback to this ring buffer. When a CPU
        is added, the callback will happen and another per-cpu buffer is
        created for the ring buffer.
      
        But for boot mapped buffers, there is no room to add another one (as
        they were all created already). The result of calling the CPU hotplug
        notifier on a boot mapped ring buffer is unpredictable and could lead
        to a system crash.
      
        If the ring buffer is boot mapped simply do not attach the CPU
        notifier to it"
      
      * tag 'trace-ringbuffer-v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        ring-buffer: Do not have boot mapped buffers hook to CPU hotplug
      0edab8d1
    • Linus Torvalds's avatar
      Merge tag 'for-6.12-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · eb952c47
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - update fstrim loop and add more cancellation points, fix reported
         delayed or blocked suspend if there's a huge chunk queued
      
       - fix error handling in recent qgroup xarray conversion
      
       - in zoned mode, fix warning printing device path without RCU
         protection
      
       - again fix invalid extent xarray state (6252690f), lost due to
         refactoring
      
      * tag 'for-6.12-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix clear_dirty and writeback ordering in submit_one_sector()
        btrfs: zoned: fix missing RCU locking in error message when loading zone info
        btrfs: fix missing error handling when adding delayed ref with qgroups enabled
        btrfs: add cancellation points to trim loops
        btrfs: split remaining space to discard in chunks
      eb952c47
    • Linus Torvalds's avatar
      Merge tag 'nfsd-6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · 5870963f
      Linus Torvalds authored
      Pull nfsd fixes from Chuck Lever:
      
       - Fix NFSD bring-up / shutdown
      
       - Fix a UAF when releasing a stateid
      
      * tag 'nfsd-6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        nfsd: fix possible badness in FREE_STATEID
        nfsd: nfsd_destroy_serv() must call svc_destroy() even if nfsd_startup_net() failed
        NFSD: Mark filecache "down" if init fails
      5870963f
    • Linus Torvalds's avatar
      Merge tag 'xfs-6.12-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 825ec756
      Linus Torvalds authored
      Pull xfs fixes from Carlos Maiolino:
      
       - A few small typo fixes
      
       - fstests xfs/538 DEBUG-only fix
      
       - Performance fix on blockgc on COW'ed files, by skipping trims on
         cowblock inodes currently opened for write
      
       - Prevent cowblocks to be freed under dirty pagecache during unshare
      
       - Update MAINTAINERS file to quote the new maintainer
      
      * tag 'xfs-6.12-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: fix a typo
        xfs: don't free cowblocks from under dirty pagecache on unshare
        xfs: skip background cowblock trims on inodes open for write
        xfs: support lowmode allocations in xfs_bmap_exact_minlen_extent_alloc
        xfs: call xfs_bmap_exact_minlen_extent_alloc from xfs_bmap_btalloc
        xfs: don't ifdef around the exact minlen allocations
        xfs: fold xfs_bmap_alloc_userdata into xfs_bmapi_allocate
        xfs: distinguish extra split from real ENOSPC from xfs_attr_node_try_addname
        xfs: distinguish extra split from real ENOSPC from xfs_attr3_leaf_split
        xfs: return bool from xfs_attr3_leaf_add
        xfs: merge xfs_attr_leaf_try_add into xfs_attr_leaf_addname
        xfs: Use try_cmpxchg() in xlog_cil_insert_pcp_aggregate()
        xfs: scrub: convert comma to semicolon
        xfs: Remove empty declartion in header file
        MAINTAINERS: add Carlos Maiolino as XFS release manager
      825ec756
    • Jakub Kicinski's avatar
      Merge branch 'maintainers-networking-file-coverage-updates' · 7b43ba65
      Jakub Kicinski authored
      Simon Horman says:
      
      ====================
      MAINTAINERS: Networking file coverage updates
      
      The aim of this proposal is to make the handling of some files,
      related to Networking and Wireless, more consistently. It does so by:
      
      1. Adding some more headers to the UDP section, making it consistent
         with the TCP section.
      
      2. Excluding some files relating to Wireless from NETWORKING [GENERAL],
         making their handling consistent with other files related to
         Wireless.
      
      The aim of this is to make things more consistent.  And for MAINTAINERS
      to better reflect the situation on the ground.  I am more than happy to
      be told that the current state of affairs is fine. Or for other ideas to
      be discussed.
      
      v1: https://lore.kernel.org/20241004-maint-net-hdrs-v1-0-41fd555aacc5@kernel.org
      ====================
      
      Link: https://patch.msgid.link/20241009-maint-net-hdrs-v2-0-f2c86e7309c8@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7b43ba65
    • Simon Horman's avatar
      MAINTAINERS: Add headers and mailing list to UDP section · 5404b5a2
      Simon Horman authored
      Add netdev mailing list and some more udp.h headers to the UDP section.
      This is now more consistent with the TCP section.
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20241009-maint-net-hdrs-v2-2-f2c86e7309c8@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5404b5a2
    • Simon Horman's avatar
      MAINTAINERS: consistently exclude wireless files from NETWORKING [GENERAL] · 9937aae3
      Simon Horman authored
      We already exclude wireless drivers from the netdev@ traffic, to
      delegate it to linux-wireless@, and avoid overwhelming netdev@.
      
      Many of the following wireless-related sections MAINTAINERS
      are already not included in the NETWORKING [GENERAL] section.
      For consistency, exclude those that are.
      
      * 802.11 (including CFG80211/NL80211)
      * MAC80211
      * RFKILL
      Acked-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20241009-maint-net-hdrs-v2-1-f2c86e7309c8@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9937aae3
    • Eric Dumazet's avatar
      slip: make slhc_remember() more robust against malicious packets · 7d3fce8c
      Eric Dumazet authored
      syzbot found that slhc_remember() was missing checks against
      malicious packets [1].
      
      slhc_remember() only checked the size of the packet was at least 20,
      which is not good enough.
      
      We need to make sure the packet includes the IPv4 and TCP header
      that are supposed to be carried.
      
      Add iph and th pointers to make the code more readable.
      
      [1]
      
      BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
        slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
        ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
        ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
        ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
        ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
        pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
        sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
        __release_sock+0x1da/0x330 net/core/sock.c:3072
        release_sock+0x6b/0x250 net/core/sock.c:3626
        pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
        sock_sendmsg_nosec net/socket.c:729 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:744
        ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
        __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
        __do_sys_sendmmsg net/socket.c:2771 [inline]
        __se_sys_sendmmsg net/socket.c:2768 [inline]
        __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
        x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Uninit was created at:
        slab_post_alloc_hook mm/slub.c:4091 [inline]
        slab_alloc_node mm/slub.c:4134 [inline]
        kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
        kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
        __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
        alloc_skb include/linux/skbuff.h:1322 [inline]
        sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
        pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
        sock_sendmsg_nosec net/socket.c:729 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:744
        ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
        __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
        __do_sys_sendmmsg net/socket.c:2771 [inline]
        __se_sys_sendmmsg net/socket.c:2768 [inline]
        __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
        x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
      
      Fixes: b5451d78 ("slip: Move the SLIP drivers")
      Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#uSigned-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7d3fce8c
    • D. Wythe's avatar
      net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC · 6fd27ea1
      D. Wythe authored
      Eric report a panic on IPPROTO_SMC, and give the facts
      that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.
      
      Bug: Unable to handle kernel NULL pointer dereference at virtual address
      0000000000000000
      Mem abort info:
      ESR = 0x0000000086000005
      EC = 0x21: IABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x05: level 1 translation fault
      user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000
      [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,
      pud=0000000000000000
      Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted
      6.11.0-rc7-syzkaller-g5f5673607153 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 08/06/2024
      pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : 0x0
      lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910
      sp : ffff80009b887a90
      x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000
      x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00
      x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000
      x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee
      x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001
      x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003
      x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1
      x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
      x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000
      x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000
      Call trace:
      0x0
      netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000
      smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593
      smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973
      security_socket_post_create+0x94/0xd4 security/security.c:4425
      __sock_create+0x4c8/0x884 net/socket.c:1587
      sock_create net/socket.c:1622 [inline]
      __sys_socket_create net/socket.c:1659 [inline]
      __sys_socket+0x134/0x340 net/socket.c:1706
      __do_sys_socket net/socket.c:1720 [inline]
      __se_sys_socket net/socket.c:1718 [inline]
      __arm64_sys_socket+0x7c/0x94 net/socket.c:1718
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
      Code: ???????? ???????? ???????? ???????? (????????)
      ---[ end trace 0000000000000000 ]---
      
      This patch add a toy implementation that performs a simple return to
      prevent such panic. This is because MSS can be set in sock_create_kern
      or smc_setsockopt, similar to how it's done in AF_SMC. However, for
      AF_SMC, there is currently no way to synchronize MSS within
      __sys_connect_file. This toy implementation lays the groundwork for us
      to support such feature for IPPROTO_SMC in the future.
      
      Fixes: d25a92cc ("net/smc: Introduce IPPROTO_SMC")
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Link: https://patch.msgid.link/1728456916-67035-1-git-send-email-alibuda@linux.alibaba.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6fd27ea1
    • Eric Dumazet's avatar
      ppp: fix ppp_async_encode() illegal access · 40dddd4b
      Eric Dumazet authored
      syzbot reported an issue in ppp_async_encode() [1]
      
      In this case, pppoe_sendmsg() is called with a zero size.
      Then ppp_async_encode() is called with an empty skb.
      
      BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
       BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
        ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
        ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
        ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
        ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
        ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
        pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
        sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
        __release_sock+0x1da/0x330 net/core/sock.c:3072
        release_sock+0x6b/0x250 net/core/sock.c:3626
        pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
        sock_sendmsg_nosec net/socket.c:729 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:744
        ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
        __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
        __do_sys_sendmmsg net/socket.c:2771 [inline]
        __se_sys_sendmmsg net/socket.c:2768 [inline]
        __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
        x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Uninit was created at:
        slab_post_alloc_hook mm/slub.c:4092 [inline]
        slab_alloc_node mm/slub.c:4135 [inline]
        kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
        kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
        __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
        alloc_skb include/linux/skbuff.h:1322 [inline]
        sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
        pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
        sock_sendmsg_nosec net/socket.c:729 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:744
        ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
        __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
        __do_sys_sendmmsg net/socket.c:2771 [inline]
        __se_sys_sendmmsg net/socket.c:2768 [inline]
        __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
        x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20241009185802.3763282-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      40dddd4b
    • Simon Horman's avatar
      docs: netdev: document guidance on cleanup patches · aeb218d9
      Simon Horman authored
      The purpose of this section is to document what is the current practice
      regarding clean-up patches which address checkpatch warnings and similar
      problems. I feel there is a value in having this documented so others
      can easily refer to it.
      
      Clearly this topic is subjective. And to some extent the current
      practice discourages a wider range of patches than is described here.
      But I feel it is best to start somewhere, with the most well established
      part of the current practice.
      Signed-off-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20241009-doc-mc-clean-v2-1-e637b665fa81@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aeb218d9
    • Paolo Abeni's avatar
      Merge branch 'rtnetlink-handle-error-of-rtnl_register_module' · ffc8fa91
      Paolo Abeni authored
      Kuniyuki Iwashima says:
      
      ====================
      rtnetlink: Handle error of rtnl_register_module().
      
      While converting phonet to per-netns RTNL, I found a weird comment
      
        /* Further rtnl_register_module() cannot fail */
      
      that was true but no longer true after commit addf9b90 ("net:
      rtnetlink: use rcu to free rtnl message handlers").
      
      Many callers of rtnl_register_module() just ignore the returned
      value but should handle them properly.
      
      This series introduces two helpers, rtnl_register_many() and
      rtnl_unregister_many(), to do that easily and fix such callers.
      
      All rtnl_register() and rtnl_register_module() will be converted
      to _many() variant and some rtnl_lock() will be saved in _many()
      later in net-next.
      
      Changes:
        v4:
          * Add more context in changelog of each patch
      
        v3: https://lore.kernel.org/all/20241007124459.5727-1-kuniyu@amazon.com/
          * Move module *owner to struct rtnl_msg_handler
          * Make struct rtnl_msg_handler args/vars const
          * Update mctp goto labels
      
        v2: https://lore.kernel.org/netdev/20241004222358.79129-1-kuniyu@amazon.com/
          * Remove __exit from mctp_neigh_exit().
      
        v1: https://lore.kernel.org/netdev/20241003205725.5612-1-kuniyu@amazon.com/
      ====================
      
      Link: https://patch.msgid.link/20241008184737.9619-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ffc8fa91
    • Kuniyuki Iwashima's avatar
      phonet: Handle error of rtnl_register_module(). · b5e837c8
      Kuniyuki Iwashima authored
      Before commit addf9b90 ("net: rtnetlink: use rcu to free rtnl
      message handlers"), once the first rtnl_register_module() allocated
      rtnl_msg_handlers[PF_PHONET], the following calls never failed.
      
      However, after the commit, rtnl_register_module() could fail silently
      to allocate rtnl_msg_handlers[PF_PHONET][msgtype] and requires error
      handling for each call.
      
      Handling the error allows users to view a module as an all-or-nothing
      thing in terms of the rtnetlink functionality.  This prevents syzkaller
      from reporting spurious errors from its tests, where OOM often occurs
      and module is automatically loaded.
      
      Let's use rtnl_register_many() to handle the errors easily.
      
      Fixes: addf9b90 ("net: rtnetlink: use rcu to free rtnl message handlers")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarRémi Denis-Courmont <courmisch@gmail.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b5e837c8
    • Kuniyuki Iwashima's avatar
      mpls: Handle error of rtnl_register_module(). · 5be2062e
      Kuniyuki Iwashima authored
      Since introduced, mpls_init() has been ignoring the returned
      value of rtnl_register_module(), which could fail silently.
      
      Handling the error allows users to view a module as an all-or-nothing
      thing in terms of the rtnetlink functionality.  This prevents syzkaller
      from reporting spurious errors from its tests, where OOM often occurs
      and module is automatically loaded.
      
      Let's handle the errors by rtnl_register_many().
      
      Fixes: 03c05665 ("mpls: Netlink commands to add, remove, and dump routes")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      5be2062e
    • Kuniyuki Iwashima's avatar
      mctp: Handle error of rtnl_register_module(). · d5170561
      Kuniyuki Iwashima authored
      Since introduced, mctp has been ignoring the returned value of
      rtnl_register_module(), which could fail silently.
      
      Handling the error allows users to view a module as an all-or-nothing
      thing in terms of the rtnetlink functionality.  This prevents syzkaller
      from reporting spurious errors from its tests, where OOM often occurs
      and module is automatically loaded.
      
      Let's handle the errors by rtnl_register_many().
      
      Fixes: 583be982 ("mctp: Add device handling and netlink interface")
      Fixes: 831119f8 ("mctp: Add neighbour netlink interface")
      Fixes: 06d2f4c5 ("mctp: Add netlink route management")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarJeremy Kerr <jk@codeconstruct.com.au>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d5170561
    • Kuniyuki Iwashima's avatar
      bridge: Handle error of rtnl_register_module(). · cba5e43b
      Kuniyuki Iwashima authored
      Since introduced, br_vlan_rtnl_init() has been ignoring the returned
      value of rtnl_register_module(), which could fail silently.
      
      Handling the error allows users to view a module as an all-or-nothing
      thing in terms of the rtnetlink functionality.  This prevents syzkaller
      from reporting spurious errors from its tests, where OOM often occurs
      and module is automatically loaded.
      
      Let's handle the errors by rtnl_register_many().
      
      Fixes: 8dcea187 ("net: bridge: vlan: add rtm definitions and dump support")
      Fixes: f26b2965 ("net: bridge: vlan: add new rtm message support")
      Fixes: adb3ce9b ("net: bridge: vlan: add del rtm message support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      cba5e43b
    • Kuniyuki Iwashima's avatar
      vxlan: Handle error of rtnl_register_module(). · 78b7b991
      Kuniyuki Iwashima authored
      Since introduced, vxlan_vnifilter_init() has been ignoring the
      returned value of rtnl_register_module(), which could fail silently.
      
      Handling the error allows users to view a module as an all-or-nothing
      thing in terms of the rtnetlink functionality.  This prevents syzkaller
      from reporting spurious errors from its tests, where OOM often occurs
      and module is automatically loaded.
      
      Let's handle the errors by rtnl_register_many().
      
      Fixes: f9c4bb0b ("vxlan: vni filtering support on collect metadata device")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      78b7b991
    • Kuniyuki Iwashima's avatar
      rtnetlink: Add bulk registration helpers for rtnetlink message handlers. · 07cc7b0b
      Kuniyuki Iwashima authored
      Before commit addf9b90 ("net: rtnetlink: use rcu to free rtnl message
      handlers"), once rtnl_msg_handlers[protocol] was allocated, the following
      rtnl_register_module() for the same protocol never failed.
      
      However, after the commit, rtnl_msg_handler[protocol][msgtype] needs to
      be allocated in each rtnl_register_module(), so each call could fail.
      
      Many callers of rtnl_register_module() do not handle the returned error,
      and we need to add many error handlings.
      
      To handle that easily, let's add wrapper functions for bulk registration
      of rtnetlink message handlers.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      07cc7b0b
    • Ulf Hansson's avatar
      PM: domains: Fix alloc/free in dev_pm_domain_attach|detach_list() · 77385688
      Ulf Hansson authored
      The dev_pm_domain_attach|detach_list() functions are not resource managed,
      hence they should not use devm_* helpers to manage allocation/freeing of
      data. Let's fix this by converting to the traditional alloc/free functions.
      
      Fixes: 161e16a5 ("PM: domains: Add helper functions to attach/detach multiple PM domains")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Link: https://lore.kernel.org/r/20241002122232.194245-3-ulf.hansson@linaro.org
      77385688
    • Ulf Hansson's avatar
      Revert "drm/tegra: gr3d: Convert into dev_pm_domain_attach|detach_list()" · fa36b4bc
      Ulf Hansson authored
      This reverts commit f790b5c0.
      
      The reverted commit was not ready to be applied due to dependency on other
      OPP/pmdomain changes that didn't make it for the last release cycle. Let's
      revert it to fix the behaviour.
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Link: https://lore.kernel.org/r/20241002122232.194245-2-ulf.hansson@linaro.org
      fa36b4bc
    • Paolo Abeni's avatar
      Merge tag 'nf-24-10-09' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 9a3cd877
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Restrict xtables extensions to families that are safe, syzbot found
         a way to combine ebtables with extensions that are never used by
         userspace tools. From Florian Westphal.
      
      2) Set l3mdev inconditionally whenever possible in nft_fib to fix lookup
         mismatch, also from Florian.
      
      netfilter pull request 24-10-09
      
      * tag 'nf-24-10-09' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        selftests: netfilter: conntrack_vrf.sh: add fib test case
        netfilter: fib: check correct rtable in vrf setups
        netfilter: xtables: avoid NFPROTO_UNSPEC where needed
      ====================
      
      Link: https://patch.msgid.link/20241009213858.3565808-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      9a3cd877
    • Michal Wilczynski's avatar
      mmc: sdhci-of-dwcmshc: Prevent stale command interrupt handling · 27e8fe0d
      Michal Wilczynski authored
      While working with the T-Head 1520 LicheePi4A SoC, certain conditions
      arose that allowed me to reproduce a race issue in the sdhci code.
      
      To reproduce the bug, you need to enable the sdio1 controller in the
      device tree file
      `arch/riscv/boot/dts/thead/th1520-lichee-module-4a.dtsi` as follows:
      
      &sdio1 {
      	bus-width = <4>;
      	max-frequency = <100000000>;
      	no-sd;
      	no-mmc;
      	broken-cd;
      	cap-sd-highspeed;
      	post-power-on-delay-ms = <50>;
      	status = "okay";
      	wakeup-source;
      	keep-power-in-suspend;
      };
      
      When resetting the SoC using the reset button, the following messages
      appear in the dmesg log:
      
      [    8.164898] mmc2: Got command interrupt 0x00000001 even though no
      command operation was in progress.
      [    8.174054] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
      [    8.180503] mmc2: sdhci: Sys addr:  0x00000000 | Version:  0x00000005
      [    8.186950] mmc2: sdhci: Blk size:  0x00000000 | Blk cnt:  0x00000000
      [    8.193395] mmc2: sdhci: Argument:  0x00000000 | Trn mode: 0x00000000
      [    8.199841] mmc2: sdhci: Present:   0x03da0000 | Host ctl: 0x00000000
      [    8.206287] mmc2: sdhci: Power:     0x0000000f | Blk gap:  0x00000000
      [    8.212733] mmc2: sdhci: Wake-up:   0x00000000 | Clock:    0x0000decf
      [    8.219178] mmc2: sdhci: Timeout:   0x00000000 | Int stat: 0x00000000
      [    8.225622] mmc2: sdhci: Int enab:  0x00ff1003 | Sig enab: 0x00ff1003
      [    8.232068] mmc2: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000000
      [    8.238513] mmc2: sdhci: Caps:      0x3f69c881 | Caps_1:   0x08008177
      [    8.244959] mmc2: sdhci: Cmd:       0x00000502 | Max curr: 0x00191919
      [    8.254115] mmc2: sdhci: Resp[0]:   0x00001009 | Resp[1]:  0x00000000
      [    8.260561] mmc2: sdhci: Resp[2]:   0x00000000 | Resp[3]:  0x00000000
      [    8.267005] mmc2: sdhci: Host ctl2: 0x00001000
      [    8.271453] mmc2: sdhci: ADMA Err:  0x00000000 | ADMA Ptr:
      0x0000000000000000
      [    8.278594] mmc2: sdhci: ============================================
      
      I also enabled some traces to better understand the problem:
      
           kworker/3:1-62      [003] .....     8.163538: mmc_request_start:
      mmc2: start struct mmc_request[000000000d30cc0c]: cmd_opcode=5
      cmd_arg=0x0 cmd_flags=0x2e1 cmd_retries=0 stop_opcode=0 stop_arg=0x0
      stop_flags=0x0 stop_retries=0 sbc_opcode=0 sbc_arg=0x0 sbc_flags=0x0
      sbc_retires=0 blocks=0 block_size=0 blk_addr=0 data_flags=0x0 tag=0
      can_retune=0 doing_retune=0 retune_now=0 need_retune=0 hold_retune=1
      retune_period=0
                <idle>-0       [000] d.h2.     8.164816: sdhci_cmd_irq:
      hw_name=ffe70a0000.mmc quirks=0x2008008 quirks2=0x8 intmask=0x10000
      intmask_p=0x18000
           irq/24-mmc2-96      [000] .....     8.164840: sdhci_thread_irq:
      msg=
           irq/24-mmc2-96      [000] d.h2.     8.164896: sdhci_cmd_irq:
      hw_name=ffe70a0000.mmc quirks=0x2008008 quirks2=0x8 intmask=0x1
      intmask_p=0x1
           irq/24-mmc2-96      [000] .....     8.285142: mmc_request_done:
      mmc2: end struct mmc_request[000000000d30cc0c]: cmd_opcode=5
      cmd_err=-110 cmd_resp=0x0 0x0 0x0 0x0 cmd_retries=0 stop_opcode=0
      stop_err=0 stop_resp=0x0 0x0 0x0 0x0 stop_retries=0 sbc_opcode=0
      sbc_err=0 sbc_resp=0x0 0x0 0x0 0x0 sbc_retries=0 bytes_xfered=0
      data_err=0 tag=0 can_retune=0 doing_retune=0 retune_now=0 need_retune=0
      hold_retune=1 retune_period=0
      
      Here's what happens: the __mmc_start_request function is called with
      opcode 5. Since the power to the Wi-Fi card, which resides on this SDIO
      bus, is initially off after the reset, an interrupt SDHCI_INT_TIMEOUT is
      triggered. Immediately after that, a second interrupt SDHCI_INT_RESPONSE
      is triggered. Depending on the exact timing, these conditions can
      trigger the following race problem:
      
      1) The sdhci_cmd_irq top half handles the command as an error. It sets
         host->cmd to NULL and host->pending_reset to true.
      2) The sdhci_thread_irq bottom half is scheduled next and executes faster
         than the second interrupt handler for SDHCI_INT_RESPONSE. It clears
         host->pending_reset before the SDHCI_INT_RESPONSE handler runs.
      3) The pending interrupt SDHCI_INT_RESPONSE handler gets called, triggering
         a code path that prints: "mmc2: Got command interrupt 0x00000001 even
         though no command operation was in progress."
      
      To solve this issue, we need to clear pending interrupts when resetting
      host->pending_reset. This ensures that after sdhci_threaded_irq restores
      interrupts, there are no pending stale interrupts.
      
      The behavior observed here is non-compliant with the SDHCI standard.
      Place the code in the sdhci-of-dwcmshc driver to account for a
      hardware-specific quirk instead of the core SDHCI code.
      Signed-off-by: default avatarMichal Wilczynski <m.wilczynski@samsung.com>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Fixes: 43658a54 ("mmc: sdhci-of-dwcmshc: Add support for T-Head TH1520")
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20241008100327.4108895-1-m.wilczynski@samsung.comSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      27e8fe0d
    • Eric Dumazet's avatar
      net: do not delay dst_entries_add() in dst_release() · ac888d58
      Eric Dumazet authored
      dst_entries_add() uses per-cpu data that might be freed at netns
      dismantle from ip6_route_net_exit() calling dst_entries_destroy()
      
      Before ip6_route_net_exit() can be called, we release all
      the dsts associated with this netns, via calls to dst_release(),
      which waits an rcu grace period before calling dst_destroy()
      
      dst_entries_add() use in dst_destroy() is racy, because
      dst_entries_destroy() could have been called already.
      
      Decrementing the number of dsts must happen sooner.
      
      Notes:
      
      1) in CONFIG_XFRM case, dst_destroy() can call
         dst_release_immediate(child), this might also cause UAF
         if the child does not have DST_NOCOUNT set.
         IPSEC maintainers might take a look and see how to address this.
      
      2) There is also discussion about removing this count of dst,
         which might happen in future kernels.
      
      Fixes: f8864972 ("ipv4: fix dst race in sk_dst_get()")
      Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Tested-by: default avatarLinux Kernel Functional Testing <lkft@linaro.org>
      Tested-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Xin Long <lucien.xin@gmail.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ac888d58
    • Damien Le Moal's avatar
      ata: libata: Update MAINTAINERS file · 0df4b9d9
      Damien Le Moal authored
      Modify the entry for the ahci_platform driver (LIBATA SATA
      AHCI PLATFORM devices support) in the MAINTAINERS file to remove Jens
      as maintainer. Also remove all references to Jens block tree from the
      various LIBATA driver entries as the tree reference for these is defined
      by the LIBATA SUBSYSTEM entry.
      Signed-off-by: default avatarDamien Le Moal <dlemoal@kernel.org>
      Acked-by: default avatarJens Axboe <axboe@kernel.dk>
      Link: https://lore.kernel.org/r/20241010020117.416333-1-dlemoal@kernel.orgSigned-off-by: default avatarNiklas Cassel <cassel@kernel.org>
      0df4b9d9
    • Janne Grunau's avatar
      drm/fbdev-dma: Only cleanup deferred I/O if necessary · fcddc71e
      Janne Grunau authored
      Commit 5a498d4d ("drm/fbdev-dma: Only install deferred I/O if
      necessary") initializes deferred I/O only if it is used.
      drm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()
      unconditionally with struct fb_info.fbdefio == NULL. KASAN with the
      out-of-tree Apple silicon display driver posts following warning from
      __flush_work() of a random struct work_struct instead of the expected
      NULL pointer derefs.
      
      [   22.053799] ------------[ cut here ]------------
      [   22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580
      [   22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram
      [   22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev
      [   22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
      [   22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
      [   22.078567] pc : __flush_work+0x4d8/0x580
      [   22.079471] lr : __flush_work+0x54/0x580
      [   22.080345] sp : ffffc000836ef820
      [   22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128
      [   22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358
      [   22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470
      [   22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000
      [   22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005
      [   22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000
      [   22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e
      [   22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001
      [   22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020
      [   22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000
      [   22.096955] Call trace:
      [   22.097505]  __flush_work+0x4d8/0x580
      [   22.098330]  flush_delayed_work+0x80/0xb8
      [   22.099231]  fb_deferred_io_cleanup+0x3c/0x130
      [   22.100217]  drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]
      [   22.101559]  unregister_framebuffer+0x210/0x2f0
      [   22.102575]  drm_fb_helper_unregister_info+0x48/0x60
      [   22.103683]  drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]
      [   22.105147]  drm_client_dev_unregister+0x1cc/0x230
      [   22.106217]  drm_dev_unregister+0x58/0x570
      [   22.107125]  apple_drm_unbind+0x50/0x98 [appledrm]
      [   22.108199]  component_del+0x1f8/0x3a8
      [   22.109042]  dcp_platform_shutdown+0x24/0x38 [apple_dcp]
      [   22.110357]  platform_shutdown+0x70/0x90
      [   22.111219]  device_shutdown+0x368/0x4d8
      [   22.112095]  kernel_restart+0x6c/0x1d0
      [   22.112946]  __arm64_sys_reboot+0x1c8/0x328
      [   22.113868]  invoke_syscall+0x78/0x1a8
      [   22.114703]  do_el0_svc+0x124/0x1a0
      [   22.115498]  el0_svc+0x3c/0xe0
      [   22.116181]  el0t_64_sync_handler+0x70/0xc0
      [   22.117110]  el0t_64_sync+0x190/0x198
      [   22.117931] ---[ end trace 0000000000000000 ]---
      Signed-off-by: default avatarJanne Grunau <j@jannau.net>
      Fixes: 5a498d4d ("drm/fbdev-dma: Only install deferred I/O if necessary")
      Reviewed-by: default avatarThomas Zimmermann <tzimmermann@suse.de>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarThomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZwLNuZL-8Gh5UUQb@robin
      fcddc71e
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · a354733c
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2024-10-08 (ice, i40e, igb, e1000e)
      
      This series contains updates to ice, i40e, igb, and e1000e drivers.
      
      For ice:
      
      Marcin allows driver to load, into safe mode, when DDP package is
      missing or corrupted and adjusts the netif_is_ice() check to
      account for when the device is in safe mode. He also fixes an
      out-of-bounds issue when MSI-X are increased for VFs.
      
      Wojciech clears FDB entries on reset to match the hardware state.
      
      For i40e:
      
      Aleksandr adds locking around MACVLAN filters to prevent memory leaks
      due to concurrency issues.
      
      For igb:
      
      Mohamed Khalfella adds a check to not attempt to bring up an already
      running interface on non-fatal PCIe errors.
      
      For e1000e:
      
      Vitaly changes board type for I219 to more closely match the hardware
      and stop PHY issues.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        e1000e: change I219 (19) devices to ADP
        igb: Do not bring the device up after non-fatal error
        i40e: Fix macvlan leak by synchronizing access to mac_filter_hash
        ice: Fix increasing MSI-X on VF
        ice: Flush FDB entries before reset
        ice: Fix netif_is_ice() in Safe Mode
        ice: Fix entering Safe Mode
      ====================
      
      Link: https://patch.msgid.link/20241008230050.928245-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a354733c
    • Jakub Kicinski's avatar
      Merge branch 'mptcp-misc-fixes-involving-fallback-to-tcp' · 5151a35c
      Jakub Kicinski authored
      Matthieu Baerts says:
      
      ====================
      mptcp: misc. fixes involving fallback to TCP
      
      - Patch 1: better handle DSS corruptions from a bugged peer: reducing
        warnings, doing a fallback or a reset depending on the subflow state.
        For >= v5.7.
      
      - Patch 2: fix DSS corruption due to large pmtu xmit, where MPTCP was
        not taken into account. For >= v5.6.
      
      - Patch 3: fallback when MPTCP opts are dropped after the first data
        packet, instead of resetting the connection. For >= v5.6.
      
      - Patch 4: restrict the removal of a subflow to other closing states, a
        better fix, for a recent one. For >= v5.10.
      ====================
      
      Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-0-c6fb8e93e551@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5151a35c
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: pm: do not remove closing subflows · db0a37b7
      Matthieu Baerts (NGI0) authored
      In a previous fix, the in-kernel path-manager has been modified not to
      retrigger the removal of a subflow if it was already closed, e.g. when
      the initial subflow is removed, but kept in the subflows list.
      
      To be complete, this fix should also skip the subflows that are in any
      closing state: mptcp_close_ssk() will initiate the closure, but the
      switch to the TCP_CLOSE state depends on the other peer.
      
      Fixes: 58e1b66b ("mptcp: pm: do not remove already closed subflows")
      Cc: stable@vger.kernel.org
      Suggested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-4-c6fb8e93e551@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      db0a37b7
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: fallback when MPTCP opts are dropped after 1st data · 119d51e2
      Matthieu Baerts (NGI0) authored
      As reported by Christoph [1], before this patch, an MPTCP connection was
      wrongly reset when a host received a first data packet with MPTCP
      options after the 3wHS, but got the next ones without.
      
      According to the MPTCP v1 specs [2], a fallback should happen in this
      case, because the host didn't receive a DATA_ACK from the other peer,
      nor receive data for more than the initial window which implies a
      DATA_ACK being received by the other peer.
      
      The patch here re-uses the same logic as the one used in other places:
      by looking at allow_infinite_fallback, which is disabled at the creation
      of an additional subflow. It's not looking at the first DATA_ACK (or
      implying one received from the other side) as suggested by the RFC, but
      it is in continuation with what was already done, which is safer, and it
      fixes the reported issue. The next step, looking at this first DATA_ACK,
      is tracked in [4].
      
      This patch has been validated using the following Packetdrill script:
      
         0 socket(..., SOCK_STREAM, IPPROTO_MPTCP) = 3
        +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
        +0 bind(3, ..., ...) = 0
        +0 listen(3, 1) = 0
      
        // 3WHS is OK
        +0.0 < S  0:0(0)       win 65535  <mss 1460, sackOK, nop, nop, nop, wscale 6, mpcapable v1 flags[flag_h] nokey>
        +0.0 > S. 0:0(0) ack 1            <mss 1460, nop, nop, sackOK, nop, wscale 8, mpcapable v1 flags[flag_h] key[skey]>
        +0.1 <  . 1:1(0) ack 1 win 2048                                              <mpcapable v1 flags[flag_h] key[ckey=2, skey]>
        +0 accept(3, ..., ...) = 4
      
        // Data from the client with valid MPTCP options (no DATA_ACK: normal)
        +0.1 < P. 1:501(500) ack 1 win 2048 <mpcapable v1 flags[flag_h] key[skey, ckey] mpcdatalen 500, nop, nop>
        // From here, the MPTCP options will be dropped by a middlebox
        +0.0 >  . 1:1(0)     ack 501        <dss dack8=501 dll=0 nocs>
      
        +0.1 read(4, ..., 500) = 500
        +0   write(4, ..., 100) = 100
      
        // The server replies with data, still thinking MPTCP is being used
        +0.0 > P. 1:101(100)   ack 501          <dss dack8=501 dsn8=1 ssn=1 dll=100 nocs, nop, nop>
        // But the client already did a fallback to TCP, because the two previous packets have been received without MPTCP options
        +0.1 <  . 501:501(0)   ack 101 win 2048
      
        +0.0 < P. 501:601(100) ack 101 win 2048
        // The server should fallback to TCP, not reset: it didn't get a DATA_ACK, nor data for more than the initial window
        +0.0 >  . 101:101(0)   ack 601
      
      Note that this script requires Packetdrill with MPTCP support, see [3].
      
      Fixes: dea2b1ea ("mptcp: do not reset MP_CAPABLE subflow on mapping errors")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/518 [1]
      Link: https://datatracker.ietf.org/doc/html/rfc8684#name-fallback [2]
      Link: https://github.com/multipath-tcp/packetdrill [3]
      Link: https://github.com/multipath-tcp/mptcp_net-next/issues/519 [4]
      Reviewed-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-3-c6fb8e93e551@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      119d51e2
    • Paolo Abeni's avatar
      tcp: fix mptcp DSS corruption due to large pmtu xmit · 4dabcdf5
      Paolo Abeni authored
      Syzkaller was able to trigger a DSS corruption:
      
        TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies.
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695
        Modules linked in:
        CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191a #0
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
        RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695
        Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff
        RSP: 0018:ffffc90000006db8 EFLAGS: 00010246
        RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00
        RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0
        RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8
        R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000
        R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5
        FS:  000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         <IRQ>
         move_skbs_to_msk net/mptcp/protocol.c:811 [inline]
         mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854
         subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490
         tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283
         tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237
         tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
         tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350
         ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
         ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
         NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
         NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
         __netif_receive_skb_one_core net/core/dev.c:5662 [inline]
         __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775
         process_backlog+0x662/0x15b0 net/core/dev.c:6107
         __napi_poll+0xcb/0x490 net/core/dev.c:6771
         napi_poll net/core/dev.c:6840 [inline]
         net_rx_action+0x89b/0x1240 net/core/dev.c:6962
         handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
         do_softirq+0x11b/0x1e0 kernel/softirq.c:455
         </IRQ>
         <TASK>
         __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
         local_bh_enable include/linux/bottom_half.h:33 [inline]
         rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
         __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451
         dev_queue_xmit include/linux/netdevice.h:3094 [inline]
         neigh_hh_output include/net/neighbour.h:526 [inline]
         neigh_output include/net/neighbour.h:540 [inline]
         ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
         ip_local_out net/ipv4/ip_output.c:130 [inline]
         __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536
         __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466
         tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
         tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline]
         tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752
         __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015
         tcp_push_pending_frames include/net/tcp.h:2107 [inline]
         tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline]
         tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239
         tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
         sk_backlog_rcv include/net/sock.h:1113 [inline]
         __release_sock+0x214/0x350 net/core/sock.c:3072
         release_sock+0x61/0x1f0 net/core/sock.c:3626
         mptcp_push_release net/mptcp/protocol.c:1486 [inline]
         __mptcp_push_pending+0x6b5/0x9f0 net/mptcp/protocol.c:1625
         mptcp_sendmsg+0x10bb/0x1b10 net/mptcp/protocol.c:1903
         sock_sendmsg_nosec net/socket.c:730 [inline]
         __sock_sendmsg+0x1a6/0x270 net/socket.c:745
         ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2603
         ___sys_sendmsg net/socket.c:2657 [inline]
         __sys_sendmsg+0x2aa/0x390 net/socket.c:2686
         do_syscall_x64 arch/x86/entry/common.c:52 [inline]
         do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
         entry_SYSCALL_64_after_hwframe+0x77/0x7f
        RIP: 0033:0x7fb06e9317f9
        Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
        RSP: 002b:00007ffe2cfd4f98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
        RAX: ffffffffffffffda RBX: 00007fb06e97f468 RCX: 00007fb06e9317f9
        RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005
        RBP: 00007fb06e97f446 R08: 0000555500000000 R09: 0000555500000000
        R10: 0000555500000000 R11: 0000000000000246 R12: 00007fb06e97f406
        R13: 0000000000000001 R14: 00007ffe2cfd4fe0 R15: 0000000000000003
         </TASK>
      
      Additionally syzkaller provided a nice reproducer. The repro enables
      pmtu on the loopback device, leading to tcp_mtu_probe() generating
      very large probe packets.
      
      tcp_can_coalesce_send_queue_head() currently does not check for
      mptcp-level invariants, and allowed the creation of cross-DSS probes,
      leading to the mentioned corruption.
      
      Address the issue teaching tcp_can_coalesce_send_queue_head() about
      mptcp using the tcp_skb_can_collapse(), also reducing the code
      duplication.
      
      Fixes: 85712484 ("tcp: coalesce/collapse must respect MPTCP extensions")
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+d1bff73460e33101f0e7@syzkaller.appspotmail.com
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/513Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-2-c6fb8e93e551@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4dabcdf5