1. 15 Oct, 2022 3 commits
    • Cezar Bulinaru's avatar
      net: hv_netvsc: Fix a warning triggered by memcpy in rndis_filter · 017e4254
      Cezar Bulinaru authored
      memcpy: detected field-spanning write (size 168) of single field "(void *)&request->response_msg + (sizeof(struct rndis_message) - sizeof(union rndis_message_container)) + sizeof(*req_id)" at drivers/net/hyperv/rndis_filter.c:338 (size 40)
      RSP: 0018:ffffc90000144de0 EFLAGS: 00010282
      RAX: 0000000000000000 RBX: ffff8881766b4000 RCX: 0000000000000000
      RDX: 0000000000000102 RSI: 0000000000009ffb RDI: 00000000ffffffff
      RBP: ffffc90000144e38 R08: 0000000000000000 R09: 00000000ffffdfff
      R10: ffffc90000144c48 R11: ffffffff82f56ac8 R12: ffff8881766b403c
      R13: 00000000000000a8 R14: ffff888100b75000 R15: ffff888179301d00
      FS:  0000000000000000(0000) GS:ffff8884d6280000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000055f8b024c418 CR3: 0000000176548001 CR4: 00000000003706e0
      Call Trace:
       <IRQ>
       ? _raw_spin_unlock_irqrestore+0x27/0x50
       netvsc_poll+0x556/0x940 [hv_netvsc]
       __napi_poll+0x2e/0x170
       net_rx_action+0x299/0x2f0
       __do_softirq+0xed/0x2ef
       __irq_exit_rcu+0x9f/0x110
       irq_exit_rcu+0xe/0x20
       sysvec_hyperv_callback+0xb0/0xd0
       </IRQ>
       <TASK>
       asm_sysvec_hyperv_callback+0x1b/0x20
      RIP: 0010:native_safe_halt+0xb/0x10
      
      Fixes: A warning triggered when the response message len exceeds
      the size of rndis_message. Inside the rndis_request structure
      these fields are however followed by a RNDIS_EXT_LEN padding
      so it is safe to use unsafe_memcpy.
      Reviewed-by: default avatarMichael Kelley <mikelley@microsoft.com>
      Signed-off-by: default avatarCezar Bulinaru <cbulinaru@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      017e4254
    • Xiaobo Liu's avatar
      net/atm: fix proc_mpc_write incorrect return value · d8bde3bf
      Xiaobo Liu authored
      Then the input contains '\0' or '\n', proc_mpc_write has read them,
      so the return value needs +1.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXiaobo Liu <cppcoffee@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8bde3bf
    • Jonathan Cooper's avatar
      sfc: Change VF mac via PF as first preference if available. · a8aed7b3
      Jonathan Cooper authored
      Changing a VF's mac address through the VF (rather than via the PF)
      fails with EPERM because the latter part of efx_ef10_set_mac_address
      attempts to change the vport mac address list as the VF.
      Even with this fixed it still fails with EBUSY because the vadaptor
      is still assigned on the VF - the vadaptor reassignment must be within
      a section where the VF has torn down its state.
      
      A major reason this has broken is because we have two functions that
      ostensibly do the same thing - have a PF and VF cooperate to change a
      VF mac address. Rather than do this, if we are changing the mac of a VF
      that has a link to the PF in the same VM then simply call
      sriov_set_vf_mac instead, which is a proven working function that does
      that.
      
      If there is no PF available, or that fails non-fatally, then attempt to
      change the VF's mac address as we would a PF, without updating the PF's
      data.
      
      Test case:
      Create a VF:
        echo 1 > /sys/class/net/<if>/device/sriov_numvfs
      Set the mac address of the VF directly:
        ip link set <vf> addr 00:11:22:33:44:55
      Set the MAC address of the VF via the PF:
        ip link set <pf> vf 0 mac 00:11:22:33:44:66
      Without this patch the last command will fail with ENOENT.
      Signed-off-by: default avatarJonathan Cooper <jonathan.s.cooper@amd.com>
      Reported-by: default avatarÍñigo Huguet <ihuguet@redhat.com>
      Fixes: 910c8789 ("set the MAC address using MC_CMD_VADAPTOR_SET_MAC")
      Acked-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8aed7b3
  2. 14 Oct, 2022 9 commits
    • Krzysztof Kozlowski's avatar
      MAINTAINERS: nfc: s3fwrn5: Drop Krzysztof Opasiak · 0c934117
      Krzysztof Kozlowski authored
      Emails to Krzysztof Opasiak bounce ("Recipient address rejected: User
      unknown") so drop his email from maintainers of s3fwrn5 NFC bindings and
      driver.
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c934117
    • Palmer Dabbelt's avatar
      MAINTAINERS: git://github -> https://github.com for petkan · 9a9a5d80
      Palmer Dabbelt authored
      Github deprecated the git:// links about a year ago, so let's move to
      the https:// URLs instead.
      Reported-by: default avatarConor Dooley <conor.dooley@microchip.com>
      Link: https://github.blog/2021-09-01-improving-git-protocol-security-github/Signed-off-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a9a5d80
    • zhangxiangqian's avatar
      net: macvlan: change schedule system_wq to system_unbound_wq · 3d6642ea
      zhangxiangqian authored
      For FT2000+/64 devices,
      when four virtual machines share the same physical network interface,
      DROP will occur due to the single core CPU performance problem.
      
      ip_check_defrag and macvlan_process_broadcast is on the same CPU.
      When the MACVLAN PORT increases, the CPU usage reaches more than 90%.
      bc_queue > bc_queue_len_used (default 1000), causing DROP.
      Signed-off-by: default avatarzhangxiangqian <zhangxiangqian@kylinos.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d6642ea
    • Jakub Kicinski's avatar
      tls: strp: make sure the TCP skbs do not have overlapping data · 0d87bbd3
      Jakub Kicinski authored
      TLS tries to get away with using the TCP input queue directly.
      This does not work if there is duplicated data (multiple skbs
      holding bytes for the same seq number range due to retransmits).
      Check for this condition and fall back to copy mode, it should
      be rare.
      
      Fixes: 84c61fe1 ("tls: rx: do not use the standard strparser")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d87bbd3
    • Jan Sokolowski's avatar
      i40e: Fix DMA mappings leak · aae425ef
      Jan Sokolowski authored
      During reallocation of RX buffers, new DMA mappings are created for
      those buffers.
      
      steps for reproduction:
      while :
      do
      for ((i=0; i<=8160; i=i+32))
      do
      ethtool -G enp130s0f0 rx $i tx $i
      sleep 0.5
      ethtool -g enp130s0f0
      done
      done
      
      This resulted in crash:
      i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536
      Driver BUG
      WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
      Call Trace:
      i40e_free_rx_resources+0x70/0x80 [i40e]
      i40e_set_ringparam+0x27c/0x800 [i40e]
      ethnl_set_rings+0x1b2/0x290
      genl_family_rcv_msg_doit.isra.15+0x10f/0x150
      genl_family_rcv_msg+0xb3/0x160
      ? rings_fill_reply+0x1a0/0x1a0
      genl_rcv_msg+0x47/0x90
      ? genl_family_rcv_msg+0x160/0x160
      netlink_rcv_skb+0x4c/0x120
      genl_rcv+0x24/0x40
      netlink_unicast+0x196/0x230
      netlink_sendmsg+0x204/0x3d0
      sock_sendmsg+0x4c/0x50
      __sys_sendto+0xee/0x160
      ? handle_mm_fault+0xbe/0x1e0
      ? syscall_trace_enter+0x1d3/0x2c0
      __x64_sys_sendto+0x24/0x30
      do_syscall_64+0x5b/0x1a0
      entry_SYSCALL_64_after_hwframe+0x65/0xca
      RIP: 0033:0x7f5eac8b035b
      Missing register, driver bug
      WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140
      Call Trace:
      xdp_rxq_info_unreg+0x1e/0x50
      i40e_free_rx_resources+0x70/0x80 [i40e]
      i40e_set_ringparam+0x27c/0x800 [i40e]
      ethnl_set_rings+0x1b2/0x290
      genl_family_rcv_msg_doit.isra.15+0x10f/0x150
      genl_family_rcv_msg+0xb3/0x160
      ? rings_fill_reply+0x1a0/0x1a0
      genl_rcv_msg+0x47/0x90
      ? genl_family_rcv_msg+0x160/0x160
      netlink_rcv_skb+0x4c/0x120
      genl_rcv+0x24/0x40
      netlink_unicast+0x196/0x230
      netlink_sendmsg+0x204/0x3d0
      sock_sendmsg+0x4c/0x50
      __sys_sendto+0xee/0x160
      ? handle_mm_fault+0xbe/0x1e0
      ? syscall_trace_enter+0x1d3/0x2c0
      __x64_sys_sendto+0x24/0x30
      do_syscall_64+0x5b/0x1a0
      entry_SYSCALL_64_after_hwframe+0x65/0xca
      RIP: 0033:0x7f5eac8b035b
      
      This was caused because of new buffers with different RX ring count should
      substitute older ones, but those buffers were freed in
      i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,
      thus kfree on rx_bi caused leak of already mapped DMA.
      
      Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally
      reallocate back to rx_bi when BPF program unloads.
      
      If BPF program is loaded/unloaded and XSK pools are created, reallocate
      RX queues accordingly in XSP_SETUP_XSK_POOL handler.
      
      Fixes: be1222b5 ("i40e: Separate kernel allocated rx_bi rings from AF_XDP rings")
      Signed-off-by: default avatarJan Sokolowski <jan.sokolowski@intel.com>
      Signed-off-by: default avatarMateusz Palczewski <mateusz.palczewski@intel.com>
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: Chandan <chandanx.rout@intel.com> (A Contingent Worker at Intel)
      Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aae425ef
    • Christian Marangi's avatar
      net: dsa: qca8k: fix ethtool autocast mib for big-endian systems · 0d4636f7
      Christian Marangi authored
      The switch sends autocast mib in little-endian. This is problematic for
      big-endian system as the values needs to be converted.
      
      Fix this by converting each mib value to cpu byte order.
      
      Fixes: 5c957c7c ("net: dsa: qca8k: add support for mib autocast in Ethernet packet")
      Tested-by: default avatarPawel Dembicki <paweldembicki@gmail.com>
      Tested-by: default avatarLech Perczak <lech.perczak@gmail.com>
      Signed-off-by: default avatarChristian Marangi <ansuelsmth@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d4636f7
    • Christian Marangi's avatar
      net: dsa: qca8k: fix inband mgmt for big-endian systems · a2550d3c
      Christian Marangi authored
      The header and the data of the skb for the inband mgmt requires
      to be in little-endian. This is problematic for big-endian system
      as the mgmt header is written in the cpu byte order.
      
      Fix this by converting each value for the mgmt header and data to
      little-endian, and convert to cpu byte order the mgmt header and
      data sent by the switch.
      
      Fixes: 5950c7c0 ("net: dsa: qca8k: add support for mgmt read/write in Ethernet packet")
      Tested-by: default avatarPawel Dembicki <paweldembicki@gmail.com>
      Tested-by: default avatarLech Perczak <lech.perczak@gmail.com>
      Signed-off-by: default avatarChristian Marangi <ansuelsmth@gmail.com>
      Reviewed-by: default avatarLech Perczak <lech.perczak@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2550d3c
    • Alexander Potapenko's avatar
      tipc: fix an information leak in tipc_topsrv_kern_subscr · 777ecaab
      Alexander Potapenko authored
      Use a 8-byte write to initialize sub.usr_handle in
      tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized
      when issuing setsockopt(..., SOL_TIPC, ...).
      This resulted in an infoleak reported by KMSAN when the packet was
      received:
      
        =====================================================
        BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
         instrument_copy_to_user ./include/linux/instrumented.h:121
         copyout+0xbc/0x100 lib/iov_iter.c:169
         _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
         copy_to_iter ./include/linux/uio.h:176
         simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
         __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
         skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
         skb_copy_datagram_msg ./include/linux/skbuff.h:3903
         packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
         ____sys_recvmsg+0x2c4/0x810 net/socket.c:?
         ___sys_recvmsg+0x217/0x840 net/socket.c:2743
         __sys_recvmsg net/socket.c:2773
         __do_sys_recvmsg net/socket.c:2783
         __se_sys_recvmsg net/socket.c:2780
         __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
         do_syscall_x64 arch/x86/entry/common.c:50
         do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
      
        ...
      
        Uninit was stored to memory at:
         tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
         tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
         tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
         tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
         tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
         tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
         __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
         __do_sys_setsockopt net/socket.c:2263
         __se_sys_setsockopt net/socket.c:2260
         __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
         do_syscall_x64 arch/x86/entry/common.c:50
         do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
      
        Local variable sub created at:
         tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
         tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
      
        Bytes 84-87 of 88 are uninitialized
        Memory access of size 88 starts at ffff88801ed57cd0
        Data copied to user address 0000000020000400
        ...
        =====================================================
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Fixes: 026321c6 ("tipc: rename tipc_server to tipc_topsrv")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      777ecaab
    • Mark Tomlinson's avatar
      tipc: Fix recognition of trial period · 28be7ca4
      Mark Tomlinson authored
      The trial period exists until jiffies is after addr_trial_end. But as
      jiffies will eventually overflow, just using time_after will eventually
      give incorrect results. As the node address is set once the trial period
      ends, this can be used to know that we are not in the trial period.
      
      Fixes: e415577f ("tipc: correct discovery message handling during address trial period")
      Signed-off-by: default avatarMark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28be7ca4
  3. 13 Oct, 2022 23 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 66ae0436
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, and wifi.
      
      Current release - regressions:
      
         - Revert "net/sched: taprio: make qdisc_leaf() see the
           per-netdev-queue pfifo child qdiscs", it may cause crashes when the
           qdisc is reconfigured
      
         - inet: ping: fix splat due to packet allocation refactoring in inet
      
         - tcp: clean up kernel listener's reqsk in inet_twsk_purge(), fix UAF
           due to races when per-netns hash table is used
      
        Current release - new code bugs:
      
         - eth: adin1110: check in netdev_event that netdev belongs to driver
      
         - fixes for PTR_ERR() vs NULL bugs in driver code, from Dan and co.
      
        Previous releases - regressions:
      
         - ipv4: handle attempt to delete multipath route when fib_info
           contains an nh reference, avoid oob access
      
         - wifi: fix handful of bugs in the new Multi-BSSID code
      
         - wifi: mt76: fix rate reporting / throughput regression on mt7915
           and newer, fix checksum offload
      
         - wifi: iwlwifi: mvm: fix double list_add at
           iwl_mvm_mac_wake_tx_queue (other cases)
      
         - wifi: mac80211: do not drop packets smaller than the LLC-SNAP
           header on fast-rx
      
        Previous releases - always broken:
      
         - ieee802154: don't warn zero-sized raw_sendmsg()
      
         - ipv6: ping: fix wrong checksum for large frames
      
         - mctp: prevent double key removal and unref
      
         - tcp/udp: fix memory leaks and races around IPV6_ADDRFORM
      
         - hv_netvsc: fix race between VF offering and VF association message
      
        Misc:
      
         - remove -Warray-bounds silencing in the drivers, compilers fixed"
      
      * tag 'net-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (73 commits)
        sunhme: fix an IS_ERR() vs NULL check in probe
        net: marvell: prestera: fix a couple NULL vs IS_ERR() checks
        kcm: avoid potential race in kcm_tx_work
        tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
        net: phy: micrel: Fixes FIELD_GET assertion
        openvswitch: add nf_ct_is_confirmed check before assigning the helper
        tcp: Fix data races around icsk->icsk_af_ops.
        ipv6: Fix data races around sk->sk_prot.
        tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
        udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
        tcp/udp: Fix memory leak in ipv6_renew_options().
        mctp: prevent double key removal and unref
        selftests: netfilter: Fix nft_fib.sh for all.rp_filter=1
        netfilter: rpfilter/fib: Populate flowic_l3mdev field
        selftests: netfilter: Test reverse path filtering
        net/mlx5: Make ASO poll CQ usable in atomic context
        tcp: cdg: allow tcp_cdg_release() to be called multiple times
        inet: ping: fix recent breakage
        ipv6: ping: fix wrong checksum for large frames
        net: ethernet: ti: am65-cpsw: set correct devlink flavour for unused ports
        ...
      66ae0436
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · d6f04f26
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
      
       - Fix a regression in virtio pci on power
      
       - Add a reviewer for ifcvf
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vdpa/ifcvf: add reviewer
        virtio_pci: use irq to detect interrupt support
      d6f04f26
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · aa41478a
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Found that the synthetic events were using strlen/strscpy() on values
         that could have come from userspace, and that is bad.
      
         Consolidate the string logic of kprobe and eprobe and extend it to
         the synthetic events to safely process string addresses.
      
       - Clean up content of text dump in ftrace_bug() where the output does
         not make char reads into signed and sign extending the byte output.
      
       - Fix some kernel docs in the ring buffer code.
      
      * tag 'trace-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: Fix reading strings from synthetic events
        tracing: Add "(fault)" name injection to kernel probes
        tracing: Move duplicate code of trace_kprobe/eprobe.c into header
        ring-buffer: Fix kernel-doc
        ftrace: Fix char print issue in print_ip_ins()
      aa41478a
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-6.1-rc1' of git://www.linux-watchdog.org/linux-watchdog · 3d33e6dd
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - new driver for Exar/MaxLinear XR28V38x
      
       - support for exynosautov9 SoC
      
       - support for Renesas R-Car V5H (R8A779G0) and RZ/V2M (r9a09g011) SoC
      
       - support for imx93
      
       - several other fixes and improvements
      
      * tag 'linux-watchdog-6.1-rc1' of git://www.linux-watchdog.org/linux-watchdog: (36 commits)
        watchdog: twl4030_wdt: add missing mod_devicetable.h include
        dt-bindings: watchdog: migrate mt7621 text bindings to YAML
        watchdog: sp5100_tco: Add "action" module parameter
        watchdog: imx93: add watchdog timer on imx93
        watchdog: imx7ulp_wdt: init wdog when it was active
        watchdog: imx7ulp_wdt: Handle wdog reconfigure failure
        watchdog: imx7ulp_wdt: Fix RCS timeout issue
        watchdog: imx7ulp_wdt: Check CMD32EN in wdog init
        watchdog: imx7ulp: Add explict memory barrier for unlock sequence
        watchdog: imx7ulp: Move suspend/resume to noirq phase
        watchdog: rti-wdt:using the pm_runtime_resume_and_get to simplify the code
        dt-bindings: watchdog: rockchip: add rockchip,rk3128-wdt
        watchdog: s3c2410_wdt: support exynosautov9 watchdog
        dt-bindings: watchdog: add exynosautov9 compatible
        watchdog: npcm: Enable clock if provided
        watchdog: meson: keep running if already active
        watchdog: dt-bindings: atmel,at91sam9-wdt: convert to json-schema
        watchdog: armada_37xx_wdt: Fix .set_timeout callback
        watchdog: sa1100: make variable sa1100dog_driver static
        watchdog: w83977f_wdt: Fix comment typo
        ...
      3d33e6dd
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-6.1-rc1' of https://github.com/ceph/ceph-client · 524d0c68
      Linus Torvalds authored
      Pull ceph updates from Ilya Dryomov:
       "A quiet round this time: several assorted filesystem fixes, the most
        noteworthy one being some additional wakeups in cap handling code, and
        a messenger cleanup"
      
      * tag 'ceph-for-6.1-rc1' of https://github.com/ceph/ceph-client:
        ceph: remove Sage's git tree from documentation
        ceph: fix incorrectly showing the .snap size for stat
        ceph: fail the open_by_handle_at() if the dentry is being unlinked
        ceph: increment i_version when doing a setattr with caps
        ceph: Use kcalloc for allocating multiple elements
        ceph: no need to wait for transition RDCACHE|RD -> RD
        ceph: fail the request if the peer MDS doesn't support getvxattr op
        ceph: wake up the waiters if any new caps comes
        libceph: drop last_piece flag from ceph_msg_data_cursor
      524d0c68
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-6.1-1' of git://git.linux-nfs.org/projects/anna/linux-nfs · 66b83455
      Linus Torvalds authored
      Pull NFS client updates from Anna Schumaker:
       "New Features:
         - Add NFSv4.2 xattr tracepoints
         - Replace xprtiod WQ in rpcrdma
         - Flexfiles cancels I/O on layout recall or revoke
      
        Bugfixes and Cleanups:
         - Directly use ida_alloc() / ida_free()
         - Don't open-code max_t()
         - Prefer using strscpy over strlcpy
         - Remove unused forward declarations
         - Always return layout states on flexfiles layout return
         - Have LISTXATTR treat NFS4ERR_NOXATTR as an empty reply instead of
           error
         - Allow more xprtrdma memory allocations to fail without triggering a
           reclaim
         - Various other xprtrdma clean ups
         - Fix rpc_killall_tasks() races"
      
      * tag 'nfs-for-6.1-1' of git://git.linux-nfs.org/projects/anna/linux-nfs: (27 commits)
        NFSv4/flexfiles: Cancel I/O if the layout is recalled or revoked
        SUNRPC: Add API to force the client to disconnect
        SUNRPC: Add a helper to allow pNFS drivers to selectively cancel RPC calls
        SUNRPC: Fix races with rpc_killall_tasks()
        xprtrdma: Fix uninitialized variable
        xprtrdma: Prevent memory allocations from driving a reclaim
        xprtrdma: Memory allocation should be allowed to fail during connect
        xprtrdma: MR-related memory allocation should be allowed to fail
        xprtrdma: Clean up synopsis of rpcrdma_regbuf_alloc()
        xprtrdma: Clean up synopsis of rpcrdma_req_create()
        svcrdma: Clean up RPCRDMA_DEF_GFP
        SUNRPC: Replace the use of the xprtiod WQ in rpcrdma
        NFSv4.2: Add a tracepoint for listxattr
        NFSv4.2: Add tracepoints for getxattr, setxattr, and removexattr
        NFSv4.2: Move TRACE_DEFINE_ENUM(NFS4_CONTENT_*) under CONFIG_NFS_V4_2
        NFSv4.2: Add special handling for LISTXATTR receiving NFS4ERR_NOXATTR
        nfs: remove nfs_wait_atomic_killable() and nfs_write_prepare() declaration
        NFSv4: remove nfs4_renewd_prepare_shutdown() declaration
        fs/nfs/pnfs_nfs.c: fix spelling typo and syntax error in comment
        NFSv4/pNFS: Always return layout stats on layout return for flexfiles
        ...
      66b83455
    • Linus Torvalds's avatar
      Merge tag 'for-linus-6.1-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux · 531d3b5f
      Linus Torvalds authored
      Pull orangefs update from Mike Marshall:
       "Change iterate to iterate_shared"
      
      * tag 'for-linus-6.1-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
        Orangefs: change iterate to iterate_shared
      531d3b5f
    • Dan Carpenter's avatar
      sunhme: fix an IS_ERR() vs NULL check in probe · 99df45c9
      Dan Carpenter authored
      The devm_request_region() function does not return error pointers, it
      returns NULL on error.
      
      Fixes: 914d9b27 ("sunhme: switch to devres")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarSean Anderson <seanga2@gmail.com>
      Reviewed-by: default avatarRolf Eike Beer <eike-kernel@sf-tec.de>
      Link: https://lore.kernel.org/r/Y0bWzJL8JknX8MUf@kiliSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      99df45c9
    • Dan Carpenter's avatar
      net: marvell: prestera: fix a couple NULL vs IS_ERR() checks · 30e9672a
      Dan Carpenter authored
      The __prestera_nexthop_group_create() function returns NULL on error
      and the prestera_nexthop_group_get() returns error pointers.  Fix these
      two checks.
      
      Fixes: 0a23ae23 ("net: marvell: prestera: Add router nexthops ABI")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Link: https://lore.kernel.org/r/Y0bWq+7DoKK465z8@kiliSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      30e9672a
    • Eric Dumazet's avatar
      kcm: avoid potential race in kcm_tx_work · ec7eede3
      Eric Dumazet authored
      syzbot found that kcm_tx_work() could crash [1] in:
      
      	/* Primarily for SOCK_SEQPACKET sockets */
      	if (likely(sk->sk_socket) &&
      	    test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {
      <<*>>	clear_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
      		sk->sk_write_space(sk);
      	}
      
      I think the reason is that another thread might concurrently
      run in kcm_release() and call sock_orphan(sk) while sk is not
      locked. kcm_tx_work() find sk->sk_socket being NULL.
      
      [1]
      BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:86 [inline]
      BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
      BUG: KASAN: null-ptr-deref in kcm_tx_work+0xff/0x160 net/kcm/kcmsock.c:742
      Write of size 8 at addr 0000000000000008 by task kworker/u4:3/53
      
      CPU: 0 PID: 53 Comm: kworker/u4:3 Not tainted 5.19.0-rc3-next-20220621-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: kkcmd kcm_tx_work
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
      check_region_inline mm/kasan/generic.c:183 [inline]
      kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
      instrument_atomic_write include/linux/instrumented.h:86 [inline]
      clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
      kcm_tx_work+0xff/0x160 net/kcm/kcmsock.c:742
      process_one_work+0x996/0x1610 kernel/workqueue.c:2289
      worker_thread+0x665/0x1080 kernel/workqueue.c:2436
      kthread+0x2e9/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
      </TASK>
      
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Tom Herbert <tom@herbertland.com>
      Link: https://lore.kernel.org/r/20221012133412.519394-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ec7eede3
    • Kuniyuki Iwashima's avatar
      tcp: Clean up kernel listener's reqsk in inet_twsk_purge() · 740ea3c4
      Kuniyuki Iwashima authored
      Eric Dumazet reported a use-after-free related to the per-netns ehash
      series. [0]
      
      When we create a TCP socket from userspace, the socket always holds a
      refcnt of the netns.  This guarantees that a reqsk timer is always fired
      before netns dismantle.  Each reqsk has a refcnt of its listener, so the
      listener is not freed before the reqsk, and the net is not freed before
      the listener as well.
      
      OTOH, when in-kernel users create a TCP socket, it might not hold a refcnt
      of its netns.  Thus, a reqsk timer can be fired after the netns dismantle
      and access freed per-netns ehash.
      
      To avoid the use-after-free, we need to clean up TCP_NEW_SYN_RECV sockets
      in inet_twsk_purge() if the netns uses a per-netns ehash.
      
      [0]: https://lore.kernel.org/netdev/CANn89iLXMup0dRD_Ov79Xt8N9FM0XdhCHEN05sf3eLwxKweM6w@mail.gmail.com/
      
      BUG: KASAN: use-after-free in tcp_or_dccp_get_hashinfo
      include/net/inet_hashtables.h:181 [inline]
      BUG: KASAN: use-after-free in reqsk_queue_unlink+0x320/0x350
      net/ipv4/inet_connection_sock.c:913
      Read of size 8 at addr ffff88807545bd80 by task syz-executor.2/8301
      
      CPU: 1 PID: 8301 Comm: syz-executor.2 Not tainted
      6.0.0-syzkaller-02757-gaf7d23f9 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 09/22/2022
      Call Trace:
      <IRQ>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:317 [inline]
      print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
      kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
      tcp_or_dccp_get_hashinfo include/net/inet_hashtables.h:181 [inline]
      reqsk_queue_unlink+0x320/0x350 net/ipv4/inet_connection_sock.c:913
      inet_csk_reqsk_queue_drop net/ipv4/inet_connection_sock.c:927 [inline]
      inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:939 [inline]
      reqsk_timer_handler+0x724/0x1160 net/ipv4/inet_connection_sock.c:1053
      call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
      expire_timers kernel/time/timer.c:1519 [inline]
      __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
      __run_timers kernel/time/timer.c:1768 [inline]
      run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
      __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
      invoke_softirq kernel/softirq.c:445 [inline]
      __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
      irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
      sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107
      </IRQ>
      
      Fixes: d1e5e640 ("tcp: Introduce optional per-netns ehash.")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221012145036.74960-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      740ea3c4
    • Michael S. Tsirkin's avatar
      vdpa/ifcvf: add reviewer · be8ddea9
      Michael S. Tsirkin authored
      Zhu Lingshan has been writing and reviewing ifcvf patches for
      a while now, add as reviewer.
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarZhu Lingshan <lingshan.zhu@intel.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      be8ddea9
    • Michael S. Tsirkin's avatar
      virtio_pci: use irq to detect interrupt support · 2145ab51
      Michael S. Tsirkin authored
      commit 71491c54 ("virtio_pci: don't try to use intxif pin is zero")
      breaks virtio_pci on powerpc, when running as a qemu guest.
      
      vp_find_vqs() bails out because pci_dev->pin == 0.
      
      But pci_dev->irq is populated correctly, so vp_find_vqs_intx() would
      succeed if we called it - which is what the code used to do.
      
      This seems to happen because pci_dev->pin is not populated in
      pci_assign_irq(). A PCI core bug? Maybe.
      
      However Linus said:
      	I really think that that is basically the only time you should use
      	that 'pci_dev->pin' thing: it basically exists not for "does this
      	device have an IRQ", but for "what is the routing of this irq on this
      	device".
      
      and
      	The correct way to check for "no irq" doesn't use NO_IRQ at all, it just does
      		if (dev->irq) ...
      
      so let's just check irq and be done with it.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Fixes: 71491c54 ("virtio_pci: don't try to use intxif pin is zero")
      Cc: "Angus Chen" <angus.chen@jaguarmicro.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Message-Id: <20221012220312.308522-1-mst@redhat.com>
      2145ab51
    • Paolo Abeni's avatar
      Merge tag 'wireless-2022-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · ac85bc71
      Paolo Abeni authored
      Johannes Berg says:
      
      ====================
      More wireless fixes for 6.1
      
      This has only the fixes for the scan parsing issues.
      
      * tag 'wireless-2022-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: cfg80211: update hidden BSSes to avoid WARN_ON
        wifi: mac80211: fix crash in beacon protection for P2P-device
        wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
        wifi: cfg80211: avoid nontransmitted BSS list corruption
        wifi: cfg80211: fix BSS refcounting bugs
        wifi: cfg80211: ensure length byte is present before access
        wifi: mac80211: fix MBSSID parsing use-after-free
        wifi: cfg80211/mac80211: reject bad MBSSID elements
        wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
      ====================
      
      Link: https://lore.kernel.org/r/20221013100522.46346-1-johannes@sipsolutions.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ac85bc71
    • Johannes Berg's avatar
      Merge branch 'cve-fixes-2022-10-13' · e7ad651c
      Johannes Berg authored
      Pull in the fixes for various scan parsing bugs found by
      Sönke Huster by fuzzing.
      e7ad651c
    • Divya Koppera's avatar
      net: phy: micrel: Fixes FIELD_GET assertion · fa182ea2
      Divya Koppera authored
      FIELD_GET() must only be used with a mask that is a compile-time
      constant. Mark the functions as __always_inline to avoid the problem.
      
      Fixes: 21b688da ("net: phy: micrel: Cable Diag feature for lan8814 phy")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarDivya Koppera <Divya.Koppera@microchip.com>
      Link: https://lore.kernel.org/r/20221011095437.12580-1-Divya.Koppera@microchip.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa182ea2
    • Xin Long's avatar
      openvswitch: add nf_ct_is_confirmed check before assigning the helper · 3c186054
      Xin Long authored
      A WARN_ON call trace would be triggered when 'ct(commit, alg=helper)'
      applies on a confirmed connection:
      
        WARNING: CPU: 0 PID: 1251 at net/netfilter/nf_conntrack_extend.c:98
        RIP: 0010:nf_ct_ext_add+0x12d/0x150 [nf_conntrack]
        Call Trace:
         <TASK>
         nf_ct_helper_ext_add+0x12/0x60 [nf_conntrack]
         __nf_ct_try_assign_helper+0xc4/0x160 [nf_conntrack]
         __ovs_ct_lookup+0x72e/0x780 [openvswitch]
         ovs_ct_execute+0x1d8/0x920 [openvswitch]
         do_execute_actions+0x4e6/0xb60 [openvswitch]
         ovs_execute_actions+0x60/0x140 [openvswitch]
         ovs_packet_cmd_execute+0x2ad/0x310 [openvswitch]
         genl_family_rcv_msg_doit.isra.15+0x113/0x150
         genl_rcv_msg+0xef/0x1f0
      
      which can be reproduced with these OVS flows:
      
        table=0, in_port=veth1,tcp,tcp_dst=2121,ct_state=-trk
        actions=ct(commit, table=1)
        table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new
        actions=ct(commit, alg=ftp),normal
      
      The issue was introduced by commit 248d45f1 ("openvswitch: Allow
      attaching helper in later commit") where it somehow removed the check
      of nf_ct_is_confirmed before asigning the helper. This patch is to fix
      it by bringing it back.
      
      Fixes: 248d45f1 ("openvswitch: Allow attaching helper in later commit")
      Reported-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarAaron Conole <aconole@redhat.com>
      Tested-by: default avatarAaron Conole <aconole@redhat.com>
      Link: https://lore.kernel.org/r/c5c9092a22a2194650222bffaf786902613deb16.1665085502.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3c186054
    • Jakub Kicinski's avatar
      Merge branch 'tcp-udp-fix-memory-leaks-and-data-races-around-ipv6_addrform' · 4f0f2121
      Jakub Kicinski authored
      Kuniyuki Iwashima says:
      
      ====================
      tcp/udp: Fix memory leaks and data races around IPV6_ADDRFORM.
      
      This series fixes some memory leaks and data races caused in the
      same scenario where one thread converts an IPv6 socket into IPv4
      with IPV6_ADDRFORM and another accesses the socket concurrently.
      
        v4: https://lore.kernel.org/netdev/20221004171802.40968-1-kuniyu@amazon.com/
        v3 (Resend): https://lore.kernel.org/netdev/20221003154425.49458-1-kuniyu@amazon.com/
        v3: https://lore.kernel.org/netdev/20220929012542.55424-1-kuniyu@amazon.com/
        v2: https://lore.kernel.org/netdev/20220928002741.64237-1-kuniyu@amazon.com/
        v1: https://lore.kernel.org/netdev/20220927161209.32939-1-kuniyu@amazon.com/
      ====================
      
      Link: https://lore.kernel.org/r/20221006185349.74777-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f0f2121
    • Kuniyuki Iwashima's avatar
      tcp: Fix data races around icsk->icsk_af_ops. · f49cd2f4
      Kuniyuki Iwashima authored
      setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
      under lock_sock(), but tcp_(get|set)sockopt() read it locklessly.  To
      avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
      for the reads and writes.
      
      Thanks to Eric Dumazet for providing the syzbot report:
      
      BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect
      
      write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
      tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
      __inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
      inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
      __sys_connect_file net/socket.c:1976 [inline]
      __sys_connect+0x197/0x1b0 net/socket.c:1993
      __do_sys_connect net/socket.c:2003 [inline]
      __se_sys_connect net/socket.c:2000 [inline]
      __x64_sys_connect+0x3d/0x50 net/socket.c:2000
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
      tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
      sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
      __sys_setsockopt+0x212/0x2b0 net/socket.c:2252
      __do_sys_setsockopt net/socket.c:2263 [inline]
      __se_sys_setsockopt net/socket.c:2260 [inline]
      __x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
      6.0.0-rc4-syzkaller-00331-g4ed9c1e9-dirty #0
      
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 08/26/2022
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f49cd2f4
    • Kuniyuki Iwashima's avatar
      ipv6: Fix data races around sk->sk_prot. · 364f997b
      Kuniyuki Iwashima authored
      Commit 086d4905 ("ipv6: annotate some data-races around sk->sk_prot")
      fixed some data-races around sk->sk_prot but it was not enough.
      
      Some functions in inet6_(stream|dgram)_ops still access sk->sk_prot
      without lock_sock() or rtnl_lock(), so they need READ_ONCE() to avoid
      load tearing.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      364f997b
    • Kuniyuki Iwashima's avatar
      tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). · d38afeec
      Kuniyuki Iwashima authored
      Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were
      able to clean them up by calling inet6_destroy_sock() during the IPv6 ->
      IPv4 conversion by IPV6_ADDRFORM.  However, commit 03485f2a ("udpv6:
      Add lockless sendmsg() support") added a lockless memory allocation path,
      which could cause a memory leak:
      
      setsockopt(IPV6_ADDRFORM)                 sendmsg()
      +-----------------------+                 +-------+
      - do_ipv6_setsockopt(sk, ...)             - udpv6_sendmsg(sk, ...)
        - sockopt_lock_sock(sk)                   ^._ called via udpv6_prot
          - lock_sock(sk)                             before WRITE_ONCE()
        - WRITE_ONCE(sk->sk_prot, &tcp_prot)
        - inet6_destroy_sock()                    - if (!corkreq)
        - sockopt_release_sock(sk)                  - ip6_make_skb(sk, ...)
          - release_sock(sk)                          ^._ lockless fast path for
                                                          the non-corking case
      
                                                      - __ip6_append_data(sk, ...)
                                                        - ipv6_local_rxpmtu(sk, ...)
                                                          - xchg(&np->rxpmtu, skb)
                                                            ^._ rxpmtu is never freed.
      
                                                      - goto out_no_dst;
      
                                                  - lock_sock(sk)
      
      For now, rxpmtu is only the case, but not to miss the future change
      and a similar bug fixed in commit e2732600 ("net: ping6: Fix
      memleak in ipv6_renew_options()."), let's set a new function to IPv6
      sk->sk_destruct() and call inet6_cleanup_sock() there.  Since the
      conversion does not change sk->sk_destruct(), we can guarantee that
      we can clean up IPv6 resources finally.
      
      We can now remove all inet6_destroy_sock() calls from IPv6 protocol
      specific ->destroy() functions, but such changes are invasive to
      backport.  So they can be posted as a follow-up later for net-next.
      
      Fixes: 03485f2a ("udpv6: Add lockless sendmsg() support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d38afeec
    • Kuniyuki Iwashima's avatar
      udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). · 21985f43
      Kuniyuki Iwashima authored
      Commit 4b340ae2 ("IPv6: Complete IPV6_DONTFRAG support") forgot
      to add a change to free inet6_sk(sk)->rxpmtu while converting an IPv6
      socket into IPv4 with IPV6_ADDRFORM.  After conversion, sk_prot is
      changed to udp_prot and ->destroy() never cleans it up, resulting in
      a memory leak.
      
      This is due to the discrepancy between inet6_destroy_sock() and
      IPV6_ADDRFORM, so let's call inet6_destroy_sock() from IPV6_ADDRFORM
      to remove the difference.
      
      However, this is not enough for now because rxpmtu can be changed
      without lock_sock() after commit 03485f2a ("udpv6: Add lockless
      sendmsg() support").  We will fix this case in the following patch.
      
      Note we will rename inet6_destroy_sock() to inet6_cleanup_sock() and
      remove unnecessary inet6_destroy_sock() calls in sk_prot->destroy()
      in the future.
      
      Fixes: 4b340ae2 ("IPv6: Complete IPV6_DONTFRAG support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      21985f43
    • Kuniyuki Iwashima's avatar
      tcp/udp: Fix memory leak in ipv6_renew_options(). · 3c52c6bb
      Kuniyuki Iwashima authored
      syzbot reported a memory leak [0] related to IPV6_ADDRFORM.
      
      The scenario is that while one thread is converting an IPv6 socket into
      IPv4 with IPV6_ADDRFORM, another thread calls do_ipv6_setsockopt() and
      allocates memory to inet6_sk(sk)->XXX after conversion.
      
      Then, the converted sk with (tcp|udp)_prot never frees the IPv6 resources,
      which inet6_destroy_sock() should have cleaned up.
      
      setsockopt(IPV6_ADDRFORM)                 setsockopt(IPV6_DSTOPTS)
      +-----------------------+                 +----------------------+
      - do_ipv6_setsockopt(sk, ...)
        - sockopt_lock_sock(sk)                 - do_ipv6_setsockopt(sk, ...)
          - lock_sock(sk)                         ^._ called via tcpv6_prot
        - WRITE_ONCE(sk->sk_prot, &tcp_prot)          before WRITE_ONCE()
        - xchg(&np->opt, NULL)
        - txopt_put(opt)
        - sockopt_release_sock(sk)
          - release_sock(sk)                      - sockopt_lock_sock(sk)
                                                    - lock_sock(sk)
                                                  - ipv6_set_opt_hdr(sk, ...)
                                                    - ipv6_update_options(sk, opt)
                                                      - xchg(&inet6_sk(sk)->opt, opt)
                                                        ^._ opt is never freed.
      
                                                  - sockopt_release_sock(sk)
                                                    - release_sock(sk)
      
      Since IPV6_DSTOPTS allocates options under lock_sock(), we can avoid this
      memory leak by testing whether sk_family is changed by IPV6_ADDRFORM after
      acquiring the lock.
      
      This issue exists from the initial commit between IPV6_ADDRFORM and
      IPV6_PKTOPTIONS.
      
      [0]:
      BUG: memory leak
      unreferenced object 0xffff888009ab9f80 (size 96):
        comm "syz-executor583", pid 328, jiffies 4294916198 (age 13.034s)
        hex dump (first 32 bytes):
          01 00 00 00 48 00 00 00 08 00 00 00 00 00 00 00  ....H...........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000002ee98ae1>] kmalloc include/linux/slab.h:605 [inline]
          [<000000002ee98ae1>] sock_kmalloc+0xb3/0x100 net/core/sock.c:2566
          [<0000000065d7b698>] ipv6_renew_options+0x21e/0x10b0 net/ipv6/exthdrs.c:1318
          [<00000000a8c756d7>] ipv6_set_opt_hdr net/ipv6/ipv6_sockglue.c:354 [inline]
          [<00000000a8c756d7>] do_ipv6_setsockopt.constprop.0+0x28b7/0x4350 net/ipv6/ipv6_sockglue.c:668
          [<000000002854d204>] ipv6_setsockopt+0xdf/0x190 net/ipv6/ipv6_sockglue.c:1021
          [<00000000e69fdcf8>] tcp_setsockopt+0x13b/0x2620 net/ipv4/tcp.c:3789
          [<0000000090da4b9b>] __sys_setsockopt+0x239/0x620 net/socket.c:2252
          [<00000000b10d192f>] __do_sys_setsockopt net/socket.c:2263 [inline]
          [<00000000b10d192f>] __se_sys_setsockopt net/socket.c:2260 [inline]
          [<00000000b10d192f>] __x64_sys_setsockopt+0xbe/0x160 net/socket.c:2260
          [<000000000a80d7aa>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<000000000a80d7aa>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
          [<000000004562b5c6>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3c52c6bb
  4. 12 Oct, 2022 5 commits
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-kunit-6.1-rc1-2' of... · a185a099
      Linus Torvalds authored
      Merge tag 'linux-kselftest-kunit-6.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull more KUnit updates from Shuah Khan:
       "Features and fixes:
      
         - simplify resource use
      
         - make kunit_malloc() and kunit_free() allocations and frees
           consistent. kunit_free() frees only the memory allocated by
           kunit_malloc()
      
         - stop downloading risc-v opensbi binaries using wget
      
         - other fixes and improvements to tool and KUnit framework"
      
      * tag 'linux-kselftest-kunit-6.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        Documentation: kunit: Update description of --alltests option
        kunit: declare kunit_assert structs as const
        kunit: rename base KUNIT_ASSERTION macro to _KUNIT_FAILED
        kunit: remove format func from struct kunit_assert, get it to 0 bytes
        kunit: tool: Don't download risc-v opensbi firmware with wget
        kunit: make kunit_kfree(NULL) a no-op to match kfree()
        kunit: make kunit_kfree() not segfault on invalid inputs
        kunit: make kunit_kfree() only work on pointers from kunit_malloc() and friends
        kunit: drop test pointer in string_stream_fragment
        kunit: string-stream: Simplify resource use
      a185a099
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-next-6.1-rc1-2' of... · 661e0096
      Linus Torvalds authored
      Merge tag 'linux-kselftest-next-6.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull more Kselftest updates from Shuah Khan:
       "This consists of fixes and improvements to memory-hotplug test and a
        minor spelling fix to ftrace test"
      
      * tag 'linux-kselftest-next-6.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        docs: notifier-error-inject: Correct test's name
        selftests/memory-hotplug: Adjust log info for maintainability
        selftests/memory-hotplug: Restore memory before exit
        selftests/memory-hotplug: Add checking after online or offline
        selftests/ftrace: func_event_triggers: fix typo in user message
      661e0096
    • Linus Torvalds's avatar
      Merge tag 'vfio-v6.1-rc1' of https://github.com/awilliam/linux-vfio · d3cf4051
      Linus Torvalds authored
      Pull VFIO updates from Alex Williamson:
      
       - Prune private items from vfio_pci_core.h to a new internal header,
         fix missed function rename, and refactor vfio-pci interrupt defines
         (Jason Gunthorpe)
      
       - Create consistent naming and handling of ioctls with a function per
         ioctl for vfio-pci and vfio group handling, use proper type args
         where available (Jason Gunthorpe)
      
       - Implement a set of low power device feature ioctls allowing userspace
         to make use of power states such as D3cold where supported (Abhishek
         Sahu)
      
       - Remove device counter on vfio groups, which had restricted the page
         pinning interface to singleton groups to account for limitations in
         the type1 IOMMU backend. Document usage as limited to emulated IOMMU
         devices, ie. traditional mdev devices where this restriction is
         consistent (Jason Gunthorpe)
      
       - Correct function prefix in hisi_acc driver incurred during previous
         refactoring (Shameer Kolothum)
      
       - Correct typo and remove redundant warning triggers in vfio-fsl driver
         (Christophe JAILLET)
      
       - Introduce device level DMA dirty tracking uAPI and implementation in
         the mlx5 variant driver (Yishai Hadas & Joao Martins)
      
       - Move much of the vfio_device life cycle management into vfio core,
         simplifying and avoiding duplication across drivers. This also
         facilitates adding a struct device to vfio_device which begins the
         introduction of device rather than group level user support and fills
         a gap allowing userspace identify devices as vfio capable without
         implicit knowledge of the driver (Kevin Tian & Yi Liu)
      
       - Split vfio container handling to a separate file, creating a more
         well defined API between the core and container code, masking IOMMU
         backend implementation from the core, allowing for an easier future
         transition to an iommufd based implementation of the same (Jason
         Gunthorpe)
      
       - Attempt to resolve race accessing the iommu_group for a device
         between vfio releasing DMA ownership and removal of the device from
         the IOMMU driver. Follow-up with support to allow vfio_group to exist
         with NULL iommu_group pointer to support existing userspace use cases
         of holding the group file open (Jason Gunthorpe)
      
       - Fix error code and hi/lo register manipulation issues in the hisi_acc
         variant driver, along with various code cleanups (Longfang Liu)
      
       - Fix a prior regression in GVT-g group teardown, resulting in
         unreleased resources (Jason Gunthorpe)
      
       - A significant cleanup and simplification of the mdev interface,
         consolidating much of the open coded per driver sysfs interface
         support into the mdev core (Christoph Hellwig)
      
       - Simplification of tracking and locking around vfio_groups that fall
         out from previous refactoring (Jason Gunthorpe)
      
       - Replace trivial open coded f_ops tests with new helper (Alex
         Williamson)
      
      * tag 'vfio-v6.1-rc1' of https://github.com/awilliam/linux-vfio: (77 commits)
        vfio: More vfio_file_is_group() use cases
        vfio: Make the group FD disassociate from the iommu_group
        vfio: Hold a reference to the iommu_group in kvm for SPAPR
        vfio: Add vfio_file_is_group()
        vfio: Change vfio_group->group_rwsem to a mutex
        vfio: Remove the vfio_group->users and users_comp
        vfio/mdev: add mdev available instance checking to the core
        vfio/mdev: consolidate all the description sysfs into the core code
        vfio/mdev: consolidate all the available_instance sysfs into the core code
        vfio/mdev: consolidate all the name sysfs into the core code
        vfio/mdev: consolidate all the device_api sysfs into the core code
        vfio/mdev: remove mtype_get_parent_dev
        vfio/mdev: remove mdev_parent_dev
        vfio/mdev: unexport mdev_bus_type
        vfio/mdev: remove mdev_from_dev
        vfio/mdev: simplify mdev_type handling
        vfio/mdev: embedd struct mdev_parent in the parent data structure
        vfio/mdev: make mdev.h standalone includable
        drm/i915/gvt: simplify vgpu configuration management
        drm/i915/gvt: fix a memory leak in intel_gvt_init_vgpu_types
        ...
      d3cf4051
    • Linus Torvalds's avatar
      Merge tag 'for-linus-6.1-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 778ce723
      Linus Torvalds authored
      Pull xen updates from Juergen Gross:
      
       - Some minor typo fixes
      
       - A fix of the Xen pcifront driver for supporting the device model to
         run in a Linux stub domain
      
       - A cleanup of the pcifront driver
      
       - A series to enable grant-based virtio with Xen on x86
      
       - A cleanup of Xen PV guests to distinguish between safe and faulting
         MSR accesses
      
       - Two fixes of the Xen gntdev driver
      
       - Two fixes of the new xen grant DMA driver
      
      * tag 'for-linus-6.1-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen: Kconfig: Fix spelling mistake "Maxmium" -> "Maximum"
        xen/pv: support selecting safe/unsafe msr accesses
        xen/pv: refactor msr access functions to support safe and unsafe accesses
        xen/pv: fix vendor checks for pmu emulation
        xen/pv: add fault recovery control to pmu msr accesses
        xen/virtio: enable grant based virtio on x86
        xen/virtio: use dom0 as default backend for CONFIG_XEN_VIRTIO_FORCE_GRANT
        xen/virtio: restructure xen grant dma setup
        xen/pcifront: move xenstore config scanning into sub-function
        xen/gntdev: Accommodate VMA splitting
        xen/gntdev: Prevent leaking grants
        xen/virtio: Fix potential deadlock when accessing xen_grant_dma_devices
        xen/virtio: Fix n_pages calculation in xen_grant_dma_map(unmap)_page()
        xen/xenbus: Fix spelling mistake "hardward" -> "hardware"
        xen-pcifront: Handle missed Connected state
      778ce723
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2022-10-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm · 1440f576
      Linus Torvalds authored
      Pull misc hotfixes from Andrew Morton:
       "Five hotfixes - three for nilfs2, two for MM. For are cc:stable, one
        is not"
      
      * tag 'mm-hotfixes-stable-2022-10-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        nilfs2: fix leak of nilfs_root in case of writer thread creation failure
        nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()
        nilfs2: fix use-after-free bug of struct nilfs_root
        mm/damon/core: initialize damon_target->list in damon_new_target()
        mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page
      1440f576