1. 05 Jan, 2023 10 commits
    • Merge tag 'net-6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 50011c32
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, wifi, and netfilter.
      
        Current release - regressions:
      
         - bpf: fix nullness propagation for reg to reg comparisons, avoid
           null-deref
      
         - inet: control sockets should not use current thread task_frag
      
         - bpf: always use maximal size for copy_array()
      
         - eth: bnxt_en: don't link netdev to a devlink port for VFs
      
        Current release - new code bugs:
      
         - rxrpc: fix a couple of potential use-after-frees
      
         - netfilter: conntrack: fix IPv6 exthdr error check
      
         - wifi: iwlwifi: fw: skip PPAG for JF, avoid FW crashes
      
         - eth: dsa: qca8k: various fixes for the in-band register access
      
         - eth: nfp: fix schedule in atomic context when sync mc address
      
         - eth: renesas: rswitch: fix getting mac address from device tree
      
         - mobile: ipa: use proper endpoint mask for suspend
      
        Previous releases - regressions:
      
         - tcp: add TIME_WAIT sockets in bhash2, fix regression caught by
           Jiri / python tests
      
         - net: tc: don't interpret cls results when asked to drop, fix
           oob-access
      
         - vrf: determine the dst using the original ifindex for multicast
      
         - eth: bnxt_en:
            - fix XDP RX path if BPF adjusted packet length
            - fix HDS (header placement) and jumbo thresholds for RX packets
      
         - eth: ice: xsk: do not use xdp_return_frame() on tx_buf->raw_buf,
           avoid memory corruptions
      
        Previous releases - always broken:
      
         - ulp: prevent ULP without clone op from entering the LISTEN status
      
         - veth: fix race with AF_XDP exposing old or uninitialized
           descriptors
      
         - bpf:
            - pull before calling skb_postpull_rcsum() (fix checksum support
              and avoid a WARN())
            - fix panic due to wrong pageattr of im->image (when livepatch and
              kretfunc coexist)
            - keep a reference to the mm, in case the task is dead
      
         - mptcp: fix deadlock in fastopen error path
      
         - netfilter:
            - nf_tables: perform type checking for existing sets
            - nf_tables: honor set timeout and garbage collection updates
            - ipset: fix hash:net,port,net hang with /0 subnet
            - ipset: avoid hung task warning when adding/deleting entries
      
         - selftests: net:
            - fix cmsg_so_mark.sh test hang on non-x86 systems
            - fix the arp_ndisc_evict_nocarrier test for IPv6
      
         - usb: rndis_host: secure rndis_query check against int overflow
      
         - eth: r8169: fix dmar pte write access during suspend/resume with
           WOL
      
         - eth: lan966x: fix configuration of the PCS
      
         - eth: sparx5: fix reading of the MAC address
      
         - eth: qed: allow sleep in qed_mcp_trace_dump()
      
         - eth: hns3:
            - fix interrupts re-initialization after VF FLR
            - fix handling of promisc when MAC addr table gets full
            - refine the handling for VF heartbeat
      
         - eth: mlx5:
            - properly handle ingress QinQ-tagged packets on VST
            - fix io_eq_size and event_eq_size params validation on big endian
            - fix RoCE setting at HCA level if not supported at all
            - don't turn CQE compression on by default for IPoIB
      
         - eth: ena:
            - fix toeplitz initial hash key value
            - account for the number of XDP-processed bytes in interface stats
            - fix rx_copybreak value update
      
        Misc:
      
         - ethtool: harden phy stat handling against buggy drivers
      
         - docs: netdev: convert maintainer's doc from FAQ to a normal
           document"
      
      * tag 'net-6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (112 commits)
        caif: fix memory leak in cfctrl_linkup_request()
        inet: control sockets should not use current thread task_frag
        net/ulp: prevent ULP without clone op from entering the LISTEN status
        qed: allow sleep in qed_mcp_trace_dump()
        MAINTAINERS: Update maintainers for ptp_vmw driver
        usb: rndis_host: Secure rndis_query check against int overflow
        net: dpaa: Fix dtsec check for PCS availability
        octeontx2-pf: Fix lmtst ID used in aura free
        drivers/net/bonding/bond_3ad: return when there's no aggregator
        netfilter: ipset: Rework long task execution when adding/deleting entries
        netfilter: ipset: fix hash:net,port,net hang with /0 subnet
        net: sparx5: Fix reading of the MAC address
        vxlan: Fix memory leaks in error path
        net: sched: htb: fix htb_classify() kernel-doc
        net: sched: cbq: dont intepret cls results when asked to drop
        net: sched: atm: dont intepret cls results when asked to drop
        dt-bindings: net: marvell,orion-mdio: Fix examples
        dt-bindings: net: sun8i-emac: Add phy-supply property
        net: ipa: use proper endpoint mask for suspend
        selftests: net: return non-zero for failures reported in arp_ndisc_evict_nocarrier
        ...
    • Merge tag 'gpio-fixes-for-v6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · aa01a183
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
       "A reference leak fix, two fixes for using uninitialized variables and
        more drivers converted to using immutable irqchips:
      
         - fix a reference leak in gpio-sifive
      
         - fix a potential use of an uninitialized variable in core gpiolib
      
         - fix a potential use of an uninitialized variable in gpio-pca953x
      
         - make GPIO irqchips immutable in gpio-pmic-eic-sprd, gpio-eic-sprd
           and gpio-sprd"
      
      * tag 'gpio-fixes-for-v6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio: sifive: Fix refcount leak in sifive_gpio_probe
        gpio: sprd: Make the irqchip immutable
        gpio: pmic-eic-sprd: Make the irqchip immutable
        gpio: eic-sprd: Make the irqchip immutable
        gpio: pca953x: avoid to use uninitialized value pinctrl
        gpiolib: Fix using uninitialized lookup-flags on ACPI platforms
    • Merge tag 'fbdev-for-6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev · 5e9af4b4
      Linus Torvalds authored
      Pull fbdev fixes from Helge Deller:
      
       - Fix Matrox G200eW initialization failure
      
       - Fix build failure of offb driver when built as module
      
       - Optimize stack usage in omapfb
      
      * tag 'fbdev-for-6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev:
        fbdev: omapfb: avoid stack overflow warning
        fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB
        fbdev: atyfb: use strscpy() to instead of strncpy()
        fbdev: omapfb: use strscpy() to instead of strncpy()
        fbdev: make offb driver tristate
    • fbdev: omapfb: avoid stack overflow warning · 634cf6ea
      Arnd Bergmann authored
      The dsi_irq_stats structure is a little too big to fit on the
      stack of a 32-bit task, depending on the specific gcc options:
      
      fbdev/omap2/omapfb/dss/dsi.c: In function 'dsi_dump_dsidev_irqs':
      fbdev/omap2/omapfb/dss/dsi.c:1621:1: error: the frame size of 1064 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      
      Since this is only a debugfs file, performance is not critical,
      so just dynamically allocate it, and print an error message
      in there in place of a failure code when the allocation fails.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Helge Deller <deller@gmx.de>
    • caif: fix memory leak in cfctrl_linkup_request() · fe69230f
      Zhengchao Shao authored
      When linktype is unknown or kzalloc failed in cfctrl_linkup_request(),
      pkt is not released. Add release process to error path.
      
      Fixes: b482cd20 ("net-caif: add CAIF core protocol stack")
      Fixes: 8d545c8f ("caif: Disconnect without waiting for response")
      Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: Jiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20230104065146.1153009-1-shaozhengchao@huawei.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • inet: control sockets should not use current thread task_frag · 1ac88557
      Eric Dumazet authored
      Because ICMP handlers run from softirq contexts,
      they must not use current thread task_frag.
      
      Previously, all sockets allocated by inet_ctl_sock_create()
      would use the per-socket page fragment, with no chance of
      recursion.
      
      Fixes: 98123866 ("Treewide: Stop corrupting socket's task_frag")
      Reported-by: syzbot+bebc6f1acdf4cbb79b03@syzkaller.appspotmail.com
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Benjamin Coddington <bcodding@redhat.com>
      Acked-by: Guillaume Nault <gnault@redhat.com>
      Link: https://lore.kernel.org/r/20230103192736.454149-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net/ulp: prevent ULP without clone op from entering the LISTEN status · 2c02d41d
      Paolo Abeni authored
      When a ULP-enabled socket enters the LISTEN status, the listener ULP data
      pointer is copied inside the child/accepted sockets by sk_clone_lock().
      
      The relevant ULP can take care of de-duplicating the context pointer via
      the clone() operation, but only MPTCP and SMC implement such op.
      
      Other ULPs may end up with a double-free at socket disposal time.
      
      We can't simply clear the ULP data at clone time, as TLS replaces the
      socket ops with custom ones assuming a valid TLS ULP context is
      available.
      
      Instead, completely prevent clone-less ULP sockets from entering the
      LISTEN status.
      
      Fixes: 734942cc ("tcp: ULP infrastructure")
      Reported-by: slipper <slipper.alive@gmail.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • qed: allow sleep in qed_mcp_trace_dump() · 5401c3e0
      Caleb Sander authored
      By default, qed_mcp_cmd_and_union() delays 10us at a time in a loop
      that can run 500K times, so calls to qed_mcp_nvm_rd_cmd()
      may block the current thread for over 5s.
      We observed thread scheduling delays over 700ms in production,
      with stacktraces pointing to this code as the culprit.
      
      qed_mcp_trace_dump() is called from ethtool, so sleeping is permitted.
      It already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd().
      Add a "can sleep" parameter to qed_find_nvram_image() and
      qed_nvram_read() so they can sleep during qed_mcp_trace_dump().
      qed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(),
      called only by qed_mcp_trace_dump(), allow these functions to sleep.
      I can't tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep,
      so keep b_can_sleep set to false when it calls these functions.
      
      An example stacktrace from a custom warning we added to the kernel
      showing a thread that has not scheduled despite long needing resched:
      [ 2745.362925,17] ------------[ cut here ]------------
      [ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()
      [ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99
      [ 2745.362956,17] Modules linked in: ...
      [ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P           O    4.4.182+ #202104120910+6d1da174272d.61x
      [ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020
      [ 2745.363346,17]  0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20
      [ 2745.363358,17]  ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000
      [ 2745.363369,17]  0000000000000063 0000000000000174 0000000000000074 0000000000000000
      [ 2745.363379,17] Call Trace:
      [ 2745.363382,17]  <IRQ>  [<ffffffff8131eb2f>] dump_stack+0x8e/0xcf
      [ 2745.363393,17]  [<ffffffff81072ac2>] warn_slowpath_common+0x82/0xc0
      [ 2745.363398,17]  [<ffffffff81072b4c>] warn_slowpath_fmt+0x4c/0x50
      [ 2745.363404,17]  [<ffffffff810d5a8e>] ? rcu_irq_exit+0xae/0xc0
      [ 2745.363408,17]  [<ffffffff817c99fe>] do_IRQ+0x15e/0x1a0
      [ 2745.363413,17]  [<ffffffff817c7ac9>] common_interrupt+0x89/0x89
      [ 2745.363416,17]  <EOI>  [<ffffffff8132aa74>] ? delay_tsc+0x24/0x50
      [ 2745.363425,17]  [<ffffffff8132aa04>] __udelay+0x34/0x40
      [ 2745.363457,17]  [<ffffffffa04d45ff>] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]
      [ 2745.363473,17]  [<ffffffffa04d5ced>] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]
      [ 2745.363490,17]  [<ffffffffa04e1dc7>] qed_mcp_trace_dump+0x4a7/0x630 [qed]
      [ 2745.363504,17]  [<ffffffffa04e2556>] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]
      [ 2745.363520,17]  [<ffffffffa04e4ea7>] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]
      [ 2745.363536,17]  [<ffffffffa04ea881>] qed_dbg_feature_size+0x61/0xa0 [qed]
      [ 2745.363551,17]  [<ffffffffa04eb427>] qed_dbg_all_data_size+0x247/0x260 [qed]
      [ 2745.363560,17]  [<ffffffffa0482c10>] qede_get_regs_len+0x30/0x40 [qede]
      [ 2745.363566,17]  [<ffffffff816c9783>] ethtool_get_drvinfo+0xe3/0x190
      [ 2745.363570,17]  [<ffffffff816cc152>] dev_ethtool+0x1362/0x2140
      [ 2745.363575,17]  [<ffffffff8109bcc6>] ? finish_task_switch+0x76/0x260
      [ 2745.363580,17]  [<ffffffff817c2116>] ? __schedule+0x3c6/0x9d0
      [ 2745.363585,17]  [<ffffffff810dbd50>] ? hrtimer_start_range_ns+0x1d0/0x370
      [ 2745.363589,17]  [<ffffffff816c1e5b>] ? dev_get_by_name_rcu+0x6b/0x90
      [ 2745.363594,17]  [<ffffffff816de6a8>] dev_ioctl+0xe8/0x710
      [ 2745.363599,17]  [<ffffffff816a58a8>] sock_do_ioctl+0x48/0x60
      [ 2745.363603,17]  [<ffffffff816a5d87>] sock_ioctl+0x1c7/0x280
      [ 2745.363608,17]  [<ffffffff8111f393>] ? seccomp_phase1+0x83/0x220
      [ 2745.363612,17]  [<ffffffff811e3503>] do_vfs_ioctl+0x2b3/0x4e0
      [ 2745.363616,17]  [<ffffffff811e3771>] SyS_ioctl+0x41/0x70
      [ 2745.363619,17]  [<ffffffff817c6ffe>] entry_SYSCALL_64_fastpath+0x1e/0x79
      [ 2745.363622,17] ---[ end trace f6954aa440266421 ]---
      
      Fixes: c965db44 ("qed: Add support for debug data collection")
      Signed-off-by: Caleb Sander <csander@purestorage.com>
      Acked-by: Alok Prasad <palok@marvell.com>
      Link: https://lore.kernel.org/r/20230103233021.1457646-1-csander@purestorage.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 49d9601b
      Jakub Kicinski authored
      Alexei Starovoitov says:
      
      ====================
      bpf 2023-01-04
      
      We've added 5 non-merge commits during the last 8 day(s) which contain
      a total of 5 files changed, 112 insertions(+), 18 deletions(-).
      
      The main changes are:
      
      1) Always use maximal size for copy_array in the verifier to fix
         KASAN tracking, from Kees.
      
      2) Fix bpf task iterator walking through dead tasks, from Kui-Feng.
      
      3) Make sure livepatch and bpf fexit can coexist, from Chuang.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Always use maximal size for copy_array()
        selftests/bpf: add a test for iter/task_vma for short-lived processes
        bpf: keep a reference to the mm, in case the task is dead.
        selftests/bpf: Temporarily disable part of btf_dump:var_data test.
        bpf: Fix panic due to wrong pageattr of im->image
      ====================
      
      Link: https://lore.kernel.org/r/20230104215500.79435-1-alexei.starovoitov@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 41c03ba9
      Linus Torvalds authored
      Pull virtio updates from Michael Tsirkin:
       "Mostly fixes all over the place, a couple of cleanups"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: (32 commits)
        virtio_blk: Fix signedness bug in virtblk_prep_rq()
        vdpa_sim_net: should not drop the multicast/broadcast packet
        vdpasim: fix memory leak when freeing IOTLBs
        vdpa: conditionally fill max max queue pair for stats
        vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove
        vduse: Validate vq_num in vduse_validate_config()
        tools/virtio: remove smp_read_barrier_depends()
        tools/virtio: remove stray characters
        vhost_vdpa: fix the crash in unmap a large memory
        virtio: Implementing attribute show with sysfs_emit
        virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()
        tools/virtio: Variable type completion
        vdpa_sim: fix vringh initialization in vdpasim_queue_ready()
        virtio_blk: use UINT_MAX instead of -1U
        vhost-vdpa: fix an iotlb memory leak
        vhost: fix range used in translate_desc()
        vringh: fix range used in iotlb_translate()
        vhost/vsock: Fix error handling in vhost_vsock_init()
        vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
        tools: Delete the unneeded semicolon after curly braces
        ...
  4. 02 Jan, 2023 13 commits
    • Merge tag 'for-6.2-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 69b41ac8
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "First batch of regression and regular fixes:
      
         - regressions:
             - fix error handling after conversion to qstr for paths
             - fix raid56/scrub recovery caused by uninitialized variable
               after conversion to error bitmaps
             - restore qgroup backref lookup behaviour after recent
               refactoring
             - fix leak of device lists at module exit time
      
         - fix resolving backrefs for inline extent followed by prealloc
      
         - reset defrag ioctl buffer on memory allocation error"
      
      * tag 'for-6.2-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix fscrypt name leak after failure to join log transaction
        btrfs: scrub: fix uninitialized return value in recover_scrub_rbio
        btrfs: fix resolving backrefs for inline extent followed by prealloc
        btrfs: fix trace event name typo for FLUSH_DELAYED_REFS
        btrfs: restore BTRFS_SEQ_LAST when looking up qgroup backref lookup
        btrfs: fix leak of fs devices after removing btrfs module
        btrfs: fix an error handling path in btrfs_defrag_leaves()
        btrfs: fix an error handling path in btrfs_rename()
    • fs/ntfs3: don't hold ni_lock when calling truncate_setsize() · 0226635c
      Tetsuo Handa authored
      syzbot is reporting a hung task at do_user_addr_fault() [1], for there is
      a silent deadlock between PG_locked bit and ni_lock lock.
      
      Since filemap_update_page() calls filemap_read_folio() after calling
      folio_trylock() which will set PG_locked bit, ntfs_truncate() must not
      call truncate_setsize() which will wait for PG_locked bit to be cleared
      when holding ni_lock lock.
      
      Link: https://lore.kernel.org/all/00000000000060d41f05f139aa44@google.com/
      Link: https://syzkaller.appspot.com/bug?extid=bed15dbf10294aa4f2ae [1]
      Reported-by: syzbot <syzbot+bed15dbf10294aa4f2ae@syzkaller.appspotmail.com>
      Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
      Co-developed-by: Hillf Danton <hdanton@sina.com>
      Signed-off-by: Hillf Danton <hdanton@sina.com>
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Fixes: 4342306f ("fs/ntfs3: Add file operations and implementation")
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • x86/kexec: Fix double-free of elf header buffer · d00dd2f2
      Takashi Iwai authored
      After
      
        b3e34a47 ("x86/kexec: fix memory leak of elf header buffer"),
      
      freeing image->elf_headers in the error path of crash_load_segments()
      is not needed because kimage_file_post_load_cleanup() will take
      care of that later. And not clearing it could result in a double-free.
      
      Drop the superfluous vfree() call at the error path of
      crash_load_segments().
      
      Fixes: b3e34a47 ("x86/kexec: fix memory leak of elf header buffer")
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
      Acked-by: Baoquan He <bhe@redhat.com>
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Cc: <stable@kernel.org>
      Link: https://lore.kernel.org/r/20221122115122.13937-1-tiwai@suse.de
    • nfsd: fix handling of readdir in v4root vs. mount upcall timeout · cad85337
      Jeff Layton authored
      If a v4 READDIR operation hits a mountpoint and gets back an error,
      then it will include that entry in the reply and set RDATTR_ERROR for it
      to the error.
      
      That's fine for "normal" exported filesystems, but on the v4root, we
      need to be more careful to only expose the existence of dentries that
      lead to exports.
      
      If the mountd upcall times out while checking to see whether a
      mountpoint on the v4root is exported, then we have no recourse other
      than to fail the whole operation.
      
      Cc: Steve Dickson <steved@redhat.com>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216777
      Reported-by: JianHong Yin <yin-jianhong@163.com>
      Signed-off-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
      Cc: <stable@vger.kernel.org>
    • fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB · f685dd7a
      Paul Menzel authored
      Commit 62d89a7d ("video: fbdev: matroxfb: set maxvram of vbG200eW to
      the same as vbG200 to avoid black screen") accidentally decreases the
      maximum memory size for the Matrox G200eW (102b:0532) from 8 MB to 1 MB
      by missing one zero. This caused the driver initialization to fail with
      the messages below, as the minimum required VRAM size is 2 MB:
      
           [    9.436420] matroxfb: Matrox MGA-G200eW (PCI) detected
           [    9.444502] matroxfb: cannot determine memory size
           [    9.449316] matroxfb: probe of 0000:0a:03.0 failed with error -1
      
      So, add the missing 0 to make it the intended 16 MB. Successfully tested on
      the Dell PowerEdge R910/0KYD3D, BIOS 2.10.0 08/29/2013, that the warning is
      gone.
      
      While at it, add a leading 0 to the maxdisplayable entry, so it’s aligned
      properly. The value could probably also be increased from 8 MB to 16 MB, as
      the G200 uses the same values, but I have not checked any datasheet.
      
      Note, matroxfb is obsolete and superseded by the maintained DRM driver
      mga200, which is used by default on most systems where both drivers are
      available. Therefore, on most systems it was only a cosmetic issue.
      
      Fixes: 62d89a7d ("video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen")
      Link: https://lore.kernel.org/linux-fbdev/972999d3-b75d-5680-fcef-6e6905c52ac5@suse.de/T/#mb6953a9995ebd18acc8552f99d6db39787aec775
      Cc: it+linux-fbdev@molgen.mpg.de
      Cc: Z. Liu <liuzx@knownsec.com>
      Cc: Rich Felker <dalias@libc.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
      Signed-off-by: Helge Deller <deller@gmx.de>
    • netfilter: ipset: Rework long task execution when adding/deleting entries · 5e29dc36
      Jozsef Kadlecsik authored
      When adding/deleting a large number of elements in one step in ipset, it can
      take a reasonable amount of time and can result in soft lockup errors. The
      patch 5f7b51bf ("netfilter: ipset: Limit the maximal range of
      consecutive elements to add/delete") tried to fix it by limiting the max
      elements to process at all. However, it was not enough; it is still possible
      that we get hung tasks. Lowering the limit is not reasonable, so the
      approach in this patch is as follows: rely on the method used at resizing
      sets and save the state when we reach a smaller internal batch limit,
      unlock/lock and proceed from the saved state. Thus we can avoid long
      continuous tasks and at the same time remove the limit to add/delete a large
      number of elements in one step.
      
      The nfnl mutex is held during the whole operation, which prevents one from
      issuing other ipset commands in parallel.
      
      Fixes: 5f7b51bf ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete")
      Reported-by: syzbot+9204e7399656300bf271@syzkaller.appspotmail.com
      Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ipset: fix hash:net,port,net hang with /0 subnet · a31d47be
      Jozsef Kadlecsik authored
      The hash:net,port,net set type supports /0 subnets. However, the patch
      commit 5f7b51bf titled "netfilter: ipset: Limit the maximal range
      of consecutive elements to add/delete" did not take it into account and
      resulted in an endless loop. The bug is actually older, but the patch
      5f7b51bf brings it out earlier.
      
      Handle /0 subnets properly in hash:net,port,net set types.
      
      Fixes: 5f7b51bf ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete")
      Reported-by: Марк Коренберг <socketpair@gmail.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
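The two ipset commits above describe one mechanism (bounded, resumable batches with the lock dropped in between) and one failure of the old range arithmetic (a /0 range never terminating). The following constructed user-space model, added here as an example and not ipset's own code, shows both: BATCH_LIMIT, the toy bitmap set and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model (not ipset's code) of the commit's approach:
 * a large add/delete range is processed in bounded batches, the cursor is
 * saved, and the set lock is dropped and re-taken between batches, so no single
 * locked section runs long enough to trigger a soft lockup or hung task.
 * Counts are 64-bit so a /0 range (2^32 elements) cannot wrap into an endless loop.
 */

#define BATCH_LIMIT 1000u        /* hypothetical per-batch element limit */
#define SET_BITS    (1u << 20)   /* toy bitmap set; elements stored modulo SET_BITS */

static unsigned char set_bitmap[SET_BITS / 8];

struct range_op {
	uint32_t next;      /* saved cursor: next element to process */
	uint64_t remaining; /* elements left; 64-bit so 2^32 fits */
	unsigned batches;   /* locked sections used so far */
};

/* Stand-ins for the set lock; a real implementation also yields in between. */
static void set_lock(void)   {}
static void set_unlock(void) {}

/* SET_BITS is a multiple of 8, so the bit offset is simply e % 8. */
bool set_contains(uint32_t e) { return (set_bitmap[(e % SET_BITS) / 8] >> (e % 8)) & 1u; }

static void set_update(uint32_t e, bool add)
{
	unsigned char *byte = &set_bitmap[(e % SET_BITS) / 8], bit = (unsigned char)(1u << (e % 8));
	if (add) *byte |= bit; else *byte &= (unsigned char)~bit;
}

/*
 * The 32-bit pattern that breaks on a /0 range: last - first + 1 wraps to 0,
 * and "for (e = first; e <= last; e++)" never exits when last == UINT32_MAX.
 */
uint32_t naive_range_count32(uint32_t first, uint32_t last)
{
	return last - first + 1;
}

/* Correct element count of an inclusive [first, last] range; 2^32 for a /0. */
uint64_t range_count64(uint32_t first, uint32_t last)
{
	return (uint64_t)last - first + 1;
}

/* Prepare a batched add/delete over [first, last]; false if the range is empty. */
bool range_op_init(struct range_op *op, uint32_t first, uint32_t last)
{
	if (first > last)
		return false;
	op->next = first;
	op->remaining = range_count64(first, last);
	op->batches = 0;
	return true;
}

/*
 * Process at most BATCH_LIMIT elements under the lock, then release it.
 * Termination is driven by the 64-bit remaining count, not by comparing the
 * 32-bit cursor with last, so a range ending at UINT32_MAX still finishes.
 * Returns true while work remains; the caller yields and calls again.
 */
bool range_op_run_batch(struct range_op *op, bool add)
{
	uint64_t n = op->remaining < BATCH_LIMIT ? op->remaining : BATCH_LIMIT;
	set_lock();
	for (uint64_t i = 0; i < n; i++)
		set_update(op->next++, add); /* wraps to 0 only after the last element */
	op->remaining -= n;
	op->batches++;
	set_unlock();
	return op->remaining > 0;
}

/* Run a whole add/delete; returns the number of batches it took (0 if empty). */
unsigned range_op_apply(uint32_t first, uint32_t last, bool add)
{
	struct range_op op;
	if (!range_op_init(&op, first, last))
		return 0;
	while (range_op_run_batch(&op, add))
		; /* kernel equivalent: cond_resched() between batches */
	return op.batches;
}

int main(void)
{
	/* Constructed input: 3000 elements ending exactly at UINT32_MAX. */
	printf("batches: %u, /0 count: naive %u vs 64-bit %llu\n",
	       range_op_apply(UINT32_MAX - 2999u, UINT32_MAX, true),
	       naive_range_count32(0, UINT32_MAX), (unsigned long long)range_count64(0, UINT32_MAX));
	return 0;
}
```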
    • net: sparx5: Fix reading of the MAC address · 588ab2dc
      Horatiu Vultur authored
      There is an issue with the checking of the return value of
      'of_get_mac_address', which returns 0 on success and a negative value on
      failure. The driver interpreted the result the opposite way. Therefore,
      if there was a MAC address defined in the DT, then the driver was
      generating a random MAC address; otherwise it would use address 0.
      Fix this by checking correctly the return value of 'of_get_mac_address'.
      
      Fixes: b74ef9f9 ("net: sparx5: Do not use mac_addr uninitialized in mchp_sparx5_probe()")
      Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxlan: Fix memory leaks in error path · 06bf6294
      Ido Schimmel authored
      The memory allocated by vxlan_vnigroup_init() is not freed in the error
      path, leading to memory leaks [1]. Fix by calling
      vxlan_vnigroup_uninit() in the error path.
      
      The leaks can be reproduced by annotating gro_cells_init() with
      ALLOW_ERROR_INJECTION() and then running:
      
       # echo "100" > /sys/kernel/debug/fail_function/probability
       # echo "1" > /sys/kernel/debug/fail_function/times
       # echo "gro_cells_init" > /sys/kernel/debug/fail_function/inject
       # printf %#x -12 > /sys/kernel/debug/fail_function/gro_cells_init/retval
       # ip link add name vxlan0 type vxlan dstport 4789 external vnifilter
       RTNETLINK answers: Cannot allocate memory
      
      [1]
      unreferenced object 0xffff88810db84a00 (size 512):
        comm "ip", pid 330, jiffies 4295010045 (age 66.016s)
        hex dump (first 32 bytes):
          f8 d5 76 0e 81 88 ff ff 01 00 00 00 00 00 00 02  ..v.............
          03 00 04 00 48 00 00 00 00 00 00 01 04 00 01 00  ....H...........
        backtrace:
          [<ffffffff81a3097a>] kmalloc_trace+0x2a/0x60
          [<ffffffff82f049fc>] vxlan_vnigroup_init+0x4c/0x160
          [<ffffffff82ecd69e>] vxlan_init+0x1ae/0x280
          [<ffffffff836858ca>] register_netdevice+0x57a/0x16d0
          [<ffffffff82ef67b7>] __vxlan_dev_create+0x7c7/0xa50
          [<ffffffff82ef6ce6>] vxlan_newlink+0xd6/0x130
          [<ffffffff836d02ab>] __rtnl_newlink+0x112b/0x18a0
          [<ffffffff836d0a8c>] rtnl_newlink+0x6c/0xa0
          [<ffffffff836c0ddf>] rtnetlink_rcv_msg+0x43f/0xd40
          [<ffffffff83908ce0>] netlink_rcv_skb+0x170/0x440
          [<ffffffff839066af>] netlink_unicast+0x53f/0x810
          [<ffffffff839072d8>] netlink_sendmsg+0x958/0xe70
          [<ffffffff835c319f>] ____sys_sendmsg+0x78f/0xa90
          [<ffffffff835cd6da>] ___sys_sendmsg+0x13a/0x1e0
          [<ffffffff835cd94c>] __sys_sendmsg+0x11c/0x1f0
          [<ffffffff8424da78>] do_syscall_64+0x38/0x80
      unreferenced object 0xffff88810e76d5f8 (size 192):
        comm "ip", pid 330, jiffies 4295010045 (age 66.016s)
        hex dump (first 32 bytes):
          04 00 00 00 00 00 00 00 db e1 4f e7 00 00 00 00  ..........O.....
          08 d6 76 0e 81 88 ff ff 08 d6 76 0e 81 88 ff ff  ..v.......v.....
        backtrace:
          [<ffffffff81a3162e>] __kmalloc_node+0x4e/0x90
          [<ffffffff81a0e166>] kvmalloc_node+0xa6/0x1f0
          [<ffffffff8276e1a3>] bucket_table_alloc.isra.0+0x83/0x460
          [<ffffffff8276f18b>] rhashtable_init+0x43b/0x7c0
          [<ffffffff82f04a1c>] vxlan_vnigroup_init+0x6c/0x160
          [<ffffffff82ecd69e>] vxlan_init+0x1ae/0x280
          [<ffffffff836858ca>] register_netdevice+0x57a/0x16d0
          [<ffffffff82ef67b7>] __vxlan_dev_create+0x7c7/0xa50
          [<ffffffff82ef6ce6>] vxlan_newlink+0xd6/0x130
          [<ffffffff836d02ab>] __rtnl_newlink+0x112b/0x18a0
          [<ffffffff836d0a8c>] rtnl_newlink+0x6c/0xa0
          [<ffffffff836c0ddf>] rtnetlink_rcv_msg+0x43f/0xd40
          [<ffffffff83908ce0>] netlink_rcv_skb+0x170/0x440
          [<ffffffff839066af>] netlink_unicast+0x53f/0x810
          [<ffffffff839072d8>] netlink_sendmsg+0x958/0xe70
          [<ffffffff835c319f>] ____sys_sendmsg+0x78f/0xa90
      
      Fixes: f9c4bb0b ("vxlan: vni filtering support on collect metadata device")
      Signed-off-by: Ido Schimmel <idosch@nvidia.com>
      Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sched: htb: fix htb_classify() kernel-doc · 43d25378
      Randy Dunlap authored
      Fix W=1 kernel-doc warning:
      
      net/sched/sch_htb.c:214: warning: expecting prototype for htb_classify(). Prototype was for HTB_DIRECT() instead
      
      by moving the HTB_DIRECT() macro above the function.
      Add kernel-doc notation for function parameters as well.
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'cls_drop-fix' · 819fcf4a
      David S. Miller authored
      Jamal Hadi Salim says:
      
      ====================
      net: don't interpret cls results when asked to drop
      
      It is possible that an error in processing may occur in tcf_classify() which
      will result in res.classid being some garbage value. Example of such a code path
      is when the classifier goes into a loop due to bad policy. See patch 1/2
      for a sample splat.
      While the core code reacts correctly and asks the caller to drop the packet
      (by returning TC_ACT_SHOT), some callers first interpret the res.class as
      a pointer to memory and end up dropping the packet only after some activity with
      the pointer. There is a likelihood of this resulting in an exploit. So let's fix
      all the known qdiscs that behave this way.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sched: cbq: don't interpret cls results when asked to drop · caa4b35b
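The ordering problem the cover letter describes, as an added illustrative model rather than kernel code: a constructed stand-in for tcf_classify() that returns TC_ACT_SHOT without touching the result, beside a qdisc-side classify step in the pre-fix order (handle used, verdict checked afterwards) and in the fixed order applied to cbq and atm below. The TC_ACT_* values, struct tcf_result, toy_class, outcome and mock_tcf_classify are assumptions of this model; nothing here dereferences the stale handle, it only records which handle would have been used.

```c
#include <stdint.h>

/* Constructed stand-ins for the kernel's TC verdicts and struct tcf_result
 * (real ones: include/uapi/linux/pkt_cls.h, include/net/sch_generic.h). */
#define TC_ACT_OK   0
#define TC_ACT_SHOT 2
struct tcf_result { unsigned long class; uint32_t classid; };
struct toy_class { uint32_t classid; };
static struct toy_class default_class = { 0x10001u };

/* What the classify step decided and which handle it went on to use. */
struct outcome { int dropped; unsigned long handle_used; };

/* Stand-in for tcf_classify(): on a reclassify loop it returns TC_ACT_SHOT
 * and leaves *res untouched, so res.class keeps whatever was there. */
static int mock_tcf_classify(int loop_detected, struct tcf_result *res)
{
	if (loop_detected)
		return TC_ACT_SHOT;
	res->class = (unsigned long)&default_class;
	res->classid = default_class.classid;
	return TC_ACT_OK;
}

/* Pattern the series fixes: res.class is cast and used (recorded here, where
 * the real qdisc read through the pointer) before the verdict is examined. */
struct outcome classify_before_fix(int loop_detected)
{
	/* constructed stale value standing in for "some garbage value" */
	struct tcf_result res = { .class = 0xdeadbeefUL, .classid = 0 };
	struct outcome o = { 0, 0 };
	int verdict = mock_tcf_classify(loop_detected, &res);
	o.handle_used = res.class;      /* garbage treated as a class pointer */
	if (verdict == TC_ACT_SHOT)
		o.dropped = 1;              /* drop decided only afterwards */
	return o;
}

/* Fixed ordering: honour TC_ACT_SHOT before res.class is interpreted. */
struct outcome classify_after_fix(int loop_detected)
{
	struct tcf_result res = { .class = 0xdeadbeefUL, .classid = 0 };
	struct outcome o = { 0, 0 };
	int verdict = mock_tcf_classify(loop_detected, &res);
	if (verdict == TC_ACT_SHOT) {
		o.dropped = 1;
		return o;                   /* res.class never looked at */
	}
	o.handle_used = res.class;
	return o;
}
```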
      Jamal Hadi Salim authored
      If asked to drop a packet via TC_ACT_SHOT, it is unsafe to assume that
      res.class contains a valid pointer.
      
      Sample splat reported by Kyle Zeng
      
      [    5.405624] 0: reclassify loop, rule prio 0, protocol 800
      [    5.406326] ==================================================================
      [    5.407240] BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x54b/0xea0
      [    5.407987] Read of size 1 at addr ffff88800e3122aa by task poc/299
      [    5.408731]
      [    5.408897] CPU: 0 PID: 299 Comm: poc Not tainted 5.10.155+ #15
      [    5.409516] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.15.0-1 04/01/2014
      [    5.410439] Call Trace:
      [    5.410764]  dump_stack+0x87/0xcd
      [    5.411153]  print_address_description+0x7a/0x6b0
      [    5.411687]  ? vprintk_func+0xb9/0xc0
      [    5.411905]  ? printk+0x76/0x96
      [    5.412110]  ? cbq_enqueue+0x54b/0xea0
      [    5.412323]  kasan_report+0x17d/0x220
      [    5.412591]  ? cbq_enqueue+0x54b/0xea0
      [    5.412803]  __asan_report_load1_noabort+0x10/0x20
      [    5.413119]  cbq_enqueue+0x54b/0xea0
      [    5.413400]  ? __kasan_check_write+0x10/0x20
      [    5.413679]  __dev_queue_xmit+0x9c0/0x1db0
      [    5.413922]  dev_queue_xmit+0xc/0x10
      [    5.414136]  ip_finish_output2+0x8bc/0xcd0
      [    5.414436]  __ip_finish_output+0x472/0x7a0
      [    5.414692]  ip_finish_output+0x5c/0x190
      [    5.414940]  ip_output+0x2d8/0x3c0
      [    5.415150]  ? ip_mc_finish_output+0x320/0x320
      [    5.415429]  __ip_queue_xmit+0x753/0x1760
      [    5.415664]  ip_queue_xmit+0x47/0x60
      [    5.415874]  __tcp_transmit_skb+0x1ef9/0x34c0
      [    5.416129]  tcp_connect+0x1f5e/0x4cb0
      [    5.416347]  tcp_v4_connect+0xc8d/0x18c0
      [    5.416577]  __inet_stream_connect+0x1ae/0xb40
      [    5.416836]  ? local_bh_enable+0x11/0x20
      [    5.417066]  ? lock_sock_nested+0x175/0x1d0
      [    5.417309]  inet_stream_connect+0x5d/0x90
      [    5.417548]  ? __inet_stream_connect+0xb40/0xb40
      [    5.417817]  __sys_connect+0x260/0x2b0
      [    5.418037]  __x64_sys_connect+0x76/0x80
      [    5.418267]  do_syscall_64+0x31/0x50
      [    5.418477]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
      [    5.418770] RIP: 0033:0x473bb7
      [    5.418952] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00
      00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00
      00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34
      24 89
      [    5.420046] RSP: 002b:00007fffd20eb0f8 EFLAGS: 00000246 ORIG_RAX:
      000000000000002a
      [    5.420472] RAX: ffffffffffffffda RBX: 00007fffd20eb578 RCX: 0000000000473bb7
      [    5.420872] RDX: 0000000000000010 RSI: 00007fffd20eb110 RDI: 0000000000000007
      [    5.421271] RBP: 00007fffd20eb150 R08: 0000000000000001 R09: 0000000000000004
      [    5.421671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
      [    5.422071] R13: 00007fffd20eb568 R14: 00000000004fc740 R15: 0000000000000002
      [    5.422471]
      [    5.422562] Allocated by task 299:
      [    5.422782]  __kasan_kmalloc+0x12d/0x160
      [    5.423007]  kasan_kmalloc+0x5/0x10
      [    5.423208]  kmem_cache_alloc_trace+0x201/0x2e0
      [    5.423492]  tcf_proto_create+0x65/0x290
      [    5.423721]  tc_new_tfilter+0x137e/0x1830
      [    5.423957]  rtnetlink_rcv_msg+0x730/0x9f0
      [    5.424197]  netlink_rcv_skb+0x166/0x300
      [    5.424428]  rtnetlink_rcv+0x11/0x20
      [    5.424639]  netlink_unicast+0x673/0x860
      [    5.424870]  netlink_sendmsg+0x6af/0x9f0
      [    5.425100]  __sys_sendto+0x58d/0x5a0
      [    5.425315]  __x64_sys_sendto+0xda/0xf0
      [    5.425539]  do_syscall_64+0x31/0x50
      [    5.425764]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
      [    5.426065]
      [    5.426157] The buggy address belongs to the object at ffff88800e312200
      [    5.426157]  which belongs to the cache kmalloc-128 of size 128
      [    5.426955] The buggy address is located 42 bytes to the right of
      [    5.426955]  128-byte region [ffff88800e312200, ffff88800e312280)
      [    5.427688] The buggy address belongs to the page:
      [    5.427992] page:000000009875fabc refcount:1 mapcount:0
      mapping:0000000000000000 index:0x0 pfn:0xe312
      [    5.428562] flags: 0x100000000000200(slab)
      [    5.428812] raw: 0100000000000200 dead000000000100 dead000000000122
      ffff888007843680
      [    5.429325] raw: 0000000000000000 0000000000100010 00000001ffffffff
      ffff88800e312401
      [    5.429875] page dumped because: kasan: bad access detected
      [    5.430214] page->mem_cgroup:ffff88800e312401
      [    5.430471]
      [    5.430564] Memory state around the buggy address:
      [    5.430846]  ffff88800e312180: fc fc fc fc fc fc fc fc fc fc fc fc
      fc fc fc fc
      [    5.431267]  ffff88800e312200: 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 fc
      [    5.431705] >ffff88800e312280: fc fc fc fc fc fc fc fc fc fc fc fc
      fc fc fc fc
      [    5.432123]                                   ^
      [    5.432391]  ffff88800e312300: 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 fc
      [    5.432810]  ffff88800e312380: fc fc fc fc fc fc fc fc fc fc fc fc
      fc fc fc fc
      [    5.433229] ==================================================================
      [    5.433648] Disabling lock debugging due to kernel taint
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
      Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sched: atm: don't interpret cls results when asked to drop · a2965c7b
      Jamal Hadi Salim authored
      If asked to drop a packet via TC_ACT_SHOT, it is unsafe to assume that
      res.class contains a valid pointer.
      Fixes: b0188d4d ("[NET_SCHED]: sch_atm: Lindent")
      Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>