1. 03 Dec, 2022 5 commits
  2. 02 Dec, 2022 14 commits
    • Bluetooth: Fix crash when replugging CSR fake controllers · b5ca3387
      Luiz Augusto von Dentz authored
      It seems fake CSR 5.0 clones can cause the suspend notifier to be
      registered twice causing the following kernel panic:
      
      [   71.986122] Call Trace:
      [   71.986124]  <TASK>
      [   71.986125]  blocking_notifier_chain_register+0x33/0x60
      [   71.986130]  hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]
      [   71.986154]  btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]
      [   71.986159]  ? __pm_runtime_set_status+0x1a9/0x300
      [   71.986162]  ? ktime_get_mono_fast_ns+0x3e/0x90
      [   71.986167]  usb_probe_interface+0xe3/0x2b0
      [   71.986171]  really_probe+0xdb/0x380
      [   71.986174]  ? pm_runtime_barrier+0x54/0x90
      [   71.986177]  __driver_probe_device+0x78/0x170
      [   71.986180]  driver_probe_device+0x1f/0x90
      [   71.986183]  __device_attach_driver+0x89/0x110
      [   71.986186]  ? driver_allows_async_probing+0x70/0x70
      [   71.986189]  bus_for_each_drv+0x8c/0xe0
      [   71.986192]  __device_attach+0xb2/0x1e0
      [   71.986195]  bus_probe_device+0x92/0xb0
      [   71.986198]  device_add+0x422/0x9a0
      [   71.986201]  ? sysfs_merge_group+0xd4/0x110
      [   71.986205]  usb_set_configuration+0x57a/0x820
      [   71.986208]  usb_generic_driver_probe+0x4f/0x70
      [   71.986211]  usb_probe_device+0x3a/0x110
      [   71.986213]  really_probe+0xdb/0x380
      [   71.986216]  ? pm_runtime_barrier+0x54/0x90
      [   71.986219]  __driver_probe_device+0x78/0x170
      [   71.986221]  driver_probe_device+0x1f/0x90
      [   71.986224]  __device_attach_driver+0x89/0x110
      [   71.986227]  ? driver_allows_async_probing+0x70/0x70
      [   71.986230]  bus_for_each_drv+0x8c/0xe0
      [   71.986232]  __device_attach+0xb2/0x1e0
      [   71.986235]  bus_probe_device+0x92/0xb0
      [   71.986237]  device_add+0x422/0x9a0
      [   71.986239]  ? _dev_info+0x7d/0x98
      [   71.986242]  ? blake2s_update+0x4c/0xc0
      [   71.986246]  usb_new_device.cold+0x148/0x36d
      [   71.986250]  hub_event+0xa8a/0x1910
      [   71.986255]  process_one_work+0x1c4/0x380
      [   71.986259]  worker_thread+0x51/0x390
      [   71.986262]  ? rescuer_thread+0x3b0/0x3b0
      [   71.986264]  kthread+0xdb/0x110
      [   71.986266]  ? kthread_complete_and_exit+0x20/0x20
      [   71.986268]  ret_from_fork+0x1f/0x30
      [   71.986273]  </TASK>
      [   71.986274] ---[ end trace 0000000000000000 ]---
      [   71.986284] btusb: probe of 2-1.6:1.0 failed with error -17
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216683
      Cc: stable@vger.kernel.org
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Tested-by: Leonardo Eugênio <lelgenio@disroot.org>
    • Bluetooth: Fix not cleanup led when bt_init fails · 2f3957c7
      Chen Zhongjin authored
      bt_init() calls bt_leds_init() to register led, but if it fails later,
      bt_leds_cleanup() is not called to unregister it.
      
      This can cause panic if the argument "bluetooth-power" in text is freed
      and then another led_trigger_register() tries to access it:
      
      BUG: unable to handle page fault for address: ffffffffc06d3bc0
      RIP: 0010:strcmp+0xc/0x30
        Call Trace:
          <TASK>
          led_trigger_register+0x10d/0x4f0
          led_trigger_register_simple+0x7d/0x100
          bt_init+0x39/0xf7 [bluetooth]
          do_one_initcall+0xd0/0x4e0
      
      Fixes: e64c97b5 ("Bluetooth: Add combined LED trigger for controller power")
      Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: Fix support for Read Local Supported Codecs V2 · 828cea2b
      Chethan T N authored
      Handling of Read Local Supported Codecs was broken during the
      HCI serialization design change patches.
      
      Fixes: d0b13706 ("Bluetooth: hci_sync: Rework init stages")
      Signed-off-by: Chethan T N <chethan.tumkur.narayan@intel.com>
      Signed-off-by: Kiran K <kiran.k@intel.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: Remove codec id field in vendor codec definition · 93df7d56
      Chethan T N authored
      As per the specification vendor codec id is defined.
      BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2127
      
      Fixes: 9ae66402 ("Bluetooth: Add support for Read Local Supported Codecs V2")
      Signed-off-by: Chethan T N <chethan.tumkur.narayan@intel.com>
      Signed-off-by: Kiran K <kiran.k@intel.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: L2CAP: Fix u8 overflow · bcd70260
      Sungwoo Kim authored
      By continuing to send L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
      multiple times and eventually it will wrap around the maximum number
      (i.e., 255).
      This patch prevents this by adding a boundary check with
      L2CAP_MAX_CONF_RSP.
      
      Btmon log:
      Bluetooth monitor ver 5.64
      = Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
      = Note: Bluetooth subsystem version 2.22                               0.264636
      @ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
      = New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
      @ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
      = Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
      (...)
      > ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
              invalid packet size (12 != 1033)
              08 00 01 00 02 01 04 00 01 10 ff ff              ............
      > ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
              invalid packet size (14 != 1547)
              0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
      > ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
              invalid packet size (16 != 2061)
              0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
      > ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
              invalid packet size (16 != 2061)
              0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
      = bluetoothd: Bluetooth daemon 5.43                                   14.401828
      > ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
              invalid packet size (12 != 1033)
              08 00 01 00 04 01 04 00 40 00 00 00              ........@...
      Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
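A user-space model of the counter wraparound described in the L2CAP commit message above, added here as an illustration and not taken from the patch or the kernel tree. `struct chan_model`, both handlers, `looks_unanswered()` and the value given to `L2CAP_MAX_CONF_RSP` are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this model; the commit message names the limit but not its value. */
#define L2CAP_MAX_CONF_RSP 2

/* Hypothetical stand-in for the one channel field the commit message mentions. */
struct chan_model {
	uint8_t num_conf_rsp;	/* 8-bit counter, as in the commit title */
};

typedef void (*conf_req_handler)(struct chan_model *);

/* Behaviour described as the bug: every configuration request bumps the counter. */
static void conf_req_unbounded(struct chan_model *chan)
{
	chan->num_conf_rsp++;	/* 255 + 1 is stored as 0 in a uint8_t */
}

/* One way to express the boundary check: stop counting at the limit. */
static void conf_req_bounded(struct chan_model *chan)
{
	if (chan->num_conf_rsp < L2CAP_MAX_CONF_RSP)
		chan->num_conf_rsp++;
}

/* Hypothetical consumer of the counter: zero is read as "nothing answered yet". */
static int looks_unanswered(const struct chan_model *chan)
{
	return chan->num_conf_rsp == 0;
}

/* Counter value after n configuration requests. */
static uint8_t count_after(conf_req_handler handle, unsigned int n)
{
	struct chan_model chan = { 0 };
	unsigned int i;

	for (i = 0; i < n; i++)
		handle(&chan);
	return chan.num_conf_rsp;
}

/* How often, over n requests, an already-answered channel looks unanswered again. */
static unsigned int stale_state_hits(conf_req_handler handle, unsigned int n)
{
	struct chan_model chan = { 0 };
	unsigned int i, hits = 0;

	for (i = 0; i < n; i++) {
		handle(&chan);
		if (looks_unanswered(&chan))
			hits++;
	}
	return hits;
}

int main(void)
{
	printf("unbounded: after 255 -> %u, after 256 -> %u\n",
	       (unsigned int)count_after(conf_req_unbounded, 255),
	       (unsigned int)count_after(conf_req_unbounded, 256));
	printf("bounded:   after 1000 -> %u\n",
	       (unsigned int)count_after(conf_req_bounded, 1000));
	printf("stale-state hits in 1000 requests: unbounded %u, bounded %u\n",
	       stale_state_hits(conf_req_unbounded, 1000),
	       stale_state_hits(conf_req_bounded, 1000));
	return 0;
}
```

Any logic that compares such a counter against zero or a small limit sees inconsistent state once the peer has sent 256 requests; saturating the counter at the limit keeps those comparisons stable.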
    • Bluetooth: silence a dmesg error message in hci_request.c · 696bd362
      Mateusz Jończyk authored
      On kernel 6.1-rcX, I have been getting the following dmesg error message
      on every boot, resume from suspend and rfkill unblock of the Bluetooth
      device:
      
      	Bluetooth: hci0: HCI_REQ-0xfcf0
      
      After some investigation, it turned out to be caused by
      commit dd50a864 ("Bluetooth: Delete unreferenced hci_request code")
      which modified hci_req_add() in net/bluetooth/hci_request.c to always
      print an error message when it is executed. In my case, the function was
      executed by msft_set_filter_enable() in net/bluetooth/msft.c, which
      provides support for Microsoft vendor opcodes.
      
      As explained by Brian Gix, "the error gets logged because it is using a
      deprecated (but still working) mechanism to issue HCI opcodes" [1]. So
      this is just a debugging tool to show that a deprecated function is
      executed. As such, it should not be included in the mainline kernel.
      See for example
      commit 771c0353 ("deprecate the '__deprecated' attribute warnings entirely and for good")
      Additionally, this error message is cryptic and the user is not able to
      do anything about it.
      
      [1]
      Link: https://lore.kernel.org/lkml/beb8dcdc3aee4c5c833aa382f35995f17e7961a1.camel@intel.com/
      
      Fixes: dd50a864 ("Bluetooth: Delete unreferenced hci_request code")
      Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
      Cc: Brian Gix <brian.gix@intel.com>
      Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: hci_conn: add missing hci_dev_put() in iso_listen_bis() · 7e7df2c1
      Wang ShaoBo authored
      hci_get_route() takes a reference, we should use hci_dev_put() to release
      it when it is not needed anymore.
      
      Fixes: f764a6c2 ("Bluetooth: ISO: Add broadcast support")
      Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() · 747da130
      Wang ShaoBo authored
      hci_get_route() takes a reference, we should use hci_dev_put() to release
      it when it is not needed anymore.
      
      Fixes: 6b8d4a6a ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one")
      Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btusb: Add debug message for CSR controllers · 955aebd4
      Ismael Ferreras Morezuelas authored
      The rationale of showing this is that it's potentially critical
      information to diagnose and find more CSR compatibility bugs in the
      future and it will save a lot of headaches.
      
      Given that clones come from a wide array of vendors (some are actually
      Barrot, some are something else) and these numbers are what let us find
      differences between actual and fake ones, it will be immensely helpful
      to scour the Internet looking for this pattern and building an actual
      database to find correlations and improve the checks.
      
      Cc: stable@vger.kernel.org
      Cc: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: btusb: Fix CSR clones again by re-adding ERR_DATA_REPORTING quirk · 42d7731e
      Ismael Ferreras Morezuelas authored
      A patch series by a Qualcomm engineer essentially removed my
      quirk/workaround because they thought it was unnecessary.
      
      It wasn't, and it broke everything again:
      
      https://patchwork.kernel.org/project/netdevbpf/list/?series=661703&archive=both&state=*
      
      He argues that the quirk is not necessary because the code should check
      if the dongle says if it's supported or not. The problem is that for
      these Chinese CSR clones they say that it would work:
      
      = New Index: 00:00:00:00:00:00 (Primary,USB,hci0)
      = Open Index: 00:00:00:00:00:00
      < HCI Command: Read Local Version Information (0x04|0x0001) plen 0
      > HCI Event: Command Complete (0x0e) plen 12
      > [hci0] 11.276039
            Read Local Version Information (0x04|0x0001) ncmd 1
              Status: Success (0x00)
              HCI version: Bluetooth 5.0 (0x09) - Revision 2064 (0x0810)
              LMP version: Bluetooth 5.0 (0x09) - Subversion 8978 (0x2312)
              Manufacturer: Cambridge Silicon Radio (10)
      ...
      < HCI Command: Read Local Supported Features (0x04|0x0003) plen 0
      > HCI Event: Command Complete (0x0e) plen 68
      > [hci0] 11.668030
            Read Local Supported Commands (0x04|0x0002) ncmd 1
              Status: Success (0x00)
              Commands: 163 entries
                ...
                Read Default Erroneous Data Reporting (Octet 18 - Bit 2)
                Write Default Erroneous Data Reporting (Octet 18 - Bit 3)
                ...
      ...
      < HCI Command: Read Default Erroneous Data Reporting (0x03|0x005a) plen 0
      = Close Index: 00:1A:7D:DA:71:XX
      
      So bring it back wholesale.
      
      Fixes: 63b1a7dd ("Bluetooth: hci_sync: Remove HCI_QUIRK_BROKEN_ERR_DATA_REPORTING")
      Fixes: e168f690 ("Bluetooth: btusb: Remove HCI_QUIRK_BROKEN_ERR_DATA_REPORTING for fake CSR")
      Fixes: 766ae242 ("Bluetooth: hci_sync: Check LMP feature bit instead of quirk")
      Cc: stable@vger.kernel.org
      Cc: Zijun Hu <quic_zijuhu@quicinc.com>
      Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Cc: Hans de Goede <hdegoede@redhat.com>
      Tested-by: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
      Signed-off-by: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
      Reviewed-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Merge branch 'vmxnet3-fixes' · e931a173
      David S. Miller authored
      Ronak Doshi says:
      
      ====================
      vmxnet3: couple of fixes
      
      This series fixes following issues:
      
      Patch 1:
        This patch provides a fix to correctly report encapsulated LRO'ed
        packet.
      
      Patch 2:
        This patch provides a fix to use correct intrConf reference.
      
      Changes in v2:
      - declare generic descriptor to be used
      - remove white spaces
      - remove single quote around commit reference in patch 2
      - remove if check for encap_lro
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vmxnet3: use correct intrConf reference when using extended queues · 409e8ec8
      Ronak Doshi authored
      Commit 39f9895a ("vmxnet3: add support for 32 Tx/Rx queues")
      added support for 32Tx/Rx queues. As a part of this patch, intrConf
      structure was extended to incorporate increased queues.
      
      This patch fixes the issue where incorrect reference is being used.
      
      Fixes: 39f9895a ("vmxnet3: add support for 32 Tx/Rx queues")
      Signed-off-by: Ronak Doshi <doshir@vmware.com>
      Acked-by: Guolin Yang <gyang@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vmxnet3: correctly report encapsulated LRO packet · 40b8c2a1
      Ronak Doshi authored
      Commit dacce2be ("vmxnet3: add geneve and vxlan tunnel offload
      support") added support for encapsulation offload. However, the
      patch did not report correctly the encapsulated packet which is
      LRO'ed by the hypervisor.
      
      This patch fixes this issue by using correct callback for the LRO'ed
      encapsulated packet.
      
      Fixes: dacce2be ("vmxnet3: add geneve and vxlan tunnel offload support")
      Signed-off-by: Ronak Doshi <doshir@vmware.com>
      Acked-by: Guolin Yang <gyang@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 4eb0c285
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-11-30 (e1000e, igb)
      
      This series contains updates to e1000e and igb drivers.
      
      Akihiko Odaki fixes calculation for checking whether space for next
      frame exists for e1000e and properly sets MSI-X vector to fix failing
      ethtool interrupt test for igb.
      
      * '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        igb: Allocate MSI-X vector when testing
        e1000e: Fix TX dispatch condition
      ====================
      
      Link: https://lore.kernel.org/r/20221130194228.3257787-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 01 Dec, 2022 7 commits
    • inet: ping: use hlist_nulls rcu iterator during lookup · c25b7a7a
      Florian Westphal authored
      ping_lookup() does not acquire the table spinlock, so iteration should
      use hlist_nulls_for_each_entry_rcu().
      
      Spotted during code review.
      
      Fixes: dbca1596 ("ping: convert to RCU lookups, get rid of rwlock")
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Link: https://lore.kernel.org/r/20221129140644.28525-1-fw@strlen.de
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge branch 'af_unix-fix-a-null-deref-in-sk_diag_dump_uid' · 9aff0ec5
      Paolo Abeni authored
      Kuniyuki Iwashima says:
      
      ====================
      af_unix: Fix a NULL deref in sk_diag_dump_uid().
      
      The first patch fixes a NULL deref when we dump an AF_UNIX socket's UID,
      and the second patch adds a repro/test for such a case.
      ====================
      
      Link: https://lore.kernel.org/r/20221127012412.37969-1-kuniyu@amazon.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • af_unix: Add test for sock_diag and UDIAG_SHOW_UID. · ac011361
      Kuniyuki Iwashima authored
      The test prog dumps a single AF_UNIX socket's UID with and without
      unshare(CLONE_NEWUSER) and checks if it matches the result of getuid().
      
      Without the preceding patch, the test prog is killed by a NULL deref
      in sk_diag_dump_uid().
      
        # ./diag_uid
        TAP version 13
        1..2
        # Starting 2 tests from 3 test cases.
        #  RUN           diag_uid.uid.1 ...
        BUG: kernel NULL pointer dereference, address: 0000000000000270
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 105212067 P4D 105212067 PUD 1051fe067 PMD 0
        Oops: 0000 [#1] PREEMPT SMP NOPTI
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
        RIP: 0010:sk_diag_fill (./include/net/sock.h:920 net/unix/diag.c:119 net/unix/diag.c:170)
        ...
        # 1: Test terminated unexpectedly by signal 9
        #          FAIL  diag_uid.uid.1
        not ok 1 diag_uid.uid.1
        #  RUN           diag_uid.uid_unshare.1 ...
        # 1: Test terminated by timeout
        #          FAIL  diag_uid.uid_unshare.1
        not ok 2 diag_uid.uid_unshare.1
        # FAILED: 0 / 2 tests passed.
        # Totals: pass:0 fail:2 xfail:0 xpass:0 skip:0 error:0
      
      With the patch, the test succeeds.
      
        # ./diag_uid
        TAP version 13
        1..2
        # Starting 2 tests from 3 test cases.
        #  RUN           diag_uid.uid.1 ...
        #            OK  diag_uid.uid.1
        ok 1 diag_uid.uid.1
        #  RUN           diag_uid.uid_unshare.1 ...
        #            OK  diag_uid.uid_unshare.1
        ok 2 diag_uid.uid_unshare.1
        # PASSED: 2 / 2 tests passed.
        # Totals: pass:2 fail:0 xfail:0 xpass:0 skip:0 error:0
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • af_unix: Get user_ns from in_skb in unix_diag_get_exact(). · b3abe42e
      Kuniyuki Iwashima authored
      Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
      the root cause: in unix_diag_get_exact(), the newly allocated skb does not
      have sk. [2]
      
      We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
      sk_diag_fill().
      
      [0]:
      BUG: kernel NULL pointer dereference, address: 0000000000000270
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
      RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
      RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
      RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
      Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
      54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
      9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
      RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
      RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
      RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
      RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
      R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
      R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
      FS:  00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       unix_diag_get_exact net/unix/diag.c:285 [inline]
       unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
       __sock_diag_cmd net/core/sock_diag.c:235 [inline]
       sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
       netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
       sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
       netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
       netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
       netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg net/socket.c:734 [inline]
       ____sys_sendmsg+0x38f/0x500 net/socket.c:2476
       ___sys_sendmsg net/socket.c:2530 [inline]
       __sys_sendmsg+0x197/0x230 net/socket.c:2559
       __do_sys_sendmsg net/socket.c:2568 [inline]
       __se_sys_sendmsg net/socket.c:2566 [inline]
       __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x4697f9
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
      89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
      01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
      R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
       </TASK>
      Modules linked in:
      CR2: 0000000000000270
      
      [1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
      [2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
      
      Fixes: cae9910e ("net: Add UNIX_DIAG_UID to Netlink UNIX socket diagnostics.")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Reported-by: Wei Chen <harperchen1110@gmail.com>
      Diagnosed-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d68d7d20
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      1) Check for interval validity in all concatenation fields in
         nft_set_pipapo, from Stefano Brivio.
      
      2) Missing preemption disabled in conntrack and flowtable stat
         updates, from Xin Long.
      
      3) Fix compilation warning when CONFIG_NF_CONNTRACK_MARK=n.
      
      Except for 3) which was a bug introduced in a recent fix in 6.1-rc
      - anything else, broken for several releases.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark
        netfilter: conntrack: fix using __this_cpu_add in preemptible
        netfilter: flowtable_offload: fix using __this_cpu_add in preemptible
        netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one
      ====================
      
      Link: https://lore.kernel.org/r/20221130121934.1125-1-pablo@netfilter.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ethernet: ti: am65-cpsw: Fix RGMII configuration at SPEED_10 · 6c681f89
      Siddharth Vadapalli authored
      The am65-cpsw driver supports configuring all RGMII variants at interface
      speed of 10 Mbps. However, in the process of shifting to the PHYLINK
      framework, the support for all variants of RGMII except the
      PHY_INTERFACE_MODE_RGMII variant was accidentally removed.
      
      Fix this by using phy_interface_mode_is_rgmii() to check for all variants
      of RGMII mode.
      
      Fixes: e8609e69 ("net: ethernet: ti: am65-cpsw: Convert to PHYLINK")
      Reported-by: Schuyler Patton <spatton@ti.com>
      Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
      Link: https://lore.kernel.org/r/20221129050639.111142-1-s-vadapalli@ti.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: broadcom: Add PTP_1588_CLOCK_OPTIONAL dependency for BCMGENET under ARCH_BCM2835 · 421f8663
      YueHaibing authored
      commit 8d820bc9 ("net: broadcom: Fix BCMGENET Kconfig") fixes builds
      that contain 99addbe3 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
      and enable BCMGENET=y but PTP_1588_CLOCK_OPTIONAL=m, which otherwise
      leads to a link failure. However this may trigger a runtime failure.
      
      Fix the original issue by propagating the PTP_1588_CLOCK_OPTIONAL dependency
      of BROADCOM_PHY down to BCMGENET.
      
      Fixes: 8d820bc9 ("net: broadcom: Fix BCMGENET Kconfig")
      Fixes: 99addbe3 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
      Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
      Suggested-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20221125115003.30308-1-yuehaibing@huawei.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  4. 30 Nov, 2022 4 commits
    • igb: Allocate MSI-X vector when testing · 28e96556
      Akihiko Odaki authored
      Without this change, the interrupt test fails with MSI-X environment:
      
      $ sudo ethtool -t enp0s2 offline
      [   43.921783] igb 0000:00:02.0: offline testing starting
      [   44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down
      [   44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
      [   51.272202] igb 0000:00:02.0: testing shared interrupt
      [   56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
      The test result is FAIL
      The test extra info:
      Register test  (offline)	 0
      Eeprom test    (offline)	 0
      Interrupt test (offline)	 4
      Loopback test  (offline)	 0
      Link test   (on/offline)	 0
      
      Here, "4" means an expected interrupt was not delivered.
      
      To fix this, route IRQs correctly to the first MSI-X vector by setting
      IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be
      masked. The interrupt test now runs properly with this change:
      
      $ sudo ethtool -t enp0s2 offline
      [   42.762985] igb 0000:00:02.0: offline testing starting
      [   50.141967] igb 0000:00:02.0: testing shared interrupt
      [   56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
      The test result is PASS
      The test extra info:
      Register test  (offline)	 0
      Eeprom test    (offline)	 0
      Interrupt test (offline)	 0
      Loopback test  (offline)	 0
      Link test   (on/offline)	 0
      
      Fixes: 4eefa8f0 ("igb: add single vector msi-x testing to interrupt test")
      Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
      Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
      Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    • e1000e: Fix TX dispatch condition · eed913f6
      Akihiko Odaki authored
      e1000_xmit_frame is expected to stop the queue and dispatch frames to
      hardware if there is not sufficient space for the next frame in the
      buffer, but sometimes it failed to do so because the estimated maximum
      size of frame was wrong. As a consequence, the later invocation of
      e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer
      remained forever, resulting in a watchdog failure.
      
      This change fixes the estimated size by making it match with the
      condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to
      account for the following lines which determine the space requirement
      for not causing NETDEV_TX_BUSY:
          ```
          	/* reserve a descriptor for the offload context */
          	if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL))
          		count++;
          	count++;
      
          	count += DIV_ROUND_UP(len, adapter->tx_fifo_limit);
          ```
      
      This issue was found when running http-stress02 test included in Linux
      Test Project 20220930 on QEMU with the following commandline:
      ```
      qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8
      	-drive if=virtio,format=raw,file=root.img,file.locking=on
      	-device e1000e,netdev=netdev
      	-netdev tap,script=ifup,downscript=no,id=netdev
      ```
      
      Fixes: bc7f75fa ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
      Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
      Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Tested-by: Naama Meir <naamax.meir@linux.intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    • netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark · 1feeae07
      Pablo Neira Ayuso authored
      All warnings (new ones prefixed by >>):
      
         net/netfilter/nf_conntrack_netlink.c: In function '__ctnetlink_glue_build':
      >> net/netfilter/nf_conntrack_netlink.c:2674:13: warning: unused variable 'mark' [-Wunused-variable]
          2674 |         u32 mark;
               |             ^~~~
      
      Fixes: 52d1aa8b ("netfilter: conntrack: Fix data-races around ct mark")
      Reported-by: kernel test robot <lkp@intel.com>
      Tested-by: Ivan Babrou <ivan@ivan.computer>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: conntrack: fix using __this_cpu_add in preemptible · 9464d0b6
      Xin Long authored
      Currently in nf_conntrack_hash_check_insert(), when it fails in
      nf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in the
      preemptible context, a call trace can be triggered:
      
         BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636
         caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
         Call Trace:
          <TASK>
          dump_stack_lvl+0x33/0x46
          check_preemption_disabled+0xc3/0xf0
          nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
          ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]
          ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]
          nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]
          netlink_rcv_skb+0x50/0x100
          nfnetlink_rcv+0x65/0x144 [nfnetlink]
          netlink_unicast+0x1ae/0x290
          netlink_sendmsg+0x257/0x4f0
          sock_sendmsg+0x5f/0x70
      
      This patch is to fix it by changing to use NF_CT_STAT_INC_ATOMIC() for
      nf_ct_ext_valid_pre/post() check in nf_conntrack_hash_check_insert(),
      as well as nf_ct_ext_valid_post() in __nf_conntrack_confirm().
      
      Note that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is
      safe to use NF_CT_STAT_INC(), as it's under local_bh_disable().
      
      Fixes: c56716c6 ("netfilter: extensions: introduce extension genid count")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  5. 29 Nov, 2022 10 commits