1. 13 Apr, 2024 4 commits
    • Asbjørn Sloth Tønnesen's avatar
      net: sparx5: flower: fix fragment flags handling · 68aba004
      Asbjørn Sloth Tønnesen authored
      I noticed that only 3 out of the 4 input bits were used,
      mt.key->flags & FLOW_DIS_IS_FRAGMENT was never checked.
      
      In order to avoid a complicated maze, I converted it to
      use a 16 byte mapping table.
      
      As shown in the table below the old heuristics doesn't
      always do the right thing, ie. when FLOW_DIS_IS_FRAGMENT=1/1
      then it used to only match follow-up fragment packets.
      
      Here are all the combinations, and their resulting new/old
      VCAP key/mask filter:
      
        /- FLOW_DIS_IS_FRAGMENT (key/mask)
        |    /- FLOW_DIS_FIRST_FRAG (key/mask)
        |    |    /-- new VCAP fragment (key/mask)
        v    v    v    v- old VCAP fragment (key/mask)
      
       0/0  0/0  -/-  -/-     impossible (due to entry cond. on mask)
       0/0  0/1  -/-  0/3 !!  invalid (can't match non-fragment + follow-up frag)
       0/0  1/0  -/-  -/-     impossible (key > mask)
       0/0  1/1  1/3  1/3     first fragment
      
       0/1  0/0  0/3  3/3 !!  not fragmented
       0/1  0/1  0/3  3/3 !!  not fragmented (+ not first fragment)
       0/1  1/0  -/-  -/-     impossible (key > mask)
       0/1  1/1  -/-  1/3 !!  invalid (non-fragment and first frag)
      
       1/0  0/0  -/-  -/-     impossible (key > mask)
       1/0  0/1  -/-  -/-     impossible (key > mask)
       1/0  1/0  -/-  -/-     impossible (key > mask)
       1/0  1/1  -/-  -/-     impossible (key > mask)
      
       1/1  0/0  1/1  3/3 !!  some fragment
       1/1  0/1  3/3  3/3     follow-up fragment
       1/1  1/0  -/-  -/-     impossible (key > mask)
       1/1  1/1  1/3  1/3     first fragment
      
      In the datasheet the VCAP fragment values are documented as:
       0 = no fragment
       1 = initial fragment
       2 = suspicious fragment
       3 = valid follow-up fragment
      
      Result: 3 combinations match the old behavior,
              3 combinations have been corrected,
              2 combinations are now invalid, and fail,
              8 combinations are impossible.
      
      It should now be aligned with how FLOW_DIS_IS_FRAGMENT
      and FLOW_DIS_FIRST_FRAG is set in __skb_flow_dissect() in
      net/core/flow_dissector.c
      
      Since the VCAP fragment values are not a bitfield, we have
      to ignore the suspicious fragment value, eg. when matching
      on any kind of fragment with FLOW_DIS_IS_FRAGMENT=1/1.
      
      Only compile tested, and logic tested in userspace, as I
      unfortunately don't have access to this switch chip (yet).
      
      Fixes: d6c2964d ("net: microchip: sparx5: Adding more tc flower keys for the IS2 VCAP")
      Signed-off-by: default avatarAsbjørn Sloth Tønnesen <ast@fiberby.net>
      Reviewed-by: default avatarSteen Hegelund <Steen.Hegelund@microchip.com>
      Tested-by: default avatarDaniel Machon <daniel.machon@microchip.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://lore.kernel.org/r/20240411111321.114095-1-ast@fiberby.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      68aba004
    • Jakub Kicinski's avatar
      Merge branch 'af_unix-fix-msg_oob-bugs-with-msg_peek' · 27f58f7f
      Jakub Kicinski authored
      Kuniyuki Iwashima says:
      
      ====================
      af_unix: Fix MSG_OOB bugs with MSG_PEEK.
      
      Currently, OOB data can be read without MSG_OOB accidentally
      in two cases, and this seris fixes the bugs.
      
      v1: https://lore.kernel.org/netdev/20240409225209.58102-1-kuniyu@amazon.com/
      ====================
      
      Link: https://lore.kernel.org/r/20240410171016.7621-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      27f58f7f
    • Kuniyuki Iwashima's avatar
      af_unix: Don't peek OOB data without MSG_OOB. · 22dd70eb
      Kuniyuki Iwashima authored
      Currently, we can read OOB data without MSG_OOB by using MSG_PEEK
      when OOB data is sitting on the front row, which is apparently
      wrong.
      
        >>> from socket import *
        >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
        >>> c1.send(b'a', MSG_OOB)
        1
        >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
        b'a'
      
      If manage_oob() is called when no data has been copied, we only
      check if the socket enables SO_OOBINLINE or MSG_PEEK is not used.
      Otherwise, the skb is returned as is.
      
      However, here we should return NULL if MSG_PEEK is set and no data
      has been copied.
      
      Also, in such a case, we should not jump to the redo label because
      we will be caught in the loop and hog the CPU until normal data
      comes in.
      
      Then, we need to handle skb == NULL case with the if-clause below
      the manage_oob() block.
      
      With this patch:
      
        >>> from socket import *
        >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
        >>> c1.send(b'a', MSG_OOB)
        1
        >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
        Traceback (most recent call last):
          File "<stdin>", line 1, in <module>
        BlockingIOError: [Errno 11] Resource temporarily unavailable
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240410171016.7621-3-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      22dd70eb
    • Kuniyuki Iwashima's avatar
      af_unix: Call manage_oob() for every skb in unix_stream_read_generic(). · 283454c8
      Kuniyuki Iwashima authored
      When we call recv() for AF_UNIX socket, we first peek one skb and
      calls manage_oob() to check if the skb is sent with MSG_OOB.
      
      However, when we fetch the next (and the following) skb, manage_oob()
      is not called now, leading a wrong behaviour.
      
      Let's say a socket send()s "hello" with MSG_OOB and the peer tries
      to recv() 5 bytes with MSG_PEEK.  Here, we should get only "hell"
      without 'o', but actually not:
      
        >>> from socket import *
        >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
        >>> c1.send(b'hello', MSG_OOB)
        5
        >>> c2.recv(5, MSG_PEEK)
        b'hello'
      
      The first skb fills 4 bytes, and the next skb is peeked but not
      properly checked by manage_oob().
      
      Let's move up the again label to call manage_oob() for evry skb.
      
      With this patch:
      
        >>> from socket import *
        >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
        >>> c1.send(b'hello', MSG_OOB)
        5
        >>> c2.recv(5, MSG_PEEK)
        b'hell'
      
      Fixes: 314001f0 ("af_unix: Add OOB support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240410171016.7621-2-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      283454c8
  2. 12 Apr, 2024 1 commit
    • David S. Miller's avatar
      Merge tag 'nf-24-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 90be7a5c
      David S. Miller authored
      netfilter pull request 24-04-11
      
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      Patches #1 and #2 add missing rcu read side lock when iterating over
      expression and object type list which could race with module removal.
      
      Patch #3 prevents promisc packet from visiting the bridge/input hook
      	 to amend a recent fix to address conntrack confirmation race
      	 in br_netfilter and nf_conntrack_bridge.
      
      Patch #4 adds and uses iterate decorator type to fetch the current
      	 pipapo set backend datastructure view when netlink dumps the
      	 set elements.
      
      Patch #5 fixes removal of duplicate elements in the pipapo set backend.
      
      Patch #6 flowtable validates pppoe header before accessing it.
      
      Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
               fails and pppoe packets follow classic path.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      90be7a5c
  3. 11 Apr, 2024 35 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 2ae9a897
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bluetooth.
      
        Current release - new code bugs:
      
         - netfilter: complete validation of user input
      
         - mlx5: disallow SRIOV switchdev mode when in multi-PF netdev
      
        Previous releases - regressions:
      
         - core: fix u64_stats_init() for lockdep when used repeatedly in one
           file
      
         - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
      
         - bluetooth: fix memory leak in hci_req_sync_complete()
      
         - batman-adv: avoid infinite loop trying to resize local TT
      
         - drv: geneve: fix header validation in geneve[6]_xmit_skb
      
         - drv: bnxt_en: fix possible memory leak in
           bnxt_rdma_aux_device_init()
      
         - drv: mlx5: offset comp irq index in name by one
      
         - drv: ena: avoid double-free clearing stale tx_info->xdpf value
      
         - drv: pds_core: fix pdsc_check_pci_health deadlock
      
        Previous releases - always broken:
      
         - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
      
         - bluetooth: fix setsockopt not validating user input
      
         - af_unix: clear stale u->oob_skb.
      
         - nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
      
         - drv: virtio_net: fix guest hangup on invalid RSS update
      
         - drv: mlx5e: Fix mlx5e_priv_init() cleanup flow
      
         - dsa: mt7530: trap link-local frames regardless of ST Port State"
      
      * tag 'net-6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (59 commits)
        net: ena: Set tx_info->xdpf value to NULL
        net: ena: Fix incorrect descriptor free behavior
        net: ena: Wrong missing IO completions check order
        net: ena: Fix potential sign extension issue
        af_unix: Fix garbage collector racing against connect()
        net: dsa: mt7530: trap link-local frames regardless of ST Port State
        Revert "s390/ism: fix receive message buffer allocation"
        net: sparx5: fix wrong config being used when reconfiguring PCS
        net/mlx5: fix possible stack overflows
        net/mlx5: Disallow SRIOV switchdev mode when in multi-PF netdev
        net/mlx5e: RSS, Block XOR hash with over 128 channels
        net/mlx5e: Do not produce metadata freelist entries in Tx port ts WQE xmit
        net/mlx5e: HTB, Fix inconsistencies with QoS SQs number
        net/mlx5e: Fix mlx5e_priv_init() cleanup flow
        net/mlx5e: RSS, Block changing channels number when RXFH is configured
        net/mlx5: Correctly compare pkt reformat ids
        net/mlx5: Properly link new fs rules into the tree
        net/mlx5: offset comp irq index in name by one
        net/mlx5: Register devlink first under devlink lock
        net/mlx5: E-switch, store eswitch pointer before registering devlink_param
        ...
      2ae9a897
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · ab4319fd
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "The most important fix is the sg one because the regression it fixes
        (spurious warning and use after final put) is already backported to
        stable.
      
        The next biggest impact is the target fix for wrong credentials used
        to load a module because it's affecting new kernels installed on
        selinux based distributions.
      
        The other three fixes are an obvious off by one and SATA protocol
        issues"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()
        scsi: hisi_sas: Modify the deadline for ata_wait_after_reset()
        scsi: hisi_sas: Handle the NCQ error returned by D2H frame
        scsi: target: Fix SELinux error when systemd-modules loads the target module
        scsi: sg: Avoid race in error handling & drop bogus warn
      ab4319fd
    • Linus Torvalds's avatar
      Merge tag 'loongarch-fixes-6.9-1' of... · 5de6b467
      Linus Torvalds authored
      Merge tag 'loongarch-fixes-6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
      
      Pull LoongArch fixes from Huacai Chen:
      
       - make {virt, phys, page, pfn} translation work with KFENCE for
         LoongArch (otherwise NVMe and virtio-blk cannot work with KFENCE
         enabled)
      
       - update dts files for Loongson-2K series to make devices work
         correctly
      
       - fix a build error
      
      * tag 'loongarch-fixes-6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:
        LoongArch: Include linux/sizes.h in addrspace.h to prevent build errors
        LoongArch: Update dts for Loongson-2K2000 to support GMAC/GNET
        LoongArch: Update dts for Loongson-2K2000 to support PCI-MSI
        LoongArch: Update dts for Loongson-2K2000 to support ISA/LPC
        LoongArch: Update dts for Loongson-2K1000 to support ISA/LPC
        LoongArch: Make virt_addr_valid()/__virt_addr_valid() work with KFENCE
        LoongArch: Make {virt, phys, page, pfn} translation work with KFENCE
        mm: Move lowmem_page_address() a little later
      5de6b467
    • Linus Torvalds's avatar
      Merge tag 'bcachefs-2024-04-10' of https://evilpiepirate.org/git/bcachefs · e1dc191d
      Linus Torvalds authored
      Pull more bcachefs fixes from Kent Overstreet:
       "Notable user impacting bugs
      
         - On multi device filesystems, recovery was looping in
           btree_trans_too_many_iters(). This checks if a transaction has
           touched too many btree paths (because of iteration over many keys),
           and isuses a restart to drop unneeded paths.
      
           But it's now possible for some paths to exceed the previous limit
           without iteration in the interior btree update path, since the
           transaction commit will do alloc updates for every old and new
           btree node, and during journal replay we don't use the btree write
           buffer for locking reasons and thus those updates use btree paths
           when they wouldn't normally.
      
         - Fix a corner case in rebalance when moving extents on a
           durability=0 device. This wouldn't be hit when a device was
           formatted with durability=0 since in that case we'll only use it as
           a write through cache (only cached extents will live on it), but
           durability can now be changed on an existing device.
      
         - bch2_get_acl() could rarely forget to handle a transaction restart;
           this manifested as the occasional missing acl that came back after
           dropping caches.
      
         - Fix a major performance regression on high iops multithreaded write
           workloads (only since 6.9-rc1); a previous fix for a deadlock in
           the interior btree update path to check the journal watermark
           introduced a dependency on the state of btree write buffer flushing
           that we didn't want.
      
         - Assorted other repair paths and recovery fixes"
      
      * tag 'bcachefs-2024-04-10' of https://evilpiepirate.org/git/bcachefs: (25 commits)
        bcachefs: Fix __bch2_btree_and_journal_iter_init_node_iter()
        bcachefs: Kill read lock dropping in bch2_btree_node_lock_write_nofail()
        bcachefs: Fix a race in btree_update_nodes_written()
        bcachefs: btree_node_scan: Respect member.data_allowed
        bcachefs: Don't scan for btree nodes when we can reconstruct
        bcachefs: Fix check_topology() when using node scan
        bcachefs: fix eytzinger0_find_gt()
        bcachefs: fix bch2_get_acl() transaction restart handling
        bcachefs: fix the count of nr_freed_pcpu after changing bc->freed_nonpcpu list
        bcachefs: Fix gap buffer bug in bch2_journal_key_insert_take()
        bcachefs: Rename struct field swap to prevent macro naming collision
        MAINTAINERS: Add entry for bcachefs documentation
        Documentation: filesystems: Add bcachefs toctree
        bcachefs: JOURNAL_SPACE_LOW
        bcachefs: Disable errors=panic for BCH_IOCTL_FSCK_OFFLINE
        bcachefs: Fix BCH_IOCTL_FSCK_OFFLINE for encrypted filesystems
        bcachefs: fix rand_delete unit test
        bcachefs: fix ! vs ~ typo in __clear_bit_le64()
        bcachefs: Fix rebalance from durability=0 device
        bcachefs: Print shutdown journal sequence number
        ...
      e1dc191d
    • Linus Torvalds's avatar
      Merge tag 'tag-chrome-platform-fixes-for-v6.9-rc4' of... · 346668f0
      Linus Torvalds authored
      Merge tag 'tag-chrome-platform-fixes-for-v6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux
      
      Pull chrome platform fix from Tzung-Bi Shih:
       "Fix a NULL pointer dereference"
      
      * tag 'tag-chrome-platform-fixes-for-v6.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
        platform/chrome: cros_ec_uart: properly fix race condition
      346668f0
    • Pablo Neira Ayuso's avatar
      netfilter: flowtable: incorrect pppoe tuple · 6db5dc7b
      Pablo Neira Ayuso authored
      pppoe traffic reaching ingress path does not match the flowtable entry
      because the pppoe header is expected to be at the network header offset.
      This bug causes a mismatch in the flow table lookup, so pppoe packets
      enter the classical forwarding path.
      
      Fixes: 72efd585 ("netfilter: flowtable: add pppoe support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      6db5dc7b
    • Pablo Neira Ayuso's avatar
      netfilter: flowtable: validate pppoe header · 87b3593b
      Pablo Neira Ayuso authored
      Ensure there is sufficient room to access the protocol field of the
      PPPoe header. Validate it once before the flowtable lookup, then use a
      helper function to access protocol field.
      
      Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com
      Fixes: 72efd585 ("netfilter: flowtable: add pppoe support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      87b3593b
    • Florian Westphal's avatar
      netfilter: nft_set_pipapo: do not free live element · 3cfc9ec0
      Florian Westphal authored
      Pablo reports a crash with large batches of elements with a
      back-to-back add/remove pattern.  Quoting Pablo:
      
        add_elem("00000000") timeout 100 ms
        ...
        add_elem("0000000X") timeout 100 ms
        del_elem("0000000X") <---------------- delete one that was just added
        ...
        add_elem("00005000") timeout 100 ms
      
        1) nft_pipapo_remove() removes element 0000000X
        Then, KASAN shows a splat.
      
      Looking at the remove function there is a chance that we will drop a
      rule that maps to a non-deactivated element.
      
      Removal happens in two steps, first we do a lookup for key k and return the
      to-be-removed element and mark it as inactive in the next generation.
      Then, in a second step, the element gets removed from the set/map.
      
      The _remove function does not work correctly if we have more than one
      element that share the same key.
      
      This can happen if we insert an element into a set when the set already
      holds an element with same key, but the element mapping to the existing
      key has timed out or is not active in the next generation.
      
      In such case its possible that removal will unmap the wrong element.
      If this happens, we will leak the non-deactivated element, it becomes
      unreachable.
      
      The element that got deactivated (and will be freed later) will
      remain reachable in the set data structure, this can result in
      a crash when such an element is retrieved during lookup (stale
      pointer).
      
      Add a check that the fully matching key does in fact map to the element
      that we have marked as inactive in the deactivation step.
      If not, we need to continue searching.
      
      Add a bug/warn trap at the end of the function as well, the remove
      function must not ever be called with an invisible/unreachable/non-existent
      element.
      
      v2: avoid uneeded temporary variable (Stefano)
      
      Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
      Reported-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3cfc9ec0
    • Pablo Neira Ayuso's avatar
      netfilter: nft_set_pipapo: walk over current view on netlink dump · 29b359cf
      Pablo Neira Ayuso authored
      The generation mask can be updated while netlink dump is in progress.
      The pipapo set backend walk iterator cannot rely on it to infer what
      view of the datastructure is to be used. Add notation to specify if user
      wants to read/update the set.
      
      Based on patch from Florian Westphal.
      
      Fixes: 2b84e215 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      29b359cf
    • Pablo Neira Ayuso's avatar
      netfilter: br_netfilter: skip conntrack input hook for promisc packets · 751de201
      Pablo Neira Ayuso authored
      For historical reasons, when bridge device is in promisc mode, packets
      that are directed to the taps follow bridge input hook path. This patch
      adds a workaround to reset conntrack for these packets.
      
      Jianbo Liu reports warning splats in their test infrastructure where
      cloned packets reach the br_netfilter input hook to confirm the
      conntrack object.
      
      Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has
      reached the input hook because it is passed up to the bridge device to
      reach the taps.
      
      [   57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]
      [   57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core
      [   57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19
      [   57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [   57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]
      [   57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1
      [   57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202
      [   57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000
      [   57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000
      [   57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003
      [   57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000
      [   57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800
      [   57.582313] FS:  0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000
      [   57.583040] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0
      [   57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [   57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
      0000000000000400
      [   57.585440] Call Trace:
      [   57.585721]  <IRQ>
      [   57.585976]  ? __warn+0x7d/0x130
      [   57.586323]  ? br_nf_local_in+0x157/0x180 [br_netfilter]
      [   57.586811]  ? report_bug+0xf1/0x1c0
      [   57.587177]  ? handle_bug+0x3f/0x70
      [   57.587539]  ? exc_invalid_op+0x13/0x60
      [   57.587929]  ? asm_exc_invalid_op+0x16/0x20
      [   57.588336]  ? br_nf_local_in+0x157/0x180 [br_netfilter]
      [   57.588825]  nf_hook_slow+0x3d/0xd0
      [   57.589188]  ? br_handle_vlan+0x4b/0x110
      [   57.589579]  br_pass_frame_up+0xfc/0x150
      [   57.589970]  ? br_port_flags_change+0x40/0x40
      [   57.590396]  br_handle_frame_finish+0x346/0x5e0
      [   57.590837]  ? ipt_do_table+0x32e/0x430
      [   57.591221]  ? br_handle_local_finish+0x20/0x20
      [   57.591656]  br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]
      [   57.592286]  ? br_handle_local_finish+0x20/0x20
      [   57.592802]  br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]
      [   57.593348]  ? br_handle_local_finish+0x20/0x20
      [   57.593782]  ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]
      [   57.594279]  br_nf_pre_routing+0x24c/0x550 [br_netfilter]
      [   57.594780]  ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]
      [   57.595280]  br_handle_frame+0x1f3/0x3d0
      [   57.595676]  ? br_handle_local_finish+0x20/0x20
      [   57.596118]  ? br_handle_frame_finish+0x5e0/0x5e0
      [   57.596566]  __netif_receive_skb_core+0x25b/0xfc0
      [   57.597017]  ? __napi_build_skb+0x37/0x40
      [   57.597418]  __netif_receive_skb_list_core+0xfb/0x220
      
      Fixes: 62e7151a ("netfilter: bridge: confirm multicast packets before passing them up the stack")
      Reported-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      751de201
    • Ziyang Xuan's avatar
      netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() · d78d867d
      Ziyang Xuan authored
      nft_unregister_obj() can concurrent with __nft_obj_type_get(),
      and there is not any protection when iterate over nf_tables_objects
      list in __nft_obj_type_get(). Therefore, there is potential data-race
      of nf_tables_objects list entry.
      
      Use list_for_each_entry_rcu() to iterate over nf_tables_objects
      list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
      nft_obj_type_get() to protect the entire type query process.
      
      Fixes: e5009240 ("netfilter: nf_tables: add stateful objects")
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      d78d867d
    • Ziyang Xuan's avatar
      netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() · f969eb84
      Ziyang Xuan authored
      nft_unregister_expr() can concurrent with __nft_expr_type_get(),
      and there is not any protection when iterate over nf_tables_expressions
      list in __nft_expr_type_get(). Therefore, there is potential data-race
      of nf_tables_expressions list entry.
      
      Use list_for_each_entry_rcu() to iterate over nf_tables_expressions
      list in __nft_expr_type_get(), and use rcu_read_lock() in the caller
      nft_expr_type_get() to protect the entire type query process.
      
      Fixes: ef1f7df9 ("netfilter: nf_tables: expression ops overloading")
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f969eb84
    • Paolo Abeni's avatar
      Merge branch 'ena-driver-bug-fixes' · 4e1ad31c
      Paolo Abeni authored
      David Arinzon says:
      
      ====================
      ENA driver bug fixes
      
      From: David Arinzon <darinzon@amazon.com>
      
      This patchset contains multiple bug fixes for the
      ENA driver.
      ====================
      
      Link: https://lore.kernel.org/r/20240410091358.16289-1-darinzon@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4e1ad31c
    • David Arinzon's avatar
      net: ena: Set tx_info->xdpf value to NULL · 36a1ca01
      David Arinzon authored
      The patch mentioned in the `Fixes` tag removed the explicit assignment
      of tx_info->xdpf to NULL with the justification that there's no need
      to set tx_info->xdpf to NULL and tx_info->num_of_bufs to 0 in case
      of a mapping error. Both values won't be used once the mapping function
      returns an error, and their values would be overridden by the next
      transmitted packet.
      
      While both values do indeed get overridden in the next transmission
      call, the value of tx_info->xdpf is also used to check whether a TX
      descriptor's transmission has been completed (i.e. a completion for it
      was polled).
      
      An example scenario:
      1. Mapping failed, tx_info->xdpf wasn't set to NULL
      2. A VF reset occurred leading to IO resource destruction and
         a call to ena_free_tx_bufs() function
      3. Although the descriptor whose mapping failed was freed by the
         transmission function, it still passes the check
           if (!tx_info->skb)
      
         (skb and xdp_frame are in a union)
      4. The xdp_frame associated with the descriptor is freed twice
      
      This patch returns the assignment of NULL to tx_info->xdpf to make the
      cleaning function knows that the descriptor is already freed.
      
      Fixes: 504fd6a5 ("net: ena: fix DMA mapping function issues in XDP")
      Signed-off-by: default avatarShay Agroskin <shayagr@amazon.com>
      Signed-off-by: default avatarDavid Arinzon <darinzon@amazon.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      36a1ca01
    • David Arinzon's avatar
      net: ena: Fix incorrect descriptor free behavior · bf02d9fe
      David Arinzon authored
      ENA has two types of TX queues:
      - queues which only process TX packets arriving from the network stack
      - queues which only process TX packets forwarded to it by XDP_REDIRECT
        or XDP_TX instructions
      
      The ena_free_tx_bufs() cycles through all descriptors in a TX queue
      and unmaps + frees every descriptor that hasn't been acknowledged yet
      by the device (uncompleted TX transactions).
      The function assumes that the processed TX queue is necessarily from
      the first category listed above and ends up using napi_consume_skb()
      for descriptors belonging to an XDP specific queue.
      
      This patch solves a bug in which, in case of a VF reset, the
      descriptors aren't freed correctly, leading to crashes.
      
      Fixes: 548c4940 ("net: ena: Implement XDP_TX action")
      Signed-off-by: default avatarShay Agroskin <shayagr@amazon.com>
      Signed-off-by: default avatarDavid Arinzon <darinzon@amazon.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      bf02d9fe
    • David Arinzon's avatar
      net: ena: Wrong missing IO completions check order · f7e41718
      David Arinzon authored
      Missing IO completions check is called every second (HZ jiffies).
      This commit fixes several issues with this check:
      
      1. Duplicate queues check:
         Max of 4 queues are scanned on each check due to monitor budget.
         Once reaching the budget, this check exits under the assumption that
         the next check will continue to scan the remainder of the queues,
         but in practice, next check will first scan the last already scanned
         queue which is not necessary and may cause the full queue scan to
         last a couple of seconds longer.
         The fix is to start every check with the next queue to scan.
         For example, on 8 IO queues:
         Bug: [0,1,2,3], [3,4,5,6], [6,7]
         Fix: [0,1,2,3], [4,5,6,7]
      
      2. Unbalanced queues check:
         In case the number of active IO queues is not a multiple of budget,
         there will be checks which don't utilize the full budget
         because the full scan exits when reaching the last queue id.
         The fix is to run every TX completion check with exact queue budget
         regardless of the queue id.
         For example, on 7 IO queues:
         Bug: [0,1,2,3], [4,5,6], [0,1,2,3]
         Fix: [0,1,2,3], [4,5,6,0], [1,2,3,4]
         The budget may be lowered in case the number of IO queues is less
         than the budget (4) to make sure there are no duplicate queues on
         the same check.
         For example, on 3 IO queues:
         Bug: [0,1,2,0], [1,2,0,1]
         Fix: [0,1,2], [0,1,2]
      
      Fixes: 1738cd3e ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
      Signed-off-by: default avatarAmit Bernstein <amitbern@amazon.com>
      Signed-off-by: default avatarDavid Arinzon <darinzon@amazon.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f7e41718
    • David Arinzon's avatar
      net: ena: Fix potential sign extension issue · 713a8519
      David Arinzon authored
      Small unsigned types are promoted to larger signed types in
      the case of multiplication, the result of which may overflow.
      In case the result of such a multiplication has its MSB
      turned on, it will be sign extended with '1's.
      This changes the multiplication result.
      
      Code example of the phenomenon:
      -------------------------------
      u16 x, y;
      size_t z1, z2;
      
      x = y = 0xffff;
      printk("x=%x y=%x\n",x,y);
      
      z1 = x*y;
      z2 = (size_t)x*y;
      
      printk("z1=%lx z2=%lx\n", z1, z2);
      
      Output:
      -------
      x=ffff y=ffff
      z1=fffffffffffe0001 z2=fffe0001
      
      The expected result of ffff*ffff is fffe0001, and without the
      explicit casting to avoid the unwanted sign extension we got
      fffffffffffe0001.
      
      This commit adds an explicit casting to avoid the sign extension
      issue.
      
      Fixes: 689b2bda ("net: ena: add functions for handling Low Latency Queues in ena_com")
      Signed-off-by: default avatarArthur Kiyanovski <akiyano@amazon.com>
      Signed-off-by: default avatarDavid Arinzon <darinzon@amazon.com>
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      713a8519
    • Paolo Abeni's avatar
      Merge tag 'for-net-2024-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · fe3eb406
      Paolo Abeni authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
        - L2CAP: Don't double set the HCI_CONN_MGMT_CONNECTED bit
        - Fix memory leak in hci_req_sync_complete
        - hci_sync: Fix using the same interval and window for Coded PHY
        - Fix not validating setsockopt user input
      
      * tag 'for-net-2024-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: l2cap: Don't double set the HCI_CONN_MGMT_CONNECTED bit
        Bluetooth: hci_sock: Fix not validating setsockopt user input
        Bluetooth: ISO: Fix not validating setsockopt user input
        Bluetooth: L2CAP: Fix not validating setsockopt user input
        Bluetooth: RFCOMM: Fix not validating setsockopt user input
        Bluetooth: SCO: Fix not validating setsockopt user input
        Bluetooth: Fix memory leak in hci_req_sync_complete()
        Bluetooth: hci_sync: Fix using the same interval and window for Coded PHY
        Bluetooth: ISO: Don't reject BT_ISO_QOS if parameters are unset
      ====================
      
      Link: https://lore.kernel.org/r/20240410191610.4156653-1-luiz.dentz@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      fe3eb406
    • Michal Luczaj's avatar
      af_unix: Fix garbage collector racing against connect() · 47d8ac01
      Michal Luczaj authored
      Garbage collector does not take into account the risk of embryo getting
      enqueued during the garbage collection. If such embryo has a peer that
      carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
      different set of children. Leading to an incorrectly elevated inflight
      count, and then a dangling pointer within the gc_inflight_list.
      
      sockets are AF_UNIX/SOCK_STREAM
      S is an unconnected socket
      L is a listening in-flight socket bound to addr, not in fdtable
      V's fd will be passed via sendmsg(), gets inflight count bumped
      
      connect(S, addr)	sendmsg(S, [V]); close(V)	__unix_gc()
      ----------------	-------------------------	-----------
      
      NS = unix_create1()
      skb1 = sock_wmalloc(NS)
      L = unix_find_other(addr)
      unix_state_lock(L)
      unix_peer(S) = NS
      			// V count=1 inflight=0
      
       			NS = unix_peer(S)
       			skb2 = sock_alloc()
      			skb_queue_tail(NS, skb2[V])
      
      			// V became in-flight
      			// V count=2 inflight=1
      
      			close(V)
      
      			// V count=1 inflight=1
      			// GC candidate condition met
      
      						for u in gc_inflight_list:
      						  if (total_refs == inflight_refs)
      						    add u to gc_candidates
      
      						// gc_candidates={L, V}
      
      						for u in gc_candidates:
      						  scan_children(u, dec_inflight)
      
      						// embryo (skb1) was not
      						// reachable from L yet, so V's
      						// inflight remains unchanged
      __skb_queue_tail(L, skb1)
      unix_state_unlock(L)
      						for u in gc_candidates:
      						  if (u.inflight)
      						    scan_children(u, inc_inflight_move_tail)
      
      						// V count=1 inflight=2 (!)
      
      If there is a GC-candidate listening socket, lock/unlock its state. This
      makes GC wait until the end of any ongoing connect() to that socket. After
      flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
      there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
      this point, unix_inflight() can not happen because unix_gc_lock is already
      taken. Inflight graph remains unaffected.
      
      Fixes: 1fd05ba5 ("[AF_UNIX]: Rewrite garbage collector, fixes race.")
      Signed-off-by: default avatarMichal Luczaj <mhal@rbox.co>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.coSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      47d8ac01
    • Arınç ÜNAL's avatar
      net: dsa: mt7530: trap link-local frames regardless of ST Port State · 17c56011
      Arınç ÜNAL authored
      In Clause 5 of IEEE Std 802-2014, two sublayers of the data link layer
      (DLL) of the Open Systems Interconnection basic reference model (OSI/RM)
      are described; the medium access control (MAC) and logical link control
      (LLC) sublayers. The MAC sublayer is the one facing the physical layer.
      
      In 8.2 of IEEE Std 802.1Q-2022, the Bridge architecture is described. A
      Bridge component comprises a MAC Relay Entity for interconnecting the Ports
      of the Bridge, at least two Ports, and higher layer entities with at least
      a Spanning Tree Protocol Entity included.
      
      Each Bridge Port also functions as an end station and shall provide the MAC
      Service to an LLC Entity. Each instance of the MAC Service is provided to a
      distinct LLC Entity that supports protocol identification, multiplexing,
      and demultiplexing, for protocol data unit (PDU) transmission and reception
      by one or more higher layer entities.
      
      It is described in 8.13.9 of IEEE Std 802.1Q-2022 that in a Bridge, the LLC
      Entity associated with each Bridge Port is modeled as being directly
      connected to the attached Local Area Network (LAN).
      
      On the switch with CPU port architecture, CPU port functions as Management
      Port, and the Management Port functionality is provided by software which
      functions as an end station. Software is connected to an IEEE 802 LAN that
      is wholly contained within the system that incorporates the Bridge.
      Software provides access to the LLC Entity associated with each Bridge Port
      by the value of the source port field on the special tag on the frame
      received by software.
      
      We call frames that carry control information to determine the active
      topology and current extent of each Virtual Local Area Network (VLAN),
      i.e., spanning tree or Shortest Path Bridging (SPB) and Multiple VLAN
      Registration Protocol Data Units (MVRPDUs), and frames from other link
      constrained protocols, such as Extensible Authentication Protocol over LAN
      (EAPOL) and Link Layer Discovery Protocol (LLDP), link-local frames. They
      are not forwarded by a Bridge. Permanently configured entries in the
      filtering database (FDB) ensure that such frames are discarded by the
      Forwarding Process. In 8.6.3 of IEEE Std 802.1Q-2022, this is described in
      detail:
      
      Each of the reserved MAC addresses specified in Table 8-1
      (01-80-C2-00-00-[00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F]) shall be
      permanently configured in the FDB in C-VLAN components and ERs.
      
      Each of the reserved MAC addresses specified in Table 8-2
      (01-80-C2-00-00-[01,02,03,04,05,06,07,08,09,0A,0E]) shall be permanently
      configured in the FDB in S-VLAN components.
      
      Each of the reserved MAC addresses specified in Table 8-3
      (01-80-C2-00-00-[01,02,04,0E]) shall be permanently configured in the FDB
      in TPMR components.
      
      The FDB entries for reserved MAC addresses shall specify filtering for all
      Bridge Ports and all VIDs. Management shall not provide the capability to
      modify or remove entries for reserved MAC addresses.
      
      The addresses in Table 8-1, Table 8-2, and Table 8-3 determine the scope of
      propagation of PDUs within a Bridged Network, as follows:
      
        The Nearest Bridge group address (01-80-C2-00-00-0E) is an address that
        no conformant Two-Port MAC Relay (TPMR) component, Service VLAN (S-VLAN)
        component, Customer VLAN (C-VLAN) component, or MAC Bridge can forward.
        PDUs transmitted using this destination address, or any other addresses
        that appear in Table 8-1, Table 8-2, and Table 8-3
        (01-80-C2-00-00-[00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F]), can
        therefore travel no further than those stations that can be reached via a
        single individual LAN from the originating station.
      
        The Nearest non-TPMR Bridge group address (01-80-C2-00-00-03), is an
        address that no conformant S-VLAN component, C-VLAN component, or MAC
        Bridge can forward; however, this address is relayed by a TPMR component.
        PDUs using this destination address, or any of the other addresses that
        appear in both Table 8-1 and Table 8-2 but not in Table 8-3
        (01-80-C2-00-00-[00,03,05,06,07,08,09,0A,0B,0C,0D,0F]), will be relayed
        by any TPMRs but will propagate no further than the nearest S-VLAN
        component, C-VLAN component, or MAC Bridge.
      
        The Nearest Customer Bridge group address (01-80-C2-00-00-00) is an
        address that no conformant C-VLAN component, MAC Bridge can forward;
        however, it is relayed by TPMR components and S-VLAN components. PDUs
        using this destination address, or any of the other addresses that appear
        in Table 8-1 but not in either Table 8-2 or Table 8-3
        (01-80-C2-00-00-[00,0B,0C,0D,0F]), will be relayed by TPMR components and
        S-VLAN components but will propagate no further than the nearest C-VLAN
        component or MAC Bridge.
      
      Because the LLC Entity associated with each Bridge Port is provided via CPU
      port, we must not filter these frames but forward them to CPU port.
      
      In a Bridge, the transmission Port is majorly decided by ingress and egress
      rules, FDB, and spanning tree Port State functions of the Forwarding
      Process. For link-local frames, only CPU port should be designated as
      destination port in the FDB, and the other functions of the Forwarding
      Process must not interfere with the decision of the transmission Port. We
      call this process trapping frames to CPU port.
      
      Therefore, on the switch with CPU port architecture, link-local frames must
      be trapped to CPU port, and certain link-local frames received by a Port of
      a Bridge comprising a TPMR component or an S-VLAN component must be
      excluded from it.
      
      A Bridge of the switch with CPU port architecture cannot comprise a
      Two-Port MAC Relay (TPMR) component as a TPMR component supports only a
      subset of the functionality of a MAC Bridge. A Bridge comprising two Ports
      (Management Port doesn't count) of this architecture will either function
      as a standard MAC Bridge or a standard VLAN Bridge.
      
      Therefore, a Bridge of this architecture can only comprise S-VLAN
      components, C-VLAN components, or MAC Bridge components. Since there's no
      TPMR component, we don't need to relay PDUs using the destination addresses
      specified on the Nearest non-TPMR section, and the proportion of the
      Nearest Customer Bridge section where they must be relayed by TPMR
      components.
      
      One option to trap link-local frames to CPU port is to add static FDB
      entries with CPU port designated as destination port. However, because that
      Independent VLAN Learning (IVL) is being used on every VID, each entry only
      applies to a single VLAN Identifier (VID). For a Bridge comprising a MAC
      Bridge component or a C-VLAN component, there would have to be 16 times
      4096 entries. This switch intellectual property can only hold a maximum of
      2048 entries. Using this option, there also isn't a mechanism to prevent
      link-local frames from being discarded when the spanning tree Port State of
      the reception Port is discarding.
      
      The remaining option is to utilise the BPC, RGAC1, RGAC2, RGAC3, and RGAC4
      registers. Whilst this applies to every VID, it doesn't contain all of the
      reserved MAC addresses without affecting the remaining Standard Group MAC
      Addresses. The REV_UN frame tag utilised using the RGAC4 register covers
      the remaining 01-80-C2-00-00-[04,05,06,07,08,09,0A,0B,0C,0D,0F] destination
      addresses. It also includes the 01-80-C2-00-00-22 to 01-80-C2-00-00-FF
      destination addresses which may be relayed by MAC Bridges or VLAN Bridges.
      The latter option provides better but not complete conformance.
      
      This switch intellectual property also does not provide a mechanism to trap
      link-local frames with specific destination addresses to CPU port by
      Bridge, to conform to the filtering rules for the distinct Bridge
      components.
      
      Therefore, regardless of the type of the Bridge component, link-local
      frames with these destination addresses will be trapped to CPU port:
      
      01-80-C2-00-00-[00,01,02,03,0E]
      
      In a Bridge comprising a MAC Bridge component or a C-VLAN component:
      
        Link-local frames with these destination addresses won't be trapped to
        CPU port which won't conform to IEEE Std 802.1Q-2022:
      
        01-80-C2-00-00-[04,05,06,07,08,09,0A,0B,0C,0D,0F]
      
      In a Bridge comprising an S-VLAN component:
      
        Link-local frames with these destination addresses will be trapped to CPU
        port which won't conform to IEEE Std 802.1Q-2022:
      
        01-80-C2-00-00-00
      
        Link-local frames with these destination addresses won't be trapped to
        CPU port which won't conform to IEEE Std 802.1Q-2022:
      
        01-80-C2-00-00-[04,05,06,07,08,09,0A]
      
      Currently on this switch intellectual property, if the spanning tree Port
      State of the reception Port is discarding, link-local frames will be
      discarded.
      
      To trap link-local frames regardless of the spanning tree Port State, make
      the switch regard them as Bridge Protocol Data Units (BPDUs). This switch
      intellectual property only lets the frames regarded as BPDUs bypass the
      spanning tree Port State function of the Forwarding Process.
      
      With this change, the only remaining interference is the ingress rules.
      When the reception Port has no PVID assigned on software, VLAN-untagged
      frames won't be allowed in. There doesn't seem to be a mechanism on the
      switch intellectual property to have link-local frames bypass this function
      of the Forwarding Process.
      
      Fixes: b8f126a8 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
      Reviewed-by: default avatarDaniel Golle <daniel@makrotopia.org>
      Signed-off-by: default avatarArınç ÜNAL <arinc.unal@arinc9.com>
      Link: https://lore.kernel.org/r/20240409-b4-for-net-mt7530-fix-link-local-when-stp-discarding-v2-1-07b1150164ac@arinc9.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      17c56011
    • Gerd Bayer's avatar
      Revert "s390/ism: fix receive message buffer allocation" · d51dc8dd
      Gerd Bayer authored
      This reverts commit 58effa34.
      Review was not finished on this patch. So it's not ready for
      upstreaming.
      Signed-off-by: default avatarGerd Bayer <gbayer@linux.ibm.com>
      Link: https://lore.kernel.org/r/20240409113753.2181368-1-gbayer@linux.ibm.com
      Fixes: 58effa34 ("s390/ism: fix receive message buffer allocation")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d51dc8dd
    • Daniel Machon's avatar
      net: sparx5: fix wrong config being used when reconfiguring PCS · 33623113
      Daniel Machon authored
      The wrong port config is being used if the PCS is reconfigured. Fix this
      by correctly using the new config instead of the old one.
      
      Fixes: 946e7fd5 ("net: sparx5: add port module support")
      Signed-off-by: default avatarDaniel Machon <daniel.machon@microchip.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://lore.kernel.org/r/20240409-link-mode-reconfiguration-fix-v2-1-db6a507f3627@microchip.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      33623113
    • Arnd Bergmann's avatar
      net/mlx5: fix possible stack overflows · fe87922c
      Arnd Bergmann authored
      A couple of debug functions use a 512 byte temporary buffer and call another
      function that has another buffer of the same size, which in turn exceeds the
      usual warning limit for excessive stack usage:
      
      drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c:1073:1: error: stack frame size (1448) exceeds limit (1024) in 'dr_dump_start' [-Werror,-Wframe-larger-than]
      dr_dump_start(struct seq_file *file, loff_t *pos)
      drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c:1009:1: error: stack frame size (1120) exceeds limit (1024) in 'dr_dump_domain' [-Werror,-Wframe-larger-than]
      dr_dump_domain(struct seq_file *file, struct mlx5dr_domain *dmn)
      drivers/net/ethernet/mellanox/mlx5/core/steering/dr_dbg.c:705:1: error: stack frame size (1104) exceeds limit (1024) in 'dr_dump_matcher_rx_tx' [-Werror,-Wframe-larger-than]
      dr_dump_matcher_rx_tx(struct seq_file *file, bool is_rx,
      
      Rework these so that each of the various code paths only ever has one of
      these buffers in it, and exactly the functions that declare one have
      the 'noinline_for_stack' annotation that prevents them from all being
      inlined into the same caller.
      
      Fixes: 917d1e79 ("net/mlx5: DR, Change SWS usage to debug fs seq_file interface")
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/all/20240219100506.648089-1-arnd@kernel.org/Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240408074142.3007036-1-arnd@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fe87922c
    • Jakub Kicinski's avatar
      Merge branch 'mlx5-misc-fixes' · 186abfcd
      Jakub Kicinski authored
      Tariq Toukan says:
      
      ====================
      mlx5 misc fixes
      
      This patchset provides bug fixes to mlx5 driver.
      
      This is V2 of the series previously submitted as PR by Saeed:
      https://lore.kernel.org/netdev/20240326144646.2078893-1-saeed@kernel.org/T/
      
      Series generated against:
      commit 237f3cf1 ("xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING")
      ====================
      
      Link: https://lore.kernel.org/r/20240409190820.227554-1-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      186abfcd
    • Tariq Toukan's avatar
      net/mlx5: Disallow SRIOV switchdev mode when in multi-PF netdev · 7772dc74
      Tariq Toukan authored
      Adaptations need to be made for the auxiliary device management in the
      core driver level. Block this combination for now.
      
      Fixes: 678eb448 ("net/mlx5: SD, Implement basic query and instantiation")
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarDragos Tatulea <dtatulea@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-12-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7772dc74
    • Carolina Jubran's avatar
      net/mlx5e: RSS, Block XOR hash with over 128 channels · 49e6c938
      Carolina Jubran authored
      When supporting more than 128 channels, the RQT size is
      calculated by multiplying the number of channels by 2
      and rounding up to the nearest power of 2.
      
      The index of the RQT is derived from the RSS hash
      calculations. If XOR8 is used as the RSS hash function,
      there are only 256 possible hash results, and therefore,
      only 256 indexes can be reached in the RQT.
      
      Block setting the RSS hash function to XOR when the number
      of channels exceeds 128.
      
      Fixes: 74a8dada ("net/mlx5e: Preparations for supporting larger number of channels")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-11-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      49e6c938
    • Rahul Rameshbabu's avatar
      net/mlx5e: Do not produce metadata freelist entries in Tx port ts WQE xmit · 86b0ca5b
      Rahul Rameshbabu authored
      Free Tx port timestamping metadata entries in the NAPI poll context and
      consume metadata enties in the WQE xmit path. Do not free a Tx port
      timestamping metadata entry in the WQE xmit path even in the error path to
      avoid a race between two metadata entry producers.
      
      Fixes: 3178308a ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-10-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      86b0ca5b
    • Carolina Jubran's avatar
      net/mlx5e: HTB, Fix inconsistencies with QoS SQs number · 2f436f18
      Carolina Jubran authored
      When creating a new HTB class while the interface is down,
      the variable that follows the number of QoS SQs (htb_max_qos_sqs)
      may not be consistent with the number of HTB classes.
      
      Previously, we compared these two values to ensure that
      the node_qid is lower than the number of QoS SQs, and we
      allocated stats for that SQ when they are equal.
      
      Change the check to compare the node_qid with the current
      number of leaf nodes and fix the checking conditions to
      ensure allocation of stats_list and stats for each node.
      
      Fixes: 214baf22 ("net/mlx5e: Support HTB offload")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarDragos Tatulea <dtatulea@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-9-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2f436f18
    • Carolina Jubran's avatar
      net/mlx5e: Fix mlx5e_priv_init() cleanup flow · ecb82945
      Carolina Jubran authored
      When mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which
      calls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using
      lockdep_is_held().
      
      Acquire the state_lock in mlx5e_selq_cleanup().
      
      Kernel log:
      =============================
      WARNING: suspicious RCU usage
      6.8.0-rc3_net_next_841a9b5 #1 Not tainted
      -----------------------------
      drivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      2 locks held by systemd-modules/293:
       #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]
       #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]
      
      stack backtrace:
      CPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x8a/0xa0
       lockdep_rcu_suspicious+0x154/0x1a0
       mlx5e_selq_apply+0x94/0xa0 [mlx5_core]
       mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]
       mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]
       mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]
       rdma_init_netdev+0x4e/0x80 [ib_core]
       ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]
       ipoib_intf_init+0x64/0x550 [ib_ipoib]
       ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]
       ipoib_add_one+0xb0/0x360 [ib_ipoib]
       add_client_context+0x112/0x1c0 [ib_core]
       ib_register_client+0x166/0x1b0 [ib_core]
       ? 0xffffffffa0573000
       ipoib_init_module+0xeb/0x1a0 [ib_ipoib]
       do_one_initcall+0x61/0x250
       do_init_module+0x8a/0x270
       init_module_from_file+0x8b/0xd0
       idempotent_init_module+0x17d/0x230
       __x64_sys_finit_module+0x61/0xb0
       do_syscall_64+0x71/0x140
       entry_SYSCALL_64_after_hwframe+0x46/0x4e
       </TASK>
      
      Fixes: 8bf30be7 ("net/mlx5e: Introduce select queue parameters")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarDragos Tatulea <dtatulea@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-8-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ecb82945
    • Carolina Jubran's avatar
      net/mlx5e: RSS, Block changing channels number when RXFH is configured · ee357240
      Carolina Jubran authored
      Changing the channels number after configuring the receive flow hash
      indirection table may affect the RSS table size. The previous
      configuration may no longer be compatible with the new receive flow
      hash indirection table.
      
      Block changing the channels number when RXFH is configured and changing
      the channels number requires resizing the RSS table size.
      
      Fixes: 74a8dada ("net/mlx5e: Preparations for supporting larger number of channels")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-7-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ee357240
    • Cosmin Ratiu's avatar
      net/mlx5: Correctly compare pkt reformat ids · 9eca93f4
      Cosmin Ratiu authored
      struct mlx5_pkt_reformat contains a naked union of a u32 id and a
      dr_action pointer which is used when the action is SW-managed (when
      pkt_reformat.owner is set to MLX5_FLOW_RESOURCE_OWNER_SW). Using id
      directly in that case is incorrect, as it maps to the least significant
      32 bits of the 64-bit pointer in mlx5_fs_dr_action and not to the pkt
      reformat id allocated in firmware.
      
      For the purpose of comparing whether two rules are identical,
      interpreting the least significant 32 bits of the mlx5_fs_dr_action
      pointer as an id mostly works... until it breaks horribly and produces
      the outcome described in [1].
      
      This patch fixes mlx5_flow_dests_cmp to correctly compare ids using
      mlx5_fs_dr_action_get_pkt_reformat_id for the SW-managed rules.
      
      Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com/T/#u [1]
      
      Fixes: 6a48faee ("net/mlx5: Add direct rule fs_cmd implementation")
      Signed-off-by: default avatarCosmin Ratiu <cratiu@nvidia.com>
      Reviewed-by: default avatarMark Bloch <mbloch@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-6-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9eca93f4
    • Cosmin Ratiu's avatar
      net/mlx5: Properly link new fs rules into the tree · 7c6782ad
      Cosmin Ratiu authored
      Previously, add_rule_fg would only add newly created rules from the
      handle into the tree when they had a refcount of 1. On the other hand,
      create_flow_handle tries hard to find and reference already existing
      identical rules instead of creating new ones.
      
      These two behaviors can result in a situation where create_flow_handle
      1) creates a new rule and references it, then
      2) in a subsequent step during the same handle creation references it
         again,
      resulting in a rule with a refcount of 2 that is not linked into the
      tree, will have a NULL parent and root and will result in a crash when
      the flow group is deleted because del_sw_hw_rule, invoked on rule
      deletion, assumes node->parent is != NULL.
      
      This happened in the wild, due to another bug related to incorrect
      handling of duplicate pkt_reformat ids, which lead to the code in
      create_flow_handle incorrectly referencing a just-added rule in the same
      flow handle, resulting in the problem described above. Full details are
      at [1].
      
      This patch changes add_rule_fg to add new rules without parents into
      the tree, properly initializing them and avoiding the crash. This makes
      it more consistent with how rules are added to an FTE in
      create_flow_handle.
      
      Fixes: 74491de9 ("net/mlx5: Add multi dest support")
      Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com/T/#u [1]
      Signed-off-by: default avatarCosmin Ratiu <cratiu@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarMark Bloch <mbloch@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-5-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7c6782ad
    • Michael Liang's avatar
      net/mlx5: offset comp irq index in name by one · 9f7e8fbb
      Michael Liang authored
      The mlx5 comp irq name scheme is changed a little bit between
      commit 3663ad34 ("net/mlx5: Shift control IRQ to the last index")
      and commit 3354822c ("net/mlx5: Use dynamic msix vectors allocation").
      The index in the comp irq name used to start from 0 but now it starts
      from 1. There is nothing critical here, but it's harmless to change
      back to the old behavior, a.k.a starting from 0.
      
      Fixes: 3354822c ("net/mlx5: Use dynamic msix vectors allocation")
      Reviewed-by: default avatarMohamed Khalfella <mkhalfella@purestorage.com>
      Reviewed-by: default avatarYuanyuan Zhong <yzhong@purestorage.com>
      Signed-off-by: default avatarMichael Liang <mliang@purestorage.com>
      Reviewed-by: default avatarShay Drory <shayd@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-4-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9f7e8fbb
    • Shay Drory's avatar
      net/mlx5: Register devlink first under devlink lock · c6e77aa9
      Shay Drory authored
      In case device is having a non fatal FW error during probe, the
      driver will report the error to user via devlink. This will trigger
      a WARN_ON, since mlx5 is calling devlink_register() last.
      In order to avoid the WARN_ON[1], change mlx5 to invoke devl_register()
      first under devlink lock.
      
      [1]
      WARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0
      CPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      Workqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core]
      RIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0
      Call Trace:
       <TASK>
       ? __warn+0x79/0x120
       ? devlink_recover_notify.constprop.0+0xb8/0xc0
       ? report_bug+0x17c/0x190
       ? handle_bug+0x3c/0x60
       ? exc_invalid_op+0x14/0x70
       ? asm_exc_invalid_op+0x16/0x20
       ? devlink_recover_notify.constprop.0+0xb8/0xc0
       devlink_health_report+0x4a/0x1c0
       mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core]
       process_one_work+0x1bb/0x3c0
       ? process_one_work+0x3c0/0x3c0
       worker_thread+0x4d/0x3c0
       ? process_one_work+0x3c0/0x3c0
       kthread+0xc6/0xf0
       ? kthread_complete_and_exit+0x20/0x20
       ret_from_fork+0x1f/0x30
       </TASK>
      
      Fixes: cf530217 ("devlink: Notify users when objects are accessible")
      Signed-off-by: default avatarShay Drory <shayd@nvidia.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-3-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c6e77aa9
    • Shay Drory's avatar
      net/mlx5: E-switch, store eswitch pointer before registering devlink_param · 0553e753
      Shay Drory authored
      Next patch will move devlink register to be first. Therefore, whenever
      mlx5 will register a param, the user will be notified.
      In order to notify the user, devlink is using the get() callback of
      the param. Hence, resources that are being used by the get() callback
      must be set before the devlink param is registered.
      
      Therefore, store eswitch pointer inside mdev before registering the
      param.
      Signed-off-by: default avatarShay Drory <shayd@nvidia.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Link: https://lore.kernel.org/r/20240409190820.227554-2-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0553e753