1. 30 May, 2023 14 commits
  2. 26 May, 2023 9 commits
    • Osama Muhammad's avatar
      nfcsim.c: Fix error checking for debugfs_create_dir · 9b9e46aa
      Osama Muhammad authored
      This patch fixes the error checking in nfcsim.c.
      The DebugFS kernel API is developed in
      a way that the caller can safely ignore the errors that
      occur during the creation of DebugFS nodes.
      Signed-off-by: default avatarOsama Muhammad <osmtendev@gmail.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b9e46aa
    • Raju Rangoju's avatar
      amd-xgbe: fix the false linkup in xgbe_phy_status · dc362e20
      Raju Rangoju authored
      In the event of a change in XGBE mode, the current auto-negotiation
      needs to be reset and the AN cycle needs to be re-triggerred. However,
      the current code ignores the return value of xgbe_set_mode(), leading to
      false information as the link is declared without checking the status
      register.
      
      Fix this by propagating the mode switch status information to
      xgbe_phy_status().
      
      Fixes: e57f7a3f ("amd-xgbe: Prepare for working with more than one type of phy")
      Co-developed-by: default avatarSudheesh Mavila <sudheesh.mavila@amd.com>
      Signed-off-by: default avatarSudheesh Mavila <sudheesh.mavila@amd.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Acked-by: default avatarShyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: default avatarRaju Rangoju <Raju.Rangoju@amd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc362e20
    • Jakub Kicinski's avatar
      tls: improve lockless access safety of tls_err_abort() · 8a0d57df
      Jakub Kicinski authored
      Most protos' poll() methods insert a memory barrier between
      writes to sk_err and sk_error_report(). This dates back to
      commit a4d25803 ("tcp: Fix race in tcp_poll").
      
      I guess we should do the same thing in TLS, tcp_poll() does
      not hold the socket lock.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a0d57df
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2023-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · aa866ee4
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-05-24
      
      This series includes bug fixes for the mlx5 driver.
      
      * tag 'mlx5-fixes-2023-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        Documentation: net/mlx5: Wrap notes in admonition blocks
        Documentation: net/mlx5: Add blank line separator before numbered lists
        Documentation: net/mlx5: Use bullet and definition lists for vnic counters description
        Documentation: net/mlx5: Wrap vnic reporter devlink commands in code blocks
        net/mlx5: Fix check for allocation failure in comp_irqs_request_pci()
        net/mlx5: DR, Add missing mutex init/destroy in pattern manager
        net/mlx5e: Move Ethernet driver debugfs to profile init callback
        net/mlx5e: Don't attach netdev profile while handling internal error
        net/mlx5: Fix post parse infra to only parse every action once
        net/mlx5e: Use query_special_contexts cmd only once per mdev
        net/mlx5: fw_tracer, Fix event handling
        net/mlx5: SF, Drain health before removing device
        net/mlx5: Drain health before unregistering devlink
        net/mlx5e: Do not update SBCM when prio2buffer command is invalid
        net/mlx5e: Consider internal buffers size in port buffer calculations
        net/mlx5e: Prevent encap offload when neigh update is running
        net/mlx5e: Extract remaining tunnel encap code to dedicated file
      ====================
      
      Link: https://lore.kernel.org/r/20230525034847.99268-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa866ee4
    • Kuniyuki Iwashima's avatar
      af_packet: Fix data-races of pkt_sk(sk)->num. · 822b5a1c
      Kuniyuki Iwashima authored
      syzkaller found a data race of pkt_sk(sk)->num.
      
      The value is changed under lock_sock() and po->bind_lock, so we
      need READ_ONCE() to access pkt_sk(sk)->num without these locks in
      packet_bind_spkt(), packet_bind(), and sk_diag_fill().
      
      Note that WRITE_ONCE() is already added by commit c7d2ef5d
      ("net/packet: annotate accesses to po->bind").
      
      BUG: KCSAN: data-race in packet_bind / packet_do_bind
      
      write (marked) to 0xffff88802ffd1cee of 2 bytes by task 7322 on cpu 0:
       packet_do_bind+0x446/0x640 net/packet/af_packet.c:3236
       packet_bind+0x99/0xe0 net/packet/af_packet.c:3321
       __sys_bind+0x19b/0x1e0 net/socket.c:1803
       __do_sys_bind net/socket.c:1814 [inline]
       __se_sys_bind net/socket.c:1812 [inline]
       __x64_sys_bind+0x40/0x50 net/socket.c:1812
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      read to 0xffff88802ffd1cee of 2 bytes by task 7318 on cpu 1:
       packet_bind+0xbf/0xe0 net/packet/af_packet.c:3322
       __sys_bind+0x19b/0x1e0 net/socket.c:1803
       __do_sys_bind net/socket.c:1814 [inline]
       __se_sys_bind net/socket.c:1812 [inline]
       __x64_sys_bind+0x40/0x50 net/socket.c:1812
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      value changed: 0x0300 -> 0x0000
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 7318 Comm: syz-executor.4 Not tainted 6.3.0-13380-g7fddb5b5300c #4
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      
      Fixes: 96ec6327 ("packet: Diag core and basic socket info dumping")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20230524232934.50950-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      822b5a1c
    • Jakub Kicinski's avatar
      tools: ynl: avoid dict errors on older Python versions · 081e8df6
      Jakub Kicinski authored
      Python 3.9.0 or newer supports combining dicts() with |,
      but older versions of Python are still used in the wild
      (e.g. on CentOS 8, which goes EoL May 31, 2024).
      With Python 3.6.8 we get:
      
        TypeError: unsupported operand type(s) for |: 'dict' and 'dict'
      
      Use older syntax. Tested with non-legacy families only.
      
      Fixes: f036d936 ("tools: ynl: Add fixed-header support to ynl")
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarDonald Hunter <donald.hunter@gmail.com>
      Tested-by: default avatarDonald Hunter <donald.hunter@gmail.com>
      Link: https://lore.kernel.org/r/20230524170712.2036128-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      081e8df6
    • Eric Dumazet's avatar
      netrom: fix info-leak in nr_write_internal() · 31642e70
      Eric Dumazet authored
      Simon Kapadia reported the following issue:
      
      <quote>
      
      The Online Amateur Radio Community (OARC) has recently been experimenting
      with building a nationwide packet network in the UK.
      As part of our experimentation, we have been testing out packet on 300bps HF,
      and playing with net/rom.  For HF packet at this baud rate you really need
      to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60,
      and a net/rom PACLEN of 40 to go with that.
      However the Linux net/rom support didn't work with a low PACLEN;
      the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.:
      
      Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet!
      
      This didn't make any sense to me (if the packets are smaller why would they
      be truncated?) so I started investigating.
      I looked at the packets using ethereal, and found that many were just huge
      compared to what I would expect.
      A simple net/rom connection request packet had the request and then a bunch
      of what appeared to be random data following it:
      
      </quote>
      
      Simon provided a patch that I slightly revised:
      Not only we must not use skb_tailroom(), we also do
      not want to count NR_NETWORK_LEN twice.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Co-Developed-by: default avatarSimon Kapadia <szymon@kapadia.pl>
      Signed-off-by: default avatarSimon Kapadia <szymon@kapadia.pl>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Tested-by: default avatarSimon Kapadia <szymon@kapadia.pl>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      31642e70
    • Wei Fang's avatar
      net: stmmac: fix call trace when stmmac_xdp_xmit() is invoked · ffb33221
      Wei Fang authored
      We encountered a kernel call trace issue which was related to
      ndo_xdp_xmit callback on our i.MX8MP platform. The reproduce
      steps show as follows.
      1. The FEC port (eth0) connects to a PC port, and the PC uses
      pktgen_sample03_burst_single_flow.sh to generate packets and
      send these packets to the FEC port. Notice that the script must
      be executed before step 2.
      2. Run the "./xdp_redirect eth0 eth1" command on i.MX8MP, the
      eth1 interface is the dwmac. Then there will be a call trace
      issue soon. Please see the log for more details.
      The root cause is that the NETDEV_XDP_ACT_NDO_XMIT feature is
      enabled by default, so when the step 2 command is exexcuted
      and packets have already been sent to eth0, the stmmac_xdp_xmit()
      starts running before the stmmac_xdp_set_prog() finishes. To
      resolve this issue, we disable the NETDEV_XDP_ACT_NDO_XMIT
      feature by default and turn on/off this feature when the bpf
      program is installed/uninstalled which just like the other
      ethernet drivers.
      
      Call Trace log:
      [  306.311271] ------------[ cut here ]------------
      [  306.315910] WARNING: CPU: 0 PID: 15 at lib/timerqueue.c:55 timerqueue_del+0x68/0x70
      [  306.323590] Modules linked in:
      [  306.326654] CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.4.0-rc1+ #37
      [  306.333277] Hardware name: NXP i.MX8MPlus EVK board (DT)
      [  306.338591] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      [  306.345561] pc : timerqueue_del+0x68/0x70
      [  306.349577] lr : __remove_hrtimer+0x5c/0xa0
      [  306.353777] sp : ffff80000b7c3920
      [  306.357094] x29: ffff80000b7c3920 x28: 0000000000000000 x27: 0000000000000001
      [  306.364244] x26: ffff80000a763a40 x25: ffff0000d0285a00 x24: 0000000000000001
      [  306.371390] x23: 0000000000000001 x22: ffff000179389a40 x21: 0000000000000000
      [  306.378537] x20: ffff000179389aa0 x19: ffff0000d2951308 x18: 0000000000001000
      [  306.385686] x17: f1d3000000000000 x16: 00000000c39c1000 x15: 55e99bbe00001a00
      [  306.392835] x14: 09000900120aa8c0 x13: e49af1d300000000 x12: 000000000000c39c
      [  306.399987] x11: 100055e99bbe0000 x10: ffff8000090b1048 x9 : ffff8000081603fc
      [  306.407133] x8 : 000000000000003c x7 : 000000000000003c x6 : 0000000000000001
      [  306.414284] x5 : ffff0000d2950980 x4 : 0000000000000000 x3 : 0000000000000000
      [  306.421432] x2 : 0000000000000001 x1 : ffff0000d2951308 x0 : ffff0000d2951308
      [  306.428585] Call trace:
      [  306.431035]  timerqueue_del+0x68/0x70
      [  306.434706]  __remove_hrtimer+0x5c/0xa0
      [  306.438549]  hrtimer_start_range_ns+0x2bc/0x370
      [  306.443089]  stmmac_xdp_xmit+0x174/0x1b0
      [  306.447021]  bq_xmit_all+0x194/0x4b0
      [  306.450612]  __dev_flush+0x4c/0x98
      [  306.454024]  xdp_do_flush+0x18/0x38
      [  306.457522]  fec_enet_rx_napi+0x6c8/0xc68
      [  306.461539]  __napi_poll+0x40/0x220
      [  306.465038]  net_rx_action+0xf8/0x240
      [  306.468707]  __do_softirq+0x128/0x3a8
      [  306.472378]  run_ksoftirqd+0x40/0x58
      [  306.475961]  smpboot_thread_fn+0x1c4/0x288
      [  306.480068]  kthread+0x124/0x138
      [  306.483305]  ret_from_fork+0x10/0x20
      [  306.486889] ---[ end trace 0000000000000000 ]---
      
      Fixes: 66c0e13a ("drivers: net: turn on XDP features")
      Signed-off-by: default avatarWei Fang <wei.fang@nxp.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230524125714.357337-1-wei.fang@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ffb33221
    • Thomas Bogendoerfer's avatar
      net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure · d68cb7cf
      Thomas Bogendoerfer authored
      Do skb_put() after a new skb has been successfully allocated otherwise
      the reused skb leads to skb_panics or incorrect packet sizes.
      
      Fixes: f92e1869 ("Add Mellanox BlueField Gigabit Ethernet driver")
      Signed-off-by: default avatarThomas Bogendoerfer <tbogendoerfer@suse.de>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230524194908.147145-1-tbogendoerfer@suse.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d68cb7cf
  3. 25 May, 2023 17 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 50fb587e
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bluetooth and bpf.
      
        Current release - regressions:
      
         - net: fix skb leak in __skb_tstamp_tx()
      
         - eth: mtk_eth_soc: fix QoS on DSA MAC on non MTK_NETSYS_V2 SoCs
      
        Current release - new code bugs:
      
         - handshake:
            - fix sock->file allocation
            - fix handshake_dup() ref counting
      
         - bluetooth:
            - fix potential double free caused by hci_conn_unlink
            - fix UAF in hci_conn_hash_flush
      
        Previous releases - regressions:
      
         - core: fix stack overflow when LRO is disabled for virtual
           interfaces
      
         - tls: fix strparser rx issues
      
         - bpf:
            - fix many sockmap/TCP related issues
            - fix a memory leak in the LRU and LRU_PERCPU hash maps
            - init the offload table earlier
      
         - eth: mlx5e:
            - do as little as possible in napi poll when budget is 0
            - fix using eswitch mapping in nic mode
            - fix deadlock in tc route query code
      
        Previous releases - always broken:
      
         - udplite: fix NULL pointer dereference in __sk_mem_raise_allocated()
      
         - raw: fix output xfrm lookup wrt protocol
      
         - smc: reset connection when trying to use SMCRv2 fails
      
         - phy: mscc: enable VSC8501/2 RGMII RX clock
      
         - eth: octeontx2-pf: fix TSOv6 offload
      
         - eth: cdc_ncm: deal with too low values of dwNtbOutMaxSize"
      
      * tag 'net-6.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (79 commits)
        udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
        net: phy: mscc: enable VSC8501/2 RGMII RX clock
        net: phy: mscc: remove unnecessary phydev locking
        net: phy: mscc: add support for VSC8501
        net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE
        net/handshake: Enable the SNI extension to work properly
        net/handshake: Unpin sock->file if a handshake is cancelled
        net/handshake: handshake_genl_notify() shouldn't ignore @flags
        net/handshake: Fix uninitialized local variable
        net/handshake: Fix handshake_dup() ref counting
        net/handshake: Remove unneeded check from handshake_dup()
        ipv6: Fix out-of-bounds access in ipv6_find_tlv()
        net: ethernet: mtk_eth_soc: fix QoS on DSA MAC on non MTK_NETSYS_V2 SoCs
        docs: netdev: document the existence of the mail bot
        net: fix skb leak in __skb_tstamp_tx()
        r8169: Use a raw_spinlock_t for the register locks.
        page_pool: fix inconsistency for page_pool_ring_[un]lock()
        bpf, sockmap: Test progs verifier error with latest clang
        bpf, sockmap: Test FIONREAD returns correct bytes in rx buffer with drops
        bpf, sockmap: Test FIONREAD returns correct bytes in rx buffer
        ...
      50fb587e
    • Linus Torvalds's avatar
      Merge tag 'for-v6.4-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply · eb03e318
      Linus Torvalds authored
      Pull power supply fixes from Sebastian Reichel:
      
       - Fix power_supply_get_battery_info for devices without parent devices
         resulting in NULL pointer dereference
      
       - Fix desktop systems reporting to run on battery once a power-supply
         device with device scope appears (e.g. a HID keyboard with a battery)
      
       - Ratelimit debug print about driver not providing data
      
       - Fix race condition related to external_power_changed in multiple
         drivers (ab8500, axp288, bq25890, sc27xx, bq27xxx)
      
       - Fix LED trigger switching from blinking to solid-on when charging
         finishes
      
       - Fix multiple races in bq27xxx battery driver
      
       - mt6360: handle potential ENOMEM from devm_work_autocancel
      
       - sbs-charger: Fix SBS_CHARGER_STATUS_CHARGE_INHIBITED bit
      
       - rt9467: avoid passing 0 to dev_err_probe
      
      * tag 'for-v6.4-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: (21 commits)
        power: supply: Fix logic checking if system is running from battery
        power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe
        power: supply: sbs-charger: Fix INHIBITED bit for Status reg
        power: supply: rt9467: Fix passing zero to 'dev_err_probe'
        power: supply: Ratelimit no data debug output
        power: supply: Fix power_supply_get_battery_info() if parent is NULL
        power: supply: bq24190: Call power_supply_changed() after updating input current
        power: supply: bq25890: Call power_supply_changed() after updating input current or voltage
        power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule()
        power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
        power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes
        power: supply: bq27xxx: Move bq27xxx_battery_update() down
        power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status()
        power: supply: bq27xxx: Fix poll_interval handling and races on remove
        power: supply: bq27xxx: Fix I2C IRQ race on remove
        power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
        power: supply: leds: Fix blink to LED on transition
        power: supply: sc27xx: Fix external_power_changed race
        power: supply: bq25890: Fix external_power_changed race
        power: supply: axp288_fuel_gauge: Fix external_power_changed race
        ...
      eb03e318
    • Linus Torvalds's avatar
      Merge tag 'sound-6.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 029c77f8
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small fixes:
      
         - HD-audio runtime PM bug fix
      
         - A couple of HD-audio quirks
      
         - Fix series of ASoC Intel AVS drivers
      
         - ASoC DPCM fix for a bug found on new Intel systems
      
         - A few other ASoC device-specific small fixes"
      
      * tag 'sound-6.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek: Enable headset onLenovo M70/M90
        ASoC: dwc: move DMA init to snd_soc_dai_driver probe()
        ASoC: cs35l41: Fix default regmap values for some registers
        ALSA: hda: Fix unhandled register update during auto-suspend period
        ASoC: dt-bindings: tlv320aic32x4: Fix supply names
        ASoC: Intel: avs: Add missing checks on FE startup
        ASoC: Intel: avs: Fix avs_path_module::instance_id size
        ASoC: Intel: avs: Account for UID of ACPI device
        ASoC: Intel: avs: Fix declaration of enum avs_channel_config
        ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
        ASoC: Intel: avs: Access path components under lock
        ASoC: Intel: avs: Fix module lookup
        ALSA: hda/ca0132: add quirk for EVGA X299 DARK
        ASoC: soc-pcm: test if a BE can be prepared
        ASoC: rt5682: Disable jack detection interrupt during suspend
        ASoC: lpass: Fix for KASAN use_after_free out of bounds
      029c77f8
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.4-3' of... · ecea3ba2
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
       "Nothing special to report just a few small fixes"
      
      * tag 'platform-drivers-x86-v6.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86/intel/ifs: Annotate work queue on stack so object debug does not complain
        platform/x86: ISST: Remove 8 socket limit
        platform/mellanox: mlxbf-pmc: fix sscanf() error checking
        platform/x86/amd/pmf: Fix CnQF and auto-mode after resume
        platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
      ecea3ba2
    • Linus Torvalds's avatar
      Merge tag 'm68k-for-v6.4-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k · 5566051f
      Linus Torvalds authored
      Pull m68k fix from Geert Uytterhoeven:
      
       - Fix signal frame issue causing user-space crashes on 68020/68030
      
      * tag 'm68k-for-v6.4-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
        m68k: Move signal frame following exception on 68020/030
      5566051f
    • Kuniyuki Iwashima's avatar
      udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). · ad42a35b
      Kuniyuki Iwashima authored
      syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using
      IPPROTO_UDPLITE (0x88):
      
        14:25:52 executing program 1:
        r0 = socket$inet6(0xa, 0x80002, 0x88)
      
      We had a similar report [1] for probably sk_memory_allocated_add()
      in __sk_mem_raise_allocated(), and commit c915fe13 ("udplite: fix
      NULL pointer dereference") fixed it by setting .memory_allocated for
      udplite_prot and udplitev6_prot.
      
      To fix the variant, we need to set either .sysctl_wmem_offset or
      .sysctl_rmem.
      
      Now UDP and UDPLITE share the same value for .memory_allocated, so we
      use the same .sysctl_wmem_offset for UDP and UDPLITE.
      
      [0]:
      general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
      RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]
      RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006
      Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b
      RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000
      RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8
      RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000
      R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001
      FS:  0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0
      Call Trace:
       <TASK>
       __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077
       udp_rmem_schedule net/ipv4/udp.c:1539 [inline]
       __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581
       __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]
       udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775
       udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793
       __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]
       __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013
       ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437
       ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482
       NF_HOOK include/linux/netfilter.h:303 [inline]
       NF_HOOK include/linux/netfilter.h:297 [inline]
       ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491
       ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585
       dst_input include/net/dst.h:468 [inline]
       ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
       NF_HOOK include/linux/netfilter.h:303 [inline]
       NF_HOOK include/linux/netfilter.h:297 [inline]
       ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309
       __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
       __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
       netif_receive_skb_internal net/core/dev.c:5691 [inline]
       netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750
       tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553
       tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989
       tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035
       call_write_iter include/linux/fs.h:1868 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x945/0xd50 fs/read_write.c:584
       ksys_write+0x12b/0x250 fs/read_write.c:637
       do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
       __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
       do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
       entry_SYSENTER_compat_after_hwframe+0x70/0x82
      RIP: 0023:0xf7f21579
      Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
      RSP: 002b:00000000f7f1c590 EFLAGS: 00000282 ORIG_RAX: 0000000000000004
      RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000020000040
      RDX: 0000000000000083 RSI: 00000000f734e000 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       </TASK>
      Modules linked in:
      
      Link: https://lore.kernel.org/netdev/CANaxB-yCk8hhP68L4Q2nFOJht8sqgXGGQO2AftpHs0u1xyGG5A@mail.gmail.com/ [1]
      Fixes: 850cbadd ("udp: use it's own memory accounting schema")
      Reported-by: syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=444ca0907e96f7c5e48bSigned-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230523163305.66466-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ad42a35b
    • Jakub Kicinski's avatar
      Merge branch 'net-phy-mscc-support-vsc8501' · aa015a20
      Jakub Kicinski authored
      David Epping says:
      
      ====================
      net: phy: mscc: support VSC8501
      
      this updated series of patches adds support for the VSC8501 Ethernet
      PHY and fixes support for the VSC8502 PHY in cases where no other
      software (like U-Boot) has initialized the PHY after power up.
      
      The first patch simply adds the VSC8502 to the MODULE_DEVICE_TABLE,
      where I guess it was unintentionally missing. I have no hardware to
      test my change.
      
      The second patch adds the VSC8501 PHY with exactly the same driver
      implementation as the existing VSC8502.
      
      The (new) third patch removes phydev locking from
      vsc85xx_rgmii_set_skews(), as discussed for v2 of the patch set.
      
      The (now) fourth patch fixes the initialization for VSC8501 and VSC8502.
      I have tested this patch with VSC8501 on hardware in RGMII mode only.
      https://ww1.microchip.com/downloads/aemDocuments/documents/UNG/ProductDocuments/DataSheets/VSC8501-03_Datasheet_60001741A.PDF
      https://ww1.microchip.com/downloads/aemDocuments/documents/UNG/ProductDocuments/DataSheets/VSC8502-03_Datasheet_60001742B.pdf
      Table 4-42 "RGMII CONTROL, ADDRESS 20E2 (0X14)" Bit 11 for each of
      them.
      By default the RX_CLK is disabled for these PHYs. In cases where no
      other software, like U-Boot, enabled the clock, this results in no
      received packets being handed to the MAC.
      The patch enables this clock output.
      According to Microchip support (case number 01268776) this applies
      to all modes (RGMII, GMII, and MII).
      
      Other PHYs sharing the same register map and code, like
      VSC8530/31/40/41 have the clock enabled and the relevant bit 11 is
      reserved and read-only for them. As per previous discussion the
      patch still clears the bit on these PHYs, too, possibly more easily
      supporting other future PHYs implementing this functionality.
      
      For the VSC8572 family of PHYs, having a different register map,
      no such changes are applied.
      ====================
      
      Link: https://lore.kernel.org/r/20230523153108.18548-1-david.epping@missinglinkelectronics.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa015a20
    • David Epping's avatar
      net: phy: mscc: enable VSC8501/2 RGMII RX clock · 71460c9e
      David Epping authored
      By default the VSC8501 and VSC8502 RGMII/GMII/MII RX_CLK output is
      disabled. To allow packet forwarding towards the MAC it needs to be
      enabled.
      
      For other PHYs supported by this driver the clock output is enabled
      by default.
      
      Fixes: d3169863 ("net: phy: mscc: add support for VSC8502")
      Signed-off-by: default avatarDavid Epping <david.epping@missinglinkelectronics.com>
      Reviewed-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      71460c9e
    • David Epping's avatar
      net: phy: mscc: remove unnecessary phydev locking · 7df0b33d
      David Epping authored
      Holding the struct phy_device (phydev) lock is unnecessary when
      accessing phydev->interface in the PHY driver .config_init method,
      which is the only place that vsc85xx_rgmii_set_skews() is called from.
      
      The phy_modify_paged() function implements required MDIO bus level
      locking, which can not be achieved by a phydev lock.
      Signed-off-by: default avatarDavid Epping <david.epping@missinglinkelectronics.com>
      Reviewed-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7df0b33d
    • David Epping's avatar
      net: phy: mscc: add support for VSC8501 · fb055ce4
      David Epping authored
      The VSC8501 PHY can use the same driver implementation as the VSC8502.
      Adding the PHY ID and copying the handler functions of VSC8502 is
      sufficient to operate it.
      Signed-off-by: default avatarDavid Epping <david.epping@missinglinkelectronics.com>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fb055ce4
    • David Epping's avatar
      net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE · 57fb54ab
      David Epping authored
      The mscc driver implements support for VSC8502, so its ID should be in
      the MODULE_DEVICE_TABLE for automatic loading.
      Signed-off-by: default avatarDavid Epping <david.epping@missinglinkelectronics.com>
      Fixes: d3169863 ("net: phy: mscc: add support for VSC8502")
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      57fb54ab
    • Jakub Kicinski's avatar
      Merge branch 'bug-fixes-for-net-handshake' · 1de5900c
      Jakub Kicinski authored
      Chuck Lever says:
      
      ====================
      Bug fixes for net/handshake
      
      Paolo observed that there is a possible leak of sock->file. I
      haven't looked into that yet, but it seems to be separate from
      the fixes in this series, so no need to hold these up.
      ====================
      
      The submissions mentions net-next but it means netdev (perhaps
      merge window left over when trees are converged). In any case,
      it should have gone into net, but was instead applied to net-next
      as commit deb2e484 ("Merge branch 'net-handshake-fixes'").
      These are fixes tho, and Chuck needs them to make progress with
      the client so double-merging them into net... it is what it is :(
      
      Link: https://lore.kernel.org/r/168381978252.84244.1933636428135211300.stgit@91.116.238.104.host.secureserver.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1de5900c
    • Chuck Lever's avatar
      net/handshake: Enable the SNI extension to work properly · 26fb5480
      Chuck Lever authored
      Enable the upper layer protocol to specify the SNI peername. This
      avoids the need for tlshd to use a DNS lookup, which can return a
      hostname that doesn't match the incoming certificate's SubjectName.
      
      Fixes: 2fd55320 ("net/handshake: Add a kernel API for requesting a TLSv1.3 handshake")
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      26fb5480
    • Chuck Lever's avatar
      net/handshake: Unpin sock->file if a handshake is cancelled · 1ce77c99
      Chuck Lever authored
      If user space never calls DONE, sock->file's reference count remains
      elevated. Enable sock->file to be freed eventually in this case.
      Reported-by: default avatarJakub Kacinski <kuba@kernel.org>
      Fixes: 3b3009ea ("net/handshake: Create a NETLINK service for handling handshake requests")
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1ce77c99
    • Chuck Lever's avatar
      net/handshake: handshake_genl_notify() shouldn't ignore @flags · fc490880
      Chuck Lever authored
      Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Fixes: 3b3009ea ("net/handshake: Create a NETLINK service for handling handshake requests")
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fc490880
    • Chuck Lever's avatar
      net/handshake: Fix uninitialized local variable · 7afc6d0a
      Chuck Lever authored
      trace_handshake_cmd_done_err() simply records the pointer in @req,
      so initializing it to NULL is sufficient and safe.
      Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Fixes: 3b3009ea ("net/handshake: Create a NETLINK service for handling handshake requests")
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7afc6d0a
    • Chuck Lever's avatar
      net/handshake: Fix handshake_dup() ref counting · 7ea9c1ec
      Chuck Lever authored
      If get_unused_fd_flags() fails, we ended up calling fput(sock->file)
      twice.
      Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Suggested-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Fixes: 3b3009ea ("net/handshake: Create a NETLINK service for handling handshake requests")
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7ea9c1ec