1. 13 Nov, 2023 3 commits
  2. 11 Nov, 2023 2 commits
  3. 10 Nov, 2023 7 commits
    • tty: Fix uninit-value access in ppp_sync_receive() · 71963985
      Shigeru Yoshida authored
      KMSAN reported the following uninit-value access issue:
      
      =====================================================
      BUG: KMSAN: uninit-value in ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline]
      BUG: KMSAN: uninit-value in ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334
       ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline]
       ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334
       tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295
       tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:871 [inline]
       __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857
       __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Uninit was created at:
       __alloc_pages+0x75d/0xe80 mm/page_alloc.c:4591
       __alloc_pages_node include/linux/gfp.h:238 [inline]
       alloc_pages_node include/linux/gfp.h:261 [inline]
       __page_frag_cache_refill+0x9a/0x2c0 mm/page_alloc.c:4691
       page_frag_alloc_align+0x91/0x5d0 mm/page_alloc.c:4722
       page_frag_alloc include/linux/gfp.h:322 [inline]
       __netdev_alloc_skb+0x215/0x6d0 net/core/skbuff.c:728
       netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
       dev_alloc_skb include/linux/skbuff.h:3238 [inline]
       ppp_sync_input drivers/net/ppp/ppp_synctty.c:669 [inline]
       ppp_sync_receive+0x237/0xe70 drivers/net/ppp/ppp_synctty.c:334
       tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295
       tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:871 [inline]
       __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857
       __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      CPU: 0 PID: 12950 Comm: syz-executor.1 Not tainted 6.6.0-14500-g1c410411 #10
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
      =====================================================
      
      ppp_sync_input() checks the first 2 bytes of the data are PPP_ALLSTATIONS
      and PPP_UI. However, if the data length is 1 and the first byte is
      PPP_ALLSTATIONS, an access to an uninitialized value occurs when checking
      PPP_UI. This patch resolves this issue by checking the data length.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipvlan: add ipvlan_route_v6_outbound() helper · 18f03942
      Eric Dumazet authored
      Inspired by syzbot reports using a stack of multiple ipvlan devices.
      
      Reduce stack size needed in ipvlan_process_v6_outbound() by moving
      the flowi6 struct used for the route lookup in a non-inlined
      helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,
      immediately reclaimed.
      
      Also make sure ipvlan_process_v4_outbound() is not inlined.
      
      We might also have to lower MAX_NEST_DEV, because only syzbot uses
      setups with more than four stacked devices.
      
      BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)
      stack guard page: 0000 [#1] SMP KASAN
      CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
      RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188
      Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89
      RSP: 0018:ffffc9000e804000 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2
      RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568
      RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c
      R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000
      FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <#DF>
      </#DF>
      <TASK>
      [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
      [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]
      [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
      [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]
      [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]
      [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]
      [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632
      [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306
      [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]
      [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221
      [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606
      [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]
      [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116
      [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638
      [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651
      [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]
      [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]
      [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
      [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
      [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
      [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
      [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
      [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
      [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
      [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
      [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
      [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
      [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
      [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
      [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
      [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
      [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
      [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
      [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
      [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
      [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
      [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
      [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
      [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
      [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
      [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
      [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
      [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
      [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
      [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
      [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
      [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
      [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
      [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
      [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
      [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
      [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
      [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
      [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
      [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
      [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
      [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
      [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
      [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
      [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
      [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
      [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
      [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
      [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
      [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
      [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
      [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
      [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
      [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
      [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
      [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
      [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
      [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
      [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
      [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
      [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
      [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
      [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
      [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
      [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
      [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
      [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
      [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
      [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
      [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
      [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
      [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
      [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
      [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
      [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
      [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
      [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
      [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
      [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
      [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
      [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
      [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
      [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
      [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
      [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
      [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
      [<ffffffff84d4a65e>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
      [<ffffffff84d4a65e>] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560
      [<ffffffff855ce503>] neigh_output include/net/neighbour.h:545 [inline]
      [<ffffffff855ce503>] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139
      [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
      [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
      [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
      [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
      [<ffffffff855b9ce4>] dst_output include/net/dst.h:444 [inline]
      [<ffffffff855b9ce4>] NF_HOOK include/linux/netfilter.h:309 [inline]
      [<ffffffff855b9ce4>] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352
      [<ffffffff8597984e>] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250
      [<ffffffff8594623e>] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653
      [<ffffffff858f5142>] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783
      [<ffffffff858ea411>] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
      [<ffffffff858ea411>] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212
      [<ffffffff858f02f9>] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764
      [<ffffffff8589f060>] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
      [<ffffffff8589f060>] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170
      [<ffffffff85941567>] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73
      [<ffffffff859408b2>] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839
      [<ffffffff85910b5e>] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029
      [<ffffffff8544d559>] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849
      [<ffffffff84c6c4d2>] sock_sendmsg_nosec net/socket.c:716 [inline]
      [<ffffffff84c6c4d2>] sock_sendmsg net/socket.c:736 [inline]
      [<ffffffff84c6c4d2>] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504
      [<ffffffff84c6ca91>] ___sys_sendmsg net/socket.c:2558 [inline]
      [<ffffffff84c6ca91>] __sys_sendmsg+0x271/0x360 net/socket.c:2587
      [<ffffffff84c6cbff>] __do_sys_sendmsg net/socket.c:2596 [inline]
      [<ffffffff84c6cbff>] __se_sys_sendmsg net/socket.c:2594 [inline]
      [<ffffffff84c6cbff>] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594
      [<ffffffff85b32553>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      [<ffffffff85b32553>] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84
      [<ffffffff85c00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver.")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: net: Update reviewers for TI's Ethernet drivers · cbe9e68e
      Ravi Gunasekaran authored
      Grygorii is no longer associated with TI and messages addressed to
      him bounce.
      
      Add Siddharth, Roger and myself as reviewers.
      Signed-off-by: Ravi Gunasekaran <r-gunasekaran@ti.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: set SOCK_RCU_FREE before inserting socket into hashtable · 871019b2
      Stanislav Fomichev authored
      We've started to see the following kernel traces:
      
       WARNING: CPU: 83 PID: 0 at net/core/filter.c:6641 sk_lookup+0x1bd/0x1d0
      
       Call Trace:
        <IRQ>
        __bpf_skc_lookup+0x10d/0x120
        bpf_sk_lookup+0x48/0xd0
        bpf_sk_lookup_tcp+0x19/0x20
        bpf_prog_<redacted>+0x37c/0x16a3
        cls_bpf_classify+0x205/0x2e0
        tcf_classify+0x92/0x160
        __netif_receive_skb_core+0xe52/0xf10
        __netif_receive_skb_list_core+0x96/0x2b0
        napi_complete_done+0x7b5/0xb70
        <redacted>_poll+0x94/0xb0
        net_rx_action+0x163/0x1d70
        __do_softirq+0xdc/0x32e
        asm_call_irq_on_stack+0x12/0x20
        </IRQ>
        do_softirq_own_stack+0x36/0x50
        do_softirq+0x44/0x70
      
      __inet_hash can race with lockless (rcu) readers on the other cpus:
      
        __inet_hash
          __sk_nulls_add_node_rcu
          <- (bpf triggers here)
          sock_set_flag(SOCK_RCU_FREE)
      
      Let's move the SOCK_RCU_FREE part up a bit, before we are inserting
      the socket into hashtables. Note, that the race is really harmless;
      the bpf callers are handling this situation (where listener socket
      doesn't have SOCK_RCU_FREE set) correctly, so the only
      annoyance is a WARN_ONCE.
      
      More details from Eric regarding SOCK_RCU_FREE timeline:
      
      Commit 3b24d854 ("tcp/dccp: do not touch listener sk_refcnt under
      synflood") added SOCK_RCU_FREE. At that time, the precise location of
      sock_set_flag(sk, SOCK_RCU_FREE) did not matter, because the thread calling
      __inet_hash() owns a reference on sk. SOCK_RCU_FREE was only tested
      at dismantle time.
      
      Commit 6acc9b43 ("bpf: Add helper to retrieve socket in BPF")
      started checking SOCK_RCU_FREE _after_ the lookup to infer whether
      the refcount has been taken care of.
      
      Fixes: 6acc9b43 ("bpf: Add helper to retrieve socket in BPF")
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Stanislav Fomichev <sdf@google.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ptp: Fixes a null pointer dereference in ptp_ioctl · 8a4f030d
      Yuran Pereira authored
      Syzkaller found a null pointer dereference in ptp_ioctl
      originating from the lack of a null check for tsevq.
      
      ```
      general protection fault, probably for non-canonical
      	address 0xdffffc000000020b: 0000 [#1] PREEMPT SMP KASAN
      KASAN: probably user-memory-access in range
      	[0x0000000000001058-0x000000000000105f]
      CPU: 0 PID: 5053 Comm: syz-executor353 Not tainted
      	6.6.0-syzkaller-10396-g4652b8e4 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      	BIOS Google 10/09/2023
      RIP: 0010:ptp_ioctl+0xcb7/0x1d10 drivers/ptp/ptp_chardev.c:476
      ...
      Call Trace:
       <TASK>
       posix_clock_ioctl+0xf8/0x160 kernel/time/posix-clock.c:86
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:871 [inline]
       __se_sys_ioctl fs/ioctl.c:857 [inline]
       __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      ```
      
      This patch fixes the issue by adding a check for tsevq and
      ensuring ptp_ioctl returns with an error if tsevq is null.
      
      Reported-by: syzbot+8a78ecea7ac1a2ea26e5@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=8a78ecea7ac1a2ea26e5
      Fixes: c5a445b1 ("ptp: support event queue reader channel masks")
      Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
      Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'net-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 89cdf9d5
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter and bpf.
      
        Current release - regressions:
      
         - sched: fix SKB_NOT_DROPPED_YET splat under debug config
      
        Current release - new code bugs:
      
         - tcp:
             - fix usec timestamps with TCP fastopen
             - fix possible out-of-bounds reads in tcp_hash_fail()
             - fix SYN option room calculation for TCP-AO
      
         - tcp_sigpool: fix some off by one bugs
      
         - bpf: fix compilation error without CGROUPS
      
         - ptp:
             - ptp_read() should not release queue
             - fix tsevqs corruption
      
        Previous releases - regressions:
      
         - llc: verify mac len before reading mac header
      
        Previous releases - always broken:
      
         - bpf:
             - fix check_stack_write_fixed_off() to correctly spill imm
             - fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
             - check map->usercnt after timer->timer is assigned
      
         - dsa: lan9303: consequently nested-lock physical MDIO
      
         - dccp/tcp: call security_inet_conn_request() after setting IP addr
      
         - tg3: fix the TX ring stall due to incorrect full ring handling
      
         - phylink: initialize carrier state at creation
      
         - ice: fix direction of VF rules in switchdev mode
      
        Misc:
      
         - fill in a bunch of missing MODULE_DESCRIPTION()s, more to come"
      
      * tag 'net-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        net: ti: icss-iep: fix setting counter value
        ptp: fix corrupted list in ptp_open
        ptp: ptp_read should not release queue
        net_sched: sch_fq: better validate TCA_FQ_WEIGHTS and TCA_FQ_PRIOMAP
        net: kcm: fill in MODULE_DESCRIPTION()
        net/sched: act_ct: Always fill offloading tuple iifidx
        netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
        netfilter: xt_recent: fix (increase) ipv6 literal buffer length
        ipvs: add missing module descriptions
        netfilter: nf_tables: remove catchall element in GC sync path
        netfilter: add missing module descriptions
        drivers/net/ppp: use standard array-copy-function
        net: enetc: shorten enetc_setup_xdp_prog() error message to fit NETLINK_MAX_FMTMSG_LEN
        virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
        r8169: respect userspace disabling IFF_MULTICAST
        selftests/bpf: get trusted cgrp from bpf_iter__cgroup directly
        bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg
        net: phylink: initialize carrier state at creation
        test/vsock: add dobule bind connect test
        test/vsock: refactor vsock_accept
        ...
    • Merge tag 'v6.7-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 3b220413
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes a regression in ahash and hides the Kconfig sub-options for
        the jitter RNG"
      
      * tag 'v6.7-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: ahash - Set using_shash for cloned ahash wrapper over shash
        crypto: jitterentropy - Hide esoteric Kconfig options under FIPS and EXPERT
  4. 09 Nov, 2023 15 commits
    • Merge tag 'input-for-v6.7-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · a12deb44
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
      
       - a number of input drivers has been converted to use facilities
         provided by the device core to instantiate driver-specific attributes
         instead of using devm_device_add_group() and similar APIs
      
       - platform input devices have been converted to use remove() callback
         returning void
      
       - a fix for use-after-free when tearing down a Synaptics RMI device
      
       - a few flexible arrays in input structures have been annotated with
         __counted_by to help hardening efforts
      
       - handling of vddio supply in cyttsp5 driver
      
       - other miscellaneous fixups
      
      * tag 'input-for-v6.7-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (86 commits)
        Input: walkera0701 - use module_parport_driver macro to simplify the code
        Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
        dt-bindings: input: fsl,scu-key: Document wakeup-source
        Input: cyttsp5 - add handling for vddio regulator
        dt-bindings: input: cyttsp5: document vddio-supply
        Input: tegra-kbc - use device_get_match_data()
        Input: Annotate struct ff_device with __counted_by
        Input: axp20x-pek - avoid needless newline removal
        Input: mt - annotate struct input_mt with __counted_by
        Input: leds - annotate struct input_leds with __counted_by
        Input: evdev - annotate struct evdev_client with __counted_by
        Input: synaptics-rmi4 - replace deprecated strncpy
        Input: wm97xx-core - convert to platform remove callback returning void
        Input: wm831x-ts - convert to platform remove callback returning void
        Input: ti_am335x_tsc - convert to platform remove callback returning void
        Input: sun4i-ts - convert to platform remove callback returning void
        Input: stmpe-ts - convert to platform remove callback returning void
        Input: pcap_ts - convert to platform remove callback returning void
        Input: mc13783_ts - convert to platform remove callback returning void
        Input: mainstone-wm97xx - convert to platform remove callback returning void
        ...
    • Merge tag 'for-6.7-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · ace92fd9
      Linus Torvalds authored
      Pull more i2c updates from Wolfram Sang:
       "This contains one patch which slipped through the cracks (iproc), a
        core sanitizing improvement as the new memdup_array_user() helper went
        upstream (i2c-dev), and two driver bugfixes (designware, cp2615)"
      
      * tag 'for-6.7-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: cp2615: Fix 'assignment to __be16' warning
        i2c: dev: copy userspace array safely
        i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
        i2c: iproc: handle invalid slave state
    • Merge tag 'linux-watchdog-6.7-rc1' of git://www.linux-watchdog.org/linux-watchdog · 12418ece
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - add support for Amlogic C3 and S4 SoCs
      
       - add IT8613 ID
      
       - add MSM8226 and MSM8974 compatibles
      
       - other small fixes and improvements
      
      * tag 'linux-watchdog-6.7-rc1' of git://www.linux-watchdog.org/linux-watchdog: (24 commits)
        dt-bindings: watchdog: Add support for Amlogic C3 and S4 SoCs
        watchdog: mlx-wdt: Parameter desctiption warning fix
        watchdog: aspeed: Add support for aspeed,reset-mask DT property
        dt-bindings: watchdog: aspeed-wdt: Add aspeed,reset-mask property
        watchdog: apple: Deactivate on suspend
        dt-bindings: watchdog: qcom-wdt: Add MSM8226 and MSM8974 compatibles
        dt-bindings: watchdog: fsl-imx7ulp-wdt: Add 'fsl,ext-reset-output'
        wdog: imx7ulp: Enable wdog int_en bit for watchdog any reset
        drivers: watchdog: marvell_gti: Program the max_hw_heartbeat_ms
        drivers: watchdog: marvell_gti: fix zero pretimeout handling
        watchdog: marvell_gti: Replace of_platform.h with explicit includes
        watchdog: imx_sc_wdt: continue if the wdog already enabled
        watchdog: st_lpc: Use device_get_match_data()
        watchdog: wdat_wdt: Add timeout value as a param in ping method
        watchdog: gpio_wdt: Make use of device properties
        sbsa_gwdt: Calculate timeout with 64-bit math
        watchdog: ixp4xx: Make sure restart always works
        watchdog: it87_wdt: add IT8613 ID
        watchdog: marvell_gti_wdt: Fix error code in probe()
        Watchdog: marvell_gti_wdt: Remove redundant dev_err_probe() for platform_get_irq()
        ...
    • Merge tag 'pwm/for-6.7-rc1' of... · f3bfe643
      Linus Torvalds authored
      Merge tag 'pwm/for-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
      
      Pull pwm updates from Thierry Reding:
       "This contains a few fixes and a bunch of cleanups, a lot of which is
        in preparation for Uwe's character device support that may be ready in
        time for the next merge window"
      
      * tag 'pwm/for-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm: (37 commits)
        pwm: samsung: Document new member .channel in struct samsung_pwm_chip
        pwm: bcm2835: Add support for suspend/resume
        pwm: brcmstb: Checked clk_prepare_enable() return value
        pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
        pwm: pxa: Explicitly include correct DT includes
        pwm: cros-ec: Simplify using devm_pwmchip_add() and dev_err_probe()
        pwm: samsung: Consistently use the same name for driver data
        pwm: vt8500: Simplify using devm functions
        pwm: sprd: Simplify using devm_pwmchip_add() and dev_err_probe()
        pwm: sprd: Provide a helper to cast a chip to driver data
        pwm: spear: Simplify using devm functions
        pwm: mtk-disp: Simplify using devm_pwmchip_add()
        pwm: imx-tpm: Simplify using devm functions
        pwm: brcmstb: Simplify using devm functions
        pwm: bcm2835: Simplify using devm functions
        pwm: bcm-iproc: Simplify using devm functions
        pwm: Adapt sysfs API documentation to reality
        pwm: dwc: add PWM bit unset in get_state call
        pwm: dwc: make timer clock configurable
        pwm: dwc: split pci out of core driver
        ...
    • Merge tag 'iommu-updates-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 4bbdb725
      Linus Torvalds authored
      Pull iommu updates from Joerg Roedel:
       "Core changes:
         - Make default-domains mandatory for all IOMMU drivers
         - Remove group refcounting
         - Add generic_single_device_group() helper and consolidate drivers
         - Cleanup map/unmap ops
         - Scaling improvements for the IOVA rcache depot
         - Convert dart & iommufd to the new domain_alloc_paging()
      
        ARM-SMMU:
         - Device-tree binding update:
             - Add qcom,sm7150-smmu-v2 for Adreno on SM7150 SoC
         - SMMUv2:
             - Support for Qualcomm SDM670 (MDSS) and SM7150 SoCs
         - SMMUv3:
             - Large refactoring of the context descriptor code to move the CD
               table into the master, paving the way for '->set_dev_pasid()'
               support on non-SVA domains
         - Minor cleanups to the SVA code
      
        Intel VT-d:
         - Enable debugfs to dump domain attached to a pasid
         - Remove an unnecessary inline function
      
        AMD IOMMU:
         - Initial patches for SVA support (not complete yet)
      
        S390 IOMMU:
         - DMA-API conversion and optimized IOTLB flushing
      
        And some smaller fixes and improvements"
      
      * tag 'iommu-updates-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: (102 commits)
        iommu/dart: Remove the force_bypass variable
        iommu/dart: Call apple_dart_finalize_domain() as part of alloc_paging()
        iommu/dart: Convert to domain_alloc_paging()
        iommu/dart: Move the blocked domain support to a global static
        iommu/dart: Use static global identity domains
        iommufd: Convert to alloc_domain_paging()
        iommu/vt-d: Use ops->blocked_domain
        iommu/vt-d: Update the definition of the blocking domain
        iommu: Move IOMMU_DOMAIN_BLOCKED global statics to ops->blocked_domain
        Revert "iommu/vt-d: Remove unused function"
        iommu/amd: Remove DMA_FQ type from domain allocation path
        iommu: change iommu_map_sgtable to return signed values
        iommu/virtio: Add __counted_by for struct viommu_request and use struct_size()
        iommu/vt-d: debugfs: Support dumping a specified page table
        iommu/vt-d: debugfs: Create/remove debugfs file per {device, pasid}
        iommu/vt-d: debugfs: Dump entry pointing to huge page
        iommu/vt-d: Remove unused function
        iommu/arm-smmu-v3-sva: Remove bond refcount
        iommu/arm-smmu-v3-sva: Remove unused iommu_sva handle
        iommu/arm-smmu-v3: Rename cdcfg to cd_table
        ...
    • net: ti: icss-iep: fix setting counter value · 83b9dda8
      Diogo Ivo authored
      Currently icss_iep_set_counter() writes the upper 32-bits of the
      counter value to both the lower and upper counter registers, so
      fix this by writing the appropriate value to the lower register.
      
      Fixes: c1e0230e ("net: ti: icss-iep: Add IEP driver")
      Signed-off-by: Diogo Ivo <diogo.ivo@siemens.com>
      Link: https://lore.kernel.org/r/20231107120037.1513546-1-diogo.ivo@siemens.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • ptp: fix corrupted list in ptp_open · 1bea2c3e
      Edward Adam Davis authored
      There is no lock protection when writing ptp->tsevqs in ptp_open() and
      ptp_release(), which can cause data corruption, use spin lock to avoid this
      issue.
      
      Moreover, ptp_release() should not be used to release the queue in ptp_read(),
      and it should be deleted altogether.
      Acked-by: Richard Cochran <richardcochran@gmail.com>
      Reported-and-tested-by: syzbot+df3f3ef31f60781fa911@syzkaller.appspotmail.com
      Fixes: 8f5de6fb ("ptp: support multiple timestamp event readers")
      Signed-off-by: Edward Adam Davis <eadavis@qq.com>
      Link: https://lore.kernel.org/r/tencent_CD19564FFE8DA8A5918DFE92325D92DD8107@qq.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ptp: ptp_read should not release queue · b714ca2c
      Edward Adam Davis authored
      Firstly, queue is not the memory allocated in ptp_read;
      Secondly, other processes may block at ptp_read and wait for conditions to be
      met to perform read operations.
      Acked-by: Richard Cochran <richardcochran@gmail.com>
      Reported-and-tested-by: syzbot+df3f3ef31f60781fa911@syzkaller.appspotmail.com
      Fixes: 8f5de6fb ("ptp: support multiple timestamp event readers")
      Signed-off-by: Edward Adam Davis <eadavis@qq.com>
      Link: https://lore.kernel.org/r/tencent_18747D76F1675A3C633772960237544AAA09@qq.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 9b818a34
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-11-06 (ice)
      
      This series contains updates to ice driver only.
      
      Dave removes SR-IOV LAG attribute for only the interface being disabled
      to allow for proper unwinding of all interfaces.
      
      Michal Schmidt changes some LAG allocations from GFP_KERNEL to GFP_ATOMIC
      due to non-allowed sleeping.
      
      Aniruddha and Marcin fix redirection and drop rules for switchdev by
      properly setting and marking egress/ingress type.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: Fix VF-VF direction matching in drop rule in switchdev
        ice: Fix VF-VF filter rules in switchdev mode
        ice: lag: in RCU, use atomic allocation
        ice: Fix SRIOV LAG disable on non-compliant aggregate
      ====================
      
      Link: https://lore.kernel.org/r/20231107004844.655549-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net_sched: sch_fq: better validate TCA_FQ_WEIGHTS and TCA_FQ_PRIOMAP · f1a3b283
      Eric Dumazet authored
      syzbot was able to trigger the following report while providing
      too small TCA_FQ_WEIGHTS attribute [1]
      
      Fix is to use NLA_POLICY_EXACT_LEN() to ensure user space
      provided correct sizes.
      
      Apply the same fix to TCA_FQ_PRIOMAP.
      
      [1]
      BUG: KMSAN: uninit-value in fq_load_weights net/sched/sch_fq.c:960 [inline]
      BUG: KMSAN: uninit-value in fq_change+0x1348/0x2fe0 net/sched/sch_fq.c:1071
      fq_load_weights net/sched/sch_fq.c:960 [inline]
      fq_change+0x1348/0x2fe0 net/sched/sch_fq.c:1071
      fq_init+0x68e/0x780 net/sched/sch_fq.c:1159
      qdisc_create+0x12f3/0x1be0 net/sched/sch_api.c:1326
      tc_modify_qdisc+0x11ef/0x2c20
      rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6558
      netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
      rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6576
      netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
      netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
      netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2588
      ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2642
      __sys_sendmsg net/socket.c:2671 [inline]
      __do_sys_sendmsg net/socket.c:2680 [inline]
      __se_sys_sendmsg net/socket.c:2678 [inline]
      __x64_sys_sendmsg+0x307/0x490 net/socket.c:2678
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Uninit was created at:
      slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
      slab_alloc_node mm/slub.c:3478 [inline]
      kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
      kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
      __alloc_skb+0x318/0x740 net/core/skbuff.c:651
      alloc_skb include/linux/skbuff.h:1286 [inline]
      netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
      netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2588
      ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2642
      __sys_sendmsg net/socket.c:2671 [inline]
      __do_sys_sendmsg net/socket.c:2680 [inline]
      __se_sys_sendmsg net/socket.c:2678 [inline]
      __x64_sys_sendmsg+0x307/0x490 net/socket.c:2678
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      CPU: 1 PID: 5001 Comm: syz-executor300 Not tainted 6.6.0-syzkaller-12401-g8f6f76a6 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
      
      Fixes: 29f834aa ("net_sched: sch_fq: add 3 bands and WRR scheduling")
      Fixes: 49e7265f ("net_sched: sch_fq: add TCA_FQ_WEIGHTS attribute")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/r/20231107160440.1992526-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 09699f19
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-11-06 (i40e)
      
      This series contains updates to i40e driver only.
      
      Ivan Vecera resolves a couple issues with devlink; removing a call to
      devlink_port_type_clear() and ensuring devlink port is unregistered
      after the net device.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: Fix devlink port unregistering
        i40e: Do not call devlink_port_type_clear()
      ====================
      
      Link: https://lore.kernel.org/r/20231107003600.653796-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: kcm: fill in MODULE_DESCRIPTION() · 31356547
      Jakub Kicinski authored
      W=1 builds now warn if module is built without a MODULE_DESCRIPTION().
      
      Link: https://lore.kernel.org/r/20231108020305.537293-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'nf-23-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 0613736e
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Add missing netfilter modules description to fix W=1, from Florian Westphal.
      
      2) Fix catch-all element GC with timeout when used with the pipapo set
         backend, this remained broken since I tried to fix it this summer,
         then another attempt to fix it recently.
      
      3) Add missing IPVS modules descriptions to fix W=1, also from Florian.
      
      4) xt_recent allocated a too small buffer to store an IPv4-mapped IPv6
         address which can be parsed by in6_pton(), from Maciej Zenczykowski.
         Broken for many releases.
      
      5) Skip IPv4-mapped IPv6, IPv4-compat IPv6, site/link local scoped IPv6
         addresses to set up IPv6 NAT redirect, also from Florian. This is
         broken since 2012.
      
      * tag 'nf-23-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
        netfilter: xt_recent: fix (increase) ipv6 literal buffer length
        ipvs: add missing module descriptions
        netfilter: nf_tables: remove catchall element in GC sync path
        netfilter: add missing module descriptions
      ====================
      
      Link: https://lore.kernel.org/r/20231108155802.84617-1-pablo@netfilter.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 942b8b38
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-11-08
      
      We've added 16 non-merge commits during the last 6 day(s) which contain
      a total of 30 files changed, 341 insertions(+), 130 deletions(-).
      
      The main changes are:
      
      1) Fix a BPF verifier issue in precision tracking for BPF_ALU | BPF_TO_BE |
         BPF_END where the source register was incorrectly marked as precise,
         from Shung-Hsi Yu.
      
      2) Fix a concurrency issue in bpf_timer where the former could still have
         been alive after an application releases or unpins the map, from Hou Tao.
      
      3) Fix a BPF verifier issue where immediates are incorrectly cast to u32
         before being spilled and therefore losing sign information, from Hao Sun.
      
      4) Fix a misplaced BPF_TRACE_ITER in check_css_task_iter_allowlist which
         incorrectly compared bpf_prog_type with bpf_attach_type, from Chuyi Zhou.
      
      5) Add __bpf_hook_{start,end} as well as __bpf_kfunc_{start,end}_defs macros,
         migrate all BPF-related __diag callsites over to it, and add a new
         __diag_ignore_all for -Wmissing-declarations to the macros to address
         recent build warnings, from Dave Marchevsky.
      
      6) Fix broken BPF selftest build of xdp_hw_metadata test on architectures
         where char is not signed, from Björn Töpel.
      
      7) Fix test_maps selftest to properly use LIBBPF_OPTS() macro to initialize
         the bpf_map_create_opts, from Andrii Nakryiko.
      
      8) Fix bpffs selftest to avoid unmounting /sys/kernel/debug as it may have
         been mounted and used by other applications already, from Manu Bretelle.
      
      9) Fix a build issue without CONFIG_CGROUPS wrt css_task open-coded
         iterators, from Matthieu Baerts.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: get trusted cgrp from bpf_iter__cgroup directly
        bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg
        selftests/bpf: Fix broken build where char is unsigned
        selftests/bpf: precision tracking test for BPF_NEG and BPF_END
        bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
        selftests/bpf: Add test for using css_task iter in sleepable progs
        selftests/bpf: Add tests for css_task iter combining with cgroup iter
        bpf: Relax allowlist for css_task iter
        selftests/bpf: fix test_maps' use of bpf_map_create_opts
        bpf: Check map->usercnt after timer->timer is assigned
        bpf: Add __bpf_hook_{start,end} macros
        bpf: Add __bpf_kfunc_{start,end}_defs macros
        selftests/bpf: fix test_bpffs
        selftests/bpf: Add test for immediate spilled to stack
        bpf: Fix check_stack_write_fixed_off() to correctly spill imm
        bpf: fix compilation error without CGROUPS
      ====================
      
      Link: https://lore.kernel.org/r/20231108132448.1970-1-daniel@iogearbox.net
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net/sched: act_ct: Always fill offloading tuple iifidx · 9bc64bd0
      Vlad Buslov authored
      Referenced commit doesn't always set iifidx when offloading the flow to
      hardware. Fix the following cases:
      
      - nf_conn_act_ct_ext_fill() is called before extension is created with
      nf_conn_act_ct_ext_add() in tcf_ct_act(). This can cause rule offload with
      unspecified iifidx when connection is offloaded after only single
      original-direction packet has been processed by tc data path. Always fill
      the new nf_conn_act_ct_ext instance after creating it in
      nf_conn_act_ct_ext_add().
      
      - Offloading of unidirectional UDP NEW connections is now supported, but ct
      flow iifidx field is not updated when connection is promoted to
      bidirectional, which can result in reply-direction iifidx being zero when
      refreshing the connection. Fill in the extension and update flow iifidx
      before calling flow_offload_refresh().
      
      Fixes: 9795ded7 ("net/sched: act_ct: Fill offloading tuple iifidx")
      Reviewed-by: Paul Blakey <paulb@nvidia.com>
      Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Fixes: 6a9bad00 ("net/sched: act_ct: offload UDP NEW connections")
      Link: https://lore.kernel.org/r/20231103151410.764271-1-vladbu@nvidia.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  5. 08 Nov, 2023 13 commits
    • Merge tag 'nfs-for-6.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 6bc986ab
      Linus Torvalds authored
      Pull NFS client updates from Trond Myklebust:
       "Bugfixes:
      
         - SUNRPC:
             - re-probe the target RPC port after an ECONNRESET error
             - handle allocation errors from rpcb_call_async()
             - fix a use-after-free condition in rpc_pipefs
             - fix up various checks for timeouts
      
         - NFSv4.1:
             - Handle NFS4ERR_DELAY errors during session trunking
             - fix SP4_MACH_CRED protection for pnfs IO
      
         - NFSv4:
             - Ensure that we test all delegations when the server notifies
               us that it may have revoked some of them
      
        Features:
      
         - Allow knfsd processes to break out of NFS4ERR_DELAY loops when
           re-exporting NFSv4.x by setting appropriate values for the
           'delay_retrans' module parameter
      
         - nfs: Convert nfs_symlink() to use a folio"
      
      * tag 'nfs-for-6.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        nfs: Convert nfs_symlink() to use a folio
        SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
        NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
        SUNRPC: Add an IS_ERR() check back to where it was
        NFSv4.1: fix handling NFS4ERR_DELAY when testing for session trunking
        nfs41: drop dependency between flexfiles layout driver and NFSv3 modules
        NFSv4: fairly test all delegations on a SEQ4_ revocation
        SUNRPC: SOFTCONN tasks should time out when on the sending list
        SUNRPC: Force close the socket when a hard error is reported
        SUNRPC: Don't skip timeout checks in call_connect_status()
        SUNRPC: ECONNRESET might require a rebind
        NFSv4/pnfs: Allow layoutget to return EAGAIN for softerr mounts
        NFSv4: Add a parameter to limit the number of retries after NFS4ERR_DELAY
    • Merge tag 'exfat-for-6.7-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat · 67c0afb6
      Linus Torvalds authored
      
      Pull exfat updates from Namjae Jeon:
      
       - Fix an issue that exfat timestamps are not updated caused by new
         timestamp accessor function patch
      
      * tag 'exfat-for-6.7-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat:
        exfat: fix ctime is not updated
        exfat: fix setting uninitialized time to ctime/atime
    • Merge tag 'xfs-6.7-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 34f76326
      Linus Torvalds authored
      Pull xfs updates from Chandan Babu:
      
       - Realtime device subsystem:
          - Cleanup usage of xfs_rtblock_t and xfs_fsblock_t data types
          - Replace open coded conversions between rt blocks and rt extents
            with calls to static inline helpers
          - Replace open coded realtime geometry computation and macros with
            helper functions
          - CPU usage optimizations for realtime allocator
          - Misc bug fixes associated with Realtime device
      
       - Allow read operations to execute while an FICLONE ioctl is being
         serviced
      
       - Misc bug fixes:
          - Alert user when xfs_droplink() encounters an inode with a link
            count of zero
          - Handle the case where the allocator could return zero extents when
            servicing an fallocate request
      
      * tag 'xfs-6.7-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: (40 commits)
        xfs: allow read IO and FICLONE to run concurrently
        xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space
        xfs: introduce protection for drop nlink
        xfs: don't look for end of extent further than necessary in xfs_rtallocate_extent_near()
        xfs: don't try redundant allocations in xfs_rtallocate_extent_near()
        xfs: limit maxlen based on available space in xfs_rtallocate_extent_near()
        xfs: return maximum free size from xfs_rtany_summary()
        xfs: invert the realtime summary cache
        xfs: simplify rt bitmap/summary block accessor functions
        xfs: simplify xfs_rtbuf_get calling conventions
        xfs: cache last bitmap block in realtime allocator
        xfs: use accessor functions for summary info words
        xfs: consolidate realtime allocation arguments
        xfs: create helpers for rtsummary block/wordcount computations
        xfs: use accessor functions for bitmap words
        xfs: create helpers for rtbitmap block/wordcount computations
        xfs: create a helper to handle logging parts of rt bitmap/summary blocks
        xfs: convert rt summary macros to helpers
        xfs: convert open-coded xfs_rtword_t pointer accesses to helper
        xfs: remove XFS_BLOCKWSIZE and XFS_BLOCKWMASK macros
        ...
    • MAINTAINERS: update lists.linuxfoundation.org migrated lists · 6d795e2a
      Konstantin Ryabitsev authored
      The mailman-2 system behind lists.linux[-]foundation.org is being
      retired, so the lists are being migrated to lists.linux.dev.
      
      Since both domains belong to LF and setting up proper forwards is
      possible, the old addresses will continue to work for a while, but all
      new patches should be sent to the new canonical addresses for each list.
      Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 's390-6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 1995a536
      Linus Torvalds authored
      Pull more s390 updates from Vasily Gorbik:
      
       - Get rid of s390 specific use of two PTEs per 4KB page with complex
         half-used pages tracking. Using full 4KB pages for 2KB PTEs increases
         the memory footprint of page tables but drastically simplifies mm code,
         removing a common blocker for common code changes and adaptations
      
       - Simplify and rework "cmma no-dat" handling. This is a follow up for
         recent fixes which prevent potential incorrect guest TLB flushes
      
       - Add perf user stack unwinding as well as USER_STACKTRACE support for
         user space built with -mbackchain compile option
      
       - Add few missing conversion from tlb_remove_table to tlb_remove_ptdesc
      
       - Fix crypto cards vanishing in a secure execution environment due to
         asynchronous errors
      
       - Avoid reporting crypto cards or queues in check-stop state as online
      
       - Fix null-ptr dereference in AP bus code triggered by early config
         change via SCLP
      
       - Couple of stability improvements in AP queue interrupt handling
      
      * tag 's390-6.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: make pte_free_tlb() similar to pXd_free_tlb()
        s390/mm: use compound page order to distinguish page tables
        s390/mm: use full 4KB page for 2KB PTE
        s390/cmma: rework no-dat handling
        s390/cmma: move arch_set_page_dat() to header file
        s390/cmma: move set_page_stable() and friends to header file
        s390/cmma: move parsing of cmma kernel parameter to early boot code
        s390/cmma: cleanup inline assemblies
        s390/ap: fix vanishing crypto cards in SE environment
        s390/zcrypt: don't report online if card or queue is in check-stop state
        s390: add USER_STACKTRACE support
        s390/perf: implement perf_callchain_user()
        s390/ap: fix AP bus crash on early config change callback invocation
        s390/ap: re-enable interrupt for AP queues
        s390/ap: rework to use irq info from ap queue status
        s390/mm: add missing conversion to use ptdescs
    • Merge tag 'rcu-fixes-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/frederic/linux-dynticks · 90450a06
      Linus Torvalds authored
      Pull RCU fixes from Frederic Weisbecker:
      
       - Fix a lock inversion between scheduler and RCU introduced in
         v6.2-rc4. The scenario could trigger on any user of RCU_NOCB
         (mostly Android but also nohz_full)
      
       - Fix PF_IDLE semantic changes introduced in v6.6-rc3 breaking
         some RCU-Tasks and RCU-Tasks-Trace expectations as to what
         exactly is an idle task. This resulted in potential spurious
         stalls and warnings.
      
      * tag 'rcu-fixes-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/frederic/linux-dynticks:
        rcu/tasks-trace: Handle new PF_IDLE semantics
        rcu/tasks: Handle new PF_IDLE semantics
        rcu: Introduce rcu_cpu_online()
        rcu: Break rcu_node_0 --> &rq->__lock order
    • Merge tag 'memblock-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock · 447cec03
      Linus Torvalds authored
      Pull memblock update from Mike Rapoport:
       "Report failures when memblock_can_resize is not set.
      
        Numerous memblock reservations at early boot may exhaust static
        memblock.reserved array and it is unnoticed because most of the
        callers don't check memblock_reserve() return value.
      
        In this case the system will crash later, but the reason is hard to
        identify.
      
        Replace return of an error with panic() when memblock.reserved is
        exhausted before it can be resized"
      
      * tag 'memblock-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
        memblock: report failures when memblock_can_resize is not set
    • Merge tag 'kgdb-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/danielt/linux · c1ef4df1
      Linus Torvalds authored
      Pull kgdb updates from Daniel Thompson:
       "Just two patches for you this time!
      
         - During a panic, flush the console before entering kgdb.
      
           This makes things a little easier to comprehend, especially if an
           NMI backtrace was triggered on all CPUs just before we enter the
           panic routines
      
         - Correcting a couple of misleading (a.k.a. plain wrong) comments"
      
      * tag 'kgdb-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/danielt/linux:
        kdb: Corrects comment for kdballocenv
        kgdb: Flush console before entering kgdb on panic
    • Merge tag 'riscv-for-linus-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · d46392bb
      Linus Torvalds authored
      Pull RISC-V updates from Palmer Dabbelt:
      
       - Support for cbo.zero in userspace
      
       - Support for CBOs on ACPI-based systems
      
       - A handful of improvements for the T-Head cache flushing ops
      
       - Support for software shadow call stacks
      
       - Various cleanups and fixes
      
      * tag 'riscv-for-linus-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: (31 commits)
        RISC-V: hwprobe: Fix vDSO SIGSEGV
        riscv: configs: defconfig: Enable configs required for RZ/Five SoC
        riscv: errata: prefix T-Head mnemonics with th.
        riscv: put interrupt entries into .irqentry.text
        riscv: mm: Update the comment of CONFIG_PAGE_OFFSET
        riscv: Using TOOLCHAIN_HAS_ZIHINTPAUSE marco replace zihintpause
        riscv/mm: Fix the comment for swap pte format
        RISC-V: clarify the QEMU workaround in ISA parser
        riscv: correct pt_level name via pgtable_l5/4_enabled
        RISC-V: Provide pgtable_l5_enabled on rv32
        clocksource: timer-riscv: Increase rating of clock_event_device for Sstc
        clocksource: timer-riscv: Don't enable/disable timer interrupt
        lkdtm: Fix CFI_BACKWARD on RISC-V
        riscv: Use separate IRQ shadow call stacks
        riscv: Implement Shadow Call Stack
        riscv: Move global pointer loading to a macro
        riscv: Deduplicate IRQ stack switching
        riscv: VMAP_STACK overflow detection thread-safe
        RISC-V: cacheflush: Initialize CBO variables on ACPI systems
        RISC-V: ACPI: RHCT: Add function to get CBO block sizes
        ...
    • netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses · 80abbe8a
      Florian Westphal authored
      The ipv6 redirect target was derived from the ipv4 one, i.e. it's
      identical to a 'dnat' with the first (primary) address assigned to the
      network interface.  The code has been moved around to make it usable
      from nf_tables too, but it's still the same as it was back when this
      was added in 2012.
      
      IPv6, however, has different types of addresses; if the 'wrong' address
      comes first the redirection does not work.
      
      In Daniel's case, the addresses are:
        inet6 ::ffff:192 ...
        inet6 2a01: ...
      
      ... so the function attempts to redirect to the mapped address.
      
      Add more checks before the address is deemed correct:
      1. If the packets' daddr is scoped, search for a scoped address too
      2. skip tentative addresses
      3. skip mapped addresses
      
      Use the first address that appears to match our needs.
      Reported-by: Daniel Huhardeaux <tech@tootai.net>
      Closes: https://lore.kernel.org/netfilter/71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net/
      Fixes: 115e23ac ("netfilter: ip6tables: add REDIRECT target")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: xt_recent: fix (increase) ipv6 literal buffer length · 7b308feb
      Maciej Żenczykowski authored
      in6_pton() supports 'low-32-bit dot-decimal representation'
      (this is useful with DNS64/NAT64 networks for example):
      
        # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT
        # cat /proc/self/net/xt_recent/DEFAULT
        src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829
      
      but the provided buffer is too short:
      
        # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT
        -bash: echo: write error: Invalid argument
      
      Fixes: 079aa88f ("netfilter: xt_recent: IPv6 support")
      Signed-off-by: Maciej Żenczykowski <zenczykowski@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • ipvs: add missing module descriptions · 17cd01e4
      Florian Westphal authored
      W=1 builds warn on missing MODULE_DESCRIPTION, add them.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: remove catchall element in GC sync path · 93995bf4
      Pablo Neira Ayuso authored
      The expired catchall element is not deactivated and removed from GC sync
      path. This path holds mutex so just call nft_setelem_data_deactivate()
      and nft_setelem_catchall_remove() before queueing the GC work.
      
      Fixes: 4a9e12ea ("netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC")
      Reported-by: lonial con <kongln9170@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>