1. 05 Sep, 2024 6 commits
  2. 04 Sep, 2024 5 commits
    • Jonas Gorski's avatar
      net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN · bee2ef94
      Jonas Gorski authored
      When userspace wants to take over a fdb entry by setting it as
      EXTERN_LEARNED, we set both flags BR_FDB_ADDED_BY_EXT_LEARN and
      BR_FDB_ADDED_BY_USER in br_fdb_external_learn_add().
      
      If the bridge updates the entry later because its port changed, we clear
      the BR_FDB_ADDED_BY_EXT_LEARN flag, but leave the BR_FDB_ADDED_BY_USER
      flag set.
      
      If userspace then wants to take over the entry again,
      br_fdb_external_learn_add() sees that BR_FDB_ADDED_BY_USER and skips
      setting the BR_FDB_ADDED_BY_EXT_LEARN flags, thus silently ignores the
      update.
      
      Fix this by always allowing to set BR_FDB_ADDED_BY_EXT_LEARN regardless
      if this was a user fdb entry or not.
      
      Fixes: 710ae728 ("net: bridge: Mark FDB entries that were added by user as such")
      Signed-off-by: default avatarJonas Gorski <jonas.gorski@bisdn.de>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Link: https://patch.msgid.link/20240903081958.29951-1-jonas.gorski@bisdn.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      bee2ef94
    • Hayes Wang's avatar
      r8152: fix the firmware doesn't work · 8487b4af
      Hayes Wang authored
      generic_ocp_write() asks the parameter "size" must be 4 bytes align.
      Therefore, write the bp would fail, if the mac->bp_num is odd. Align the
      size to 4 for fixing it. The way may write an extra bp, but the
      rtl8152_is_fw_mac_ok() makes sure the value must be 0 for the bp whose
      index is more than mac->bp_num. That is, there is no influence for the
      firmware.
      
      Besides, I check the return value of generic_ocp_write() to make sure
      everything is correct.
      
      Fixes: e5c266a6 ("r8152: set bp in bulk")
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Link: https://patch.msgid.link/20240903063333.4502-1-hayeswang@realtek.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8487b4af
    • Kuniyuki Iwashima's avatar
      fou: Fix null-ptr-deref in GRO. · 7e419693
      Kuniyuki Iwashima authored
      We observed a null-ptr-deref in fou_gro_receive() while shutting down
      a host.  [0]
      
      The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol
      in struct fou.
      
      When fou_release() is called due to netns dismantle or explicit tunnel
      teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data.
      Then, the tunnel socket is destroyed after a single RCU grace period.
      
      So, in-flight udp4_gro_receive() could find the socket and execute the
      FOU GRO handler, where sk->sk_user_data could be NULL.
      
      Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL
      checks in FOU GRO handlers.
      
      [0]:
      BUG: kernel NULL pointer dereference, address: 0000000000000008
       PF: supervisor read access in kernel mode
       PF: error_code(0x0000) - not-present page
      PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0
      SMP PTI
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1
      Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017
      RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]
      Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42
      RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297
      RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010
      RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08
      RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002
      R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400
      R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0
      FS:  0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       <IRQ>
       ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
       ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
       ? no_context (arch/x86/mm/fault.c:752)
       ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483)
       ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571)
       ? fou_gro_receive (net/ipv4/fou.c:233) [fou]
       udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559)
       udp4_gro_receive (net/ipv4/udp_offload.c:604)
       inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7))
       dev_gro_receive (net/core/dev.c:6035 (discriminator 4))
       napi_gro_receive (net/core/dev.c:6170)
       ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena]
       ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena]
       napi_poll (net/core/dev.c:6847)
       net_rx_action (net/core/dev.c:6917)
       __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299)
       asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)
      </IRQ>
       do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77)
       irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435)
       common_interrupt (arch/x86/kernel/irq.c:239)
       asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)
      RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)
      Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00
      RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246
      RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900
      RDX: ffff93daee800000 RSI: ffff93daee87dc00 RDI: ffff93daee87dc64
      RBP: 0000000000000001 R08: ffffffffb5e7b6c0 R09: 0000000000000044
      R10: ffff93daee831b04 R11: 00000000000001cd R12: 0000000000000001
      R13: ffffffffb5e7b740 R14: 0000000000000001 R15: 0000000000000000
       ? sched_clock_cpu (kernel/sched/clock.c:371)
       acpi_idle_enter (drivers/acpi/processor_idle.c:712 (discriminator 3))
       cpuidle_enter_state (drivers/cpuidle/cpuidle.c:237)
       cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
       cpuidle_idle_call (kernel/sched/idle.c:158 kernel/sched/idle.c:239)
       do_idle (kernel/sched/idle.c:302)
       cpu_startup_entry (kernel/sched/idle.c:395 (discriminator 1))
       start_kernel (init/main.c:1048)
       secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:310)
      Modules linked in: udp_diag tcp_diag inet_diag nft_nat ipip tunnel4 dummy fou ip_tunnel nft_masq nft_chain_nat nf_nat wireguard nft_ct curve25519_x86_64 libcurve25519_generic nf_conntrack libchacha20poly1305 nf_defrag_ipv6 nf_defrag_ipv4 nft_objref chacha_x86_64 nft_counter nf_tables nfnetlink poly1305_x86_64 ip6_udp_tunnel udp_tunnel libchacha crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper mousedev psmouse button ena ptp pps_core crc32c_intel
      CR2: 0000000000000008
      
      Fixes: d92283e3 ("fou: change to use UDP socket GRO")
      Reported-by: default avatarAlphonse Kurian <alkurian@amazon.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://patch.msgid.link/20240902173927.62706-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7e419693
    • Guillaume Nault's avatar
      bareudp: Fix device stats updates. · 4963d234
      Guillaume Nault authored
      Bareudp devices update their stats concurrently.
      Therefore they need proper atomic increments.
      
      Fixes: 571912c6 ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://patch.msgid.link/04b7b9d0b480158eb3ab4366ec80aa2ab7e41fcb.1725031794.git.gnault@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4963d234
    • Souradeep Chakrabarti's avatar
      net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup · b6ecc662
      Souradeep Chakrabarti authored
      Currently napi_disable() gets called during rxq and txq cleanup,
      even before napi is enabled and hrtimer is initialized. It causes
      kernel panic.
      
      ? page_fault_oops+0x136/0x2b0
        ? page_counter_cancel+0x2e/0x80
        ? do_user_addr_fault+0x2f2/0x640
        ? refill_obj_stock+0xc4/0x110
        ? exc_page_fault+0x71/0x160
        ? asm_exc_page_fault+0x27/0x30
        ? __mmdrop+0x10/0x180
        ? __mmdrop+0xec/0x180
        ? hrtimer_active+0xd/0x50
        hrtimer_try_to_cancel+0x2c/0xf0
        hrtimer_cancel+0x15/0x30
        napi_disable+0x65/0x90
        mana_destroy_rxq+0x4c/0x2f0
        mana_create_rxq.isra.0+0x56c/0x6d0
        ? mana_uncfg_vport+0x50/0x50
        mana_alloc_queues+0x21b/0x320
        ? skb_dequeue+0x5f/0x80
      
      Cc: stable@vger.kernel.org
      Fixes: e1b5683f ("net: mana: Move NAPI from EQ to CQ")
      Signed-off-by: default avatarSouradeep Chakrabarti <schakrabarti@linux.microsoft.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: default avatarShradha Gupta <shradhagupta@linux.microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6ecc662
  3. 03 Sep, 2024 23 commits
  4. 02 Sep, 2024 4 commits
  5. 01 Sep, 2024 2 commits
    • David S. Miller's avatar
      Merge branch 'mctp-serial-tx-escapes' · 9b087428
      David S. Miller authored
      Matt Johnston says:
      
      ====================
      net: mctp-serial: Fix for missing tx escapes
      
      The mctp-serial code to add escape characters was incorrect due to an
      off-by-one error. This series adds a test for the chunking which splits
      by escape characters, and fixes the bug.
      
      v2: Fix kunit param const pointer
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b087428
    • Matt Johnston's avatar
      net: mctp-serial: Fix missing escapes on transmit · f962e836
      Matt Johnston authored
      0x7d and 0x7e bytes are meant to be escaped in the data portion of
      frames, but this didn't occur since next_chunk_len() had an off-by-one
      error. That also resulted in the final byte of a payload being written
      as a separate tty write op.
      
      The chunk prior to an escaped byte would be one byte short, and the
      next call would never test the txpos+1 case, which is where the escaped
      byte was located. That meant it never hit the escaping case in
      mctp_serial_tx_work().
      
      Example Input: 01 00 08 c8 7e 80 02
      
      Previous incorrect chunks from next_chunk_len():
      
      01 00 08
      c8 7e 80
      02
      
      With this fix:
      
      01 00 08 c8
      7e
      80 02
      
      Cc: stable@vger.kernel.org
      Fixes: a0c2ccd9 ("mctp: Add MCTP-over-serial transport binding")
      Signed-off-by: default avatarMatt Johnston <matt@codeconstruct.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f962e836