1. 22 Aug, 2024 11 commits
    • Sava Jakovljev's avatar
      net: phy: realtek: Fix setting of PHY LEDs Mode B bit on RTL8211F · a2f5c505
      Sava Jakovljev authored
      The current implementation incorrectly sets the mode bit of the PHY chip.
      Bit 15 (RTL8211F_LEDCR_MODE) should not be shifted together with the
      configuration nibble of a LED- it should be set independently of the
      index of the LED being configured.
      As a consequence, the RTL8211F LED control is actually operating in Mode A.
      Fix the error by or-ing final register value to write with a const-value of
      RTL8211F_LEDCR_MODE, thus setting Mode bit explicitly.
      
      Fixes: 17784801 ("net: phy: realtek: Add support for PHY LEDs on RTL8211F")
      Signed-off-by: default avatarSava Jakovljev <savaj@meyersound.com>
      Reviewed-by: default avatarMarek Vasut <marex@denx.de>
      Link: https://patch.msgid.link/PAWP192MB21287372F30C4E55B6DF6158C38E2@PAWP192MB2128.EURP192.PROD.OUTLOOK.COMSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a2f5c505
    • Mengyuan Lou's avatar
      net: ngbe: Fix phy mode set to external phy · f2916c83
      Mengyuan Lou authored
      The MAC only has add the TX delay and it can not be modified.
      MAC and PHY are both set the TX delay cause transmission problems.
      So just disable TX delay in PHY, when use rgmii to attach to
      external phy, set PHY_INTERFACE_MODE_RGMII_RXID to phy drivers.
      And it is does not matter to internal phy.
      
      Fixes: bc2426d7 ("net: ngbe: convert phylib to phylink")
      Signed-off-by: default avatarMengyuan Lou <mengyuanlou@net-swift.com>
      Cc: stable@vger.kernel.org # 6.3+
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://patch.msgid.link/E6759CF1387CF84C+20240820030425.93003-1-mengyuanlou@net-swift.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f2916c83
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · a0b4a80e
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2024-08-20 (ice)
      
      This series contains updates to ice driver only.
      
      Maciej fixes issues with Rx data path on architectures with
      PAGE_SIZE >= 8192; correcting page reuse usage and calculations for
      last offset and truesize.
      
      Michal corrects assignment of devlink port number to use PF id.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: use internal pf id instead of function number
        ice: fix truesize operations for PAGE_SIZE >= 8192
        ice: fix ICE_LAST_OFFSET formula
        ice: fix page reuse when PAGE_SIZE is over 8k
      ====================
      
      Link: https://patch.msgid.link/20240820215620.1245310-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a0b4a80e
    • Somnath Kotur's avatar
      bnxt_en: Fix double DMA unmapping for XDP_REDIRECT · 8baeef76
      Somnath Kotur authored
      Remove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT
      code path.  This should have been removed when we let the page pool
      handle the DMA mapping.  This bug causes the warning:
      
      WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100
      CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G        W          6.8.0-1010-gcp #11-Ubuntu
      Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024
      RIP: 0010:iommu_dma_unmap_page+0xd5/0x100
      Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9
      RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c
      R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000
      R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002
      FS:  0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0
      ? show_regs+0x6d/0x80
      ? __warn+0x89/0x150
      ? iommu_dma_unmap_page+0xd5/0x100
      ? report_bug+0x16a/0x190
      ? handle_bug+0x51/0xa0
      ? exc_invalid_op+0x18/0x80
      ? iommu_dma_unmap_page+0xd5/0x100
      ? iommu_dma_unmap_page+0x35/0x100
      dma_unmap_page_attrs+0x55/0x220
      ? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f
      bnxt_rx_xdp+0x237/0x520 [bnxt_en]
      bnxt_rx_pkt+0x640/0xdd0 [bnxt_en]
      __bnxt_poll_work+0x1a1/0x3d0 [bnxt_en]
      bnxt_poll+0xaa/0x1e0 [bnxt_en]
      __napi_poll+0x33/0x1e0
      net_rx_action+0x18a/0x2f0
      
      Fixes: 578fcfd2 ("bnxt_en: Let the page pool manage the DMA mapping")
      Reviewed-by: default avatarAndy Gospodarek <andrew.gospodarek@broadcom.com>
      Reviewed-by: default avatarKalesh AP <kalesh-anakkur.purayil@broadcom.com>
      Signed-off-by: default avatarSomnath Kotur <somnath.kotur@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://patch.msgid.link/20240820203415.168178-1-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8baeef76
    • Jakub Kicinski's avatar
      Merge branch 'ipv6-fix-possible-uaf-in-output-paths' · 58652e24
      Jakub Kicinski authored
      Eric Dumazet says:
      
      ====================
      ipv6: fix possible UAF in output paths
      
      First patch fixes an issue spotted by syzbot, and the two
      other patches fix error paths after skb_expand_head()
      adoption.
      ====================
      
      Link: https://patch.msgid.link/20240820160859.3786976-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      58652e24
    • Eric Dumazet's avatar
      ipv6: prevent possible UAF in ip6_xmit() · 2d5ff7e3
      Eric Dumazet authored
      If skb_expand_head() returns NULL, skb has been freed
      and the associated dst/idev could also have been freed.
      
      We must use rcu_read_lock() to prevent a possible UAF.
      
      Fixes: 0c9f227b ("ipv6: use skb_expand_head in ip6_xmit")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Vasily Averin <vasily.averin@linux.dev>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://patch.msgid.link/20240820160859.3786976-4-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2d5ff7e3
    • Eric Dumazet's avatar
      ipv6: fix possible UAF in ip6_finish_output2() · da273b37
      Eric Dumazet authored
      If skb_expand_head() returns NULL, skb has been freed
      and associated dst/idev could also have been freed.
      
      We need to hold rcu_read_lock() to make sure the dst and
      associated idev are alive.
      
      Fixes: 5796015f ("ipv6: allocate enough headroom in ip6_finish_output2()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Vasily Averin <vasily.averin@linux.dev>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://patch.msgid.link/20240820160859.3786976-3-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      da273b37
    • Eric Dumazet's avatar
      ipv6: prevent UAF in ip6_send_skb() · faa389b2
      Eric Dumazet authored
      syzbot reported an UAF in ip6_send_skb() [1]
      
      After ip6_local_out() has returned, we no longer can safely
      dereference rt, unless we hold rcu_read_lock().
      
      A similar issue has been fixed in commit
      a688caa3 ("ipv6: take rcu lock in rawv6_send_hdrinc()")
      
      Another potential issue in ip6_finish_output2() is handled in a
      separate patch.
      
      [1]
       BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
      Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530
      
      CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
      Call Trace:
       <TASK>
        __dump_stack lib/dump_stack.c:93 [inline]
        dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
        print_address_description mm/kasan/report.c:377 [inline]
        print_report+0x169/0x550 mm/kasan/report.c:488
        kasan_report+0x143/0x180 mm/kasan/report.c:601
        ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
        rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
        rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x1a6/0x270 net/socket.c:745
        sock_write_iter+0x2dd/0x400 net/socket.c:1160
       do_iter_readv_writev+0x60a/0x890
        vfs_writev+0x37c/0xbb0 fs/read_write.c:971
        do_writev+0x1b1/0x350 fs/read_write.c:1018
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      RIP: 0033:0x7f936bf79e79
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79
      RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004
      RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8
       </TASK>
      
      Allocated by task 6530:
        kasan_save_stack mm/kasan/common.c:47 [inline]
        kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
        unpoison_slab_object mm/kasan/common.c:312 [inline]
        __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
        kasan_slab_alloc include/linux/kasan.h:201 [inline]
        slab_post_alloc_hook mm/slub.c:3988 [inline]
        slab_alloc_node mm/slub.c:4037 [inline]
        kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
        dst_alloc+0x12b/0x190 net/core/dst.c:89
        ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670
        make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]
        xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313
        ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257
        rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x1a6/0x270 net/socket.c:745
        ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
        ___sys_sendmsg net/socket.c:2651 [inline]
        __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Freed by task 45:
        kasan_save_stack mm/kasan/common.c:47 [inline]
        kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
        kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
        poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
        __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
        kasan_slab_free include/linux/kasan.h:184 [inline]
        slab_free_hook mm/slub.c:2252 [inline]
        slab_free mm/slub.c:4473 [inline]
        kmem_cache_free+0x145/0x350 mm/slub.c:4548
        dst_destroy+0x2ac/0x460 net/core/dst.c:124
        rcu_do_batch kernel/rcu/tree.c:2569 [inline]
        rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2843
        handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
        __do_softirq kernel/softirq.c:588 [inline]
        invoke_softirq kernel/softirq.c:428 [inline]
        __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
        irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
        instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
        sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
        asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
      
      Last potentially related work creation:
        kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
        __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
        __call_rcu_common kernel/rcu/tree.c:3106 [inline]
        call_rcu+0x167/0xa70 kernel/rcu/tree.c:3210
        refdst_drop include/net/dst.h:263 [inline]
        skb_dst_drop include/net/dst.h:275 [inline]
        nf_ct_frag6_queue net/ipv6/netfilter/nf_conntrack_reasm.c:306 [inline]
        nf_ct_frag6_gather+0xb9a/0x2080 net/ipv6/netfilter/nf_conntrack_reasm.c:485
        ipv6_defrag+0x2c8/0x3c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:67
        nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
        nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
        nf_hook include/linux/netfilter.h:269 [inline]
        __ip6_local_out+0x6fa/0x800 net/ipv6/output_core.c:143
        ip6_local_out+0x26/0x70 net/ipv6/output_core.c:153
        ip6_send_skb+0x112/0x230 net/ipv6/ip6_output.c:1959
        rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
        rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x1a6/0x270 net/socket.c:745
        sock_write_iter+0x2dd/0x400 net/socket.c:1160
       do_iter_readv_writev+0x60a/0x890
      
      Fixes: 06254914 ("ipv6: ip6_push_pending_frames() should increment IPSTATS_MIB_OUTDISCARDS")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://patch.msgid.link/20240820160859.3786976-2-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      faa389b2
    • Eric Dumazet's avatar
      netpoll: do not export netpoll_poll_[disable|enable]() · 007d4271
      Eric Dumazet authored
      netpoll_poll_disable() and netpoll_poll_enable() are only used
      from core networking code, there is no need to export them.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20240820162053.3870927-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      007d4271
    • Ido Schimmel's avatar
      selftests: mlxsw: ethtool_lanes: Source ethtool lib from correct path · f8669d7b
      Ido Schimmel authored
      Source the ethtool library from the correct path and avoid the following
      error:
      
      ./ethtool_lanes.sh: line 14: ./../../../net/forwarding/ethtool_lib.sh: No such file or directory
      
      Fixes: 40d269c0 ("selftests: forwarding: Move several selftests")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/2112faff02e536e1ac14beb4c2be09c9574b90ae.1724150067.git.petrm@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f8669d7b
    • Felix Fietkau's avatar
      udp: fix receiving fraglist GSO packets · b128ed5a
      Felix Fietkau authored
      When assembling fraglist GSO packets, udp4_gro_complete does not set
      skb->csum_start, which makes the extra validation in __udp_gso_segment fail.
      
      Fixes: 89add400 ("net: drop bad gso csum_start and offset in virtio_net_hdr")
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://patch.msgid.link/20240819150621.59833-1-nbd@nbd.nameSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b128ed5a
  2. 21 Aug, 2024 16 commits
  3. 20 Aug, 2024 13 commits