1. 20 Feb, 2023 6 commits
    • Doug Berger's avatar
      net: bcmgenet: fix MoCA LED control · a7515af9
      Doug Berger authored
      When the bcmgenet_mii_config() code was refactored it was missed
      that the LED control for the MoCA interface got overwritten by
      the port_ctrl value. Its previous programming is restored here.
      
      Fixes: 4f8d81b7 ("net: bcmgenet: Refactor register access in bcmgenet_mii_config")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7515af9
    • Shigeru Yoshida's avatar
      l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register() · 9ca5e7ec
      Shigeru Yoshida authored
      When a file descriptor of pppol2tp socket is passed as file descriptor
      of UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().
      This situation is reproduced by the following program:
      
      int main(void)
      {
      	int sock;
      	struct sockaddr_pppol2tp addr;
      
      	sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
      	if (sock < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	addr.sa_family = AF_PPPOX;
      	addr.sa_protocol = PX_PROTO_OL2TP;
      	addr.pppol2tp.pid = 0;
      	addr.pppol2tp.fd = sock;
      	addr.pppol2tp.addr.sin_family = PF_INET;
      	addr.pppol2tp.addr.sin_port = htons(0);
      	addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1");
      	addr.pppol2tp.s_tunnel = 1;
      	addr.pppol2tp.s_session = 0;
      	addr.pppol2tp.d_tunnel = 0;
      	addr.pppol2tp.d_session = 0;
      
      	if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
      		perror("connect");
      		return 1;
      	}
      
      	return 0;
      }
      
      This program causes the following lockdep warning:
      
       ============================================
       WARNING: possible recursive locking detected
       6.2.0-rc5-00205-gc9661827 #56 Not tainted
       --------------------------------------------
       repro/8607 is trying to acquire lock:
       ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0
      
       but task is already holding lock:
       ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30
      
       other info that might help us debug this:
        Possible unsafe locking scenario:
      
              CPU0
              ----
         lock(sk_lock-AF_PPPOX);
         lock(sk_lock-AF_PPPOX);
      
        *** DEADLOCK ***
      
        May be due to missing lock nesting notation
      
       1 lock held by repro/8607:
        #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30
      
       stack backtrace:
       CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc9661827 #56
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
       Call Trace:
        <TASK>
        dump_stack_lvl+0x100/0x178
        __lock_acquire.cold+0x119/0x3b9
        ? lockdep_hardirqs_on_prepare+0x410/0x410
        lock_acquire+0x1e0/0x610
        ? l2tp_tunnel_register+0x2b7/0x11c0
        ? lock_downgrade+0x710/0x710
        ? __fget_files+0x283/0x3e0
        lock_sock_nested+0x3a/0xf0
        ? l2tp_tunnel_register+0x2b7/0x11c0
        l2tp_tunnel_register+0x2b7/0x11c0
        ? sprintf+0xc4/0x100
        ? l2tp_tunnel_del_work+0x6b0/0x6b0
        ? debug_object_deactivate+0x320/0x320
        ? lockdep_init_map_type+0x16d/0x7a0
        ? lockdep_init_map_type+0x16d/0x7a0
        ? l2tp_tunnel_create+0x2bf/0x4b0
        ? l2tp_tunnel_create+0x3c6/0x4b0
        pppol2tp_connect+0x14e1/0x1a30
        ? pppol2tp_put_sk+0xd0/0xd0
        ? aa_sk_perm+0x2b7/0xa80
        ? aa_af_perm+0x260/0x260
        ? bpf_lsm_socket_connect+0x9/0x10
        ? pppol2tp_put_sk+0xd0/0xd0
        __sys_connect_file+0x14f/0x190
        __sys_connect+0x133/0x160
        ? __sys_connect_file+0x190/0x190
        ? lockdep_hardirqs_on+0x7d/0x100
        ? ktime_get_coarse_real_ts64+0x1b7/0x200
        ? ktime_get_coarse_real_ts64+0x147/0x200
        ? __audit_syscall_entry+0x396/0x500
        __x64_sys_connect+0x72/0xb0
        do_syscall_64+0x38/0xb0
        entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      This patch fixes the issue by getting/creating the tunnel before
      locking the pppol2tp socket.
      
      Fixes: 0b2c5972 ("l2tp: close all race conditions in l2tp_tunnel_register()")
      Cc: Cong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarShigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9ca5e7ec
    • Jakub Sitnicki's avatar
      selftests/net: Interpret UDP_GRO cmsg data as an int value · 43686409
      Jakub Sitnicki authored
      Data passed to user-space with a (SOL_UDP, UDP_GRO) cmsg carries an
      int (see udp_cmsg_recv), not a u16 value, as strace confirms:
      
        recvmsg(8, {msg_name=...,
                    msg_iov=[{iov_base="\0\0..."..., iov_len=96000}],
                    msg_iovlen=1,
                    msg_control=[{cmsg_len=20,         <-- sizeof(cmsghdr) + 4
                                  cmsg_level=SOL_UDP,
                                  cmsg_type=0x68}],    <-- UDP_GRO
                                  msg_controllen=24,
                                  msg_flags=0}, 0) = 11200
      
      Interpreting the data as an u16 value won't work on big-endian platforms.
      Since it is too late to back out of this API decision [1], fix the test.
      
      [1]: https://lore.kernel.org/netdev/20230131174601.203127-1-jakub@cloudflare.com/
      
      Fixes: 3327a9c4 ("selftests: add functionals test for UDP GRO")
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43686409
    • Manish Chopra's avatar
      qede: fix interrupt coalescing configuration · 908d4bb7
      Manish Chopra authored
      On default driver load device gets configured with unexpected
      higher interrupt coalescing values instead of default expected
      values as memory allocated from krealloc() is not supposed to
      be zeroed out and may contain garbage values.
      
      Fix this by allocating the memory of required size first with
      kcalloc() and then use krealloc() to resize and preserve the
      contents across down/up of the interface.
      Signed-off-by: default avatarManish Chopra <manishc@marvell.com>
      Fixes: b0ec5489 ("qede: preserve per queue stats across up/down of interface")
      Cc: stable@vger.kernel.org
      Cc: Bhaskar Upadhaya <bupadhaya@marvell.com>
      Cc: David S. Miller <davem@davemloft.net>
      Link: https://bugzilla.redhat.com/show_bug.cgi?id=2160054Signed-off-by: default avatarAlok Prasad <palok@marvell.com>
      Signed-off-by: default avatarAriel Elior <aelior@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      908d4bb7
    • D. Wythe's avatar
      net/smc: fix application data exception · 475f9ff6
      D. Wythe authored
      There is a certain probability that following
      exceptions will occur in the wrk benchmark test:
      
      Running 10s test @ http://11.213.45.6:80
        8 threads and 64 connections
        Thread Stats   Avg      Stdev     Max   +/- Stdev
          Latency     3.72ms   13.94ms 245.33ms   94.17%
          Req/Sec     1.96k   713.67     5.41k    75.16%
        155262 requests in 10.10s, 23.10MB read
      Non-2xx or 3xx responses: 3
      
      We will find that the error is HTTP 400 error, which is a serious
      exception in our test, which means the application data was
      corrupted.
      
      Consider the following scenarios:
      
      CPU0                            CPU1
      
      buf_desc->used = 0;
                                      cmpxchg(buf_desc->used, 0, 1)
                                      deal_with(buf_desc)
      
      memset(buf_desc->cpu_addr,0);
      
      This will cause the data received by a victim connection to be cleared,
      thus triggering an HTTP 400 error in the server.
      
      This patch exchange the order between clear used and memset, add
      barrier to ensure memory consistency.
      
      Fixes: 1c552696 ("net/smc: Clear memory when release and reuse buffer")
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      475f9ff6
    • D. Wythe's avatar
      net/smc: fix potential panic dues to unprotected smc_llc_srv_add_link() · e40b801b
      D. Wythe authored
      There is a certain chance to trigger the following panic:
      
      PID: 5900   TASK: ffff88c1c8af4100  CPU: 1   COMMAND: "kworker/1:48"
       #0 [ffff9456c1cc79a0] machine_kexec at ffffffff870665b7
       #1 [ffff9456c1cc79f0] __crash_kexec at ffffffff871b4c7a
       #2 [ffff9456c1cc7ab0] crash_kexec at ffffffff871b5b60
       #3 [ffff9456c1cc7ac0] oops_end at ffffffff87026ce7
       #4 [ffff9456c1cc7ae0] page_fault_oops at ffffffff87075715
       #5 [ffff9456c1cc7b58] exc_page_fault at ffffffff87ad0654
       #6 [ffff9456c1cc7b80] asm_exc_page_fault at ffffffff87c00b62
          [exception RIP: ib_alloc_mr+19]
          RIP: ffffffffc0c9cce3  RSP: ffff9456c1cc7c38  RFLAGS: 00010202
          RAX: 0000000000000000  RBX: 0000000000000002  RCX: 0000000000000004
          RDX: 0000000000000010  RSI: 0000000000000000  RDI: 0000000000000000
          RBP: ffff88c1ea281d00   R8: 000000020a34ffff   R9: ffff88c1350bbb20
          R10: 0000000000000000  R11: 0000000000000001  R12: 0000000000000000
          R13: 0000000000000010  R14: ffff88c1ab040a50  R15: ffff88c1ea281d00
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff9456c1cc7c60] smc_ib_get_memory_region at ffffffffc0aff6df [smc]
       #8 [ffff9456c1cc7c88] smcr_buf_map_link at ffffffffc0b0278c [smc]
       #9 [ffff9456c1cc7ce0] __smc_buf_create at ffffffffc0b03586 [smc]
      
      The reason here is that when the server tries to create a second link,
      smc_llc_srv_add_link() has no protection and may add a new link to
      link group. This breaks the security environment protected by
      llc_conf_mutex.
      
      Fixes: 2d2209f2 ("net/smc: first part of add link processing as SMC server")
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarLarysa Zaremba <larysa.zaremba@intel.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e40b801b
  2. 17 Feb, 2023 1 commit
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2023-02-17' of git://anongit.freedesktop.org/drm/drm · ec35307e
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Just a final collection of misc fixes, the biggest disables the
        recently added dynamic debugging support, it has a regression that
        needs some bigger fixes.
      
        Otherwise a bunch of fixes across the board, vc4, amdgpu and vmwgfx
        mostly, with some smaller i915 and ast fixes.
      
        drm:
         - dynamic debug disable for now
      
        fbdev:
         - deferred i/o device close fix
      
        amdgpu:
         - Fix GC11.x suspend warning
         - Fix display warning
      
        vc4:
         - YUV planes fix
         - hdmi display fix
         - crtc reduced blanking fix
      
        ast:
         - fix start address computation
      
        vmwgfx:
         - fix bo/handle races
      
        i915:
         - gen11 WA fix"
      
      * tag 'drm-fixes-2023-02-17' of git://anongit.freedesktop.org/drm/drm:
        drm/amd/display: Fail atomic_check early on normalize_zpos error
        drm/amd/amdgpu: fix warning during suspend
        drm/vmwgfx: Do not drop the reference to the handle too soon
        drm/vmwgfx: Stop accessing buffer objects which failed init
        drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list
        drm: Disable dynamic debug as broken
        drm/ast: Fix start address computation
        fbdev: Fix invalid page access after closing deferred I/O devices
        drm/vc4: crtc: Increase setup cost in core clock calculation to handle extreme reduced blanking
        drm/vc4: hdmi: Always enable GCP with AVMUTE cleared
        drm/vc4: Fix YUV plane handling when planes are in different buffers
      ec35307e
  3. 16 Feb, 2023 15 commits
  4. 15 Feb, 2023 17 commits
  5. 14 Feb, 2023 1 commit